Doing it Right: The Executive Guide to Open Source Compliance
Ibrahim Haddad, Ph.D., Head of Open Source Innovation Group
Samsung Research America – Silicon Valley
@IbrahimAtLinux
Disclaimers
• I am not a Legal Counsel
• This talk does not provide legal advice
• I advise Samsung on open source compliance
Executive View on Open Source Compliance
• What
• Why
• How
• Who
What is Open Source Compliance?
What is Open Source compliance?
Open Source compliance refers to the aggregate of Policies, Processes, Training and Tools that enable an organization to effectively use open source software and contribute to open communities while:
– Respecting copyrights,
– Complying with license obligations, and
– Protecting the organization's IP,
– Protecting the IP of customers and suppliers.
What basic compliance obligations must be satisfied?
• OSS license obligations generally are triggered with external distribution
– Code intended only for internal use sometimes gets distributed later on, so compliance practices should be applied to internal code, too.
• Depending on the license(s) involved, obligations could consist of:
– Written offer
– Attribution notices
– License notices
– Copyright notices
– Source code availability
– Etc.
• Analysis performed during review of intended open source use is needed to clarify obligations
Why do we need to implement an open source compliance program?
A Changing Business Environment
From (proprietary software stack):
• Commercial Applications (3rd Party)
• Proprietary Applications
• Middleware (Proprietary, 3rd party or a mix)
• Proprietary OS
• Chips, each with a Proprietary Driver
To (mixed open source and proprietary stack):
• Open Source Applications
• Commercial Applications (possibly include Open Source code)
• Proprietary Applications (possibly include Open Source code)
• Middleware (Open Source, Proprietary, 3rd party or a mix)
• Linux OS
• Chips, each with an Open Source Driver or a Proprietary Driver
From:
• Commercial licenses are negotiated
• There is a limited number of licenses
• Very predictable business environment
• IP protection is done via commercial contracts and licenses
• Risks are mitigated through license negotiation
• The providers of each software component are known
To:
• Licenses are not negotiated
• There are potentially tens of licenses involved
• The business environment is not as
• Thousands of contributors to the various FOSS used
• The origin of some components may not be clear
• Risks are mitigated through compliance and engineering practices
Mitigation of Risks via Compliance
• Identification of the origin and license of used software in the product
• Identification of license obligations for each software component
• Fulfillment of license obligations when product ships
Failure to Comply: Undesired Consequences
• Block product shipment until the fulfillment of FOSS license obligations has been verified
• Establish a more rigorous Open Source compliance program
• Appoint an “Open Source Compliance Officer” to ensure compliance
• Lose IP when required to release source code
• Negative press
• Damaged relationships with customers, suppliers and community
• Pay undisclosed sums of money for breach of FOSS licenses
How do we do it?
What’s involved in achieving compliance?
• Process
• Policies
• Guidelines
• Tools
• Education
• Networking
Example Compliance Process
• Incoming software: Proprietary Software, 3rd Party Software, FOSS
• Process steps: Identification → Audit → Resolve Issues → Reviews → Approvals → Registration → Notices → Distribution → Verifications
• Outputs: Outgoing Software; Open Source BoM: Notices & Attributions; Written Offer
Tools to assist with open source compliance
• Source code scanning (origin and license)
• Linkage analysis (static and dynamic)
• Project management tool to track compliance tickets
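The first two tool categories above, identification of origin and license followed by mapping each license to its obligations, can be sketched in a few lines. This is an added example, not code from the talk or from the Linux Foundation; the source tree, the SPDX tags and the obligation table are constructed for illustration, and the table is a deliberately simplified policy stand-in that a real program would replace with counsel-approved entries.

```python
import re

# Constructed sample source tree (not from the talk): path -> file contents.
SAMPLE_TREE = {
    "src/net/parser.c": "// SPDX-License-Identifier: GPL-2.0-only\n"
                        "// Copyright (c) 2011 Example Kernel Dev\nint parse(void);\n",
    "src/ui/widget.js": "/* SPDX-License-Identifier: MIT */\n"
                        "/* Copyright 2014 Widget Authors */\nexport const w = 1;\n",
    "src/app/main.c": "/* Proprietary, internal use only */\nint main(void) { return 0; }\n",
}

# Simplified obligation table assumed for this example (license id -> obligations
# triggered on external distribution), mirroring the talk's list of notice types.
OBLIGATIONS = {
    "GPL-2.0-only": ["copyright notice", "license notice",
                     "source code availability or written offer"],
    "MIT": ["copyright notice", "license notice", "attribution notice"],
}

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\(c\)\s*)?(.+?)\s*(?:\*/)?$",
                          re.IGNORECASE | re.MULTILINE)


def scan_tree(tree):
    """Identification step: record license and origin (copyright holder) per file."""
    bom = []
    for path, text in sorted(tree.items()):
        lic = SPDX_RE.search(text)
        holder = COPYRIGHT_RE.search(text)
        bom.append({"path": path,
                    "license": lic.group(1) if lic else "UNKNOWN",
                    "copyright": holder.group(1).strip() if holder else None})
    return bom


def obligations_for(bom):
    """Audit step: map each identified license to its obligations; files with no
    recognisable license tag are queued for manual audit instead of being guessed."""
    report = {"obligations": {}, "needs_audit": []}
    for entry in bom:
        lic = entry["license"]
        if lic == "UNKNOWN":
            report["needs_audit"].append(entry["path"])
        else:
            report["obligations"].setdefault(lic, set()).update(
                OBLIGATIONS.get(lic, ["manual review: license not in policy table"]))
    return report


def render_notices(bom):
    """Notices step: one attribution line per licensed file for the product documentation."""
    return "\n".join(f"{e['path']}: {e['license']}; Copyright {e['copyright'] or 'holder unknown'}"
                     for e in bom if e["license"] != "UNKNOWN")
```

Files without a recognisable tag land in `needs_audit` rather than being assigned a license, which is the point of the audit step: an untagged file may be proprietary or may be unlabelled open source, and only a review can tell.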
Who is going to do it?
Who is involved in achieving open source compliance?
• Developers / Software Architects: Write code
• Software Development Managers: Approve technical merit
• Open Source Compliance Staff: Scan code and report results
• Legal Counsel: Advise on licensing
• Compliance Officer: Manage compliance process
• Documentation team: Include licensing info in product
You will be challenged!
Compliance Inquiries
• It happens all the time.
• Maintain a constant stream of communication, investigate and resolve.
Closing Notes
Clear is the new Smart
• Governance
• Process
• Policies
• Guidelines
Compliance is Easy
• The challenge lies in three interconnected areas:
– Scaling
– Automation
– Cost
Available + Neutral Resources
• Training
• Education Material
• Compliance Self Assessment Checklist
• Tools
• Compliance Templates
• SPDX
http://compliance.linuxfoundation.org
Your compliance practices will get better with time!