Open Source Compliance at Orange, OW2online, June 2020

•

0 likes•166 views

Presentation by Nicolas Toussaint, Software Architect, Orange. Abstract: Orange and Orange Business Services have turned to full open source solutions to tackle the complex problem of respecting the open source legal compliance constraints. This talk presents the journey undertaken the past few years to build and improve the existing tooling and processes to make compliance validation possible, as well as allow overseeing progresses.

Technology

2020 OW2 CONF
OPEN SOURCE COMPLIANCE
TOOLS & PROCESSES: HOW WE DO IT AT ORANGE
Date: June 17h 2020
Author: Nicolas Toussaint

WHY SHARING
Isn't it that we get better together ?

HOW WE DO IT:
I. PROCESSES
II. TOOLING
III. CONCLUSION

I. COMPLIANCE PROCESSES
ACCROSS THE GROUP, VERY DIFFERENT
ACTIVITIES:
Internal projects, and B2C services
=> open source publications
Software development, B2B services
=> software distributions
Cloud hosting services
=> Run [modified] open source software as SAAS
Integration services
=> Deploy [modified] open source softwares on customers' premises
And always: contributions to existing open sources projects of all sizes

I. COMPLIANCE PROCESSES
3 SITUATIONS
Publications:
material is released under an open source licence
Large contributions to existing projects
Distributions:
material is distributed to customers
(and customers may distribute to their customers)
Patches: small contributions to existing projects

I. COMPLIANCE PROCESSES
THE ORGANISATION
Open source usage validation relies on:
open source referents accross the group
a small team of lawyer and IP specialised in open source
an audit team to conduct scans for the projects

I. COMPLIANCE PROCESSES
THE PROCESS
1. The projects make a request
2. Request is assigned to an OSS Referent
3. Project is prepared in terms of "use cases"
Front-end, back-end, embedded, mobile, standalone software
4. Source code is scanned and a factual report is produced
5. Report is analysed with, at least, a lawyer, Project members and the referent
6. A validation is given (or not), together with a set of recommendations to apply
7. The referent assists and verifies that the recommendatrions are applied, and also
validates the ticket.
8. The project can publish, or distribute !

II. COMPLIANCE TOOLING
WHAT WE NEED
For each analysed projects, we want to know:
the open source components: integrated + dependencies
For each component, we want to know:
its name, version, licence, copyright, reference URL
has the component been modified ?
For complex projects: the architecture, third parties, contracts, etc.
For publication: CLA and DCO

II. COMPLIANCE TOOLING
SOURCE CODE ANALYSIS, NO DEPENDENCY
Here Fossology is perfect:
We manage multiple Docker based central instances
Automatic build mixing home-grown feature with community version
Automated deployement

II. COMPLIANCE TOOLING
DEPENDENCY ANALYSIS
Here, multiple tools are used
Including Opensource Review Toolkit
but nothing is automated... yet

II. COMPLIANCE TOOLING
INTEGRATION
GitLab-CI and Jenkins can trigger Fossology scans
KPIS
A new dashboarding solution is crafted to measure Fossology usage
Soon to be published and shared !

III. CONCLUSION
ALL IN ALL: IT WORKS !
BUT LET'S IMPROVE ...

III. CONCLUSION
We have:
a strong process, dedicated referents
integrated, and improving tooling
dedicated lawyers and IP specialist
a team specialised in Fossology scanning

III. CONCLUSION
We need:
More control : better dependency and container analysis
More tooling integration and automation
Better KPIs => Looking forward to use Bitergia's dashboards !
We also need more cooperation:
Open Source Compliance Tooling Group => to imagine and build tomorrow's tooling !
OW2 Good Governance Iniative, to share and improve governance practices

RESOURCES
Some of the resources on which our compliance relies (or will rely)
Open Source Compliance Tooling Group:
Fossology:
Opensource Review Toolkit:
Bitergia dashboards:
https://oss-compliance-tooling.org/
https://www.fossology.org/
https://oss-review-toolkit.org/
https://bitergia.com/bitergia-analytics/

