Managing Open Source Software Supply Chains

Upload: nexb-inc

Post on 25-Dec-2014


DESCRIPTION

Heather Meeker and Michael Herzog discuss the latest trends in open source compliance for supply chain activities: the key legal issues for supply chain management as well as the latest automation tools and projects for open source management.

Agenda
• Legal issues for supply chain management
• Best practices to avoid claims and reduce risk
• Latest automation tools and projects for open source compliance management

TRANSCRIPT

Page 1: Managing Open Source Software Supply Chains

Managing Open Source Software Supply Chains

Page 2: Managing Open Source Software Supply Chains

Agenda
• Introduction
• Identify the ten most common open source license obligations
• Explain what you need to do to comply with these obligations
• Discuss the key compliance challenges today
• Discuss open source software supply chain trends
• Preview a new tool for basic compliance automation
• Questions

Page 3: Managing Open Source Software Supply Chains

Ten Most Common OSS License Obligations
• Copyright notices
• License notices
• Attribution requirements
• “Copyleft” obligations (licensing of derivative works)
• Source code licensing
• Source code delivery
• Build and installation instruction delivery (GPL)
• Notice of changes
• Indemnities
• Non-use of trademarks

Page 4: Managing Open Source Software Supply Chains

How to Comply – Notices
• Copyright, license, modification, and attribution requirements
• Delivery of source code may be the easiest way to comply, because notices are “baked in” to the distribution package
• Binary delivery requires creation of notice files
• Notices must be in the product delivery, for most licenses
• Online delivery is usually not sufficient
• Relying on third party notices is usually not sufficient

Page 5: Managing Open Source Software Supply Chains

How to Comply – Source Code
• For GPL, LGPL, and other copyleft licenses
• Source materials must be made available, but not necessarily delivered with the product
• Not necessary to post source materials on the web, but this is a good practice

Page 6: Managing Open Source Software Supply Chains

How to Comply – Licenses
• Need to carve copyleft licensing requirements out of EULAs
• GPL, LGPL and other licenses cannot be changed to other terms
• “Weak copyleft” licenses like EPL, MPL allow bifurcated licensing of source and binaries

Page 7: Managing Open Source Software Supply Chains

Key Compliance Challenges
• Tracking open source use
• Notice creation
• Notice delivery
• Build and installation instruction delivery
• Ensuring the source code is right for the build
AND
• Getting OSS data from suppliers and to customers

Page 8: Managing Open Source Software Supply Chains

FANTEC Litigation
• Plaintiff: Harald Welte of gpl-violations.org
• Open Source Software: iptables, a packet filtering utility licensed under GPL
• Defendant: FANTEC; Product: FANTEC 3DFHDL Media Player
• Compliance Efforts: FANTEC made a version of the source code available for download that it had received from its contract manufacturer. It was not the right source code for the binaries.
• Court holding: a distributor of software may not rely on assurances made by the supplier of the software that the software does not infringe the rights of any third party
• History: FANTEC had previously settled a GPL dispute with Welte in 2010 by a settlement that specified penalties if FANTEC committed any future GPL violation. At a 2012 "Hacking for Compliance" workshop hosted by the Free Software Foundation, compliance engineers discovered that the firmware object code shipping with the 3DFHDL included iptables and that the source code provided by FANTEC did not.

Page 9: Managing Open Source Software Supply Chains

OSS Supply Chain Trends
• More customers are requiring suppliers to share the OSS compliance burden and provide compliance artifacts for their products
– Software BOM
– Attribution Text
– Source Code Redistribution Packages as needed
• The new challenge is what to do with the OSS information from suppliers
– Where to put the data for future reference and use
– How to validate/audit the data with minimal rework
– How to deal with errors in the supplier-provided data

Page 10: Managing Open Source Software Supply Chains

OSS Supply Chain Context

[Diagram: OSS supply chain context. Labels on the slide: Component Catalog; Supplier; Software Package; Software BOM; OSS Attribution Text; OSS Source Code; OSS SW Packages; Customer; ISV SW Packages; Embedded OSS]

Page 11: Managing Open Source Software Supply Chains

OSS Supply Chain Solutions
• SPDX - Software Package Data Exchange®
• A standard format for communicating the components, licenses and copyrights associated with a software package
• Intended to support automated exchange of Software Package Data
• Working Group of the Linux Foundation at www.spdx.org
• Organized in Business, Legal and Technical teams
• Open to participation by anyone

Page 12: Managing Open Source Software Supply Chains

SPDX Today - v1.1
• Supports exchange of component and license data in RDF/XML or Tag/Value format
• Designed for automation of data exchange -- not a tool for provenance analysis
• v2.0 will address complex Software BOMs

[Diagram: sections of an SPDX v1.1 document: Document Information; Creation Information; Package Information; File Information; Licensing Information; Review Information]

Page 13: Managing Open Source Software Supply Chains

OSS Supply Chain Data
• SPDX provides a “container” for exchange of component and license data, but you still need to create and manage the data for your products
• Possible data sources include:
– Open source projects
– Suppliers
– Internal analysis / audit
– Third-party analysis / audit
• You need somewhere to keep and maintain/update the component and license/origin data

Page 14: Managing Open Source Software Supply Chains

OSS Supply Chain Solutions
A basic system should be:
• Adaptable to existing engineering processes
– Engineers can use and update the data during normal software development activities
– Independent of programming languages or tools
• Able to produce data for:
– Delivery to customers as
• Attribution and Redistribution packages
• SPDX files
– Synchronization with enterprise systems

Page 15: Managing Open Source Software Supply Chains

ABOUT-Code
• nexB created the ABOUT-Code tools to automate OSS compliance
• Based on our ABOUT specification
• An ABOUT file documents the origin and license for each component, usually at the library or directory level
• An ABOUT file is a text file with the file extension “.about”
• Applicable to any programming language and software development environment
• Extensible to build system integration for advanced automation
• Tools are in Python and licensed under Apache 2.0
• Code available at https://github.com/dejacode/about-code-tool
• Specification: http://www.dejacode.org/about_spec_v0.8.0.html

Page 16: Managing Open Source Software Supply Chains

ABOUT File Example
A text file in “tag / value” format

httpd-2.4.3.tar.gz.about
name: Apache HTTP Server
home_url: http://httpd.apache.org
download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
version: 2.4.3
date: 2012-08-21
license: apache-2.0
license_file: httpd-2.4.3.tar.gz/LICENSE
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE

Page 17: Managing Open Source Software Supply Chains

ABOUT-Code tools
• Create ABOUT files in a codebase from a Software BOM or Inventory file (spreadsheet)
• Create a Software BOM or Inventory file (spreadsheet) from ABOUT files in the codebase
• Create an Attribution text file
– Text file organized by copyright/license notice and component
– Default text or HTML format
• Create a Source Code Redistribution package list
• Currently offered as command line tools
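As an added example (not from the slides and not the ABOUT-Code project's own code), a small Python parser for the tag/value ABOUT format shown on the previous slide that checks which fields an attribution entry needs and renders that entry, the step the "Create an Attribution text file" bullet describes. The REQUIRED field set and the entry layout are assumptions for this example, not rules from the ABOUT specification.

```python
import re

# Constructed sample: the ABOUT file from the slide, embedded inline.
SAMPLE_ABOUT = """\
name: Apache HTTP Server
home_url: http://httpd.apache.org
download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
version: 2.4.3
date: 2012-08-21
license: apache-2.0
license_file: httpd-2.4.3.tar.gz/LICENSE
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE
"""

# Fields this example requires before it will emit attribution text
# (an assumption for this example, not the ABOUT specification's rule).
REQUIRED = ("name", "version", "license", "copyright")

# A tag is an identifier followed by ':'; the value is the rest of the line,
# so URLs containing ':' are captured whole.
FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def parse_about(text):
    """Parse tag/value lines into a dict; blank and '#' lines are skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'tag: value' line: {raw!r}")
        tag, value = m.group(1).lower(), m.group(2).strip()
        if tag in fields:  # two values for one tag would hide a data error
            raise ValueError(f"line {lineno}: duplicate field {tag!r}")
        fields[tag] = value
    return fields


def missing_fields(fields):
    """Return required tags that are absent or empty, in REQUIRED order."""
    return [t for t in REQUIRED if not fields.get(t)]


def attribution_entry(fields):
    """Render one component's block for a NOTICE-style attribution file."""
    gaps = missing_fields(fields)
    if gaps:
        raise ValueError("cannot attribute; missing " + ", ".join(gaps))
    return (f"{fields['name']} {fields['version']}\n{fields['copyright']}\n"
            f"Licensed under {fields['license']}\n")
```

Run over every .about file in a codebase, the missing_fields check is where supplier-provided data with gaps surfaces before an attribution file is shipped.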

Page 18: Managing Open Source Software Supply Chains

“Virtuous” Compliance Lifecycle

[Diagram: compliance lifecycle across releases. Labels on the slide: Product Release (R1); Baseline; R1 Software Inventory/BOM; R1 Codebase; ABOUT Files; Component License Text; Attribution Display / Docs; Source Code Redistribution Package; Update ABOUT Files; R2 Codebase; ABOUT Files; R2 Software Inventory/BOM]

Page 19: Managing Open Source Software Supply Chains

Basic Automation - Today
• Use ABOUT-Code to read ABOUT files to:
– Create a Software BOM / Inventory
– Create an Attribution text file
– Create a Source Code Redistribution package list
• Edit output files to remove components that are not Deployed
• Add the Attribution text file to the product documentation and/or product GUI (Help / About)
• Assign an engineer to create the Source Code Redistribution package with installation/build instructions

Page 20: Managing Open Source Software Supply Chains

Advanced Automation
Enhance your build system and tools to:
• Recognize ABOUT files
• Assemble ABOUT files during a build for the sub-set of components included in an end-product (Deployed)
• Collect Attribution data for Deployed components and create an Attribution text file
• Insert Attribution text into the GUI (Help / About)
• Collect source code for the components that require Redistribution (including dependencies)
• Create an archive file of the Redistribution package

Page 21: Managing Open Source Software Supply Chains

ABOUT-Code
• Download and use the code from GitHub at: https://github.com/dejacode/about-code-tool
• Read the specification at: http://www.dejacode.org/about_spec_v0.8.0.html
• Join the discussion at: http://www.dejacode.org/

Page 22: Managing Open Source Software Supply Chains


Questions

Page 23: Managing Open Source Software Supply Chains

About Greenberg Traurig LLP
• GT is an international, multidisciplinary law firm in 35 locations in the United States, Latin America, Europe, the Middle East and Asia.
• An international network of more than 1,750 attorneys and governmental affairs professionals

Page 24: Managing Open Source Software Supply Chains

About nexB Inc.
• nexB offers:
– Software analysis/audit services for products and for acquisitions
– DejaCode Enterprise – a central business system for managing software components
• 200+ software audit projects completed to date
– Aggregated audited codebases > 3 billion lines of source code
– Aggregated value of the acquisition transactions > $5B
• See DejaCode Enterprise at www.dejacode.com

Page 25: Managing Open Source Software Supply Chains

DejaCode.org
• nexB is sponsoring DejaCode.org as a community site to share techniques and tools for automating compliance with OSS obligations
• Documentation of existing techniques and tools from Android, Apache Maven (Java), CPAN (Perl) and others
• Home for new projects like nexB’s ABOUT system
• Visit us at: www.dejacode.org

Page 26: Managing Open Source Software Supply Chains

Contacts
• Greenberg Traurig
Heather [email protected]
+1 650 289 7825
Subscribe to news and events alert at http://eepurl.com/wQIp9
• nexB Inc.
Michael [email protected]
+1 650 380 0680