Managing Open Source Software Supply Chains

Managing Open Source Software
Supply Chains

Managing Open Source Software Supply Chains
Agenda
• Introduction
• Identify the ten most common open source license obligations
• Explain what you need to do to comply with these obligations
• Discuss the key compliance challenges today
• Discuss open source software supply chain trends
• Preview a new tool for basic compliance automation
• Questions

Ten Most Common OSS License Obligations
• Copyright notices
• License notices
• Attribution requirements
• “Copyleft” obligations (licensing of derivative works)
• Source code licensing
• Source code delivery
• Build and installation instruction delivery (GPL)
• Notice of changes
• Indemnities
• Non-use of trademarks

How to Comply – Notices
• Copyright, license, modification, and attribution
requirements
• Delivery of source code may be the easiest way to
comply, because notices are “baked in” to distribution
package
• Binary delivery requires creation of notice files
• Notices must be in the product delivery, for most
licenses
• Online delivery is usually not sufficient
• Relying on third party notices is usually not sufficient

How to Comply – Source Code
• For GPL, LGPL, and other copyleft licenses
• Source materials must be made available, but not
necessarily delivered with product
• Not necessary to post source materials on the web, but
this is a good practice

How to Comply - Licenses
• Need to carve copyleft licensing requirements from
EULAs
• GPL, LGPL and other licenses cannot be changed to
other terms
• “Weak copyleft” licenses like EPL, MPL allow bifurcated
licensing of source and binaries

Key Compliance Challenges
• Tracking open source use
• Notice creation
• Notice delivery
• Build and installation instruction delivery
• Ensuring the source code is right for the build
AND
• Getting OSS data from suppliers and to customers

FANTEC Litigation
• Plaintiff: Harald Welte of gpl-violations.org
• Open Source Software: iptables, a packet filtering utility licensed under GPL
• Defendant: FANTEC ---- Product: FANTEC 3DFHDL Media Player
• Compliance Efforts: FANTEC made a version of the source code available for
download that it had received from its contract manufacturer. It was not the
right source code for the binaries.
• Court holding: a distributor of software may not rely on assurances made by
the supplier of the software that the software does not infringe the rights of
any third party
• History: FANTEC had previously settled a GPL dispute with Welte in 2010 by a
settlement that specified penalties if FANTEC committed any future GPL
violation. At a 2012 "Hacking for Compliance" workshop hosted by the Free
Software Foundation, compliance engineers discovered that the firmware
object code shipping with the 3DFHDL included iptables and that the source
code provided by FANTEC did not.

OSS Supply Chain Trends
• More customers are requiring suppliers to share the
OSS compliance burden and provide compliance
artifacts for their products
– Software BOM
– Attribution Text
– Source Code Redistribution Packages as needed
• New challenge is what to do with the OSS information
from suppliers
– Where to put the data for future reference and use
– How to validate/audit the data with minimal rework
– How to deal with errors in the supplier-provided data
9

OSS Supply Chain Context
Component
Catalog
Supplier
Software
Package
---------------------
Software BOM
OSS Attribution Text
OSS Source Code
OSS SW
Packages
Customer
ISV SW
Packages
Embedded
OSS

OSS Supply Chain Solutions
• SPDX - Software Package Data Exchange®
• A standard format for communicating the components,
licenses and copyrights associated with a software
package
• Intended to support automated exchange of Software
Package Data
• Working Group of the Linux Foundation at
www.spdx.org
• Organized in Business, Legal and Technical teams
• Open to participation by anyone

• Supports exchange of
component and license
data in RDF/XML or
Tag/Value format
• Designed for automation
of data exchange -- not a
tool for provenance
analysis
• v2.0 will address complex
Software BOMs
Document Information
Creation Information
Package Information
File Information
Licensing Information
Review Information
SPDX Today - v1.1

OSS Supply Chain Data
• SPDX provides a “container” for exchange of
component and license data, but you still need to
create and manage the data for your products
• Possible data sources include:
– Open source projects
– Suppliers
– Internal analysis / audit
– Third-party analysis / audit
• You need somewhere to keep and maintain/update
the component and license/origin data