The Eclipse SW360 project provides a server application for the management of used software components in an organization. The catalogue can then be used to create Software Bill-of-Materials (SBOM) for products and projects. SBOM management is essential for a number of important aspects when delivering products: for understanding if vulnerabilities are relevant, for reviewing the licensing situation, for covering trade compliance and last but not least for the generation of compliance documentation. SW360 itself focusses only on SBOM management and the support of the approval processes, it does not scan for licenses nor for dependencies. For these tasks, integration with other OSS tools, for example, FOSSology for license scanning is provided. To automate the SBOM management, SW360 provides a REST API which allows CI infrastructure to call SW360 directly for checks, downloads or uploads. SW360 is a project hosted by the Eclipse Foundation licensed under the EPL-2.0; thus it is available for everyone as Open Source software.

OpenChain Automation Case Study - September to December 2021

Shane Coughlan

Convergence of Communities

All Things Open

The internet of things in now , see how golang is a part of this evolution

Yoni Davidson

Welcome to the FOSS4G Community

Jody Garnett

Welcome to the Free and Open Source Software for Geospatial community. Freedom is one of the tools we use to take on the world. This presentation breaks down the principles on which our community built. This welcome presentation is a quick orientation on open source, open data, open standards and open development. Please attend this talk if you are new to the FOSS4G community, or would like some background on how all the fun toys you see on display fit together to form a larger picture. A larger picture we like to call the future.

Bridging Between Development and Operations

anorqiu

Un des principes les plus répandus dans l'ingénierie est celui de "ne pas réinventer la roue" ; il est d'autant plus important et courant dans le domaine de l'informatique. Aujourd'hui, de plus en plus de projets se trouvent avec des dépendances Open Source, mais avec la facilité d'utiliser une librairie maintenue par toute une communauté vient aussi la responsabilité de s'assurer que cette librairie ne contient pas de failles de sécurité connues, et qu'elle est compatible avec le reste du projet en termes de licences. Ainsi, cela nous mène à devoir faire une analyse SCA (Software Composition Analysis), qui consiste principalement en deux parties : la production d'une SBOM (Software Bill Of Materials) afin de détailler l'arbre des dépendances et les informations de licences de chaque logiciel utilisé dans le projet, et aussi la production d'un rapport de vulnérabilités de ces dépendances, afin d'avertir les utilisateurs en ce qui concerne les CVEs publiés pour un logiciel donné. Chez AdaCore, nous avons décidé de faire cela avec deux projets Open Source : ScanCode Toolkit et VulnerableCode. Après avoir examiné les leaders du marché, en recherchant une solution "plug-and-play" qui nécessiterait peu de maintenance, nous avons trouvé que les équivalents Open Source sont, dans notre cas, plus adaptés et plus flexibles. Dans cette présentation, je partagerai les résultats de cette analyse, et j'expliquerai comment nous mettons en œuvre ces solutions en pratique.

Open Source Insight: NVD's New Look, Struts Vuln Ransomware & Google Open So...

Black Duck by Synopsys

NIST redesigned the National Vulnerability Database with a much-needed, modernized look-and-feel — including a scrolling list of the latest scored vulnerabilities and a “visualization” section designed to provide different ways to look at the data. First impression? While some kinks still need to be worked out (the site loads very slowly), it’s going to be much easier to find vulnerability and mitigation information in the NVD than in the past.

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

Ashley Wolf

Presentation from Open Source Leadership Summit 2019. This talk will highlight some best practices that your Open Source Program Office (OSPO) can use to manage security vulnerabilities for open source projects using GitHub’s security alerts at scale. We’ll discuss the mechanics and governance around the process we’ve set up at Verizon Media to notify internal employees about CVEs on their projects.

apidays LIVE Paris 2021 - Building an Accessible API Spec with Traditional En...

apidays

OpenChain: Japan WG # 9 – Update Time!

