Presentation by Nicolas Toussaint, Software Architect, Orange. Abstract: Orange and Orange Business Services have turned to full open source solutions to tackle the complex problem of respecting the open source legal compliance constraints. This talk presents the journey undertaken the past few years to build and improve the existing tooling and processes to make compliance validation possible, as well as allow overseeing progresses.

1. 2020 OW2 CONF
OPEN SOURCE COMPLIANCE
TOOLS & PROCESSES: HOW WE DO IT AT ORANGE
Date: June 17h 2020
Author: Nicolas Toussaint

2. WHY SHARING
Isn't it that we get better together ?

3. HOW WE DO IT:
I. PROCESSES
II. TOOLING
III. CONCLUSION

4. I. COMPLIANCE
PROCESSES

5. I. COMPLIANCE PROCESSES
ACCROSS THE GROUP, VERY DIFFERENT
ACTIVITIES:
Internal projects, and B2C services
=> open source publications
Software development, B2B services
=> software distributions
Cloud hosting services
=> Run [modified] open source software as SAAS
Integration services
=> Deploy [modified] open source softwares on customers' premises
And always: contributions to existing open sources projects of all sizes

7. I. COMPLIANCE PROCESSES
3 SITUATIONS
Publications:
material is released under an open source licence
Large contributions to existing projects
Distributions:
material is distributed to customers
(and customers may distribute to their customers)
Patches: small contributions to existing projects

8. I. COMPLIANCE PROCESSES
THE ORGANISATION
Open source usage validation relies on:
open source referents accross the group
a small team of lawyer and IP specialised in open source
an audit team to conduct scans for the projects

9. I. COMPLIANCE PROCESSES
THE PROCESS
1. The projects make a request
2. Request is assigned to an OSS Referent
3. Project is prepared in terms of "use cases"
Front-end, back-end, embedded, mobile, standalone software
4. Source code is scanned and a factual report is produced
5. Report is analysed with, at least, a lawyer, Project members and the referent
6. A validation is given (or not), together with a set of recommendations to apply
7. The referent assists and verifies that the recommendatrions are applied, and also
validates the ticket.
8. The project can publish, or distribute !

11. II. COMPLIANCE
TOOLING

12. II. COMPLIANCE TOOLING
WHAT WE NEED
For each analysed projects, we want to know:
the open source components: integrated + dependencies
For each component, we want to know:
its name, version, licence, copyright, reference URL
has the component been modified ?
For complex projects: the architecture, third parties, contracts, etc.
For publication: CLA and DCO

13. II. COMPLIANCE TOOLING
SOURCE CODE ANALYSIS, NO DEPENDENCY
Here Fossology is perfect:
We manage multiple Docker based central instances
Automatic build mixing home-grown feature with community version
Automated deployement

14. II. COMPLIANCE TOOLING
DEPENDENCY ANALYSIS
Here, multiple tools are used
Including Opensource Review Toolkit
but nothing is automated... yet

15. II. COMPLIANCE TOOLING
INTEGRATION
GitLab-CI and Jenkins can trigger Fossology scans
KPIS
A new dashboarding solution is crafted to measure Fossology usage
Soon to be published and shared !

16. III. CONCLUSION &
RESOURCES

17. III. CONCLUSION
ALL IN ALL: IT WORKS !
BUT LET'S IMPROVE ...

18. III. CONCLUSION
We have:
a strong process, dedicated referents
integrated, and improving tooling
dedicated lawyers and IP specialist
a team specialised in Fossology scanning

19. III. CONCLUSION
We need:
More control : better dependency and container analysis
More tooling integration and automation
Better KPIs => Looking forward to use Bitergia's dashboards !
We also need more cooperation:
Open Source Compliance Tooling Group => to imagine and build tomorrow's tooling !
OW2 Good Governance Iniative, to share and improve governance practices

20. RESOURCES
Some of the resources on which our compliance relies (or will rely)
Open Source Compliance Tooling Group:
Fossology:
Opensource Review Toolkit:
Bitergia dashboards:
https://oss-compliance-tooling.org/
https://www.fossology.org/
https://oss-review-toolkit.org/
https://bitergia.com/bitergia-analytics/