2. Agenda
● Introduction
● Open Source & Licenses
● What is Open Source Governance?
  – Concepts
  – Best practices
● Which Open Source Governance at HP?
05/09/13
3. Introducing Myself
● Software engineering and Unices since 1988
  – Mostly Configuration Management Systems (CMS), build systems, quality tools, on multiple commercial Unix systems
  – Discovered Open Source & Linux (OSL) & first contributions in 1993
  – Full time on OSL since 1995, first as HP reseller then @HP
● Currently:
  – Master Technology Architect on OSL for the HP/Intel Solution Center, Grenoble
  – OSL HP Advocate
  – EMEA OSL HP Profession Lead
  – Solutions Linux Conference and OWF board member. Conferences at WW level in LinuxCon, Linux.conf.au
  – MondoRescue, Dploy.org, Project-Builder.org Project Lead
  – LinuxCOE, mrepo, tellico, rinse, fossology, collectl contributor
  – FOSSBazaar and OSL Governance enthusiast
  – Mandriva, Mageia, Fedora packager
4. “Open Source” is three things
Licenses
● Almost 60 licenses today
● Some require that code changes be returned to the community at large
  – These are called copyleft or reciprocal
  – They are not viral
  – This requirement is what makes the methodology work
● Other licenses are similar to the public domain and have few requirements
● Copyrights are still a core foundational element of all open source licenses
Community
● Any collection of developers with a common interest
● Historically made up of free agents
● Increasingly funded by large companies sharing development costs
● Governments and academia also contributing at an increasing pace
Methodology
● Communal, shared development
● Various projects each with their own subculture
● Governance models vary widely, some autocratic, others consensus based
● Very few roadmaps, but some projects are starting to publish them
● Influence and control is achieved by being integrated & involved
● Individuals are largely in control, not companies
• You can use all three as a competitive advantage
• The business model shifts to subscriptions and support
• The more you get involved, the more you can influence/control
5. Free & Open Source Software (FOSS) Licenses
[Diagram: software categorised by cost and source availability. "No-charge software" covers freeware, shareware and binary-only products such as Adobe Reader; "source code available" covers source with limitations (many Java libraries, Microsoft shared source, Sun SCSL) and FOSS. FOSS is split into licenses with "no impact on other code" and "copyleft" licenses; licenses shown: GNU GPL, GNU LGPL, IBM, W3C, BSD, Mozilla, Apache, MIT.]
Reference URL: http://www.gnu.org/licenses/licenses.en.html
6. Free & Open Source Licenses Key Points
● Redistribution is permitted without a need to pay fees for distributed copies.
● Source code is available and may be modified.
● Modified versions may be distributed with permission for others to do all the above.
FOSS goals are:
● Knowledge sharing
● Modification to adapt
● Learn by looking inside
A FOSS is like a car whose hood is open.
8. What is IT Governance?
● Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT. (Weill & Ross, “IT Governance”)
● IT Governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT. (Van Grembergen, 2002)
● IT Governance is the effective management of all IT assets, functions & processes in support of the enterprise’s business objectives.
9. Scope of IT Governance
• IT operating principles
  − Changes brought by extensive FOSS usage on operational principles (buy, build, reuse, ...)
• IT project portfolio
• Enterprise Architecture
• IT application portfolio
  − Impact of mixing stacks using FOSS, evaluation of the technical fit first.
• IT finance
• IT infrastructure / operations
  − FOSS deployment and management impacts
• Project/Program methodology
  − FOSS program office addition impact, FOSS review in the development process
• Human capital
  − Employee participation, performance plan impact, employment contract impact
• Software Development Life Cycle
  − Interaction with FOSS communities, its viability
• IT procurement
• IT sourcing
  − Impact of FOSS on in/out sourcing
• CRM / SRM
Open Source will affect many areas within an organization’s IT governance structure, depending upon the organization’s business model.
10. Open Source Governance: Why now?
● Compelling FOSS value proposition leading to increased pervasiveness.
● FOSS usage & contributions often unclear, under the radar. 80% of IT environments WW (Gartner) include or will include open source SW, but less than 10% are conscious of the risks incurred.
● Increasing worldwide requirements for compliance – distribution & acquisitions issues.
● Current IT policies and processes not always designed for open source:
  – Usage must be reviewed in context.
  – Legal exposure from ~60 OSI “approved” licenses (HP tracks 400+).
  – License violations can have different consequences than traditional software.
Best practices and streamlined processes required to reap benefits and mitigate risks => eliminate (perceived) risk of using Open Source.
11. Why is FOSS any different from Commercial Software?
To use commercial software in your development process, you must go through…. Procurement!
12. Accepting and Managing Open Source
● The question is not if an enterprise should use FOSS, but rather when, how, where, and with whom.
● FOSS is unavoidable; it's even already there.
● Questions that need to be answered:
  – How is FOSS chosen and acquired?
  – Where does it come from?
  – How and where is it used?
  – How is it supported?
  – What version should I be running?
  – Is it LSB compliant?
  – What are the license obligations?
  – How is it deployed, managed, updated and secured?
  – How is it tracked (how is the project tracked)?
13. What is Open Source Governance?
Image source: http://www.niehs.nih.gov/kids/illusion/illusions7.htm
Open source governance is a framework of policies, processes and tools that helps an organization effectively manage all of its interactions with open source software, resulting in optimal use and reduced risk.
14. Depends on who you ask ...
• What OSS is contained in this product I just purchased from my ISV partner? (Procurement)
• What are the license obligations for using this OSS in our company's products? (Legal)
• Which of these open source LDAP servers will best suit my IT infrastructure? (IT Department)
• Is this open source XML parser really going to save me 20% of my engineer's time? (Engineering manager)
• So, you work on our flagship management software product, but you also want to contribute to Nagios? (IP Department)
• Will statically linking this OSS library to my application cause me any problems? (S/W developer)
16. HP’s interaction with FOSS
● Internal Usage
  – OpenLDAP, Jabber (XMPP), bind (DNS), postfix (SMTP), sympa, mediawiki, etc…
● Incorporated in our Software Products
  – OpenView, Insight Manager, SSSTK, PSP, WebOS, CloudOS… many software products including kernel modules
● Ship Open Source Distributions
  – Red Hat, Suse, Debian, Ubuntu etc…
● Embedded in our hardware products
  – Printers, televisions, storage devices, etc…
● Active participants in the communities
  – Contributors in dozens of projects (including Linux, OpenLDAP, Samba, bind, sympa, ...)
  – Maintainers in several projects (including Debian, OpenStack, LinuxCOE, MondoRescue, cciss, ...)
http://opensource.hp.com/opensource_projects.html
17. Open Source Governance Maturity Model
Level  Description                                          Who is there
5      Open source librarian and quality assurance          HP today
4      “Golden” repository of software and metadata
3      Automated tools and workflow
2      Policy and processes
1      Training and awareness                               Most customers
18. HP Open Source Governance IP
Best Practices (HP internally-developed):
• Defined and communicated corporate-wide policies, with upper management support
• Open Source Program Office: central place where all open source activities are understood, for consistent communication inside/outside the company. Responsible for http://opensource.hp.com and HP's promotion.
• Open Source Review Board: core governance process evolving throughout the years, controlled by a virtual team of Open Source experts. Controls FOSS used, delivered, shipped, new FOSS products, employee contributions, ...
• Legal and IP FOSS expertise
Tools:
• Fossology
• PTS
• Internal mailing list
Docs:
• Open Source Policy Manual
• Training material / Webinars
• Knowledge base / Web portal
19. HP Open Source Program Office
[OSRB workflow diagram]
Proposals (new & resubmit) enter from the Submitter; obvious cases may take a Fast track to the OSRB.
Review stages shown, each advancing on “Go”: Attorney Review → OSRB check for Add’l info → OSRB PreReview → OSRB IP Review → OSRB Final Review → Approved.
Other outcomes at any stage: Reject, On-hold, Request for Add’l info.
Feedback to the submitter: Go/No Go, Add’l Info.
Legend: Automated Communications / Manual Activities
20. PTS: Proposal Tracking System
- Internal tool (2nd generation) to help manage Open Source usage in HP
- HP contribution requests
- Personal contribution requests
- Software component reuse
- Interface with library DB to ease declaration
- Workflow to support the OSRB review described above
- Online help
- Champions community per BU
- Fast track possibility for obvious cases
- Support up to the most complex cases (GPLv3 proposals, license modification, mixed contributions)
- History of modifications to proposals
21. HP FOSS Governance Initiative
Major HP intellectual property contribution:
• An international open source community program launched, focussed on FOSS governance, including:
  − FOSSBazaar: a Web based community to develop, share and provide information and industry best practices to take advantage of FOSS benefits. Founded by HP along with partners: Coverity, Google, Linux Foundation, Novell, Olliance Group, OpenLogic and SourceForge
  − FOSSology: a Web based community to develop an architectural framework and tools to analyze FOSS, founded by HP.
  − SPDX: a Linux Foundation standard for license identification in upstream software
  − An ecosystem
    • Centered on FOSSBazaar
    • Partners/Corp and academia developers, best practices and tools
    • HP C&I and Partners Services
  − Bridging
    • The FOSS and the Business Communities
    • Developing and supporting the utilization of open standards
[Ecosystem diagram, dated 7 March 2008: FOSSBazaar at the centre, surrounded by IT Mgmt, Gov/Pub Sector, Service Providers, ISVs & IHVs, Corp Developers, SIs/VARs and Academia]
22. License Discovery and Analysis (1)
License claims cannot be trusted
• Example open source project - OpenOffice
  − Claimed license is LGPL (http://www.openoffice.org/license.html)
    • Is this for the entire package?
    • Has this been verified?
    • Does it include other components that are under a different license?
  − Discovered license(s), from openoffice.org2_1.9.129-0.1ubuntu4.dsc (breezy):
    • 2706 LGPL
    • 421 OpenGroup-style
    • 327 BSD-style
    • 103 MIT-style
    • 48 GPL
23. License Discovery and Analysis (2)
Licenses change, all the time
• Example open source project - elfutils
  − Core component of Red Hat Linux distributions
  − elfutils-0.89-1 in RHEL-3 was licensed under the OSL (v1.0)
  − elfutils-0.91-3 in RHEL-3.1 was licensed under GPL (v2.0)
• HP did not ship RHEL-3 to customers due to elfutils' license
• With HP's help, license was changed to GPL for next revision of package
• Typical Linux distributions contain 1000's of packages
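The two slides above make one point twice: the license a package claims must be checked against what a scan of its files actually finds, and that scan must be repeated for every new version. The block below is an added example (not HP's, FOSSology's or the slides' own code) of the minimal form of such a check: it tallies license families from per-file headers, lists families that contradict the claimed license, and diffs the tallies of two package versions so a change like elfutils' OSL to GPL move is surfaced. The marker patterns and the sample files are constructed for illustration only.

```python
import re
from collections import Counter

# Illustrative header markers for a few license families (constructed, not a
# complete detector). LGPL is listed before GPL so the LGPL marker wins on a
# header that mentions both, mirroring how a scanner must order its signatures.
LICENSE_PATTERNS = [
    ("LGPL", re.compile(r"GNU (Library|Lesser) General Public License", re.I)),
    ("GPL", re.compile(r"GNU General Public License", re.I)),
    ("OSL", re.compile(r"Open Software License", re.I)),
    ("BSD-style", re.compile(r"Redistributions of source code must retain", re.I)),
    ("MIT-style", re.compile(r"Permission is hereby granted, free of charge", re.I)),
]

def detect_license(text):
    """Return the first license family whose marker appears in a file's text."""
    for name, pattern in LICENSE_PATTERNS:
        if pattern.search(text):
            return name
    return "Unknown"

def scan_package(files):
    """Tally discovered license families over a {path: contents} mapping."""
    return Counter(detect_license(text) for text in files.values())

def check_claim(claimed, discovered):
    """Families found in the package that differ from its claimed license."""
    return sorted(name for name in discovered if name != claimed)

def license_changes(old, new):
    """Families that appeared or vanished between two versions' tallies."""
    return {"appeared": sorted(set(new) - set(old)),
            "vanished": sorted(set(old) - set(new))}

# Constructed sample package, version A, claiming LGPL for the whole tree.
CLAIMED = "LGPL"
VERSION_A = {
    "sal/main.c": "/* Licensed under the GNU Lesser General Public License v2.1 */",
    "vcl/win.c": "/* Redistributions of source code must retain the above notice */",
    "util/hash.c": "/* Permission is hereby granted, free of charge, to any person */",
    "lib/elf.c": "/* This file is licensed under the Open Software License v1.0 */",
}
# Version B: the same tree after one file was relicensed from OSL to GPL.
VERSION_B = dict(VERSION_A,
                 **{"lib/elf.c": "/* GNU General Public License version 2 applies */"})

if __name__ == "__main__":
    tally_a, tally_b = scan_package(VERSION_A), scan_package(VERSION_B)
    print("discovered:", dict(tally_a))
    print("contradicting the claim of", CLAIMED + ":", check_claim(CLAIMED, tally_a))
    print("changes A -> B:", license_changes(tally_a, tally_b))
```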
24. Key Paradigm
Tools are NOT a replacement for Open Source governance processes, but will improve the processes by providing:
• Enablement (manual process not viable)
• Efficiencies (improved TCO)
• Agility (improved time-to-market)
• Reliability (license detection)
• Scalability (single package as well as complete distribution)
• Traceability (record proposals and history)
25. Open Source Governance Workshop
Workshop designed to guide through the top issues around management of Open Source in the enterprise. Targeted at a cross-organizational audience, including auditing, legal, procurement, operational risk management, technology strategy, and line-of-business departments.
• Open Source Baseline
  − Business Drivers
  − Various open source touch points in your company
  − Awareness, responsibilities, risks, processes
• Legal Aspects of Open Source Governance
  − Assessment of the Free and Open Source software phenomenon
  − Detailed discussion of Open Source Licenses
  − Bridging the legal and technical communities
  − Other considerations: Web-based services, mergers and acquisitions, other
• Open Source Policy Best Practices
  − Use of open source – when appropriate, when not appropriate for your business
  − Review of licenses, product distribution considerations
  − Considerations for employee contribution to the open source community
  − Company relationship with community
• Open Source Governance Processes
  − Best practices for open source tracking, review and management
  − Open Source Compliance Lifecycle, workflow
  − Building Internal Open Source Communities
• Automating Open Source Compliance
  − Open Source discovery
  − License detection and analysis
26. Company FOSS Policies and Guidelines Considerations
Recommend joint development by all involved company departments: Legal (requires FOSS legal expertise, local or outsourced), IP (patent portfolio management), IT (in charge of tooling), Development (developers trained), Business management (risk management).
Grouped in an Open Source Review Board to define the FOSS Governance:
• Company use of Open Source: define Policies & Processes
  − Business Drivers
  − Infrastructure, required tools to perform mandatory analyses
  − Development Projects responsibilities
  − FOSS Usage models
  − Technical contributions, FOSS usage, shipments/distribution, ...
• Employee Open Source Contributions
• Relationships with Open Source Community
• Awareness, Docs, Communication and Compliance
• Licensing, Copyrights and Patent Guidelines
• Employee and Manager Responsibilities
28. Contact - Thanks
Bruno.Cornec@hp.com
(Open Source and Linux Technology Architect at the HP/Intel Solution Center)
http://www.hp.com/linux
http://opensource.hp.com
Thanks go to: Linus Torvalds, Richard Stallman, Eric Raymond, Nat Makarevitch, René Cougnenc, Eric Dumas, Rémy Card, Bdale Garbee, Bryan Gartner, Craig Lamparter, Lee Mayes, Gallig Renaud, Andree Leidenfrost, Phil Robb, Bob Gobeille, Martin Michlmayr among others, for their work and devotion to the Open Source Software cause... and my family for their patience :-)
« Changes are never easy to make. There is comfort and safety in tradition, but change must come, no matter how painful or expensive it may be. »
Bill Hewlett