Shane Coughlan

Beyond GeoServer Basics

Jody Garnett

You've got GeoServer running and you've loaded some data that users can consume. Now what? For many users, GeoServer is only used to serve rendered map images, but in this workshop, attendees will learn about some of the features that GeoServer that are often overlooked. The specific topics that will be covered include: - updating data on the server using WFS-T - Web Processing Service for server-side geospatial analysis - rendering transforms to dynamically transform your data into heatmaps - filtering data based on user input - using SQL Views with GeoServer - working with time-enabled data Each of these skills can be applied to making beautiful and dynamic web applications powered by GeoServer. This workshop will assume that you are familiar with basic GeoServer concepts and interaction, such as how to load and publish a shapefile.

INTERFACE, by apidays - Spatially enabling Web APIs through OGC Standards b...

apidays

Europace's journey to InnerSource

Enrico Hartung

Europace is a network-centric organization within a network of organizations (Hypoport). It uses the self-organization framework Holacracy as its operating system---loosely coupled, autonomous teams are working together for a common purpose. But with autonomy also comes a trend towards self-sufficiency. In the years after starting with self-organization we experienced a lot of “reinventing the wheel” instead of company-wide collaboration. In order to find a way out of this dilemma we looked at the open source world, especially on how collaboration works in such a distributed world. What we found was The Apache Way. Next, a group of people interested and experienced in Open Source founded a community of practise at Europace. Together, we run experiments for applying the patterns of The Apache Way at our teams. As a result of those experiments these patterns can nowadays be found everywhere at Europace, especially when it comes to collaboration between teams. But we did not stop there, we kept on running experiments in order to improve the InnerSource experience at Europace. In this talk you will learn which experiments we run, how we did it and what we discovered on our journey so far.

Nuxeo Live Connect & Connector to Salesforce

Nuxeo

Modern Post-Exploitation Strategies - 44CON 2012

44CON

Contributing to Apache Projects and Making Profits

Henry Saputra

E bpf and profilers

LibbySchulze

Git tech

Taj Nehme

SFScon 21 - Marina Latini - openSUSE Leap 15.3 and how community and enterpri...

South Tyrol Free Software Conference

An highlight of the important changes made in the openSUSE Leap development The presentation will introduce the attendee to what is openSUSE Leap and what has been changed in its development workflow for reducing the previous contribution barrier between openSUSE Leap and its Enterprise counterpart. The most visible news is a full binary compatibility between openSUSE Leap and SUSE Linux Enterprise. This presentation will also show the benefits of this shared journey and how the openSUSE community benefits from it.

Presentazione resin.io

Gianluca Leo

Security: The Value of SBOMs

Weaveworks

Watch this talk on YouTube: https://youtu.be/-3K74I7t7CQ Securing the Software Supply Chain has become a focus of cybersecurity efforts the world over. One aspect of this is with the generation and verification of a Software Bill of Materials (SBOM). But what is an SBOM and how would you go about setting this up for your cloud native container/applications/pipeline? The Flux team recently published a blog on this very topic and how they’ve gone about implementing these measures. During this session, Dan Luhring, OSS Engineering Manager at Anchore, will dive into SBOMs - what they are, why you need them, some common use cases and how to get your pipeline ready for SBOM generation and verification using the Flux SBOM as an example. Resources Anchore: A comprehensive, continuous security and compliance platform to protect your cloud-native applications. Anchore’s OSS tools featured during this session: - Syft: A CLI tool for generating a Software Bill of Materials (SBOM) from container images and file systems - Grype: An easy-to-integrate open source vulnerability scanning tool for container images and file systems. Speaker Bios: Dan Luhring heads up OSS at Anchore, where he leads the software engineering team that develops Syft and Grype. Dan is drawn deeply into the cloud native security space, where he focuses on container workflows and developer experience. Dan believes in making software more secure by making life better for software engineers and security practitioners. Dan is a maintainer of Sigstore’s Cosign project, and he loves partnering with other people to find solutions to daunting challenges. Priyanka (aka “Pinky”) is a Developer Experience Engineer at Weaveworks. She has worked on a multitude of topics including front end development, UI automation for testing and API development. Previously she was a software developer at State Farm where she was on the delivery engineering team working on GitOps enablement. She was instrumental in the multi-tenancy migration to utilize Flux for an internal Kubernetes offering. Outside of work, Priyanka enjoys hanging out with her husband and two rescue dogs as well as traveling around the globe.

