Eyes Wide Open

Sebastiano Cobianco, CEO, Ex Machina SAGL, 6900 Lugano

Posted on 18-Aug-2018

I AM NOT A LAWYER

...so why am I here?

www.blackducksoftware.com

Agenda

How FOSS gets into the Enterprise

How FOSS should get into the Enterprise

How the Enterprise should manage FOSS

but first...

1998

"Open Source" is coined, foundation of the Open Source Initiative (non-profit)

1984

Project GNU at MIT, Richard Stallman, the Free Software Foundation

1991

Linus Torvalds releases the first Unix-like kernel for GNU software, building the GNU/Linux operating system

1994

Foundation of Red Hat for Linux commercial support and distribution

1995

A community of developers starts work on the Apache Web Server

1997

Eric Raymond publishes The Cathedral and the Bazaar

You might think the whole point is free software

but it isn’t.

The real push is better software

What is FOSS

Free, as defined by the Free Software Foundation

Open, as defined by the Open Source Initiative

Source, although source is not enough!

Software, we focus on software, not hw, books, ...

Software is an

Intellectual Property

How many OS projects have been published?

How many FOSS licenses are out there?

Updated daily at http://www.blackducksoftware.com/oss

Types of FOSS Licenses

Academic Licenses
• Relatively short and simple, easy to specify, few restrictions
Examples: BSD, MIT

Permissive Licenses
• Modifications/enhancements may remain proprietary
• Distribution in source code or object code permitted, provided the copyright notice and liability disclaimer are included and contributors’ names are not used to endorse products
Example: Apache Software License v2.0

Types of FOSS Licenses - continued

Partially Closable
• Useful when licensing libraries or extensible applications
• Modifications to the library must be distributed under similar terms, while the whole program can remain closed
Examples: MPL, GNU LGPL

Reciprocal
• Requires making improvements or enhancements available under similar terms
• Licensee must distribute “work based on the program” and cause such works to be licensed at no charge under similar terms
Example: GPL

Top 20 most commonly used FOSS Licenses

Updated daily at http://www.blackducksoftware.com/oss

License Incompatibility

This is a major concern as free and open source software was intended to create a broad set of reusable components that can be mixed and work together.

Compatibility is determined by comparing restrictions

Usually it is one-way compatibility where code can only move up the chain of control from academic to reciprocal licensing terms.

The Windows 7 USB/DVD Tool Violated GPLv2 License

• Code was “multi-source,” including code from an external supplier with OSS

• Microsoft pulled the product from the Microsoft Store, then had to make the source code and binaries available

Takeaways:
• Even big, well-run companies make mistakes
• OSS can enter from many sources in the supply chain
• It’s difficult to manage OSS without both process and technology

Compliance flaws...

• Infringement
• Valuation
• Negative publicity
• Lost revenue
• Support costs
• Vulnerability

(VOIP Phone)

(Wireless Router)

(GPS Navigation)

(Network Attached Storage)

(WiMax, other )

(iPhone WIP300)

(Home Hub Router)

HDTVs

Compliance flaws...

These vulnerabilities were discovered within 24 hours of release

Easily avoided with the right solution

Security flaws...

Cost of defects

Minimal when issues are detected early in the lifecycle

Grows 100-1,000X late in the lifecycle

Invest time and process to choose good code up front rather than fixing problems later

Capers Jones, Applied software measurement: assuring productivity and quality, 1999.

Recognise issues up front

How FOSS gets into the Enterprise

How FOSS should get into the Enterprise

How the Enterprise should manage FOSS

Business enabler

Accelerate Time to Market

Use open source software to avoid reinventing the wheel

Increase Innovation & Product Capability

Readily available to fill out feature list

Focus internal resources on valuable new features that provide strong value to customers or differentiation against competitors

Control Development Costs

Reuse to lower development and licensing costs

Improve development and group productivity

Developers are working under increasing pressure

It is a disruptive and epochal change in software development...

It does not go through procurement

How Companies handle FOSS...

Deny usage of FOSS

Anger over unexpected loss of control

Crash plan, remediation of FOSS, lawyers' meetings...

No return...

...and then?

How FOSS gets into the Enterprise

How FOSS should get into the Enterprise

How the Enterprise should manage FOSS

in the beginning there was...

a Policy

Simple enough for developers to follow

Clear and unambiguous

• Open source discovery
• Review and selection
• Code management
• Maintenance and support
• Compliance program
• Community interaction
• Executive oversight

A Policy isn't just for developers...

Keep a component catalog to support compliance and security
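As an added example that is not part of the slides, here is a small component-catalog check that applies the deck's one-way compatibility rule (code only moves up the chain from academic to reciprocal) together with the partially-closable exception described on the license-types slides. The license-to-class mapping and the sample catalog are constructed for illustration and simplify real license texts.

```python
from dataclasses import dataclass

# The deck's four license classes, least to most restrictive.
# Code may only move "up" this chain (academic -> ... -> reciprocal).
CHAIN = ["academic", "permissive", "partially_closable", "reciprocal"]
RANK = {cls: i for i, cls in enumerate(CHAIN)}

# Class of each license the slides name (assumed, simplified mapping).
LICENSE_CLASS = {
    "BSD": "academic", "MIT": "academic",
    "Apache-2.0": "permissive",
    "MPL": "partially_closable", "LGPL": "partially_closable",
    "GPL": "reciprocal",
}

@dataclass(frozen=True)
class Component:
    name: str
    license: str
    modified: bool = False  # True if we changed the component's own source

def product_rank(product_license):
    """Rank of the product's outgoing terms. A closed ("proprietary")
    product accepts the same inbound classes as a permissive one."""
    if product_license == "proprietary":
        return RANK["permissive"]
    return RANK[LICENSE_CLASS[product_license]]

def check_component(comp, product_license):
    """Return (status, reason); status is 'ok', 'obligation' or 'violation'."""
    cls = LICENSE_CLASS[comp.license]
    prank = product_rank(product_license)
    if cls == "reciprocal" and prank < RANK["reciprocal"]:
        return "violation", f"{comp.name} ({comp.license}) requires the whole work under similar terms"
    if cls == "partially_closable":  # library terms bind, program may stay closed
        if comp.modified:
            return "obligation", f"release modified {comp.name} under {comp.license} terms"
        return "ok", f"unmodified {comp.name} may be used by a {product_license} program"
    if RANK[cls] > prank:  # would move code down the chain
        return "violation", f"{comp.name} ({comp.license}) is more restrictive than {product_license}"
    if cls == "permissive":
        return "obligation", f"ship {comp.name}'s copyright notice and disclaimer; no endorsement"
    return "ok", f"{comp.name} ({comp.license}) has few restrictions"

def check_catalog(catalog, product_license):
    """Return non-'ok' findings, violations first, for a release gate."""
    order = {"violation": 0, "obligation": 1}
    found = [(c.name, *check_component(c, product_license)) for c in catalog]
    return sorted((f for f in found if f[1] != "ok"), key=lambda f: order[f[1]])

# Constructed sample catalog (component names are made up).
CATALOG = [Component("util-lib", "MIT"), Component("http-core", "Apache-2.0"),
           Component("media-codec", "LGPL", modified=True), Component("image-tool", "GPL")]
```

Running `check_catalog(CATALOG, "proprietary")` flags the GPL component as a violation and lists the notice and modified-library obligations for the rest.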

be Social!

How FOSS gets into the Enterprise

How FOSS should get into the Enterprise

How the Enterprise should manage FOSS

Used by permission of Black Duck Software, Inc.

Risks in multisource development

The game has changed ...

… and the Enterprise must adapt the way it plays...

...it needs tools to stay abreast of the game!

Search: the code to be used inside the applications

Select: the code, based on the policy and key metadata

Approve: the code, based on company policies

Develop: with the approved code, using the preferred tools

Validate: that only authorized code is used

Monitor: code usage and its impact on complex applications

Used by permission of Black Duck Software, Inc.

10 Best Practices from FOSS adopters

1. Appoint an OSS steward
2. Create a comprehensible policy
3. Frontload acquisition processes, adapt RFT
4. Require project leaders to identify OSS dependencies
5. Use EA to regulate exploitation and maintenance
6. Trust teams - but verify with code-scanning utilities
7. Maintain a repository of preapproved OSS components
8. Don't dwell on processes and artifacts; focus on outcomes
9. Don't expect perfection, and plan for remediation
10. Set a contribution policy – it will happen over time anyway

Attributions

http://bit.ly/gGDsAy

Source: Box.net

Source: TheDailyWTF.com

Brajeshwar on Flickr, License a-nc-sa

Sebastiano Cobianco, CEO, Ex Machina SAGL

6900 Lugano

For info: Luca [email protected] +393284977129