Managing Open Source Software Supply Chains
Agenda
• Introduction
• Identify the ten most common open source license obligations
• Explain what you need to do to comply with these obligations
• Discuss the key compliance challenges today
• Discuss open source software supply chain trends
• Preview a new tool for basic compliance automation
• Questions
Ten Most Common OSS License Obligations
• Copyright notices
• License notices
• Attribution requirements
• “Copyleft” obligations (licensing of derivative works)
• Source code licensing
• Source code delivery
• Build and installation instruction delivery (GPL)
• Notice of changes
• Indemnities
• Non-use of trademarks
How to Comply – Notices
• Copyright, license, modification, and attribution notice
requirements
• Delivery of source code may be the easiest way to
comply, because the notices are already “baked in” to the
distribution package
• Binary delivery requires creation of notice files
• Notices must be in the product delivery, for most
licenses
• Online delivery (e.g. a notices page on a website) is usually not sufficient
• Relying on third-party notices is usually not sufficient
How to Comply – Source Code
• For GPL, LGPL, and other copyleft licenses
• Source materials must be made available (for example via a
written offer), but not necessarily delivered with the product
• Not necessary to post source materials on the web, but
this is a good practice
How to Comply - Licenses
• Need to carve copyleft-licensed components out of the
product EULA
• GPL, LGPL and other strong copyleft licenses cannot be
replaced by other terms
• “Weak copyleft” licenses like EPL, MPL allow bifurcated
licensing of source and binaries
Key Compliance Challenges
• Tracking open source use
• Notice creation
• Notice delivery
• Build and installation instruction delivery
• Ensuring the source code is right for the build
AND
• Getting OSS data from suppliers and to customers
FANTEC Litigation
• Plaintiff: Harald Welte of gpl-violations.org
• Open Source Software: iptables, a packet filtering utility licensed under the GPL (v2)
• Defendant: FANTEC; Product: FANTEC 3DFHDL Media Player
• Compliance Efforts: FANTEC made available for download the version of the source
code that it had received from its contract manufacturer. It was not the right
source code for the binaries it shipped.
• Court holding (Regional Court of Hamburg, 2013): a distributor of software may not
rely on assurances made by the supplier of the software that the software does not
infringe the rights of any third party; the distributor remains responsible for
verifying compliance itself
• History: FANTEC had previously settled a GPL dispute with Welte in 2010 by a
settlement that specified penalties if FANTEC committed any future GPL
violation. At a 2012 "Hacking for Compliance" workshop hosted by the Free
Software Foundation Europe (FSFE), compliance engineers discovered that the firmware
object code shipping with the 3DFHDL included iptables and that the source
code provided by FANTEC did not.
OSS Supply Chain Trends
• More customers are requiring suppliers to share the
OSS compliance burden and provide compliance
artifacts for their products
– Software BOM
– Attribution Text
– Source Code Redistribution Packages as needed
• New challenge is what to do with the OSS information
from suppliers
– Where to put the data for future reference and use
– How to validate/audit the data with minimal rework
– How to deal with errors in the supplier-provided data
OSS Supply Chain Context
[Diagram: Supplier software packages (OSS packages, ISV packages, embedded OSS) feed a Component Catalog; each Software Package delivered to the Customer carries a Software BOM, OSS Attribution Text and OSS Source Code.]
OSS Supply Chain Solutions
• SPDX - Software Package Data Exchange®
• A standard format for communicating the components,
licenses and copyrights associated with a software
package
• Intended to support automated exchange of Software
Package Data
• Working Group of the Linux Foundation at
www.spdx.org
• Organized in Business, Legal and Technical teams
• Open to participation by anyone
SPDX Today - v1.1
• Supports exchange of component and license data in RDF/XML or Tag/Value format
• Designed for automation of data exchange -- not a tool for provenance analysis
• v2.0 will address complex Software BOMs
• Sections of an SPDX 1.1 document: Document Information, Creation Information, Package Information, File Information, Licensing Information, Review Information
OSS Supply Chain Data
• SPDX provides a “container” for exchange of
component and license data, but you still need to
create and manage the data for your products
• Possible data sources include:
– Open source projects
– Suppliers
– Internal analysis / audit
– Third-party analysis / audit
• You need somewhere to keep and maintain/update
the component and license/origin data
OSS Supply Chain Solutions
A basic system should be:
• Adaptable to existing engineering processes
– Engineers can use and update the data during normal
software development activities
– Independent of programming languages or tools
• Able to produce data for:
– Delivery to customers as Attribution and Redistribution
packages and SPDX files
– Synchronization with enterprise systems
ABOUT-Code
• nexB created the ABOUT-Code tools to automate OSS
compliance
• Based on our ABOUT specification
• An ABOUT file documents the origin and license for each
component, usually at the library or directory level
• An ABOUT file is a text file with the file extension “.about”
• Applicable to any programming language and software
development environment
• Extensible to build system integration for advanced automation
• Tools are in Python and licensed under Apache 2.0
• Code available at https://github.com/dejacode/about-code-tool
• Specification: http://www.dejacode.org/about_spec_v0.8.0.html
ABOUT File Example
A text file in “tag / value” format
httpd-2.4.3.tar.gz.about
name: Apache HTTP Server
home_url: http://httpd.apache.org
download_url: http://apache.belnet.be/httpd/httpd-2.4.3.tar.gz
version: 2.4.3
date: 2012-08-21
license: apache-2.0
license_file: httpd-2.4.3.tar.gz/LICENSE
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE
ABOUT-Code tools
• Create ABOUT files in a codebase from a Software
BOM or Inventory file (spreadsheet)
• Create a Software BOM or Inventory file (spreadsheet)
from ABOUT files in the codebase
• Create an Attribution text file
– Text file organized by copyright/license notice and
component
– Default text or HTML format
• Create a Source Code Redistribution package list
• Currently offered as command line tools
“Virtuous” Compliance Lifecycle
[Diagram: Product Release R1 -> Baseline R1 Software Inventory/BOM -> R1 Codebase ABOUT Files (with Component License Text) -> Attribution Display/Docs and Source Code Redistribution Package -> Update ABOUT Files -> R2 Codebase ABOUT Files -> R2 Software Inventory/BOM, and the cycle repeats for each release.]
Basic Automation - Today
• Use ABOUT-Code to read ABOUT files to:
– Create a Software BOM / Inventory
– Create an Attribution text file
– Create a Source Code Redistribution package list
• Edit the output files to remove components that are not
Deployed
• Add the Attribution text file to the product
documentation and/or product GUI (Help / About)
• Assign an engineer to create the Source Code
Redistribution package with installation/build
instructions
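The ABOUT file format shown earlier and the basic automation flow above, worked through in Python as an added example. This is not the ABOUT-Code tool's own code: it parses tag/value ABOUT text, builds the BOM, attribution text and redistribution list for the deployed components only, and then adds the check the FANTEC case calls for, comparing component version banners found in the shipped firmware image against the source package the supplier handed over. The copyleft policy table, the binary banner patterns, the sample ABOUT files and the firmware bytes are all assumptions constructed for the example.

```python
"""Added example (not ABOUT-Code itself): parse ABOUT files, build a BOM,
attribution text and a redistribution list for the deployed components, then
check that the source package covers every copyleft component actually shipped."""
import re
from collections import defaultdict

# Assumed policy table: licenses whose binary distribution obliges source delivery.
COPYLEFT = {"gpl-2.0", "gpl-2.0-plus", "gpl-3.0", "lgpl-2.1", "lgpl-3.0", "agpl-3.0"}
# Assumed version banners that these components embed in their binaries.
BINARY_MARKERS = {"iptables": rb"iptables v(\d+\.\d+\.\d+)",
                  "BusyBox": rb"BusyBox v(\d+\.\d+\.\d+)"}
_FIELD = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")

# Constructed sample codebase (path -> ABOUT file text); not real project metadata.
SAMPLE_ABOUT_FILES = {
    "thirdparty/httpd-2.4.3.tar.gz.about": "name: Apache HTTP Server\nversion: 2.4.3\n"
        "license: apache-2.0\ncopyright: Copyright 2012 The Apache Software Foundation.\n",
    "thirdparty/iptables-1.4.14.tar.bz2.about": "name: iptables\nversion: 1.4.14\n"
        "license: gpl-2.0\ncopyright: Copyright (C) 2000 Netfilter Core Team\n",
    "thirdparty/busybox-1.20.2.tar.bz2.about": "name: BusyBox\nversion: 1.20.2\n"
        "license: gpl-2.0\ncopyright: Copyright (C) 1998 Erik Andersen\n",
    "thirdparty/zlib-1.2.7.tar.gz.about": "name: zlib\nversion: 1.2.7\nlicense: zlib\n"
        "copyright: Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler\n",
}
# Constructed firmware image: the banners a `strings` pass over the object code would surface.
SAMPLE_FIRMWARE = (b"\x7fELF\x01\x01\x01" + b"\x00" * 16 +
                   b"BusyBox v1.20.2 (2012-09-01 10:11:12 CEST) multi-call binary\x00"
                   b"iptables v1.4.14: no command specified\x00")


def parse_about(text):
    """Parse tag/value ABOUT text: indented lines continue the previous value,
    blank lines and '#' comments are skipped, name/version/license are required."""
    data, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:                 # continuation line
            data[key] = (data[key] + "\n" + raw.strip()).strip()
            continue
        m = _FIELD.match(raw)
        if not m:
            raise ValueError("malformed ABOUT line: %r" % raw)
        key = m.group(1).lower()
        data[key] = m.group(2).strip()
    if any(f not in data for f in ("name", "version", "license")):
        raise ValueError("ABOUT file missing name, version or license")
    return data


def load_inventory(about_files):
    """Software inventory from {path: ABOUT text}, sorted by component name."""
    return sorted((parse_about(t) for t in about_files.values()), key=lambda e: e["name"])


def build_bom(inventory, deployed):
    """BOM rows (name, version, license) for the components shipped in the product."""
    return [(e["name"], e["version"], e["license"]) for e in inventory if e["name"] in deployed]


def attribution_text(inventory, deployed):
    """Attribution notice for deployed components, grouped by license."""
    groups = defaultdict(list)
    for e in inventory:
        if e["name"] in deployed:
            groups[e["license"]].append(e)
    lines = []
    for lic in sorted(groups):
        lines.append("== License: %s ==" % lic)
        for e in groups[lic]:
            lines.append("%s %s" % (e["name"], e["version"]))
            if e.get("copyright"):
                lines.append("  " + e["copyright"])
    return "\n".join(lines)


def redistribution_list(inventory, deployed):
    """Deployed components whose license requires delivering source."""
    return [(e["name"], e["version"]) for e in inventory
            if e["name"] in deployed and e["license"] in COPYLEFT]


def scan_binary(blob):
    """Component versions whose banners appear in the firmware object code."""
    found = {}
    for name, pattern in BINARY_MARKERS.items():
        m = re.search(pattern, blob)
        if m:
            found[name] = m.group(1).decode("ascii")
    return found


def check_source_package(inventory, found_in_binary, package):
    """Findings a FANTEC-style audit would raise: a component in the shipped binary
    that the BOM does not list, or a copyleft component whose version in the
    source redistribution package is not the version actually shipped."""
    declared = {e["name"]: e["license"] for e in inventory}
    findings = []
    for name, shipped in sorted(found_in_binary.items()):
        lic = declared.get(name)
        if lic is None:
            findings.append((name, shipped, "not in BOM"))
        elif lic in COPYLEFT and package.get(name) != shipped:
            findings.append((name, shipped, "source package has %s" % package.get(name)))
    return findings


def demo():
    """Run the flow on the constructed sample data and return the artifacts."""
    inventory = load_inventory(SAMPLE_ABOUT_FILES)
    deployed = {"Apache HTTP Server", "BusyBox", "iptables"}   # zlib is build-only here
    supplier_package = {"BusyBox": "1.20.2"}   # what the contract manufacturer handed over
    return {"bom": build_bom(inventory, deployed),
            "attribution": attribution_text(inventory, deployed),
            "redistribute": redistribution_list(inventory, deployed),
            "findings": check_source_package(inventory, scan_binary(SAMPLE_FIRMWARE),
                                             supplier_package)}
```

Calling demo() produces the three artifacts of the basic flow plus one finding: iptables 1.4.14 is in the shipped image and is GPL-licensed, but the supplier's source package contains only BusyBox, which is exactly the gap the FANTEC audit found. The same check also flags a component that appears in the binary but has no ABOUT file at all, which is the "tracking open source use" challenge rather than a packaging error.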
Advanced Automation
Enhance your build system and tools to:
• Recognize ABOUT files
• Assemble ABOUT files during a build for the sub-set of
components included in an end-product (Deployed)
• Collect Attribution data for Deployed components and create
Attribution text file
• Insert Attribution text into GUI (Help / About)
• Collect source code for the components that require
Redistribution (including dependencies)
• Create an archive file of the Redistribution package
ABOUT-Code
• Download and use the code from GitHub at:
https://github.com/dejacode/about-code-tool
• Read the specification at:
http://www.dejacode.org/about_spec_v0.8.0.html
• Join the discussion at:
http://www.dejacode.org/
Questions
About Greenberg Traurig LLP
• GT is an international, multidisciplinary law firm in 35
locations in the United States, Latin America, Europe,
the Middle East and Asia.
• An international network of more than 1,750 attorneys and
governmental affairs professionals
About nexB Inc.
• nexB offers:
– Software analysis/audit services for products and for
acquisitions
– DejaCode Enterprise – a central business system for
managing software components
• 200+ software audit projects completed to-date
– Aggregated audited codebases > 3 billion lines of source code
– Aggregated value of the acquisitions transactions > $5B
• See DejaCode Enterprise at www.dejacode.com
DejaCode.org
• nexB is sponsoring DejaCode.org as a community site
to share techniques and tools for automating
compliance with OSS obligations
• Documentation of existing techniques and tools from
Android, Apache Maven (Java), CPAN (Perl) and others
• Home for new projects like nexB’s ABOUT system
• Visit us at:
www.dejacode.org
Contacts
• Greenberg Traurig
Heather Meeker
MeekerH@gtlaw.com
+1 650 289 7825
Subscribe to news and events alert at http://eepurl.com/wQIp9
• nexB Inc.
Michael Herzog
mjherzog@nexB.com
+1 650 380 0680

DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Dernier (20)

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Managing Open Source Software Supply Chains

  1. Managing Open Source Software Supply Chains

  2. Agenda
     • Introduction
     • Identify the ten most common open source license obligations
     • Explain what you need to do to comply with these obligations
     • Discuss the key compliance challenges today
     • Discuss open source software supply chain trends
     • Preview a new tool for basic compliance automation
     • Questions

  3. Ten Most Common OSS License Obligations
     • Copyright notices
     • License notices
     • Attribution requirements
     • “Copyleft” obligations (licensing of derivative works)
     • Source code licensing
     • Source code delivery
     • Build and installation instruction delivery (GPL)
     • Notice of changes
     • Indemnities
     • Non-use of trademarks

  4. How to Comply – Notices
     • Copyright, license, modification, and attribution requirements
     • Delivery of source code may be the easiest way to comply, because notices are “baked in” to the distribution package
     • Binary delivery requires creation of notice files
     • Notices must be in the product delivery, for most licenses
     • Online delivery is usually not sufficient
     • Relying on third party notices is usually not sufficient

  5. How to Comply – Source Code
     • For GPL, LGPL, and other copyleft licenses
     • Source materials must be made available, but not necessarily delivered with the product
     • Not necessary to post source materials on the web, but this is a good practice

  6. How to Comply – Licenses
     • Need to carve copyleft licensing requirements out of EULAs
     • GPL, LGPL and other licenses cannot be changed to other terms
     • “Weak copyleft” licenses like EPL, MPL allow bifurcated licensing of source and binaries

  7. Key Compliance Challenges
     • Tracking open source use
     • Notice creation
     • Notice delivery
     • Build and installation instruction delivery
     • Ensuring the source code is right for the build AND
     • Getting OSS data from suppliers and to customers

  8. FANTEC Litigation
     • Plaintiff: Harald Welte of gpl-violations.org
     • Open Source Software: iptables, a packet filtering utility licensed under GPL
     • Defendant: FANTEC. Product: FANTEC 3DFHDL Media Player
     • Compliance Efforts: FANTEC made a version of the source code available for download that it had received from its contract manufacturer. It was not the right source code for the binaries.
     • Court holding: a distributor of software may not rely on assurances made by the supplier of the software that the software does not infringe the rights of any third party
     • History: FANTEC had previously settled a GPL dispute with Welte in 2010 by a settlement that specified penalties if FANTEC committed any future GPL violation. At a 2012 "Hacking for Compliance" workshop hosted by the Free Software Foundation, compliance engineers discovered that the firmware object code shipping with the 3DFHDL included iptables and that the source code provided by FANTEC did not.

  9. OSS Supply Chain Trends
     • More customers are requiring suppliers to share the OSS compliance burden and provide compliance artifacts for their products
       – Software BOM
       – Attribution Text
       – Source Code Redistribution Packages as needed
     • The new challenge is what to do with the OSS information from suppliers
       – Where to put the data for future reference and use
       – How to validate/audit the data with minimal rework
       – How to deal with errors in the supplier-provided data

  10. OSS Supply Chain Context
      (Diagram; labels: Component Catalog, Supplier Software Package, Software BOM, OSS Attribution Text, OSS Source Code, OSS SW Packages, Customer, ISV SW Packages, Embedded OSS)

  11. OSS Supply Chain Solutions
      • SPDX - Software Package Data Exchange®
      • A standard format for communicating the components, licenses and copyrights associated with a software package
      • Intended to support automated exchange of Software Package Data
      • Working Group of the Linux Foundation at www.spdx.org
      • Organized in Business, Legal and Technical teams
      • Open to participation by anyone

  12. SPDX Today - v1.1
      • Supports exchange of component and license data in RDF/XML or Tag/Value format
      • Designed for automation of data exchange -- not a tool for provenance analysis
      • v2.0 will address complex Software BOMs
      (Diagram of the SPDX document sections: Document Information, Creation Information, Package Information, File Information, Licensing Information, Review Information)

  13. OSS Supply Chain Data
      • SPDX provides a “container” for exchange of component and license data, but you still need to create and manage the data for your products
      • Possible data sources include:
        – Open source projects
        – Suppliers
        – Internal analysis / audit
        – Third-party analysis / audit
      • You need somewhere to keep and maintain/update the component and license/origin data

  14. OSS Supply Chain Solutions
      A basic system should be:
      • Adaptable to existing engineering processes
        – Engineers can use and update the data during normal software development activities
        – Independent of programming languages or tools
      • Able to produce data for:
        – Delivery to customers as
          • Attribution and Redistribution packages
          • SPDX files
        – Synchronization with enterprise systems

  15. ABOUT-Code
      • nexB created the ABOUT-Code tools to automate OSS compliance
      • Based on our ABOUT specification
      • An ABOUT file documents the origin and license for each component, usually at the library or directory level
      • An ABOUT file is a text file with the file extension “.about”
      • Applicable to any programming language and software development environment
      • Extensible to build system integration for advanced automation
      • Tools are in Python and licensed under Apache 2.0
      • Code available at https://github.com/dejacode/about-code-tool
      • Specification: http://www.dejacode.org/about_spec_v0.8.0.html

  16. ABOUT File Example
      A text file in “tag / value” format
      httpd-2.4.3.tar.gz.about:
        name: Apache HTTP Server
        home_url: http://httpd.apache.org
        download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
        version: 2.4.3
        date: 2012-08-21
        license: apache-2.0
        license_file: httpd-2.4.3.tar.gz/LICENSE
        copyright: Copyright 2012 The Apache Software Foundation.
        notice_file: httpd-2.4.3.tar.gz/NOTICE

  17. ABOUT-Code tools
      • Create ABOUT files in a codebase from a Software BOM or Inventory file (spreadsheet)
      • Create a Software BOM or Inventory file (spreadsheet) from ABOUT files in the codebase
      • Create an Attribution text file
        – Text file organized by copyright/license notice and component
        – Default text or HTML format
      • Create a Source Code Redistribution package list
      • Currently offered as command line tools

  18. “Virtuous” Compliance Lifecycle
      (Cycle diagram; labels: Product Release (R1), Baseline R1 Software Inventory/BOM, R1 Codebase ABOUT Files, Component License Text, R2 Software Inventory/BOM, Attribution Display / Docs, R2 Codebase ABOUT Files, Source Code Redistribution Package, Update ABOUT Files)

  19. Basic Automation - Today
      • Use ABOUT-Code to read ABOUT files to
        – Create a Software BOM / Inventory
        – Create an Attribution text file
        – Create a Source Code Redistribution package list
      • Edit output files to remove components that are not Deployed
      • Add the Attribution text file to the product documentation and/or product GUI (Help / About)
      • Assign an engineer to create the Source Code Redistribution package with installation/build instructions

  20. Advanced Automation
      Enhance your build system and tools to:
      • Recognize ABOUT files
      • Assemble ABOUT files during a build for the sub-set of components included in an end-product (Deployed)
      • Collect Attribution data for Deployed components and create an Attribution text file
      • Insert Attribution text into the GUI (Help / About)
      • Collect source code for the components that require Redistribution (including dependencies)
      • Create an archive file of the Redistribution package

  21. ABOUT-Code
      • Download and use the code from GitHub at: https://github.com/dejacode/about-code-tool
      • Read the specification at: http://www.dejacode.org/about_spec_v0.8.0.html
      • Join the discussion at: http://www.dejacode.org/

  22. Questions

  23. About Greenberg Traurig LLP
      • GT is an international, multidisciplinary law firm in 35 locations in the United States, Latin America, Europe, the Middle East and Asia.
      • An international network of more than 1,750 attorneys & governmental affairs professionals

  24. About nexB Inc.
      • nexB offers:
        – Software analysis/audit services for products and for acquisitions
        – DejaCode Enterprise – a central business system for managing software components
      • 200+ software audit projects completed to date
        – Aggregated audited codebases > 3 billion lines of source code
        – Aggregated value of the acquisition transactions > $5B
      • See DejaCode Enterprise at www.dejacode.com

  25. DejaCode.org
      • nexB is sponsoring DejaCode.org as a community site to share techniques and tools for automating compliance with OSS obligations
      • Documentation of existing techniques and tools from Android, Apache Maven (Java), CPAN (Perl) and others
      • Home for new projects like nexB’s ABOUT system
      • Visit us at: www.dejacode.org

  26. Contacts
      • Greenberg Traurig: Heather Meeker, MeekerH@gtlaw.com, +1 650 289 7825. Subscribe to news and events alerts at http://eepurl.com/wQIp9
      • nexB Inc.: Michael Herzog, mjherzog@nexB.com, +1 650 380 0680

Editor's notes

  1. OSS compliance is always in some supply chain context, because most obligations are triggered by distribution of the software.
  2. Think about the subset of Deployed components from the beginning. Precision may be difficult, but accuracy at the library level is the most critical information. There are commercial tools (plugins) for major software development systems (Maven, Atlassian, etc.), but these do not usually automate compliance.
  3. Engineers cannot / will not track OSS using spreadsheets. Enterprise approval/tracking systems are far from the actual code.
  4. Format based on plain text and simple conventions: name/value pairs separated by a semi-colon. Easy for humans to read and write, and easy to process with a script. Syntax based on RFC 5322 (email header fields). Well-defined and extensible so that it can be used for basic or advanced (build system) approaches to compliance automation. An ABOUT file is stored in the same directory as the software component it documents; there is no need to change the code you document.
  5. Supports integration with the DejaCode License Library. Will support creation of SPDX files.
  6. Depends on policies and standards, such as the format for Attribution text and where you provide/display it. Iterative process to refine the compliance deliverables. The basic approach may be good enough for many products.
  7. The advanced approach is best suited for software groups with an integrated build and continuous integration approach. Existing tools may provide part of a solution already; this is highly dependent on language/platform and tooling. A key benefit can be automatically applying policies to prevent Deployment of components based on license.
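The ABOUT file format shown on slide 16 and described in note 4 (RFC 5322 header fields, one .about file stored beside the component) is what makes the basic automation on slides 17 and 19 possible. The following is an added example, not code from the ABOUT-Code tool or from nexB: it parses .about files with Python's RFC 5322 header parser, checks that each referenced license/notice file actually exists in the codebase, and produces the Software BOM, attribution text and source redistribution list; the COPYLEFT license keys, the constructed sample-lib record and all function names are assumptions made for this example.

```python
"""Added example, not the ABOUT-Code tool's or nexB's code: find .about files in a
codebase, validate each record, and emit a Software BOM, attribution text and a source
redistribution list. COPYLEFT and the sample components below are assumptions."""
import email
import tempfile
from pathlib import Path

COPYLEFT = {"gpl-2.0", "gpl-3.0", "lgpl-2.1", "lgpl-3.0"}  # assumed source-delivery keys


def parse_about(path):
    """Parse one .about file (RFC 5322 header syntax, note 4); unfold and lower-case."""
    msg = email.message_from_string(Path(path).read_text(encoding="utf-8"))
    data = {k.lower(): " ".join(v.split()) for k, v in msg.items()}
    data["about_dir"] = str(Path(path).parent)  # relative file references resolve here
    return data


def check_component(about):
    """Return the problems found in one record (an empty list means clean)."""
    problems = [f"missing field '{k}'" for k in ("name", "version", "license") if k not in about]
    for key in ("license_file", "notice_file"):
        ref = about.get(key)
        if ref and not Path(about["about_dir"], ref).is_file():
            problems.append(f"{key} points to a missing file: {ref}")
    return problems


def build_inventory(root):
    """Software BOM: one validated record per *.about file found under root."""
    inventory = []
    for path in sorted(Path(root).rglob("*.about")):
        about = parse_about(str(path))
        about["problems"] = check_component(about)
        inventory.append(about)
    return inventory


def attribution_text(inventory):
    """Attribution text: name, version, copyright, license and NOTICE per component."""
    blocks = []
    for about in inventory:
        lines = [f"{about.get('name', '?')} {about.get('version', '')}".strip(),
                 about.get("copyright", ""), f"License: {about.get('license', '')}"]
        notice = about.get("notice_file")
        if notice and Path(about["about_dir"], notice).is_file():
            lines.append(Path(about["about_dir"], notice).read_text(encoding="utf-8").strip())
        blocks.append("\n".join(line for line in lines if line))
    return "\n\n".join(blocks) + "\n"


def redistribution_list(inventory):
    """Components whose license key is in COPYLEFT and so need a source package."""
    return sorted(a["name"] for a in inventory if a.get("license") in COPYLEFT)


def make_sample_codebase():
    """Constructed sample: the slide-16 httpd record plus a deliberately flawed one."""
    root = tempfile.mkdtemp()
    pkg = Path(root, "httpd-2.4.3.tar.gz")
    pkg.mkdir()
    pkg.joinpath("LICENSE").write_text("Apache License, Version 2.0 (constructed stand-in)\n")
    pkg.joinpath("NOTICE").write_text("Constructed NOTICE text for httpd.\n")
    Path(root, "httpd-2.4.3.tar.gz.about").write_text(
        "name: Apache HTTP Server\nversion: 2.4.3\nlicense: apache-2.0\n"
        "license_file: httpd-2.4.3.tar.gz/LICENSE\n"
        "copyright: Copyright 2012 The Apache Software Foundation.\n"
        "notice_file: httpd-2.4.3.tar.gz/NOTICE\n")
    Path(root, "sample-lib.about").write_text(  # GPL record with a broken file link
        "name: sample-lib\nversion: 1.0\nlicense: gpl-2.0\nlicense_file: sample-lib/COPYING\n")
    return root
```

Running build_inventory(make_sample_codebase()) lists both components, flags the missing COPYING file on sample-lib, and redistribution_list() names only sample-lib, which is the list an engineer would use to assemble the source redistribution package on slide 19.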