OSS Supply Chain Solutions
A basic system should be:
• Adaptable to existing engineering processes
– Engineers can use and update the data during normal
software development activities
– Independent of programming languages or tools
• Able to produce data for:
– Delivery to customers as
• Attribution and Redistribution packages
• SPDX files
– Synchronize with enterprise systems

ABOUT-Code
• nexB created the ABOUT-Code tools to automate OSS
compliance
• Based on our ABOUT specification
• An ABOUT file documents the origin and license for each
component, usually at the library or directory level
• An ABOUT file is a text file with the file extension “.about”
• Applicable to any programming language and software
development environment
• Extensible to build system integration for advanced automation
• Tools are in Python and licensed under Apache 2.0
• Code available at https://github.com/dejacode/about-code-tool
• Specification: http://www.dejacode.org/about_spec_v0.8.0.html

ABOUT File Example
A text file in “tag / value” format
httpd-2.4.3.tar.gz.about
name: Apache HTTP Server
home_url: http://httpd.apache.org
download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
version: 2.4.3
date: 2012-08-21
license: apache-2.0
license_file: httpd-2.4.3.tar.gz/LICENSE
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE

ABOUT-Code tools
• Create ABOUT files in a codebase from a Software
BOM or Inventory file (spreadsheet)
• Create a Software BOM or Inventory file (spreadsheet)
from ABOUT files in the codebase
• Create an Attribution text file
• Text file organized by copyright/license notice and
component
• Default text or HTML format
• Create a Source Code Redistribution package list
• Currently offered as command line tools

“Virtuous” Compliance Lifecycle
Product
Release (R1)
Baseline
R1 Software
Inventory/BOM
R1 Codebase
ABOUT Files
Component
License Text
R2 Software
Inventory/BOM
Attribution
Display /
Docs
R2 Codebase
ABOUT Files
Source Code
Redistribution
Package
Update ABOUT Files

Basic Automation - Today
• Use ABOUT-Code to read ABOUT files to
• Create a Software BOM / Inventory
• Create an Attribution text file
• Create a Source Code Redistribution package list
• Edit output files to remove components that are not
Deployed
• Add the Attribution text file to the product
documentation and(or) product GUI (Help / About)
• Assign an engineer to create the Source Code
Redistribution package with installation/build
instructions

Advanced Automation
Enhance your build system and tools to:
• Recognize ABOUT files
• Assemble ABOUT files during a build for the sub-set of
components included in an end-product (Deployed)
• Collect Attribution data for Deployed components and create
Attribution text file
• Insert Attribution text into GUI (Help / About)
• Collect source code for the components that require
Redistribution (including dependencies)
• Create an archive file of the Redistribution package

ABOUT-Code
• Download and use the code from GitHub at:
https://github.com/dejacode/about-code-tool
• Read the specification at:
http://www.dejacode.org/about_spec_v0.8.0.html
• Join the discussion at:
http://www.dejacode.org/
21

Questions

About Greenberg Traurig LLP
• GT is an international, multidisciplinary law firm in 35
locations in the United States, Latin America, Europe,
the Middle East and Asia.
• An International
Network of More
than 1,750
Attorneys &
Governmental
Affairs
Professionals

About nexB Inc.
• nexB offers:
– Software analysis/audit services for products and for
acquisitions
– DejaCode Enterprise – a central business system for
managing software components
• 200+ software audit projects completed to-date
– Aggregated audited codebases > 3 billion lines of source code
– Aggregated value of the acquisitions transactions > $5B
• See DejaCode Enterprise at www.dejacode.com

DejaCode.org
• nexB is sponsoring DejaCode.org as a community site
to share techniques and tools for automating
compliance with OSS obligations
• Documentation of existing techniques and tools from
Android, Apache Maven (Java), CPAN (Perl) and others
• Home for new projects like nexB’s ABOUT system
• Visit us at:
www.dejacode.org

Contacts
• Greenberg Traurig
Heather Meeker
MeekerH@gtlaw.com
+1 650 289 7825
Subscribe to news and events alert at http://eepurl.com/wQIp9
• nexB Inc.
Michael Herzog
mjherzog@nexB.com
+1 650 380 0680

Managing Open Source Software Supply Chains

More Related Content

What's hot

Viewers also liked

Similar to Managing Open Source Software Supply Chains

Recently uploaded

Managing Open Source Software Supply Chains

Editor's Notes