[oshug-announce] OSHUG 65 — Yanking the Chain: open source software compliance in the supply chain, Thursday 22nd March.

Andrew Back andrew at abopen.com
Wed Feb 7 20:35:27 UTC 2018


In March we have another 1-day event, which this time will be dedicated
to the topic of open source software compliance, featuring talks and
workshops on topics such as OpenChain, SW360, Quartermaster and FOSSology.

There are additional sessions in the pipeline also and further details
will be provided in due course.




OSHUG #65 — Yanking the Chain: Open Source Software Compliance in the
Supply Chain

On the 22 March 2018, 09:00 - 17:00 at BCS London, 1st Floor, The
Davidson Building, 5 Southampton Street, London, WC2E 7HA.

  Registration: http://oshug.org/event/65

With the ever increasing complexity of embedded device software stacks,
coupled with the proliferation of new mechanisms for distributing
complex server software stacks, open source compliance has never been
more important — or indeed more of a challenge.

Fortunately, there is a growing number of tools and methods at our
disposal to support open source software compliance efforts. This 1-day
event will feature talks and hands-on workshops covering a number of
these, with insights into practical experiences and lessons learned.

The preliminary programme can be found below; please note that further
details will be published in due course as additional sessions are
confirmed.


- Introducing OpenChain

OpenChain is a scalable, flexible compliance programme, developed by the
Linux Foundation. It provides a solid foundation for businesses of all
sizes to put appropriate practices and procedures in place to control
development and supply chain risks. Already adopted by companies like
Qualcomm, Toyota and ARM, it's equally applicable to SMEs.

* Andrew Katz is a lawyer and former programmer who advises extensively
on free and open source software and other opens. He is head of the
technology department at Moorcrofts LLP, a boutique technology law firm,
which is one of the 5 OpenChain pilot partners in the world, and has
been involved in drafting many of the OpenChain materials.

- Eclipse SW360 - Open Source Management with Open Source

SW360 manages software components with their license compliance
documentation in SPDX and allows for setting up bills-of-material to
provide comprehensive documentation for products and projects.

Organizations can use SW360 as a one-stop shop for sharing component
information and tracking component usage in projects or products. This
involves the handling of compliance information, but also, as an
example, matching components against vulnerability data from data
providers.

As an EPL-1.0 licensed Open Source project, it is highly customizable,
lets organizations keep their confidential product development data
on premises, and prevents them from becoming dependent on a single
vendor. This presentation briefly shows its features and walks through
the application to demonstrate the capabilities and use cases of SW360.

* Michael C. Jaeger is one of the maintainers of the FOSSology and SW360
projects, both of which are in the area of license compliance and
component management with open source software. At Siemens Corporate
Technology in Munich, Germany, Michael manages the Siemens contributions
to SW360 and FOSSology. Michael is a certified software architect and
received a German PhD degree from the faculty of electrical engineering
and computer science at TU Berlin.

- How License Compliance Engineering Can be Simplified

When people are confronted with license compliance for the first time it
feels overwhelming because there are many aspects to it: license
scanning of hundreds of thousands of files, complete and corresponding
source code, derivative works and code clone detection, and so on.
Clients often say that they simply do not know where to start.

However, experience demonstrates that license compliance does not need
to be overly complicated: there are short-cuts that can be taken at zero
risk and that will vastly speed up compliance processes. This talk will
highlight a few best practices learned from compliance work with clients
and explain how information from upstream projects can be used to make
license compliance processes quicker, more predictable and more
standardised.

* Armijn Hemel, MSc, is an expert in open source license compliance
engineering. From 2005-2012 he helped enforce the GPL license in Germany
several hundred times as part of the core team of gpl-violations.org.
Since then he has assisted companies in coming into compliance (including
in recent troll cases in Germany) and is actively involved in advancing
the field of compliance by exploring new topics and tooling.

- Compliance Tooling using Build Time Analysis

The Quartermaster project aims at building industry-standard tooling
that supports the open source license compliance workflow. Its open
source workflow engine integrates existing scanning and reporting tools,
and integrates into continuous integration/development processes. It
offers API endpoints against which toolmakers, communities and service
providers can integrate their products, while maintaining an open source
and open data model for the elemental toolchain.

The presentation will explore a number of key findings from the
development of Quartermaster so far. For example, that focusing on whole
source packages alone to identify and convey license information may be
insufficient, and that the product build process may be the most
suitable time to create compliance documentation. The presentation will
introduce the Quartermaster project, the novel approach it takes on
implementing open source compliance tooling, and how the lessons learned
from the prototype influenced the Quartermaster toolchain architecture.
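As an added illustration of the point made above (a whole-package license alone can be insufficient, so file-level evidence gathered at build time matters) and of the SPDX-style documentation that SW360 consumes, here is a small Python example written for this announcement. It is not code from Quartermaster, SW360 or FOSSology. The sample source tree, the declared package license, the license-text patterns and the tag-value output are all constructed; real scanners use far larger rule sets and emit complete SPDX documents.

```python
"""Per-file license detection feeding an SPDX-style bill of materials.

Constructed example: the sample tree, the declared package license and the
license-text patterns below are made up for illustration.
"""
import re

# Constructed sample source tree, path -> contents. The package metadata
# declares Apache-2.0, but one vendored compatibility file carries GPL-2.0
# text, which a package-level view would never reveal.
SAMPLE_TREE = {
    "libfoo/LICENSE": "Apache License\nVersion 2.0, January 2004\n",
    "libfoo/src/foo.c": "// SPDX-License-Identifier: Apache-2.0\nint foo(void) { return 1; }\n",
    "libfoo/src/compat/strlcpy.c": (
        "/* This program is free software; you can redistribute it under the\n"
        " * terms of the GNU General Public License as published by the Free\n"
        " * Software Foundation; version 2 of the License. */\n"
    ),
    "libfoo/README": "libfoo: a toy library used for this example.\n",
}
DECLARED_PACKAGE_LICENSE = "Apache-2.0"  # constructed package-level claim

# An upstream-provided SPDX short identifier in a file header is the cheapest
# and most reliable signal, so it is checked before any text matching.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-() ]+)")

# Fallback: crude full-text hints for a few licenses (constructed patterns).
LICENSE_TEXT_HINTS = [
    ("Apache-2.0", re.compile(r"Apache License,?\s*Version 2\.0", re.I)),
    ("GPL-2.0-only", re.compile(r"GNU General Public License.*?version 2", re.I | re.S)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
]


def detect_license(text):
    """Return (spdx_id, evidence) for one file's contents."""
    m = SPDX_TAG.search(text)
    if m:
        return m.group(1).strip(), "spdx-tag"
    for spdx_id, pattern in LICENSE_TEXT_HINTS:
        if pattern.search(text):
            return spdx_id, "text-match"
    return "NOASSERTION", "none"


def scan_tree(tree):
    """Scan every file; returns path -> (spdx_id, evidence)."""
    return {path: detect_license(text) for path, text in tree.items()}


def undeclared_licenses(declared, scan_results):
    """Licenses found at file level that the package-level declaration omits.

    A non-empty result is exactly the case where trusting the whole-package
    license alone would have produced wrong compliance documentation.
    """
    found = {spdx_id for spdx_id, _ in scan_results.values() if spdx_id != "NOASSERTION"}
    return sorted(found - {declared})


def to_spdx_tag_value(package_name, declared, scan_results):
    """Render a minimal SPDX tag-value fragment: package facts plus per-file facts."""
    found = sorted({spdx_id for spdx_id, _ in scan_results.values() if spdx_id != "NOASSERTION"})
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        f"PackageName: {package_name}",
        f"PackageLicenseDeclared: {declared}",
        f"PackageLicenseConcluded: {' AND '.join(found) if found else 'NOASSERTION'}",
    ]
    for path in sorted(scan_results):
        spdx_id, evidence = scan_results[path]
        lines.append(f"FileName: ./{path}")
        lines.append(f"LicenseConcluded: {spdx_id}")
        lines.append(f"LicenseComments: evidence={evidence}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    print(to_spdx_tag_value("libfoo", DECLARED_PACKAGE_LICENSE, results))
    gaps = undeclared_licenses(DECLARED_PACKAGE_LICENSE, results)
    if gaps:
        print("WARNING: file-level licenses not covered by the package declaration:", gaps)
```

Running the script on the constructed tree reports `GPL-2.0-only` as a license the `Apache-2.0` package declaration does not cover; in a build-time integration the same check would run against the files the build actually consumed, and the tag-value output would be handed to a component catalogue such as SW360.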

* Mirko Boehm is a Free Software and Open Source contributor, primarily
as a software developer and speaker. He is the founder of the
Quartermaster project, and has been a contributor to major Open Source
projects including the KDE Desktop since 1997, including several years
on the KDE e.V. Board. He is a visiting lecturer and researcher on Free
Software and Open Source at the Technical University of Berlin, a
fellowship representative in the FSFE general assembly and a
Qt-certified specialist and trainer.

The Open Invention Network protects the Open Source ecosystem by
acquiring patents and licensing them royalty free to all participants.
As director for the Linux system definition, Mirko is responsible for
the technical scope that defines the field of use of the patent
non-aggression agreements.

As founder and CEO of Endocode, an employee-owned, shareholder company
based in Berlin, Germany providing professional IT services with a focus
on Open Source technologies, Mirko specialises in consulting to and
mentoring startups and medium to large businesses. His areas of
expertise include complex software development endeavours, the use of
Open Source products and methods in organisations, and technology
related issues of business strategy and intellectual property.

— Workshops

- Using FOSSology - License Analysis Hands On

FOSSology is an open source license compliance software system and
toolkit. As a toolkit, it lets you run license, copyright and export
control scans from the command line. As a system, a database and web
user interface provide the interface and functionality to analyse the
licensing situation of open source software.

* Hosted by: Michael C. Jaeger.

Note: Please aim to arrive by 08:45 as the workshop will start at 09:00

Andrew Back
