Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 6

Jeff Luszcz on Open Source Compliance

Oct. 03, 2019
0 likes 404 views

0

Share

Download to read offline

Software

Jeff Luszcz on Open Source Compliance

Compliance is still a personality driven process
When influencers leave, a company’s compliance process often falls apart
Bus Factor=<1 at many companies
Experience levels vary greatly across the industry
BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person.
Analysis Paralysis is a double edged sword
First reviews lead to either NO reviews or MORE reviews
Remediation is an ART not a Science

The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets

The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing

We need to start requiring accurate BOMS in contracts with real teeth

“Internal Audit” is waking up to OSS issues

Pressure building for new FOSS licenses / models

OpenChain has a bright future! Well respected and outside knowledge is growing

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(3/5)
Free
Ultimate Guide to Mastering Command Blocks!: Minecraft Keys to Unlocking Secret Commands Triumph Books
(4.5/5)
Free
The Inmates Are Running the Asylum (Review and Analysis of Cooper's Book) BusinessNews Publishing
(4/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
Algorithms to Live By: The Computer Science of Human Decisions Tom Griffiths
(4.5/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community that Will Listen Kristen Meinzer
(4.5/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(3.5/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(3.5/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
Kill All Normies: Online Culture Wars From 4Chan And Tumblr To Trump And The Alt-Right Angela Nagle
(4/5)
Free
The Art of Social Media: Power Tips for Power Users Guy Kawasaki
(4/5)
Free
The Book of Why: The New Science of Cause and Effect Judea Pearl
(4/5)
Free

Jeff Luszcz on Open Source Compliance

  1. 1. 15 YEARS IN OPEN SOURCE COMPLIANCE Jeff Luszcz jeff@luszcz.com @JeffLuszcz
  2. 2. 15 YEARS IN OPEN SOURCE COMPLIANCE INTRODUCTION – JEFF LUSZCZ  Founded Palamida in 2004  One of the first Scanning tools to manage FOSS  Designed compliance audit program and built out Professional Services team to implement it  Team helped everything from basic compliance, M&A due diligence, and open source project hygiene  Everyone from sole proprietors to largest software companies in the world  Witnessed industry move from dozens of OSS packages to 1000s of packages per BOM
  3. 3. THINGS LEARNED ALONG THE WAY  Compliance is still a personality driven process  When influencers leave, a company’s compliance process often falls apart  Bus Factor=<1 at many companies  Experience levels vary greatly across the industry  BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person.  Analysis Paralysis is a double edged sword  First reviews lead to either NO reviews or MORE reviews  Remediation is an ART not a Science
  4. 4. WHAT IS HARD FOR COMPANIES?  New code is valued over “maintenance” and no dev cycles are earmarked for compliance*  (*outside of post M&A work)  Top level package licenses can be managed but inner- package licensing is difficult to understand  The typical BOM undercounts by 99%!  Each layer (build, dev, deployed) is managed by different teams who all are scared to call the lawyers  “Here be dragons issues” like Old code with non- standard licenses from dead people
  5. 5. WHAT’S ON THE HORIZON  The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets  The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing  We need to start requiring accurate BOMS in contracts with real teeth  “Internal Audit” is waking up to OSS issues  Pressure building for new FOSS licenses / models  OpenChain has a bright future! Well respected and outside knowledge is growing
  6. 6. THANKS! CONTACT: Jeff Luszcz jeff@luszcz.com @JeffLuszcz

Editor's Notes

  • We quickly discovered we need the human touch as well
  • In terms of maturity We don’t have this problem with financial compliance
    Experience impacts trust
    Still at the mercy of the right person being in the right place at the right time, affects the trustworthiness of a company
    Analysis paralysis: can lead to either ignoring the problem and pushing off compliance OR calling in the experts to fix things ASAP
    If we did a scan and everything was MIT or Apache 2.0 no one would have problems deciding to run a scan
  • In 2019 we are still not scheduling time for compliance
    Old code with non-standard licenses from dead people: this is problem with some of our core infrastructure that I hope projects like Clearly Defined or similar can help fix
    We all probably have “That File” or “That Package” we wish could get cleared up

  • There are holes in which we are monitoring. The build environment. I’m very concerned about this
    I’m still amazed that the level of quality in BOMs produced by companies is so large.
    The company with the better BOM can sometimes be penalized and that’s just wrong.

    In my interactions with companies who are not on the open chain calls, there is growing awareness. They are happy to see this, even if they don’t feel they can offer any help.




    • ×