Foundation Comparison

Jody Garnett

We have two great organizations supporting our Free and Open Source Software for Geospatial: The Open Source Geospatial Foundation and LocationTech. Putting on events like FOSS4G is primary responsibility of these software foundations - supporting our great open source software is! This talk will introduce OSGeo and LocationTech, and balance the tricky topic of comparison for those interested in what each organisation offers. We will also look at areas where these organizations are collaboration and explore possibilities for future work. Each of these software foundations support for their existing projects, ranging from "release parties" such as OSGeo Live or the Eclipse Annual Release. We are also interested in the “incubation” process each provides to onboard new projects. Review of the incubation provides an insight into an organization's priorities. This talks draws the incubation experience of: * GeoServer (OSGeo), GeoTools (OSGeo), * GeoGig (LocationTech), uDig (LocationTech) If you are an open source developer interested in joining a foundation we will cover some of the resource, marking and infrastructure benefits that may be a factor for consideration. We will also looking into some of the long term benefits a software foundation provides both you and importantly users of your software. If you are a team members faced with the difficult choice of selecting open source technologies this talk can help. We can learn a lot about the risks associated with open source based on how each foundation seeks to protect you. The factors a software foundation considers for its projects provide useful criteria you can use to evaluate any projects.

.NET Fest 2018. Оля Гавриш. Что нового в .NET Core 3.0

NETFest

Все большую и большую полулярность в мире .NET приобретает .Net Core - кросс-платформенная опен-сорс альтернатива .NET Framework, которая содержит основные библиотеки .NET Framework и при этом обладает существенными преимуществами, такими как улучшенной производительностью, возможностью деплоймента .Net Core вместе с приложением и многими другими. В конце 2018 года выйдет новая превью версия .NET Core 3.0, где, наряду с прочими усовершенствованиями, будет добавлена возможность создавать Windows десктоп приложения с помощью WinForms и WPF. В этом доколаде Вы услышите о новинках .NET Core 3, узнаете как выбрать между .NET Framework and .NET Core для ваших приложений, и как портировать существующие приложения на .NET Core.

Open Source and Standards Communities Coming Together to Solve Real World Pro...

All Things Open

CNCF Introduction - Feb 2018

Krishna-Kumar

A $5 Billion Value (Linux Foundation, 2015)

Simone Aliprandi

What's hot

Whether you should migrate to git

Amit Anand

Analyse de la composition logicielle à l’aide d’outils open source

Open Source Experience

Open Source Insight: NVD's New Look, Struts Vuln Ransomware & Google Open So...

Black Duck by Synopsys

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

Ashley Wolf

apidays LIVE Paris 2021 - Building an Accessible API Spec with Traditional En...

apidays

OpenChain: Japan WG # 9 – Update Time!

Shane Coughlan

Beyond GeoServer Basics

Jody Garnett

INTERFACE, by apidays - Spatially enabling Web APIs through OGC Standards b...

apidays

Europace's journey to InnerSource

Enrico Hartung

Nuxeo Live Connect & Connector to Salesforce

Nuxeo

Modern Post-Exploitation Strategies - 44CON 2012

44CON

Contributing to Apache Projects and Making Profits

Henry Saputra

E bpf and profilers

LibbySchulze

Git tech

Taj Nehme

SFScon 21 - Marina Latini - openSUSE Leap 15.3 and how community and enterpri...

