The Art and Science of Open Source Compliance
1 © 2014 Samsung Electronics Co. Open Source Group – Silicon Valley
Ibrahim Haddad, Ph.D.
Head of Open Source Innovation Group | Samsung Research America – Silicon Valley
Balancing Business, Community and Legal Currents: The Art & Science of Successful OSS Compliance
How did I get here?
Jan 2000
Basic Elements of a Compliance Program
Compliance 101
• Companies using open source software must:
- Observe the obligations of FOSS licenses
- Protect their IP
- Protect the IP of 3rd party software providers from unintended disclosure
• Basic Elements of Compliance
- Policy
- Process
- Guidelines
- Staffing
- Training
- Audits
- Tools and Automation
- Inquiries
Snapshot of Compliance Program Elements
Compliance: A Balancing Act
Balancing what?
Internal & External Legal Counsel opinions / requirements
Business needs
Community needs
Enforcers, whistleblowers
It’s easier to make enemies than to make friends.
Sweet Spot
[Diagram: the sweet spot between Legal, Community, Enforcers, and Business]
How to balance?
Welcome to the Art & Science of Compliance.
The Art & Science Compliance Meter
Art (Creative Activity)
Science (Systematic Approach)
Policy
• The 1-line compliance policy:
We must ensure that all of <COMPANY NAME>’s incoming software (in house, 3rd party commercial, open source, other) is compliant with the license it is provided under by following the open source compliance process defined in <URL>.
Policy
• The 72-page master policy
72-page policy + various mini policies ranging from 10 to 22 pages.
[The largest mini policy at 22 pages is on “Open Source Compliance Practices When Engaging With Business Partners”]
Fun Fact:
1 policy page per 1000 employees!
Policy: Art / Science Meter [scale from Art to Science]
Process
The way we ensure the policy is applied.
Simple process:
- Check all incoming software
- Identify origin, license, obligations, notices, etc.
- Upon product release, meet the conditions of the licenses
[Flow diagram: Incoming Software → Identification → Audit → Approvals → Distribution → Released code, Notices, Written offer]
Do you think all engineers request approval?
Process Story (1)
• What to do when you are severely understaffed?
• 1 JIRA ticket – 5 milestones in the JIRA process (identification, auditing, reviews, approval, fulfillment).
[Flow: Identify incoming code → Audit → Review Results & Fix Issues → Approve → Publish]
JIRA ticket linear lifecycle; does not assume iterations between different phases.
Process Story (2)
• Bring people into your world: Palm story.
• Palm Pre compliance story.
Process: Art / Science Meter [scale from Art to Science]
Guidelines (Balancing with Legal Staff)
License Compatibility Matrix
License Playbooks
Legal Best Practices
Compliance 911
Guidelines (Balancing with Engineering Staff)
HOW-TOs
Do’s and Don’ts
Engineering best practices
Guidelines Story
• Example comment found in source code while auditing it:
“I stole this code from >URL<”
Guidelines: Art / Science Meter [meter placing License Playbooks on a scale from Art to Science]
Guidelines: Art / Science Meter [meter placing Engineering Guidelines on a scale from Art to Science]
Guidelines: Art / Science Meter [meter placing Compatibility Matrix, How-To, Do’s & Don’ts, and 911 on a scale from Art to Science]
Compliance Staffing: Art / Science Meter [meter for Building Compliance Team on a scale from Art to Science, with the labels Right Mindset, Hard To Find, and Easy To Find/Hire]
Staffing Story
“Ibrahim, I am not convinced we need to do any of this compliance stuff and we need to transfer the compliance resources to development. Can you figure out a plan for this?”
Compliance requires an executive sponsor.
Training
Crucial to the adoption of compliance.
Ranges from a brown bag talk to a 3-day workshop.
STORY:
Compliance Seminar #1 – Less than 10 people attended.
Compliance Seminar #2 (a week later) – Full house.
Any guess on what influenced the increased attendance? (2 factors)
Must provide proper motivation!
Audits and Tools
• Tools
- Project management
- Auditing
- Linkage analysis
- BoM diff tool
Running the Audits [Art / Science Meter, scale from Art to Science]
Interpreting the Audit Results [Art / Science Meter, scale from Art to Science]
Automation
• We ship 100s of products every year, many with multiple firmware and OTA updates.
• How to deal with this industrial scale compliance?
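As an added example (not from the talk or Samsung's own tooling), a minimal BoM diff of the kind listed under "Tools" above: compare the BoM of a new firmware or OTA build against the last approved release so that only the delta goes back through identification, audit and approval. Component names, versions and licenses below are constructed.

```python
"""BoM diff: find what a new build changed relative to the last approved BoM.

Each BoM is a list of (component, version, license) records, the output of the
identification step for one firmware image. Only the delta needs re-review, which
is what makes compliance tractable across hundreds of products and OTA updates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    spdx: str  # license identifier recorded at identification time


# Constructed sample BoMs (illustrative names and versions only).
APPROVED_BOM = [
    Component("zlib", "1.2.11", "Zlib"),
    Component("libfoo", "2.0", "MIT"),
    Component("netutil", "0.9", "GPL-2.0-only"),
    Component("oldparser", "1.0", "BSD-3-Clause"),
]
NEW_BOM = [
    Component("zlib", "1.2.13", "Zlib"),
    Component("libfoo", "2.1", "GPL-3.0-only"),  # license changed with the version
    Component("netutil", "0.9", "GPL-2.0-only"),
    Component("imgcodec", "4.2", "Apache-2.0"),  # newly added component
]


def diff_bom(old, new):
    """Return the delta between two BoMs, keyed by review category."""
    old_by = {c.name: c for c in old}
    new_by = {c.name: c for c in new}
    added = sorted(n for n in new_by if n not in old_by)
    removed = sorted(n for n in old_by if n not in new_by)  # notices need updating
    license_changed, version_changed = [], []
    for name in sorted(old_by.keys() & new_by.keys()):
        o, n = old_by[name], new_by[name]
        if o.spdx != n.spdx:
            license_changed.append((name, o.spdx, n.spdx))
        elif o.version != n.version:
            version_changed.append((name, o.version, n.version))
    return {"added": added, "removed": removed,
            "license_changed": license_changed, "version_changed": version_changed}


def needs_review(delta):
    """Components that must re-enter identification, audit and approval:
    anything new, or anything whose license changed. A bare version bump is
    reported separately so notices can be refreshed without a full re-audit."""
    return sorted(delta["added"] + [c[0] for c in delta["license_changed"]])
```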
Coming up with a solution [Art / Science Meter, scale from Art to Science]
The Automation Solution [Art / Science Meter, scale from Art to Science]
Inquiries / Challenges
[Flow: Incoming Inquiry → Acknowledge → Inform → Investigate → Report → Rectify → Improve → Close Inquiry]
Diagram note: “These steps are taken only if a violation was found.”
Managing Inquiries – Process [Art / Science Meter, scale from Art to Science]
Resolving Rightful Inquiries [Art / Science Meter, scale from Art to Science]
Closing
Relationships Matter
How good is good enough?
[Chart: Cost plotted against Risk, from Very High Risk to 0% Risk, marking an Acceptable Safe Level and asking where the Optimal Point is]
• IP Leakage, Product Recall, Compensation, Public Apology, Opening code, $ Settlement, Reputation damage
• Compliance Infra, Education & Training, Code Scanning, Legal Due Diligence, Automation
Source: Yunjae Jung, Samsung SDS
Final Thoughts
We’ve come a long way in compliance and we learned a lot.
Compliance today is now more of a scalability and a cost issue, not as much of a license interpretation debate.
The Next Frontier:
How can we take cost out of compliance and provide a consistent, bulletproof and repeatable approach that helps companies avoid compliance hiccups?
We need Artists & Scientists to attack the Scaling, Automation and Cost challenges.
Ibrahim Haddad, Ph.D.
Head of Open Source Innovation Group
Samsung Research America – Silicon Valley
@IbrahimAtLinux
Thank you!