OSHUG

— Open Source Hardware User Group

Event #65 — Yanking the Chain: Open Source Software Compliance in the Supply Chain

On 22 March 2018, 09:00 - 17:00 at BCS London, 25 Copthall Avenue, London, EC2R 7BP (map: 51.5168155, -0.090039)

Please register to attend.

With the ever increasing complexity of embedded device software stacks, coupled with the proliferation of new mechanisms for distributing complex server software stacks, open source compliance has never been more important — or indeed more of a challenge.

Fortunately, there is a growing number of tools and methods at our disposal to support open source software compliance efforts. This one-day event will feature talks and hands-on workshops covering a number of these, with insights into practical experiences and lessons learned.

Talks

Introducing OpenChain

OpenChain is a scalable, flexible compliance programme developed by the Linux Foundation. It gives businesses of all sizes a foundation for putting appropriate practices and procedures in place to control development and supply chain risks. Already adopted by companies such as Qualcomm, Siemens and Wind River (an Intel company), it is equally applicable to SMEs.

Andrew Katz is a lawyer and former programmer who advises extensively on free and open source software and other open models. He is head of the technology department at Moorcrofts LLP, a boutique technology law firm that is one of the five OpenChain pilot partners in the world, and has been involved in drafting many of the OpenChain materials.

SPDX: Describing Software and Licenses

Software Package Data Exchange (SPDX) provides a standard format for describing the components and licenses associated with software packages. The SPDX standard facilitates compliance with Free and Open Source Software licenses by standardizing the way license information is shared across the software supply chain. SPDX reduces redundant work by giving companies and communities a common format in which to share licensing data, thereby streamlining and improving compliance. The presentation will introduce the standard, describe common use scenarios, and provide details on the other deliverables of the SPDX working group, such as tools and the authoritative License List.
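To make the format concrete, the following added example (written for this page, not SPDX working group code) reads a small SPDX 2.x tag-value document, parses the declared and concluded license expression of each package using the SPDX expression grammar (OR, AND, WITH and parentheses, plus LicenseRef- identifiers for licenses defined locally in the document), and reports what a compliance review would chase: malformed expressions, identifiers that are not on the license list, packages with no concluded license, and packages whose declared and concluded licenses disagree. The sample document, its package names (libfoo, jnicompat, vendorblob), the LicenseRef-Vendor-EULA identifier and the KNOWN_* license subset are all constructed for the example; the real License List has several hundred entries, and the full format also carries per-file information, relationships and multi-line <text> values, none of which this reader handles.

```python
"""Added example (not SPDX working group code): read a minimal SPDX 2.x tag-value document,
parse its license expressions and report what a compliance review would chase. KNOWN_* are a
constructed subset of the SPDX License List (so the script runs offline); the sample is made up,
and per-file sections, relationships and multi-line <text> values of the format are left out."""
import re

KNOWN_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "GPL-2.0-or-later", "EPL-1.0", "CC0-1.0"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.1
PackageName: libfoo
PackageLicenseDeclared: MIT
PackageLicenseConcluded: (MIT AND BSD-3-Clause)
PackageName: jnicompat
PackageLicenseDeclared: GPL-2.0-only WITH Classpath-exception-2.0
PackageLicenseConcluded: NOASSERTION
PackageName: vendorblob
PackageLicenseDeclared: LicenseRef-Vendor-EULA
PackageLicenseConcluded: GPL-2.0-only
"""

def tokenize(expr):
    toks = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr)   # anything the grammar cannot use is an error
    if "".join(toks) != re.sub(r"\s+", "", expr):
        raise ValueError(f"bad characters in {expr!r}")
    return toks

class ExprParser:
    """Recursive descent over SPDX expressions: OR binds loosest, then AND, then WITH."""
    def __init__(self, toks): self.toks, self.i = toks, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, want=None):
        tok = self.peek()
        if tok is None or (want and tok != want):
            raise ValueError(f"expected {want or 'operand'}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None: raise ValueError(f"trailing tokens {self.toks[self.i:]}")
        return node
    def or_expr(self): return self.binary("OR", lambda: self.binary("AND", self.with_expr))
    def binary(self, op, operand):          # left-associative chain of one operator
        left = operand()
        while self.peek() == op:
            self.take(); left = (op, left, operand())
        return left
    def with_expr(self):                    # "<license> WITH <exception>"
        base = self.primary()
        if self.peek() == "WITH":
            self.take(); return ("WITH", base, ("EXC", self.take()))
        return base
    def primary(self):                      # bare identifier or parenthesised group
        tok = self.take()
        if tok == "(":
            node = self.or_expr(); self.take(")"); return node
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return ("LIC", tok)

def unknown_ids(node, licenserefs):
    """Identifiers covered neither by the known lists nor by the document's LicenseRef definitions."""
    kind, *rest = node
    if kind == "LIC":
        known = licenserefs if rest[0].startswith("LicenseRef-") else KNOWN_LICENSES
        return [] if rest[0].rstrip("+") in known else [rest[0]]   # trailing "+" = or-later
    if kind == "EXC": return [] if rest[0] in KNOWN_EXCEPTIONS else [rest[0]]
    return unknown_ids(rest[0], licenserefs) + unknown_ids(rest[1], licenserefs)

def parse_tag_value(text):
    """Return the package records and the set of LicenseRef ids the document defines."""
    packages, licenserefs = [], set()
    for line in text.splitlines():
        tag, _, value = (s.strip() for s in line.partition(":"))
        if tag == "PackageName":
            packages.append({"name": value})
        elif tag == "LicenseID":                    # LicenseRef-... defined in this document
            licenserefs.add(value)
        elif tag in ("PackageLicenseDeclared", "PackageLicenseConcluded") and packages:
            packages[-1][tag[len("PackageLicense"):].lower()] = value
    return packages, licenserefs

def audit(text):
    """(package, finding) pairs: malformed expressions, unknown ids, unreviewed packages, disagreements."""
    packages, licenserefs = parse_tag_value(text)
    findings = []
    for p in packages:
        for field in ("declared", "concluded"):
            expr = p.get(field, "NOASSERTION")
            if expr in ("NOASSERTION", "NONE"):
                if field == "concluded": findings.append((p["name"], f"concluded license is {expr}: review outstanding"))
                continue
            try:
                unknown = unknown_ids(ExprParser(tokenize(expr)).parse(), licenserefs)
                findings += [(p["name"], f"{field}: unknown identifier {u}") for u in unknown]
            except ValueError as e:
                findings.append((p["name"], f"{field}: {e}"))
        d, c = p.get("declared"), p.get("concluded")
        if d and c and "NOASSERTION" not in (d, c) and d != c:    # textual comparison only
            findings.append((p["name"], f"declared {d!r} differs from concluded {c!r}"))
    return findings
```

Call audit(SAMPLE_SPDX), or audit() on the text of a real .spdx file, to get the findings. For the constructed document it reports libfoo's declared/concluded disagreement, jnicompat's missing concluded license and, for vendorblob, both an undefined LicenseRef- identifier and a declared proprietary license that the concluded GPL-2.0-only contradicts, which is exactly the kind of supply-chain discrepancy an SBOM exchange is meant to surface. The declared/concluded comparison is deliberately textual; a production tool would normalise the expressions before comparing them and would load the authoritative License List rather than the subset embedded here.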

Alexios Zavras, PhD, is the Senior Open Source Compliance Engineer of Intel Corporation. He has been involved with Free and Open Source Software since 1983, and is an evangelist for all things Open. He has a PhD in Computer Science after having studied Electrical Engineering and Computer Science in Greece and the United States.

Eclipse SW360 - Open Source Management with Open Source

SW360 manages software components together with their license compliance documentation in SPDX, and allows bills of materials to be set up that provide comprehensive documentation for products and projects.

Organizations can use SW360 as a one-stop shop for sharing component information and tracking component usage in projects or products. This covers the handling of compliance information, but also, for example, matching components against vulnerability data from external data providers.

As an EPL-1.0 licensed open source project, it is highly customizable; it lets organizations keep their confidential product development data on premises and prevents them from becoming dependent on a single vendor. This presentation briefly shows its features and walks through the application to demonstrate the capabilities and use cases of SW360.

Michael C. Jaeger is one of the maintainers of FOSSology and SW360, both projects in the area of license compliance and component management with open source software. At Siemens Corporate Technology in Munich, Germany, Michael manages the Siemens contributions to SW360 and FOSSology. Michael is a certified software architect and received a German PhD degree from the faculty of electrical engineering and computer science at TU Berlin.

How License Compliance Engineering Can be Simplified

When people are confronted with license compliance for the first time it feels overwhelming, because there are many aspects to it: license scanning of hundreds of thousands of files, complete and corresponding source code, derivative works and code clone detection, and so on. Clients often say that they simply do not know where to start.

However, experience shows that license compliance does not need to be overly complicated: there are short-cuts that carry no risk yet vastly speed up compliance processes. This talk will highlight a few best practices learned from compliance work with clients and explain how information from upstream projects can be used to make license compliance processes quicker, more predictable and more standardised.

Armijn Hemel, MSc, is an expert in open source license compliance engineering. From 2005 to 2012 he helped enforce the GPL in Germany several hundred times as part of the core team of gpl-violations.org. Since then he has assisted companies in coming into compliance (including in recent troll cases in Germany) and is actively involved in advancing the field of compliance by exploring new topics and tooling.

Compliance Tooling using Build Time Analysis

The Quartermaster project aims to build industry-standard tooling that supports the open source license compliance workflow. Its open source workflow engine integrates existing scanning and reporting tools and plugs into continuous integration/development processes. It offers API endpoints against which toolmakers, communities and service providers can integrate their products, while maintaining an open source and open data model for the elemental toolchain.

The presentation will explore a number of key findings from the development of Quartermaster so far: for example, that focusing on whole source packages alone to identify and convey license information may be insufficient, and that the product build process may be the most suitable point at which to create compliance documentation. The presentation will introduce the Quartermaster project, the novel approach it takes to implementing open source compliance tooling, and how the lessons learned from the prototype influenced the Quartermaster toolchain architecture.

Mirko Boehm is a Free Software and Open Source contributor, primarily as a software developer and speaker. He is the founder of the Quartermaster project and has contributed to major Open Source projects, including the KDE Desktop since 1997, with several years on the KDE e.V. Board. He is a visiting lecturer and researcher on Free Software and Open Source at the Technical University of Berlin, a fellowship representative in the FSFE general assembly and a Qt-certified specialist and trainer.

The Open Invention Network protects the Open Source ecosystem by acquiring patents and licensing them royalty free to all participants. As director for the Linux system definition, Mirko is responsible for the technical scope that defines the field of use of the patent non-aggression agreements.

As founder and CEO of Endocode, an employee-owned, shareholder company based in Berlin, Germany providing professional IT services with a focus on Open Source technologies, Mirko specialises in consulting to and mentoring startups and medium to large businesses. His areas of expertise include complex software development endeavours, the use of Open Source products and methods in organisations, and technology related issues of business strategy and intellectual property.

Workshops

Using FOSSology - License Analysis Hands On

FOSSology is an open source license compliance software system and toolkit. As a toolkit, it lets you run license, copyright and export control scans from the command line. As a system, a database and web user interface provide the interface and functionality to analyse the licensing situation of open source software.

It is important that you install the required software in advance of this workshop!

FOSSology is a server application and needs some installation effort compared with a double-click application on the computer's desktop.

There are currently three main installation options for FOSSology:

  • use the packages for Debian 8 and Debian 9, and for Ubuntu 14.04 and Ubuntu 16.04: link.
  • use the Docker image from Docker Hub (for evaluation and testing), see instructions: link.
  • build a VirtualBox VM with Vagrant (both need to be installed), see instructions: link.

Hosted by: Michael C. Jaeger.

Note: Please aim to arrive by 08:45 as the workshop will start at 09:00 prompt.

To add your photographs to ones shown here, upload them to Flickr with the tag "oshug:event=65". You might also like to join the OSHUG Flickr Pool.