South Tyrol Free Software Conference

Presentazione resin.io

Gianluca Leo

Security: The Value of SBOMs

Weaveworks

Foundation Comparison

Jody Garnett

.NET Fest 2018. Оля Гавриш. Что нового в .NET Core 3.0

NETFest

Open Source and Standards Communities Coming Together to Solve Real World Pro...

All Things Open

What's hot (20)

Whether you should migrate to git

Analyse de la composition logicielle à l’aide d’outils open source

Open Source Insight: NVD's New Look, Struts Vuln Ransomware & Google Open So...

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

apidays LIVE Paris 2021 - Building an Accessible API Spec with Traditional En...

OpenChain: Japan WG # 9 – Update Time!

Beyond GeoServer Basics

INTERFACE, by apidays - Spatially enabling Web APIs through OGC Standards b...

Europace's journey to InnerSource

Nuxeo Live Connect & Connector to Salesforce

Modern Post-Exploitation Strategies - 44CON 2012

Contributing to Apache Projects and Making Profits

E bpf and profilers

Git tech

SFScon 21 - Marina Latini - openSUSE Leap 15.3 and how community and enterpri...

Presentazione resin.io

Security: The Value of SBOMs

Foundation Comparison

.NET Fest 2018. Оля Гавриш. Что нового в .NET Core 3.0

Open Source and Standards Communities Coming Together to Solve Real World Pro...

Similar to Open Source Compliance at Orange, OW2online, June 2020

CNCF Introduction - Feb 2018

Krishna-Kumar

A $5 Billion Value (Linux Foundation, 2015)

Simone Aliprandi

Open Source & What It Means For Self-Sovereign Identity (SSI)

Evernym

Open source and open standards have been two pillars of self-sovereign identity since the beginning. Only by breaking down barriers to both development and production can we ensure that SSI works for everyone, everywhere. Openness is also at the core of how Evernym operates, and our motivation for launching Sovrin, subsequently donating Hyperledger Indy to the world, and more recently, open-sourcing our own products. In this webinar, we covered: - The importance of open source software, and why it's needed for self-sovereign identity - The open source tools available today, from Hyperledger Indy and Aries to Evernym's Verity - What Evernym's open-sourcing of Verity means for developers - Getting started with either open source or our free Sandbox plan

Syncitall

Aakash Praliya

Choisir le bon business model et la bonne licence pour la survie de son proje...

Open Source Experience

RTP Bluemix Meetup April 20th 2016

Tom Boucher

How to Contribute to Cloud Native Computing Foundation

CodeOps Technologies LLP

How to contribute to cloud native computing foundation (CNCF)

Krishna-Kumar

Smart Device Link Integration into Linux systems by Jeremiah Foster

Luxoft

Choreo: Empowering the Future of Enterprise Software Engineering

WSO2

Key topics covered: - Real-world examples of Choreo's comprehensive coverage from application design and deployment, security, scaling, and monitoring - Running different types of workloads, such as web applications, APIs, microservices, integrations, and tasks at scale, and wire them together to deliver seamless omnichannel digital experiences - How Choreo improves the developer experience by eliminating repetition, silos, and redundancy through enhanced discoverability and self-serviceability

[Webinar] Automating Developer Workspace Construction for the Nuxeo Platform ...

