Managing Software Inventories & Automating Open Source Software Compliance
Agenda
• Introduction
• Identify Most Common Open Source License Requirements
• Discuss Key Compliance Challenges Today
• Outline Approach For Automating Compliance With Attribution And Redistribution Requirements
• Demo: Automating Attribution Generation with AboutCode and DejaCode
• Q&A
Most Common OSS License Obligations
• Copyright notices
• License notices
• Attribution obligations
• "Copyleft" obligations (licensing of derivative works)
  – Source code delivery
  – Build and installation instruction delivery (GPL)
• Notice of changes
• Indemnities
• Non-use of trademarks
Attribution Obligations
• Copyright, license, modification, and attribution requirements
• Delivery of source code may be the easiest way to comply in some cases because the notices are "baked in" to the distribution package
  – Very common approach for the Linux kernel
• Binary delivery requires creation of notice files
• Notices must be in the product delivery for most licenses
• Posting on a website is usually not sufficient
• Relying on third-party notices is usually not sufficient
Source Code Redistribution Obligations
• For GPL, LGPL, and other copyleft licenses
• Source materials must be made available, but not necessarily delivered with the product
• Not necessary to post source materials on the web, but this is often a good practice
• For GPL and LGPL you must enable the recipient to compile the code
Licensing Obligations
• Need to carve out copyleft and some other OSS licensing requirements from EULAs
• GPL, LGPL and other licenses cannot be changed to other terms
• Limited-copyleft licenses like EPL and MPL allow bifurcated licensing of source and binaries
Key Compliance Automation Challenges
• Identifying open source in use and how it is used
  – Software Inventory of components in development environments
• Tracking open source redistributed by product release
  – Software Bill of Materials (BOM) of components distributed or deployed
• Creating Attribution Notices by product release
  – Including the offer to redistribute source code
• And doing this while the amount of open source used increases exponentially
  – See GitHub…
  – Proportion of open source in commercial software solutions is higher than 50% and growing
• Most companies have software component data in many formats in many places, without an approval process for third-party code
  – Components in version control systems and repos
  – Reports from internal and/or external software audits
  – FOSS disclosures from suppliers
  – Contracts for proprietary components
Page Content Copyright 2010 by Linux Foundation
OSS Compliance Trends
• More customers are requiring suppliers to share the OSS compliance burden and provide compliance artifacts for their products
  – Software Bill of Materials (BOM)
  – SPDX Documents
  – Attribution Notices
  – Source Code Redistribution Packages as needed
• Focus is shifting from "scanning" to managing the growing amount of software provenance data from internal and external sources
OSS Compliance Trends
• How do I manage OSS information from internal and external sources?
  – Where to store the data?
  – How to validate the data with minimal rework?
  – How to update the data as the software changes?
• Most companies will need a layered solution
  – Specific tools at the engineering group level that are best suited for the technologies, languages and development systems
  – An enterprise system to pull data together across products and development systems
AboutCode and DejaCode
nexB offers two OSS Compliance solutions:
• AboutCode for engineering/product teams
  – Basic system that can be adapted for any technology platform or language
  – Can be integrated into build systems
  – Open source license: Apache 2.0
• DejaCode for the enterprise
  – Enterprise application designed for use by legal, engineering and business staff across all products and technologies
  – Imports data from any engineering-level system and from external sources (system of record for product releases)
  – Subscription for SaaS (or on-premises)
AboutCode
• nexB created the AboutCode tools to automate OSS compliance
• Based on the ABOUT specification v1.0
• An ABOUT file documents the origin and license for each component, usually at the library or directory level
• An ABOUT file is a text file with the file extension ".about"
• Applicable to any programming language and software development environment
• Extensible for build system integration for advanced automation
• Currently offered as command line tools
• Tools are written in Python and licensed under Apache 2.0
• Code and specification available at https://github.com/dejacode/about-code-tool
ABOUT File Example
A text file in tag/value format, httpd-2.4.3.tar.gz.about:

    name: Apache HTTP Server
    home_url: http://httpd.apache.org
    download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
    version: 2.4.3
    date: 2012-08-21
    license: apache-2.0
    license_file: httpd-2.4.3.tar.gz/LICENSE
    copyright: Copyright 2012 The Apache Software Foundation.
    notice_file: httpd-2.4.3.tar.gz/NOTICE
AboutCode tools
• Create ABOUT files inside a codebase from a Software BOM or Inventory file (spreadsheet or other)
• Create a Software BOM or Inventory file (spreadsheet or other) from ABOUT files in the codebase
• Generate an Attribution Notices file
  – Text file organized by copyright/license notice and component
  – Default text or HTML format
• Generate a Source Code Redistribution package list
AboutCode Demonstration
• Example based on the e2fsprogs project
  – Package included in most Linux distributions
  – Set of utilities under different licenses
• Software Inventory file used to create ABOUT files
• ABOUT files as created
• Generated Attribution Notice
DejaCode
Enterprise system for business, engineering and legal use
• Apply policies to licenses (and components)
• Use public component data from nexB and/or add private data about supplier-provided or own components
• Import or create a Product BOM for each product release
• Generate Attribution Notices and other compliance documents
See also https://enterprise.dejacode.com/landing/
[DejaCode screenshot: Product Portfolio, Component Catalog, License Library]
DejaCode Demonstration
• Product Portfolio
• Attribution Notice generation
• Component Catalog
• License Library
About Fenwick & West
• 40 years working closely with technology and life sciences companies that are changing the world through innovation, and the venture capital and investment banking firms that are financing them
• One of the first technology law firms in the world; now one of the 150 largest law firms in the U.S.
• More than 350 attorneys focused on representing technology and life sciences companies in all facets of their legal needs
• Nationally ranked practices in initial public offerings, complex financial and commercial transactions, intellectual property protection and licensing, mergers and acquisitions, domestic and international tax planning and tax controversies
About nexB Inc.
• nexB offers:
  – DejaCode Enterprise: a central business system for managing software components
  – Software analysis/audit services for products and for acquisitions
  – Open source tools for OSS management: AboutCode, and ScanCode coming soon
• 300+ software audit projects completed to date
  – Aggregated audited codebases > 3 billion lines of source code
  – Aggregated value of the acquisition transactions > $5B
• See DejaCode Enterprise at www.dejacode.com
Contacts
• Fenwick & West: Stephen Gillespie, +1 415.875.2421
• nexB Inc.: Michael Herzog, +1 650 380 0680
Glossary
• Software Provenance: owner, origin and license for a software component
• FOSS: Free and Open Source Software (aka FLOSS)
  – Includes free, but not open source, components like Oracle Java libraries under their Binary Code License
• SPDX: Software Package Data Exchange, http://spdx.org/
  – Emerging standard for exchanging software license data
  – Sponsored by the Linux Foundation
Advanced Automation with AboutCode
Enhance your build system and tools to:
• Recognize ABOUT files
• Assemble ABOUT files during a build for the subset of components included in an end product (Deployed)
• Collect attribution data for Deployed components and create the Attribution Notices file
• Insert Attribution Notices into the GUI (Help / About)
• Collect source code for the components that require redistribution (including dependencies)
• Create an archive file of the Source Code Redistribution package
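The AboutCode tools slide and the build-automation steps above describe one pipeline: read the ABOUT files in a codebase, keep only the components the build actually shipped, emit the Attribution Notice, and list the components whose source must be made available. The Python below is an added example written for this page to show that pipeline end to end; it is not AboutCode's own code and does not call its API. The three ABOUT files, the component names taken from the "build manifest", the COPYLEFT license-key set, the required-field rule in load_inventory and the continuation-line handling in the parser are all constructed assumptions for illustration, not part of the ABOUT specification.

```python
"""Parse ABOUT files and derive compliance artifacts from them (example)."""
import re
from collections import defaultdict

# Constructed sample data for this example (not a real inventory): three
# ABOUT files as tag/value text, keyed by their path in an imaginary codebase.
ABOUT_FILES = {
    "thirdparty/httpd-2.4.3.tar.gz.about": """\
name: Apache HTTP Server
version: 2.4.3
license: apache-2.0
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE
""",
    "thirdparty/libfoo-1.0.about": """\
name: libfoo
version: 1.0
license: lgpl-2.1
copyright: Copyright (c) 2011 Example Foo Authors
download_url: http://example.invalid/libfoo-1.0.tar.gz
""",
    "tools/barutil-0.3.about": """\
name: barutil
version: 0.3
license: gpl-2.0
copyright: Copyright (c) 2009 Bar Util Project
""",
}

# Assumed policy: license keys that trigger a source redistribution
# obligation. A real policy set comes from legal review, not this list.
COPYLEFT = {"gpl-2.0", "gpl-3.0", "lgpl-2.1", "lgpl-3.0"}

_TAG_RE = re.compile(r"^([a-z_]+)\s*:\s*(.*)$")


def parse_about(text):
    """Parse the tag/value body of one ABOUT file into a dict.
    Blank lines and '#' comments are skipped; indented lines are treated as
    continuations of the previous value (an assumption of this example)."""
    fields, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:
            fields[last] += "\n" + raw.strip()
            continue
        m = _TAG_RE.match(raw)
        if not m:
            raise ValueError(f"malformed ABOUT line: {raw!r}")
        last = m.group(1)
        fields[last] = m.group(2).strip()
    return fields


def load_inventory(about_files):
    """Build a Software Inventory (list of dicts) from ABOUT files.
    name, version and license are required here so the notice is never
    silently incomplete (this example's rule, not the ABOUT spec's)."""
    inventory = []
    for path, text in sorted(about_files.items()):
        rec = parse_about(text)
        missing = [f for f in ("name", "version", "license") if f not in rec]
        if missing:
            raise ValueError(f"{path}: missing field(s) {', '.join(missing)}")
        rec["about_path"] = path  # keep the trace back to the codebase
        inventory.append(rec)
    return inventory


def deployed_subset(inventory, deployed_names):
    """Keep only components the build actually shipped (the Deployed subset).
    deployed_names would come from a build manifest; build-only tools that
    never reach the end product drop out here."""
    wanted = {n.lower() for n in deployed_names}
    return [r for r in inventory if r["name"].lower() in wanted]


def attribution_notice(components):
    """Render a plain-text Attribution Notice grouped by license key."""
    by_license = defaultdict(list)
    for c in components:
        by_license[c["license"]].append(c)
    out = ["THIRD-PARTY SOFTWARE NOTICES", ""]
    for lic in sorted(by_license):
        out.append(f"== License: {lic} ==")
        for c in sorted(by_license[lic], key=lambda r: r["name"].lower()):
            out.append(f"{c['name']} {c['version']}")
            out.append(f"  {c.get('copyright', 'Copyright notice not provided')}")
            if "notice_file" in c:
                out.append(f"  Notice: see {c['notice_file']}")
        out.append("")
    return "\n".join(out)


def redistribution_list(components):
    """Deployed components whose license key is in COPYLEFT, with the source
    location the redistribution package (or written offer) must cover."""
    return sorted(
        (c["name"], c["version"], c.get("download_url", "<source not recorded>"))
        for c in components
        if c["license"] in COPYLEFT
    )


if __name__ == "__main__":
    inv = load_inventory(ABOUT_FILES)
    # barutil is used at build time only, so it is not in the shipped set.
    shipped = deployed_subset(inv, ["Apache HTTP Server", "libfoo"])
    print(attribution_notice(shipped))
    for name, version, src in redistribution_list(shipped):
        print(f"REDISTRIBUTE SOURCE: {name} {version} from {src}")
```

Run directly, it prints the notice for the two shipped components and one REDISTRIBUTE SOURCE line for libfoo; barutil, which is GPL but never leaves the build machine, produces no obligation. In a real build the ABOUT_FILES dict would be filled by walking the tree for *.about files and deployed_names by the packaging step, and a missing download_url on a copyleft component should fail the build rather than ship a notice that cannot be honoured.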