This session will present the two new projects initiated by HP around Open Source Governance:
● FOSSBazaar is a community Web site gathering all types of information around Open Source Governance (policy examples, workflow models, white papers, expert blogs, references to related projects, ...)
● FOSSology is a tool that helps evaluate which Open Source licenses are actually used in a project: it analyses the code, runs pattern-matching searches over it and reports what it found. A video of the FOSSology Project Lead, Bob Gobeille, will be made specially for the fOSSa event.
2. Open Source Governance in the Enterprise
Agenda
• Introduction
• Open Source in the Enterprise
• What is Open Source Governance?
−Concepts
−Best practices
• HP's Open Source Governance initiative
−FOSSBazaar
−FOSSology
−HP Health Check services
2 18 November 2009 FOSS Governance / Bruno Cornec / HP
3. Open Source Governance in the Enterprise
Introducing myself
• Software engineering since 1988
−Mostly Configuration Management Systems (CMS), build systems and quality tools, on multiple commercial Unix systems
• Discovered Open Source & Linux (OSL) and made first contributions in 1993
• Full time on OSL since 1995, first as an HP reseller, then at HP
• Currently…
−Technology Architect on OSL for the HP/Intel Solution Center
−OSL HP Ambassador
−EMEA OSL HP Profession Lead
−Solutions Linux Conference board member
−MondoRescue, Dploy.org, Project-Builder.org project leader
−LinuxCOE, mrepo, tellico contributor
−Mandriva, Fedora distribution packager
4. Open Source Governance in the Enterprise
“Open Source” is three things
Licenses
−Almost 60 licenses today
−Some require that code changes be returned to the community at large. These are called copyleft or reciprocal. They are not viral. This requirement is what makes the methodology work.
−Other licenses are similar to the public domain and have few requirements
−Copyrights are still a core foundational element of all open source licenses
Community
−Any collection of developers with a common interest
−Historically made up of free agents
−Increasingly funded by large companies sharing development costs
−Governments and academia also contributing at an increasing pace
Methodology
−Communal, shared development
−Various projects each with their own subculture
−Governance models vary widely, some autocratic, others consensus based
−Very few roadmaps, but some projects are starting to publish them
−Influence and control is achieved by being integrated & involved
−Individuals are largely in control, not companies
•You can use all three as a competitive advantage
•The business model shifts to subscriptions and support
•The more you get involved, the more you can influence/control
5. Open Source Governance in the Enterprise
Free & Open Source Software (FOSS) Licenses
[Diagram: classification of no-charge software, with the examples grouped as follows]
−Binary-only: freeware, shareware, Adobe Reader
−Source code available, but with limitations: many Sun java libraries (SCSL), Microsoft shared source
−FOSS, copyleft: GNU GPL, GNU LGPL, Mozilla
−FOSS, no impact on other code: W3C, IBM, BSD, Apache, MIT
Reference URL: http://www.gnu.org/licenses/licenses.en.html
6. Open Source Governance in the Enterprise
Free & Open Source Licenses Key Points
Redistribution is permitted without a need to pay fees for distributed copies.
Source code is available and may be modified.
Modified versions may be distributed with permission for others to do all the above.
FOSS goals are:
Knowledge sharing
Modification to adapt
Learn by looking inside
A FOSS is like a car whose hood is open
7. Open Source Governance in the Enterprise
Open Source Governance
Concepts
8. Open Source Governance in the Enterprise
What is IT Governance?
Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT. (Weill & Ross, “IT Governance”)
IT Governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT. (Van Grembergen, 2002)
IT Governance is the effective management of all IT assets, functions & processes in support of the enterprise’s business objectives.
9. Open Source Governance in the Enterprise
Scope of IT Governance
• IT operating principles
− Changes brought by extensive FOSS usage on operational principles (buy, build, reuse, ...)
• IT project portfolio
• Enterprise Architecture
• IT application portfolio
− Impact of mixing stacks using FOSS, evaluation of the technical fit first.
• IT procurement
• IT finance
• IT infrastructure / operations
− FOSS deployment and management impacts
• Project/Program methodology
− FOSS program office addition impact, FOSS review in the development process
• Human capital
− Employee participation, performance plan impact, employment contract impact
• Software Development Life Cycle
− Interaction with FOSS communities, its viability
• IT sourcing
− Impact of FOSS on In/Out sourcing
• CRM / SRM
Open Source will affect many areas within an organization’s IT governance structure, depending upon the organization’s business model
10. Open Source Governance in the Enterprise
Open Source Governance: Why now?
• Compelling FOSS value proposition leading to
increased pervasiveness.
• FOSS usage & contributions often unclear, under
the radar. 80% of IT environments WW (Gartner)
include or will include open source SW, but less
than 10% are conscious of the risks incurred.
• Increasing worldwide requirements for compliance
– Distribution & acquisitions issues.
• Current IT policies and processes not designed for
open source:
−Usage must be reviewed in context.
−Legal exposure from ~60 OSI “approved”
licenses (HP tracks 200+).
−License violations can have different
consequences than traditional software.
Best practices and streamlined processes required to reap benefits and mitigate
risks => Eliminate (perceived) risk of using Open Source.
11. Open Source Governance in the Enterprise
Why is FOSS any different from Commercial Software?
To use commercial software in your development process,
you must go through….
Procurement!
12. Open Source Governance in the Enterprise
Accepting and Managing Open Source
• The question is not whether an enterprise should use FOSS, but rather when, how, where, and with whom.
• FOSS is unavoidable; it is already there.
• Questions that need to be answered:
−How is FOSS chosen and acquired?
−Where does it come from?
−How and where is it used?
−How is it supported?
−What version should I be running?
−Is it LSB compliant?
−What are the license obligations?
−How is it deployed, managed, updated and secured?
−How is it tracked (how is the project tracked)?
13. Open Source Governance in the Enterprise
“The goal of all of this is to reduce a
barrier to adoption of FOSS by
enterprises. When you can understand
it and you can manage it, the FUD
factor goes away.”
Christine Martino, as quoted in Matt
Asay’s CNET blog on 2008-01-27
14. Open Source Governance in the Enterprise
What is Open Source Governance?
Open source governance is a framework of policies,
processes and tools that helps an organization effectively
manage all of its interactions with open source software
resulting in optimal use and reduced risk.
Image source: http://www.niehs.nih.gov/kids/illusion/illusions7.htm
15. Open Source Governance in the Enterprise
Depends on who you ask ...
• What OSS is contained in this product I just purchased
from my ISV partner? (Procurement)
• What are the license obligations for using this OSS in our
company's products? (Legal)
• Which of these open source LDAP servers will best suit
my IT infrastructure? (IT Department)
• Is this open source xml parser really going to save me
20% of my engineer's time? (Engineering manager)
• So, you work on our flagship management software
product, but you also want to contribute to nagios? (IP
Department)
• Will statically linking this OSS library to my application
cause me any problems? (S/W developer)
16. Open Source Governance in the Enterprise
Open Source Governance
Best practices
17. Open Source Governance in the Enterprise
HP’s interaction with FOSS
• Internal Usage
−OpenLDAP, Jabber (XMPP), bind (DNS), postfix (SMTP), sympa,
mediawiki, etc…
• Incorporated in our Software Products
−OpenView, Insight Manager, SSSTK, PSP, … many software products
including kernel modules
• Ship Open Source Distributions
−Red Hat, Suse, Debian, etc…
• Embedded in our hardware products
−Printers, televisions, storage devices, etc…
• Active participants in the communities
−Contributors in dozens of projects (including Linux, Debian, Samba,
bind, sympa, ...)
−Maintainers in several projects (including Debian, LinuxCOE,
MondoRescue, cciss, ...)
http://opensource.hp.com/opensource_projects.html
18. Open Source Governance in the Enterprise
Open Source Governance Maturity Model
Level 5: Open source librarian and quality assurance
Level 4: “Golden” repository of software and metadata
Level 3: Automated tools and workflow
Level 2: Policy and processes
Level 1: Training and awareness
(HP today is positioned at the top of the model; most customers are at the bottom.)
19. Open Source Governance in the Enterprise
HP Open Source Governance IP
Best Practices (HP internally-developed)
• Defined and communicated corporate-wide policies (training, awareness & knowledge base)
• Open Source Program Office
Central place where all open source activities are understood, for consistent communication inside/outside the company. Responsible for http://opensource.hp.com and HP's promotion.
• Open Source Review Board (conceptual)
Core Governance process, evolving throughout the years, controlled by a virtual team of Open Source experts. Controls FOSS used, delivered, shipped, new FOSS products, employee contributions, ...
• Open Source Policy Manual
• Legal FOSS expertise
Tools
• Agents: license analysis, source code reuse, Linux kernel taint analysis, LSB compliance
• Code repository (in development)
• Meta data (in development)
• OSRB portal / proposal tracking system
20. Open Source Governance in the Enterprise
HP Open Source Program Office
[Diagram: OSRB proposal workflow]
−Submitter sends proposals (new & resubmit) to the OSRB
−OSRB Pre-Review: Go, or request for add’l info back to the submitter
−OSRB Attorney IP Review: Go, or request for add’l info
−OSRB Final Review: Go
−Outcome: Approved, Reject, or On-hold
−A fast-track OSRB check exists alongside the full review
−Feedback to the submitter: Go/No Go, Add’l Info
Legend: communications are automated; review activities are manual.
21. Open Source Governance in the Enterprise
HP's Open Source
Governance initiative
New community initiatives
Major IP contributions
New HP services
22. Open Source Governance in the Enterprise
HP FOSS Governance Initiative
HP's major intellectual property contribution:
• An international open source community program launched, focussed on FOSS governance, including
− FOSSBazaar: a Web based community to develop, share and provide information and industry best practices to take advantage of FOSS benefits. Founded by HP along with partners: Coverity, Google, Linux Foundation, Novell, Olliance Group, OpenLogic and SourceForge
− FOSSology: a Web based community to develop an architectural framework and tools to analyze FOSS, founded by HP.
−An ecosystem
• Centered on FOSSBazaar
• Partners/Corp and academia developers, best practices and tools
• HP C&I and Partners Services
• HP SW BTO solutions
−Bridging
• The FOSS and the Business Communities
[Diagram: FOSSBazaar at the centre of an ecosystem of IT Mgmt Service Providers, SIs/VARs, ISVs & IHVs, Academia, Gov/Pub Sector and Corp Developers, developing and supporting the utilization of open standards]
23. Open Source Governance in the Enterprise
Why is HP investing in FOSSBazaar and FOSSology?
• Our FSI customers have asked HP to open source our governance
tools.
• Demonstrate HP’s leadership and strong commitment to the Open
Source movement.
−Small projects and/or vendors have begun to address some of this need in a piecemeal fashion.
• This initiative is not in competition with any other organization or
individual:
−Anyone can join FOSSBazaar and access the documentation and tools,
download, modify, and use what is provided.
−Any contributor can join FOSSology.
−Competition is for products (Open Logic, Palamida, Black Duck,
Krugle) and services.
• Enable C&I FOSS governance service revenue.
• Leverage the power of many to speed-up the adoption of FOSS.
24. Open Source Governance in the Enterprise
FOSSBazaar
For FOSS users & experts in businesses, institutions & governments.
• A workgroup of the Linux Foundation
• HP’s FOSS Governance Fundamentals document
• HP Whitepapers:
− “Best practices in open source governance”
− “Open source governance: Critical business considerations and strategies”
• Assessment guides:
− Open source Governance Maturity Self-assessment survey
− Open source Supportability Assessment (OSSA) tools & process
• Moderated forums
− General/getting started, legal & licensing, policy and process, security, lifecycle management, support
• Blogs authored by industry experts
• News articles
• Links providing access to sponsors/vendors
− (i.e. HP’s C&I services, OpenLogic), other open source communities of interest (i.e. openBRR)
• Tools area
− Link to FOSSology project
25. Open Source Governance in the Enterprise
FOSSology
• Makes it easier to inventory, study and evaluate free and open source software.
−Dedicated to the development of Governance tools.
−Encompassing a code repository, a meta-data database, and an open source license detection agent
•Add’l agents will be developed over time
−Based on an extensible architecture designed by HP (Nomos)
•Enable anyone to create and easily plug-in new functionality.
−Academia, enterprise researchers & developers interested in deploying FOSS
• Download site for the FOSSology tool: http://www.fossology.org
[Diagram: an Open Source Software Repository feeding agents (OSS Discovery & Extraction, License Detection, Code Reuse, Integration Testing, Vulnerability/Security Monitor, LSB Compliance and others…), which write to a meta-data database; results feed report generation. HP's initial IP (software contribution, 1st half ‘08) covers the repository, database and license detection; the other agents are future ideas.]
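As an added illustration (not FOSSology's own code, nor its Nomos agent), here is a minimal license-detection agent of the kind the slide describes: it pattern-matches standard license notices in file headers, classifies each hit using the copyleft / "no impact on other code" split from the licenses slide, and reports which files need human review. The signature phrases and the sample file tree are constructed for this example.

```python
import re
from collections import Counter

# Signature phrases from the standard license notices, mapped to (name, class).
# LGPL is listed before GPL so the more specific notice wins. Classes follow
# the deck's split between copyleft and licenses with no impact on other code.
SIGNATURES = [
    (r"GNU Lesser General Public License", "LGPL", "weak copyleft"),
    (r"GNU General Public License", "GPL", "copyleft"),
    (r"Mozilla Public License", "MPL", "weak copyleft"),
    (r"Apache License,? Version 2\.0", "Apache-2.0", "permissive"),
    (r"Permission is hereby granted, free of charge", "MIT", "permissive"),
    (r"Redistributions of source code must retain the above copyright", "BSD", "permissive"),
]
HEADER_BYTES = 4096  # license notices live at the top of a file

SAMPLE_TREE = {  # constructed sample inputs, not real project files
    "lib/list.c": "/* This program is free software: you can redistribute it and/or modify\n"
                  " * it under the terms of the GNU General Public License as published by\n"
                  " * the Free Software Foundation. */\nint x;",
    "lib/util.c": "/* This library is free software; you can redistribute it and/or modify\n"
                  " * it under the terms of the GNU Lesser General Public License */",
    "web/app.js": "// Permission is hereby granted, free of charge, to any person obtaining\n"
                  "// a copy of this software ...",
    "tools/cfg.py": "# Licensed under the Apache License, Version 2.0 (the \"License\");",
    "vendor/blob.c": "int unknown_origin(void) { return 0; }",  # no notice at all
}

def detect_license(text):
    """Return (license, class) for the first matching notice, else ('unknown', 'unknown')."""
    head = " ".join(text[:HEADER_BYTES].split())  # undo comment wrapping and whitespace
    for pattern, name, cls in SIGNATURES:
        if re.search(pattern, head, re.IGNORECASE):
            return name, cls
    return "unknown", "unknown"

def scan_tree(files):
    """files: {path: contents}. Returns {path: (license, class)} in path order."""
    return {path: detect_license(text) for path, text in sorted(files.items())}

def report(results):
    """Per-license counts plus the files a review board must look at by hand:
    copyleft code carries reciprocal obligations, unknown code has no provenance."""
    summary = Counter(lic for lic, _ in results.values())
    needs_review = [p for p, (_, cls) in results.items() if cls in ("copyleft", "unknown")]
    return {"summary": dict(summary), "needs_review": needs_review}

if __name__ == "__main__":
    found = scan_tree(SAMPLE_TREE)
    for path, (lic, cls) in found.items():
        print(f"{path:15} {lic:10} {cls}")
    print(report(found))
```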
26. Open Source Governance in the Enterprise
Key Paradigm
Tools are NOT a replacement
for Open Source governance processes
but will improve the processes by providing:
• Enablement (manual process not viable)
• Efficiencies (improved TCO)
• Agility (improved time-to-market)
• Reliability (license detection)
• Scalability (single package as well as
complete distribution)
27. Open Source Governance in the Enterprise
Open Source Health Check - What is it?
• A set of services to diagnose the
use of Open Source in an
enterprise
• Designed to answer 3 key
questions
−What OSS is used in my
company?
−Where is it being used?
−How is it being used?
• Diagnosis is the basis for eventual process improvement
28. Open Source Governance in the Enterprise
Contact
Bruno.Cornec@hp.com (Linux Solution Consultant in the HP/Intel Solution Center)
http://www.hp.com/linux
”Changes are never easy to make. There is comfort and safety in tradition, but change must come, no matter how painful or expensive it may be.” Bill Hewlett
Thanks
Linus Torvalds, Richard Stallman, Eric Raymond, Nat Makarevitch, René Cougnenc, Eric Dumas, Rémy Card, Phil Robb, Michael Wenig among others, for their work and devotion to the Open Source Software cause... and my family for their patience :-)