Nuxeo

See how Codenvy's Factories allow Nuxeo Platform developers to manage their entire development cycle in the cloud without installing anything. This How-To webinar will walk you through the steps used to build the Codenvy factory for the Nuxeo Platform. Attendees will learn: - How a project is edited and run in the Codenvy Cloud - How to use a running project as the base for a one-click factory - What Docker is, and how Dockerfiles simplify setup of the developer environment - How to automate developer workspace construction - How to publish a single URL that gives instant access to project contributors

Introduction to Bluemix and Watson

Jake Peyser

How open source is driving DevOps innovation: CloudOpen NA 2015

Gordon Haff

It’s no coincidence that all the interest around DevOps today comes at a time when open source technologies and processes are so dominant in cloud computing, data storage and analysis, and--increasingly--in networking. Innovations in Linux and other projects, including containers, configuration management, and continuous integration, are what make DevOps workflows and portable application deployments possible. But it’s also the result of open source culture, practices, and the tools supporting those practices that have made iterative development and collaboration such a powerful model for creating great software in communities. And now, they’re also providing a template for how to develop and operate applications internally within enterprises. In this session, we will discuss how open source tools and practices can be applied to create effective DevOps workflows and practices.

Complex Made Simple @ Bird&Birds OpenChain Seminar

Shane Coughlan

Open by Design

Nimesh Bhatia

Starting an Open Source Program Office (OSPO)

Chris Aniszczyk

The path to an hybrid open source paradigm

Jonathan Challener

Open Source project failure often stems from not setting clear objectives or having a shared vision from the start. That said there are many success stories, including two well known Statistical examples: Demetra; and Eurostat SDMX tools (SDMX-RI). However, in all these examples there was at first a founding organisation/entity that created the right environment for its successful path into a new paradigm. In the context of my presentation this being the Statistical Information System Collaboration Community (SIS-CC / http://siscc.oecd.org). Presented at the International Marketing and Output DataBase Conference, Gozd Martuljek, September 18 - 22, 2016.

OpenWhisk - Serverless Architecture

Dev_Events

Serverless architectures are one of the hottest trends in cloud computing this year, and for good reason. There are several technical capabilities and business factors coming together to make this approach compelling from both an application development and deployment cost perspective. The new OpenWhisk project provides an open source platform to enable these cloud-native, event-driven applications. This talk will lay out the technical and business drivers behind the rise of serverless architectures, provide an introduction to the OpenWhisk open source project (and describe how it differs from other services like AWS Lambda), and give a demonstration showing how to start developing with this new cloud computing model using the OpenWhisk implementation available on IBM Bluemix. Lightning talk and lab presented by IBM Cloud Software Engineer, Andrew Bodine.

Best dev ops tools to master in 2022

SameerShaik43

Scaling Git for Enterprise DevOps

Eng Teong Cheah

Similar to Open Source Compliance at Orange, OW2online, June 2020 (20)

CNCF Introduction - Feb 2018

A $5 Billion Value (Linux Foundation, 2015)

Open Source & What It Means For Self-Sovereign Identity (SSI)

Syncitall

Choisir le bon business model et la bonne licence pour la survie de son proje...

RTP Bluemix Meetup April 20th 2016

How to Contribute to Cloud Native Computing Foundation

How to contribute to cloud native computing foundation (CNCF)

Smart Device Link Integration into Linux systems by Jeremiah Foster

Choreo: Empowering the Future of Enterprise Software Engineering

[Webinar] Automating Developer Workspace Construction for the Nuxeo Platform ...

Introduction to Bluemix and Watson

How open source is driving DevOps innovation: CloudOpen NA 2015

Complex Made Simple @ Bird&Birds OpenChain Seminar

Open by Design

Starting an Open Source Program Office (OSPO)

The path to an hybrid open source paradigm

OpenWhisk - Serverless Architecture

Best dev ops tools to master in 2022

Scaling Git for Enterprise DevOps

More from OW2

OW2 and RIOS teaming up to boost the open source impact, Nov. 2022 in Roma

Open Source Compliance at Orange, OW2online, June 2020

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Open Source Compliance at Orange, OW2online, June 2020

Similar to Open Source Compliance at Orange, OW2online, June 2020 (20)

More from OW2

More from OW2 (20)

Recently uploaded

Recently uploaded (20)

Open Source Compliance at Orange, OW2online, June 2020