How to manage OSS licenses for CI/CD development
Takuma Ueba
Fujitsu Computer Technologies Limited
1553ka1 CC BY-SA 4.0

whoami
Copyright 2019 FUJITSU COMPUTER TECHNOLOGIES LIMITED
I have contributed to the following communities:
・Linux kernel
・U-Boot
・Yocto Project
Developer of the in-house embedded Linux distribution for Fujitsu
Our distribution is built with the Yocto Project
My team members are the maintainers of meta-spdxscanner (Lei Maohui) and dnf-plugin-tui (Zheng Ruoqin)
Our distribution is used for 80+ products:
・IVI
・Server System Controller
・Storage System
・Network equipment, etc.
Mainly platform community

Agenda
・Why SPDX is needed?
・Simple introduction of “meta-spdxscanner”
・Case Study (CI/CD development)
・Future Work (Current effort)
・Finally
The names of products are the product names, trademarks or registered trademarks of the respective companies.
Trademark notices ((R),TM) are not necessarily displayed on system names and product names in this material.

Why SPDX is needed?
Difficult to manage OSS information in various formats
Missing OSS License Information!?
[Diagram: suppliers (Company A, Company B, Company C) each make a delivery (software A, software B, software C) to the product vendor. Other diagram labels: SPDX, OSS package information list, lack of information.]

Why SPDX is needed?
・Extracting all license and copyright information
・Centralized format of package information for easier management
SPDX: Software Package Data eXchange®
Standard format for communicating licenses, copyrights, etc. concerning software packages
SPDX is an efficient method to comply with OpenChain.
[Diagram: Company A, Company B and Company C each make a delivery (software A, software B, software C), each labelled SPDX. Other diagram label: OSS package information.]

Simple introduction of “meta-spdxscanner”
・default output: SPDX files (considering OpenChain)
・currently uses FOSSology as the license scanner (a change to scancode-toolkit is being considered)
・support for the SPDX “Modification” field
The Yocto Project is an embedded Linux distribution build environment and the de facto standard worldwide.
(e.g. Automotive Grade Linux (AGL), SoC vendor BSP … built with YP)
[Diagram labels: OSS source code; patches come from 3rd party; Yocto Project (openembedded-core, meta-oe, meta-……); meta-spdxscanner; SPDX files. Yocto build process task labels: do_fetch, do_spdx, do_package, ・・・, do_unpack.]

Case Study (CI/CD development)
・When integration (CI) is performed, new OSS and licenses are added, so it is necessary to clarify the licenses in order to deliver.
・In CI/CD development, reducing scan time is a theme.
e.g. in a weekly deploy environment, a scan that takes several hours does not fit the development cycle.
[Figure: timelines showing integration, scan and delivery steps along a time axis, with the scan time marked.]

Case Study (CI/CD development)
・“meta-spdxscanner” improved performance by reusing previous scan results.
[Bar chart: time spent (seconds, axis from 0 to 250) per OSS package (ntp, busybox, openssl, openssh), series "first" and "reuse".]

Future work (current effort)
・Automatically import SPDX files from the Yocto build process to SW360 (OSS management tool).
・Scan only files with differences.
(Currently, if there are differences in the source file, the entire file is rescanned.)
[Diagram labels: meta-spdxscanner; License scanner; Automation; Easier license-clearing!; Output only differences to spdx.]
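
Added example (not from the slides and not meta-spdxscanner's own code): one way to reuse previous scan results and to rescan only files with differences, keyed on content hashes so that a third-party patch always invalidates the cached result. The whole-package key is the SPDX 2.x package verification code; toy_scan, the cache layout and the package name demo-pkg are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Stand-in for a real license scanner (FOSSology, scancode-toolkit): it only
# reads SPDX-License-Identifier tags. Hypothetical helper for illustration.
TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")


def toy_scan(path):
    match = TAG.search(path.read_text(errors="replace"))
    return match.group(1) if match else "NOASSERTION"


def tree_hashes(root):
    """Map each file's relative path to the SHA-1 of its content."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha1(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verification_code(hashes):
    """SPDX 2.x package verification code: SHA-1 over the sorted file SHA-1s."""
    return hashlib.sha1("".join(sorted(hashes.values())).encode()).hexdigest()


def scan_package(name, root, cache):
    """Return (per-file results, list of files that were actually scanned)."""
    hashes = tree_hashes(root)
    code = verification_code(hashes)
    prev = cache.get(name)
    if prev and prev["code"] == code:
        return prev["files"], []          # nothing changed: reuse everything
    old = prev["files"] if prev else {}
    files, scanned = {}, []
    for rel, sha in hashes.items():
        if rel in old and old[rel]["sha1"] == sha:
            files[rel] = old[rel]         # unchanged file: reuse its result
        else:
            files[rel] = {"sha1": sha, "license": toy_scan(root / rel)}
            scanned.append(rel)
    cache[name] = {"code": code, "files": files}
    return files, scanned


def demo():
    """Three CI runs over a constructed source tree; returns what each scanned."""
    cache, runs = {}, []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "main.c").write_text("/* SPDX-License-Identifier: MIT */\n")
        (root / "util.c").write_text("/* SPDX-License-Identifier: BSD-3-Clause */\n")
        runs.append(scan_package("demo-pkg", root, cache)[1])   # first scan
        runs.append(scan_package("demo-pkg", root, cache)[1])   # no change
        # Simulate a third-party patch that replaces one file.
        (root / "util.c").write_text("/* SPDX-License-Identifier: GPL-2.0-only */\n")
        files, scanned = scan_package("demo-pkg", root, cache)
        runs.append(scanned)
    return runs, {rel: f["license"] for rel, f in files.items()}


if __name__ == "__main__":
    print(demo())
```

Because the cache key is derived from file contents rather than from the package name or version, a recipe that applies a new patch without bumping its version still triggers a rescan of the patched file.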

Finally
I'd appreciate it if you could give me feedback using meta-spdxscanner.
github URL: https://github.com/dl9pf/meta-spdxscanner
If you want to know more about meta-spdxscanner, please ask me.