Managing Open Source Software Supply Chains
DESCRIPTION
Heather Meeker and Michael Herzog discuss the latest trends in open source compliance for supply chain activities: the key legal issues for supply chain management as well as the latest automation tools and projects for open source management.
Agenda
• Legal issues for supply chain management
• Best practices to avoid claims and reduce risk
• Latest automation tools and projects for open source compliance management
TRANSCRIPT
Managing Open Source Software Supply Chains
Agenda
• Introduction
• Identify the ten most common open source license obligations
• Explain what you need to do to comply with these obligations
• Discuss the key compliance challenges today
• Discuss open source software supply chain trends
• Preview a new tool for basic compliance automation
• Questions
Ten Most Common OSS License Obligations
• Copyright notices
• License notices
• Attribution requirements
• “Copyleft” obligations (licensing of derivative works)
• Source code licensing
• Source code delivery
• Build and installation instruction delivery (GPL)
• Notice of changes
• Indemnities
• Non-use of trademarks
How to Comply – Notices
• Copyright, license, modification, and attribution requirements
• Delivery of source code may be the easiest way to comply, because notices are “baked in” to the distribution package
• Binary delivery requires creation of notice files
• Notices must be in the product delivery, for most licenses
• Online delivery is usually not sufficient
• Relying on third party notices is usually not sufficient
How to Comply – Source Code
• For GPL, LGPL, and other copyleft licenses
• Source materials must be made available, but not necessarily delivered with the product
• Not necessary to post source materials on the web, but this is a good practice
How to Comply – Licenses
• Need to carve copyleft licensing requirements out from EULAs
• GPL, LGPL and other licenses cannot be changed to other terms
• “Weak copyleft” licenses like EPL, MPL allow bifurcated licensing of source and binaries
Key Compliance Challenges
• Tracking open source use
• Notice creation
• Notice delivery
• Build and installation instruction delivery
• Ensuring the source code is right for the build
AND
• Getting OSS data from suppliers and to customers
FANTEC Litigation
• Plaintiff: Harald Welte of gpl-violations.org
• Open Source Software: iptables, a packet filtering utility licensed under GPL
• Defendant: FANTEC – Product: FANTEC 3DFHDL Media Player
• Compliance Efforts: FANTEC made a version of the source code available for download that it had received from its contract manufacturer. It was not the right source code for the binaries.
• Court holding: a distributor of software may not rely on assurances made by the supplier of the software that the software does not infringe the rights of any third party
• History: FANTEC had previously settled a GPL dispute with Welte in 2010 by a settlement that specified penalties if FANTEC committed any future GPL violation. At a 2012 "Hacking for Compliance" workshop hosted by the Free Software Foundation, compliance engineers discovered that the firmware object code shipping with the 3DFHDL included iptables and that the source code provided by FANTEC did not.
OSS Supply Chain Trends
• More customers are requiring suppliers to share the OSS compliance burden and provide compliance artifacts for their products
  – Software BOM
  – Attribution Text
  – Source Code Redistribution Packages as needed
• New challenge is what to do with the OSS information from suppliers
  – Where to put the data for future reference and use
  – How to validate/audit the data with minimal rework
  – How to deal with errors in the supplier-provided data
OSS Supply Chain Context (diagram; only the labels survive)
Labels: Component Catalog; Supplier; Software Package (Software BOM, OSS Attribution Text, OSS Source Code, OSS SW Packages); Customer (ISV SW Packages, Embedded OSS)
OSS Supply Chain Solutions
• SPDX – Software Package Data Exchange®
• A standard format for communicating the components, licenses and copyrights associated with a software package
• Intended to support automated exchange of Software Package Data
• Working Group of the Linux Foundation at www.spdx.org
• Organized in Business, Legal and Technical teams
• Open to participation by anyone
SPDX Today – v1.1
• Supports exchange of component and license data in RDF/XML or Tag/Value format
• Designed for automation of data exchange – not a tool for provenance analysis
• v2.0 will address complex Software BOMs
SPDX document sections (diagram): Document Information, Creation Information, Package Information, File Information, Licensing Information, Review Information
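To make the Tag/Value form concrete, here is an added Python example (not code from the SPDX working group or from the presenters) that renders one package and its files as an SPDX 1.1 tag/value document and computes the PackageVerificationCode. The verification code is the part a customer can use to check that a supplier's SPDX file describes the package actually received, which is the validation problem the trends slide raises. Tag names follow my reading of the SPDX 1.x specification and should be checked against www.spdx.org; the package name, URL, file contents and the tool name spdx-example-0.1 are constructed placeholders.

```python
"""Minimal SPDX 1.1 tag/value writer with PackageVerificationCode.
Added example; not an SPDX working-group tool or the presenters' code."""
import hashlib
from datetime import datetime, timezone

# Constructed sample package: relative path -> file content (bytes).
PACKAGE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int add(int a, int b) { return a + b; }\n",
    "COPYING": b"GNU GENERAL PUBLIC LICENSE Version 2 (sample text)\n",
}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def verification_code(files):
    """SHA1 over the sorted, concatenated SHA1 hex digests of every file in
    the package (the SPDX file itself is excluded by construction). The value
    depends only on file contents, not on names or iteration order, so the
    receiving side can recompute it over the package it actually got."""
    digests = sorted(sha1_hex(content) for content in files.values())
    return sha1_hex("".join(digests).encode("ascii"))


def spdx_document(name, version, download_url, license_id, files, created=None):
    """Render one package and its files as SPDX 1.1 tag/value text.
    Tag names follow the SPDX 1.x spec as I read it; 'spdx-example-0.1' is a
    placeholder tool name, not a real tool."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "SPDXVersion: SPDX-1.1",
        "DataLicense: PublicDomain",   # SPDX 1.x value; later versions use CC0-1.0
        "Creator: Tool: spdx-example-0.1",
        f"Created: {created}",
        "",
        f"PackageName: {name}",
        f"PackageVersion: {version}",
        f"PackageDownloadLocation: {download_url}",
        f"PackageVerificationCode: {verification_code(files)}",
        f"PackageLicenseConcluded: {license_id}",
        f"PackageLicenseDeclared: {license_id}",
        f"PackageLicenseInfoFromFiles: {license_id}",
        "PackageCopyrightText: NOASSERTION",
        "",
    ]
    for path in sorted(files):
        lines += [
            f"FileName: ./{path}",
            f"FileChecksum: SHA1: {sha1_hex(files[path])}",
            f"LicenseConcluded: {license_id}",
            f"LicenseInfoInFile: {license_id}",
            "FileCopyrightText: NOASSERTION",
            "",
        ]
    return "\n".join(lines)


def verify_package(doc, files):
    """Customer-side check: does the supplier's stated verification code
    match the files that were actually delivered?"""
    for line in doc.splitlines():
        if line.startswith("PackageVerificationCode:"):
            return line.split(":", 1)[1].strip() == verification_code(files)
    return False


if __name__ == "__main__":
    doc = spdx_document("example-pkg", "1.0", "http://example.invalid/example-pkg-1.0.tar.gz",
                        "GPL-2.0", PACKAGE_FILES)
    print(doc)
    print("matches delivered files:", verify_package(doc, PACKAGE_FILES))
```

The design choice worth noting is in verification_code: sorting the per-file digests before hashing makes the result independent of file order and names, which is what lets two parties compute it independently over the same content. A mismatch on the receiving side is exactly the FANTEC failure mode (source or SPDX data that does not describe the shipped files) surfacing before release rather than after.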
OSS Supply Chain Data
• SPDX provides a “container” for exchange of component and license data, but you still need to create and manage the data for your products
• Possible data sources include:
  – Open source projects
  – Suppliers
  – Internal analysis / audit
  – Third-party analysis / audit
• You need somewhere to keep and maintain/update the component and license/origin data
OSS Supply Chain Solutions
A basic system should be:
• Adaptable to existing engineering processes
  – Engineers can use and update the data during normal software development activities
  – Independent of programming languages or tools
• Able to produce data for:
  – Delivery to customers as
    • Attribution and Redistribution packages
    • SPDX files
  – Synchronization with enterprise systems
ABOUT-Code
• nexB created the ABOUT-Code tools to automate OSS compliance
• Based on our ABOUT specification
• An ABOUT file documents the origin and license for each component, usually at the library or directory level
• An ABOUT file is a text file with the file extension “.about”
• Applicable to any programming language and software development environment
• Extensible to build system integration for advanced automation
• Tools are in Python and licensed under Apache 2.0
• Code available at https://github.com/dejacode/about-code-tool
• Specification: http://www.dejacode.org/about_spec_v0.8.0.html
ABOUT File Example
A text file in “tag / value” format

httpd-2.4.3.tar.gz.about
name: Apache HTTP Server
home_url: http://httpd.apache.org
download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
version: 2.4.3
date: 2012-08-21
license: apache-2.0
license_file: httpd-2.4.3.tar.gz/LICENSE
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE
ABOUT-Code tools
• Create ABOUT files in a codebase from a Software BOM or Inventory file (spreadsheet)
• Create a Software BOM or Inventory file (spreadsheet) from ABOUT files in the codebase
• Create an Attribution text file
  • Text file organized by copyright/license notice and component
  • Default text or HTML format
• Create a Source Code Redistribution package list
• Currently offered as command line tools
“Virtuous” Compliance Lifecycle (diagram; only the labels survive)
Labels: Product Release (R1); Baseline; R1 Software Inventory/BOM; R1 Codebase; ABOUT Files; Component License Text; Attribution Display / Docs; Source Code Redistribution Package; Update ABOUT Files; R2 Software Inventory/BOM; R2 Codebase; ABOUT Files
Basic Automation – Today
• Use ABOUT-Code to read ABOUT files to
  • Create a Software BOM / Inventory
  • Create an Attribution text file
  • Create a Source Code Redistribution package list
• Edit output files to remove components that are not Deployed
• Add the Attribution text file to the product documentation and/or product GUI (Help / About)
• Assign an engineer to create the Source Code Redistribution package with installation/build instructions
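The ABOUT file example, the ABOUT-Code tools slide and the Basic Automation steps above describe one pipeline: read .about files, build the inventory, write the attribution text and list what needs source redistribution, then drop whatever is not Deployed. The Python below is an added example of that pipeline written for this page; it is not nexB's ABOUT-Code tool and does not use its API. It works on a constructed in-memory codebase (a dict of path to content), so it runs without touching disk. The sample components, the COPYLEFT_KEYS set and the rule that license_file and notice_file paths resolve relative to the .about file's own directory are assumptions for this example, not statements about the ABOUT specification.

```python
"""Toy ABOUT-file pipeline: parse -> inventory -> attribution + redistribution
list, filtered to Deployed components. Added example, not ABOUT-Code itself."""
from collections import defaultdict

# Constructed sample codebase: path -> content. The httpd entry mirrors the
# slide's example; the other two are made up for illustration.
CODEBASE = {
    "thirdparty/httpd-2.4.3.tar.gz.about": (
        "name: Apache HTTP Server\nversion: 2.4.3\nlicense: apache-2.0\n"
        "license_file: httpd-2.4.3.tar.gz/LICENSE\nnotice_file: httpd-2.4.3.tar.gz/NOTICE\n"
        "copyright: Copyright 2012 The Apache Software Foundation.\n"),
    "thirdparty/httpd-2.4.3.tar.gz/LICENSE": "Apache License, Version 2.0 (sample text)",
    "thirdparty/httpd-2.4.3.tar.gz/NOTICE":
        "This product includes software developed at The Apache Software Foundation.",
    "thirdparty/iptables-1.4.12.about": (
        "name: iptables\nversion: 1.4.12\nlicense: gpl-2.0\nlicense_file: COPYING\n"
        "copyright: Copyright (C) 2012 iptables authors (sample)\n"),
    "thirdparty/COPYING": "GNU GENERAL PUBLIC LICENSE Version 2 (sample text)",
    "tools/testlib-0.1.about":
        "name: testlib\nversion: 0.1\nlicense: mit\ncopyright: Copyright (c) 2012 Sample Author\n",
}

# Assumption for this example: license keys whose terms require source redistribution.
COPYLEFT_KEYS = {"gpl-2.0", "gpl-3.0", "lgpl-2.1", "lgpl-3.0"}
REQUIRED = ("name", "license")


def parse_about(text):
    """Parse 'key: value' lines; blank lines and '#' comments are ignored."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a tag/value line: {raw!r}")
        data[key.strip().lower()] = value.strip()
    return data


def read_file(codebase, base_dir, rel):
    # Assumed rule: *_file values are relative to the .about file's directory.
    return codebase.get(f"{base_dir}/{rel}" if base_dir else rel)


def build_inventory(codebase):
    """One row per .about file (the software BOM) with license/notice text
    resolved; returns (rows, problems) so bad data is reported, not silently lost."""
    rows, problems = [], []
    for path in sorted(p for p in codebase if p.endswith(".about")):
        about = parse_about(codebase[path])
        missing = [k for k in REQUIRED if k not in about]
        if missing:
            problems.append(f"{path}: missing {','.join(missing)}")
            continue
        base = path.rpartition("/")[0]
        row = {"about_file": path, **about}
        for field in ("license_file", "notice_file"):
            if field in about:
                content = read_file(codebase, base, about[field])
                if content is None:
                    problems.append(f"{path}: {field} {about[field]} not found")
                row[field.replace("_file", "_text")] = content
        rows.append(row)
    return rows, problems


def attribution_text(rows, deployed):
    """Notice file for Deployed components only, grouped by license key, with
    each license text emitted once after the components it covers."""
    by_license = defaultdict(list)
    for r in rows:
        if r["name"] in deployed:
            by_license[r["license"]].append(r)
    out = []
    for lic in sorted(by_license):
        out.append(f"== {lic} ==")
        for r in by_license[lic]:
            out.append(f"{r['name']} {r.get('version', '')}".rstrip())
            out.append(r.get("copyright", ""))
            if r.get("notice_text"):
                out.append(r["notice_text"])
        out.append(by_license[lic][0].get("license_text") or f"[license text for {lic} missing]")
        out.append("")
    return "\n".join(out)


def redistribution_list(rows, deployed):
    """Deployed components whose license key requires shipping source."""
    return sorted(r["name"] for r in rows
                  if r["name"] in deployed and r["license"] in COPYLEFT_KEYS)


if __name__ == "__main__":
    inventory, issues = build_inventory(CODEBASE)
    deployed = {"Apache HTTP Server", "iptables"}      # testlib is build-only
    print(attribution_text(inventory, deployed))
    print("redistribute source for:", redistribution_list(inventory, deployed))
    print("problems:", issues)
```

Two details matter in practice. build_inventory returns problems alongside rows instead of raising on the first bad file, so a missing license_file or a .about file without a license key shows up as a review item for the whole codebase at once. And the Deployed filter is applied at output time rather than by deleting rows, so the inventory still records build-only components (the slide's "not Deployed" case) while the notice and redistribution list only cover what ships.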
Advanced Automation
Enhance your build system and tools to:
• Recognize ABOUT files
• Assemble ABOUT files during a build for the sub-set of components included in an end-product (Deployed)
• Collect Attribution data for Deployed components and create an Attribution text file
• Insert Attribution text into the GUI (Help / About)
• Collect source code for the components that require Redistribution (including dependencies)
• Create an archive file of the Redistribution package
ABOUT-Code
• Download and use the code from GitHub at: https://github.com/dejacode/about-code-tool
• Read the specification at: http://www.dejacode.org/about_spec_v0.8.0.html
• Join the discussion at: http://www.dejacode.org/
Questions
About Greenberg Traurig LLP
• GT is an international, multidisciplinary law firm in 35 locations in the United States, Latin America, Europe, the Middle East and Asia.
• An international network of more than 1,750 attorneys and governmental affairs professionals
About nexB Inc.
• nexB offers:
  – Software analysis/audit services for products and for acquisitions
  – DejaCode Enterprise – a central business system for managing software components
• 200+ software audit projects completed to date
  – Aggregated audited codebases > 3 billion lines of source code
  – Aggregated value of the acquisition transactions > $5B
• See DejaCode Enterprise at www.dejacode.com
DejaCode.org
• nexB is sponsoring DejaCode.org as a community site to share techniques and tools for automating compliance with OSS obligations
• Documentation of existing techniques and tools from Android, Apache Maven (Java), CPAN (Perl) and others
• Home for new projects like nexB’s ABOUT system
• Visit us at: www.dejacode.org
Contacts
• Greenberg Traurig
  Heather Meeker
  [email protected]
  +1 650 289 7825
  Subscribe to news and events alerts at http://eepurl.com/wQIp9
• nexB Inc.
  Michael Herzog
  [email protected]
  +1 650 380 0680