December 3rd, 2014 – Silicon Valley, CA

Managing Open Source in the GitHub Era
Agenda

• Introduction
• Understanding basic issues for OSS compliance
• Understanding new issues for OSS compliance in the GitHub Era
• Best practices to reduce risk
• Latest trends for process and tools to manage open source compliance
• Questions
Most Common OSS License Obligations

• Copyright and license notices
• Attribution obligations
• “Copyleft” obligations
  – Licensing of derivative works
  – Change notices
  – Offer to provide source code
• Carve out for OSS in your license agreements
Key OSS Compliance Challenges

• Tracking acquisition and use of open source
• Getting OSS information from suppliers
• Delivering OSS information to customers
  – Attribution notice creation and delivery
  – Copyleft - source code packaging and delivery
The “GitHub Era”

• Decentralized and distributed model of Git represents many of the new OSS trends
• More individuals engaged directly
• Smaller projects/components with many more dependencies
• Forking is encouraged → exponential growth in number of copies of popular components
• Explosion in the number of distinct OSS components used in products and systems - from dozens to hundreds to thousands or more
Growth of component repositories

• In January 2011 there were less than 80K components available in the main component repositories (Maven, CPAN, Pypi, RubyGems)
• In December 2014 there are more than 500K components and counting (including NPM, Bower, Godoc, Packagist, NuGet)
• In 2014, new components have been added to these repositories at the rate of over 10,000 new component-versions per month.

Source: http://www.modulecounts.com/
GitHub – more background

• Provides Git-based services.
• Git is a version control and content management tool from Linus Torvalds (GPL v2)
• GitHub key attributes are easy code sharing and collaboration
• JavaScript is dominant
  – Other languages: Ruby, Java, PHP, Python, C/C++
• Started in 2008
  – Over 17 million repos and 7.8 million users claimed
• Over the last 12 months, new public open source component repositories:
  – Over 350K created per month (excluding forks)
  – 10,000+ created daily

Source: nexB research data, GitHub API, 2013-11/2014-11
Evolution of OSS Development

OLD OSS                                   NEW OSS
• Centralized development                 • Decentralized development
• CVS, Subversion                         • Git / GitHub
• Project leader is benevolent dictator   • Each developer forks code at any time
• Fewer larger components                 • More smaller components
• Push releases                           • Pull releases
• C/C++, Java                             • JavaScript, Ruby, Scala, Go
• SourceForge, Maven                      • RubyGems, NPM
• L/GPL v2, BSD, MIT                      • MIT, Apache, L/GPL v3
• Desktops and servers                    • Mobile and Cloud
Evolution of OSS Compliance Challenges

• OLD OSS: Components without a license
  NEW OSS: Many more components without a license
• OLD OSS: OSS code downloaded to internal codebase and compiled locally (vendored)
  NEW OSS: Deep external dependencies provisioned live from the web at deployment or runtime
• OLD OSS: Distribution means shipment or download
  NEW OSS: Distribution via network / Internet deployment
• OLD OSS: Snippets
  NEW OSS: Many more snippets
Challenges - Missing licenses

• No license from copyright holder means that you do not have a right to copy or re-use the software
• License at project / README level helps, but…
• Ambiguous without notices in source files
• License information is lost when code is partially copied
• Not a new problem, but scale is increasing rapidly
Solutions – Missing licenses
Challenges – Snippets

• Many snippet-sharing / educational web sites have vague or no license terms
  – Someone who posts a code snippet or code example does not usually think about an explicit license
  – Terms of service are the typical default
• StackOverflow example
  – Major source of advice about coding including code snippets
  – StackOverflow license is CC-BY-SA which is effectively copyleft
Challenges – JavaScript example

• Accelerated usage on server and clients – esp. mobile
• Very common to mash up snippets of JavaScript from multiple origins and compile/minify them in a single file for execution efficiency
  – License information often lost when extracting snippets
  – Most restrictive license applies to the JavaScript file
• jQuery core components are MIT-licensed, but components named jquery-xxxxx may be copyleft-licensed
  – Executing JS on client could be considered distribution
  – And could have copyleft impact on server-side code
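The loss of notices during concatenate-and-minify, shown as an added example that is not part of the original presentation. The comment stripper is a deliberately simple stand-in for a minifier (an assumption, not any real tool's behaviour), and the three input files, their origins and their licenses are constructed. The naive bundle drops every comment, so the MIT and GPL-2.0 notices vanish from the shipped file; the notice-preserving bundle keeps comment blocks that carry license or copyright text and records which input each came from, and a separate check reports inputs that carry no notice at all.

```python
"""Bundling JavaScript with and without preserving license notices (added example)."""
import re

# Constructed inputs: three files with different origins and licenses.
SOURCES = {
    "jquery.core.js": "/*! jQuery core (c) Example Foundation | MIT license */\nfunction $(){}\n",
    "jquery-plugin-x.js": ("/* jquery-plugin-x\n * Copyright (c) Plugin Author\n"
                           " * Licensed under GPL-2.0\n */\nfunction plugin(){}\n"),
    "snippet.js": "// helper pasted from a forum post, no terms stated\nfunction helper(){ return 1; }\n",
}

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)
NOTICE_WORDS = re.compile(r"license|copyright|\(c\)", re.IGNORECASE)


def strip_comments(code):
    """Naive minify step: drop all block and line comments and blank lines."""
    code = BLOCK_COMMENT.sub("", code)
    code = LINE_COMMENT.sub("", code)
    return "\n".join(line for line in code.splitlines() if line.strip())


def bundle_naive(sources):
    """Concatenate and strip: every notice is lost, whatever the license."""
    return "\n".join(strip_comments(code) for code in sources.values())


def bundle_preserving(sources):
    """Keep notice comments, tagged with their origin, ahead of the stripped bodies."""
    notices = []
    bodies = []
    for name, code in sources.items():
        for comment in BLOCK_COMMENT.findall(code):
            if NOTICE_WORDS.search(comment):
                notices.append(f"/* from {name} */\n{comment}")
        bodies.append(strip_comments(code))
    manifest = "\n".join(notices)
    bundle = (manifest + "\n" if manifest else "") + "\n".join(bodies)
    return bundle, notices


def undocumented_inputs(sources):
    """Inputs whose comments carry no notice: provenance has to be documented elsewhere."""
    return [name for name, code in sources.items()
            if not NOTICE_WORDS.search(" ".join(BLOCK_COMMENT.findall(code) + LINE_COMMENT.findall(code)))]


if __name__ == "__main__":
    print("--- naive bundle ---")
    print(bundle_naive(SOURCES))
    print("--- notice-preserving bundle ---")
    print(bundle_preserving(SOURCES)[0])
    print("inputs without any notice:", undocumented_inputs(SOURCES))
```

The point the check makes is the one on the slide: once the naive bundle ships, nothing in the file tells a reviewer that part of it is under a copyleft license, so the most restrictive license silently governs the whole file. Preserving notices keeps the evidence in the artifact; the undocumented-input list is what still has to be resolved by hand.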
Healthcare.gov case study

• Healthcare.gov uses JavaScript code from Datatables (jQuery plug-in under BSD 3-clause or GPL v2)
• Weekly Standard accused HHS of removing copyright & license notices from the borrowed code
• Our analysis determined that the developers did not remove notices – they created their own Datatables.js file from snippets from other Datatables project files that did not contain license notices
• HHS quickly corrected this case, but the error indicates poor guidance to developers

See http://www.dejacode.org/healthcare_case_study.html
Challenges – Managing dependencies

• Java, JavaScript, Ruby, Go and many newer languages automate provisioning of required components, aka dependencies
• Automation is convenient for developers, but adds risk
  – Dependent components may not be provisioned until deployment or runtime
  – Dependencies may be deep and recursive
  – Automatically provisioned components may contain “hidden” security, quality or licensing issues
  – Accurate attribution for OSS components may be very complex
Solutions – Dependency Management

• A basic solution is “vendoring” – explicitly control provisioning of third-party components
  – Soft vendoring – define exact list of third-party component-versions from known/vetted repositories
  – Hard vendoring – physically copy the third-party component-versions to a /vendor folder in your codebase
• Different repositories / platforms provide different tools
  – Maven and others for Java
  – .gitmodules file for Git
  – Godep for Go, NPM for Node.js, Bundler for Ruby, etc.
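A soft-vendoring check of the kind the slide describes, as an added example rather than code from the presentation or from nexB. It assumes a constructed, package-lock-like structure (name, version, resolved URL, integrity hash, nested dependencies) and a constructed allow list of vetted registry hosts; neither is any tool's real format. Every entry, including transitive ones, must be pinned to an exact release, resolved over TLS from a vetted host, and carry an integrity hash; the findings list is what a build gate would act on.

```python
"""Soft-vendoring check over a dependency lock list (added example)."""
import re
from urllib.parse import urlparse

# Registries the organisation has vetted (constructed allow list).
VETTED_HOSTS = {"registry.npmjs.org", "rubygems.org", "repo.maven.apache.org"}

# An exact release: digits and dots only, no range operators such as ^, ~, >= or *.
EXACT_VERSION = re.compile(r"^\d+(\.\d+)*$")


def check_dependency(dep, path):
    """Return (label, problem) findings for one entry and, recursively, its children."""
    findings = []
    here = path + [dep["name"]]
    label = " > ".join(here)
    version = dep.get("version", "")
    if not EXACT_VERSION.match(version):
        findings.append((label, f"version {version!r} is not pinned to an exact release"))
    resolved = dep.get("resolved")
    if not resolved:
        findings.append((label, "no resolved source URL recorded"))
    else:
        url = urlparse(resolved)
        if url.scheme != "https":
            findings.append((label, f"resolved over non-TLS scheme {url.scheme!r}"))
        if url.hostname not in VETTED_HOSTS:
            findings.append((label, f"resolved from unvetted host {url.hostname!r}"))
    if not dep.get("integrity"):
        findings.append((label, "no integrity hash, so the artifact cannot be verified at install time"))
    # Dependencies are deep and recursive, so transitive entries get the same checks.
    for child in dep.get("dependencies", []):
        findings.extend(check_dependency(child, here))
    return findings


def check_lock(lock):
    """Run the soft-vendoring checks over every top-level and transitive dependency."""
    findings = []
    for dep in lock["dependencies"]:
        findings.extend(check_dependency(dep, []))
    return findings


# Constructed sample lock: package names, versions, URLs and hashes are made up.
SAMPLE_LOCK = {
    "dependencies": [
        {
            "name": "left-util",
            "version": "1.4.2",
            "resolved": "https://registry.npmjs.org/left-util/-/left-util-1.4.2.tgz",
            "integrity": "sha512-EXAMPLEHASH0000",
            "dependencies": [
                {
                    "name": "deep-helper",
                    "version": "^0.9.0",  # a range, so it is re-resolved at each install
                    "resolved": "https://registry.npmjs.org/deep-helper/-/deep-helper-0.9.3.tgz",
                    "integrity": "sha512-EXAMPLEHASH1111",
                },
            ],
        },
        {
            "name": "widget-kit",
            "version": "2.0.0",
            "resolved": "http://mirror.example.invalid/widget-kit-2.0.0.tgz",  # unvetted host, plain http
            "integrity": "",
        },
    ]
}


def count_problems(lock=SAMPLE_LOCK):
    """Number of findings; a clean lock returns 0."""
    return len(check_lock(lock))


if __name__ == "__main__":
    for label, problem in check_lock(SAMPLE_LOCK):
        print(f"{label}: {problem}")
```

Run against the sample, the top-level left-util passes while its transitive deep-helper is flagged for the range specifier, and widget-kit is flagged three times (scheme, host, missing hash). The label path is kept so that a finding deep in the tree can be traced back to the direct dependency that pulled it in.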
Compliance in the GitHub Era

• Open source code is evolving and expanding too quickly for traditional source code scanning and matching techniques
  – Number of possible matches increases with each fork
  – Many or most of the open source components may not actually be in your codebase (dependencies)
• Risk focus on components over snippets even more important
• Accelerating proliferation of languages, platforms and repositories requires active management and coordination from business, engineering and legal teams
Compliance in the GitHub Era

• Adapt policies to specific languages and platforms upfront:
  – Define acceptable licenses in context of the technology and usage
    • Distributed as software package or Cloud-based service?
    • What does copyleft mean in context?
  – Create light-weight process for identifying and resolving provenance gaps / issues
  – Evaluate preferred sources for provisioning components
  – Determine best dependency management approach for each technology
Compliance in the GitHub Era

• Embed open source provenance data in your codebase
  – As close to the code as possible
  – Adapt techniques to leverage existing tools and data from each platform / repository
  – Use simple approach to document provenance data if missing from original project
  – Instrument your build processes to identify components that you actually use in each deployed product
    • Most accurate way to track and fulfill OSS obligations
    • Fully automate attribution documentation
    • Redistribution, if applicable, has extra steps

See also https://github.com/dejacode/about-code-tool
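An added example, not code from the presentation or from the about-code-tool project, that covers the two preceding slides together: provenance data embedded next to the code, a light-weight check for provenance gaps, acceptable licenses evaluated in the context of how the product is delivered, and attribution generated from the embedded data. It assumes that third-party files carry a ".ABOUT" sidecar of "key: value" lines (a simplified reading of the ABOUT format; the field names used are an assumption), that a file without a sidecar may still state its license in a header comment, and that the policy table of licenses needing review per delivery context is constructed for illustration. The codebase, component names and copyrights are all constructed.

```python
"""Provenance gaps, license policy by context and attribution over an in-memory codebase (added example)."""
import re

# Constructed codebase: path -> content. Names, copyrights and contents are made up.
CODEBASE = {
    "vendor/datatables/datatables.js":
        "/* DataTables (c) 2014 Example Author, licensed under BSD-3-Clause */\nfunction table(){}\n",
    "vendor/datatables/datatables.js.ABOUT":
        "about_resource: datatables.js\nname: DataTables\nversion: 1.10\n"
        "license_expression: BSD-3-Clause\ncopyright: (c) 2014 Example Author\n",
    "vendor/jquery-plugin-x/plugin.js":
        "// jquery-plugin-x\n// Licensed under GPL-2.0\nfunction plugin(){}\n",
    "vendor/jquery-plugin-x/plugin.js.ABOUT":
        "about_resource: plugin.js\nname: jquery-plugin-x\nversion: 0.3\n"
        "license_expression: GPL-2.0\ncopyright: (c) 2013 Plugin Author\n",
    "static/js/vendor-lib.js":
        "// vendor-lib 2.1\n// Licensed under MIT\nfunction lib(){}\n",
    "static/js/snippets.js":
        "// helper pasted from a forum answer, no terms stated\nfunction helper(){}\n",
    "src/app.js":
        "// (c) Example Corp. Proprietary.\nfunction main(){}\n",
}

# Constructed policy: licenses that need review before use, keyed by how the product is delivered.
REVIEW_REQUIRED = {
    "package": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},  # copyleft obligations attach on distribution
    "service": {"AGPL-3.0"},                         # only network-triggered copyleft is flagged
}

LICENSE_IN_HEADER = re.compile(r"licensed under ([A-Za-z0-9.+-]+)", re.IGNORECASE)


def parse_about(text):
    """Parse 'key: value' lines of a simplified ABOUT sidecar into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def inventory(codebase, first_party_prefix="src/"):
    """Build {path: record} for each third-party file, preferring sidecar data over header notices."""
    records = {}
    for path, content in codebase.items():
        if path.endswith(".ABOUT") or path.startswith(first_party_prefix):
            continue
        sidecar = codebase.get(path + ".ABOUT")
        if sidecar:
            f = parse_about(sidecar)
            records[path] = {"name": f.get("name"), "version": f.get("version"),
                             "license": f.get("license_expression"),
                             "copyright": f.get("copyright"), "source": "about"}
            continue
        header = "\n".join(content.splitlines()[:5])  # notices live in the first lines
        m = LICENSE_IN_HEADER.search(header)
        records[path] = {"name": path.rsplit("/", 1)[-1], "version": None,
                         "license": m.group(1) if m else None, "copyright": None,
                         "source": "header" if m else None}
    return records


def provenance_gaps(records):
    """Files with no license evidence at all: neither a sidecar nor a header notice."""
    return sorted(p for p, r in records.items() if r["license"] is None)


def needs_review(records, context):
    """Files whose license the policy flags for the given delivery context."""
    return sorted(p for p, r in records.items() if r["license"] in REVIEW_REQUIRED[context])


def attribution_notice(records):
    """Generate THIRD-PARTY NOTICES text; files without license evidence are left out,
    which is why provenance_gaps() has to be run and resolved first."""
    lines = ["THIRD-PARTY NOTICES", ""]
    for path in sorted(records):
        r = records[path]
        if r["license"] is None:
            continue
        version = f" {r['version']}" if r["version"] else ""
        lines.append(f"{r['name']}{version} ({path})")
        lines.append(f"  License: {r['license']}")
        if r["copyright"]:
            lines.append(f"  {r['copyright']}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = inventory(CODEBASE)
    print("provenance gaps:", provenance_gaps(recs))
    print("review for package:", needs_review(recs, "package"))
    print("review for service:", needs_review(recs, "service"))
    print(attribution_notice(recs))
```

The same inventory feeds all three outputs, which is the point of keeping provenance data next to the code: the gap list is what the light-weight process has to resolve, the review list changes with the delivery context ("package" flags the GPL-2.0 plugin, "service" does not), and the notice file is generated rather than written by hand.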
Compliance in the GitHub Era

• Establish central database of open source and third-party components
  – Collect provenance data for all products across languages and platforms
  – Document all effective component dependencies
  – Harmonize open source compliance by product across languages and platforms
• Current solutions from several vendors, but no OSS solution is available today

See also https://enterprise.dejacode.com/landing/
Questions
About nexB Inc.

• nexB offers:
  – DejaCode – a central business system for managing software components
  – Software analysis/audit services for products and for acquisitions
• 350+ software audit projects completed to-date
  – Aggregated audited codebases > 3 billion lines of source code
  – Aggregated value of the acquisition transactions > $5B
• See DejaCode at www.dejacode.com
Contacts

• O’Melveny & Myers
  Heather Meeker, hmeeker@omm.com, +1 650 473 2635
  Subscribe to news and events alert at http://heathermeeker.squarespace.com/
• nexB Inc.
  Michael Herzog, mjherzog@nexB.com, +1 650 380 0680
Resources – OSS Licensing Trends

• Neil McAllister - Study: Most projects on GitHub not open source licensed
  http://www.theregister.co.uk/2013/04/18/github_licensing_study/
• Matt Asay - Open Source Is Old School, Says The GitHub Generation
  http://readwrite.com/2013/05/15/open-source-is-old-school-says-the-github-generation
• Richard Fontana - Post open source software, licensing and GitHub
  http://opensource.com/law/13/8/github-poss-licensing
• Simon Phipps - GitHub finally takes open source licenses seriously
  http://www.infoworld.com/article/2611422/open-source-software/github-finally-takes-open-source-licenses-seriously.html
• Armin Ronacher - Licensing in a Post Copyright World
  http://lucumr.pocoo.org/2013/7/23/licensing/
Resources – OSS Language / Repo Trends

• GitHub growth and language trends
  http://redmonk.com/dberkholz/2013/01/21/github-will-hit-5-million-users-within-a-year/
  http://redmonk.com/dberkholz/2014/05/02/github-language-trends-and-the-fragmenting-landscape/
  http://beust.com/weblog/2014/05/03/language-popularity-on-github/
  http://redmonk.com/dberkholz/2014/09/26/githubs-vanishing-acceleration/
• Repository package growth statistics
  http://www.modulecounts.com/
• GitHub Users Worldwide
  http://aasen.in/github_globe/

Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal audit
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Call Girls Contact Number Andheri 9920874524
Call Girls Contact Number Andheri 9920874524Call Girls Contact Number Andheri 9920874524
Call Girls Contact Number Andheri 9920874524
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 

Managing Open Source Compliance in the GitHub Era

  • 1. December 3rd, 2014 – Silicon Valley, CA
  • 2. Managing Open Source in the GitHub Era Agenda • Introduction • Understanding basic issues for OSS compliance • Understanding new issues for OSS compliance in the GitHub Era • Best practices to reduce risk • Latest trends for process and tools to manage open source compliance • Questions
  • 3. Managing Open Source in the GitHub Era Most Common OSS License Obligations • Copyright and license notices • Attribution obligations • “Copyleft” obligations – Licensing of derivative works – Change notices – Offer to provide source code • Carve out for OSS in your license agreements
  • 4. Managing Open Source in the GitHub Era Key OSS Compliance Challenges • Tracking acquisition and use of open source • Getting OSS information from suppliers • Delivering OSS information to customers – Attribution notice creation and delivery – Copyleft - source code packaging and delivery
  • 5. Managing Open Source in the GitHub Era The “GitHub Era” • Decentralized and distributed model of Git represents many of the new OSS trends • More individuals engaged directly • Smaller projects/components with many more dependencies • Forking is encouraged → exponential growth in number of copies of popular components • Explosion in the number of distinct OSS components used in products and systems - from dozens to hundreds to thousands or more
  • 6. Managing Open Source in the GitHub Era Growth of component repositories • In January 2011 there were less than 80K components available in the main component repositories (Maven, CPAN, Pypi, RubyGems) • In December 2014 there are more than 500K components and counting (including NPM, Bower, Godoc, Packagist, NuGet) • In 2014, new components have been added to these repositories at the rate of over 10,000 new component-versions per month. Source: http://www.modulecounts.com/
  • 7. Managing Open Source in the GitHub Era GitHub – more background • Provides Git-based services. • Git is a version control and content management tool from Linus Torvalds (GPL v2) • GitHub key attributes are easy code sharing and collaboration • JavaScript is dominant – Other languages: Ruby, Java, PHP, Python, C/C++ • Started in 2008 – Over 17 million repos and 7.8 million users claimed • Over the last 12 months, new public open source components repositories: – Over 350K created per month (excluding forks) – Over 10,000+ created daily Source: nexB research data, Github API, 2013-11/2014-11
  • 8. Evolution of OSS Development OLD OSS • Centralized development • CVS, Subversion • Project leader is benevolent dictator • Fewer larger components • Push releases • C/C++, Java • SourceForge, Maven • L/GPL v2, BSD, MIT • Desktops and servers NEW OSS • Decentralized development • Git / GitHub • Each developer forks code at any time • More smaller components • Pull releases • JavaScript, Ruby, Scala, Go • RubyGems, NPM • MIT, Apache, L/GPL v3 • Mobile and Cloud
  • 9. Evolution of OSS Compliance Challenges OLD OSS • Components without a license • OSS code downloaded to internal codebase and compiled locally (vendored) • Distribution means shipment or download • Snippets NEW OSS • Many more components without a license • Deep external dependencies provisioned live from the web at deployment or runtime • Distribution via network / Internet deployment • Many more snippets
  • 10. Managing Open Source in the GitHub Era Challenges - Missing licenses • No license from copyright holder means that you do not have a right to copy or re-use the software • License at project / README level helps, but… • Ambiguous without notices in source files • License information is lost when code is partially copied • Not a new problem, but scale is increasing rapidly
  • 11. Managing Open Source in the GitHub Era Solutions – Missing licenses
  • 12. Managing Open Source in the GitHub Era Challenges – Snippets • Many snippet-sharing / educational web sites have vague or no license terms – Someone who posts a code snippet or code example does not usually think about an explicit license – Terms of service are the typical default • StackOverflow example – Major source of advice about coding including code snippets – StackOverflow license is CC-BY-SA which is effectively copyleft
  • 13. Managing Open Source in the GitHub Era Challenges – JavaScript example • Accelerated usage on server and clients – esp. mobile • Very common to mash up snippets of JavaScript from multiple origins and compile/minify them in a single file for execution efficiency – License information often lost when extracting snippets – Most restrictive license applies to the JavaScript file • jQuery core components are MIT-licensed, but components named jquery-xxxxx may be copyleft-licensed – Executing JS on client could be considered distribution – And could have copyleft impact on server-side code
  • 14. Managing Open Source in the GitHub Era Healthcare.gov case study • Healthcare.gov uses JavaScript code from Datatables (jQuery plug-in under BSD 3-clause or GPL v2) • Weekly Standard accused HHS of removing copyright & license notices from the borrowed code • Our analysis determined that the developers did not remove notices – they created their own Datatables.js file from snippets from other Datatables project files that did not contain license notices • HHS quickly corrected this case, but the error indicates poor guidance to developers See http://www.dejacode.org/healthcare_case_study.html
  • 15. Managing Open Source in the GitHub Era Challenges – Managing dependencies • Java, JavaScript, Ruby, Go and many newer languages automate provisioning of required components, aka dependencies • Automation is convenient for developers, but adds risk – Dependent components may not be provisioned until deployment or runtime – Dependencies may be deep and recursive – Automatically provisioned components may contain “hidden” security, quality or licensing issues – Accurate attribution for OSS components may be very complex
  • 16. Managing Open Source in the GitHub Era Solutions – Dependency Management • A basic solution is “vendoring” – explicitly control provisioning of third-party components • Soft vendoring – define exact list of third-party component-versions from known/vetted repositories • Hard vendoring – physically copy the third-party component-versions to a /vendor folder in your codebase • Different repositories / platforms provide different tools • Maven and others for Java • .gitmodules file for Git • Godep for Go, NPM for Node.js, Bundler for Ruby, etc.
  • 17. Managing Open Source in the GitHub Era Compliance in the GitHub Era • Open source code is evolving and expanding too quickly for traditional source code scanning and matching techniques – Number of possible matches increases with each fork – Many or most of the open source components may not actually be in your codebase (dependencies) • Risk focus on components over snippets even more important • Accelerating proliferation of languages, platforms and repositories requires active management and coordination from business, engineering and legal teams
  • 18. Managing Open Source in the GitHub Era Compliance in the GitHub Era • Adapt policies to specific languages and platforms upfront: – Define acceptable licenses in context of the technology and usage • Distributed as software package or Cloud-based service? • What does copyleft mean in context? – Create light-weight process for identifying and resolving provenance gaps / issues – Evaluate preferred sources for provisioning components – Determine best dependency management approach for each technology
  • 19. Managing Open Source in the GitHub Era Compliance in the GitHub Era • Embed open source provenance data in your codebase – As close to the code as possible – Adapt techniques to leverage existing tools and data from each platform / repository – Use simple approach to document provenance data if missing from original project – Instrument your build processes to identify components that you actually use in each deployed product • Most accurate way to track and fulfill OSS obligations • Fully automate attribution documentation • Redistribution, if applicable, has extra steps See also https://github.com/dejacode/about-code-tool
  • 20. Managing Open Source in the GitHub Era Compliance in the GitHub Era • Establish central database of open source and third-party components – Collect provenance data for all products across languages and platforms – Document all effective component dependencies – Harmonize open source compliance by product across languages and platforms • Current solutions from several vendors, but no OSS solution is available today See also https://enterprise.dejacode.com/landing/
  • 21. Managing Open Source in the GitHub Era Questions
  • 22. Managing Open Source in the GitHub Era About nexB Inc. • nexB offers: – DejaCode – a central business system for managing software components – Software analysis/audit services for products and for acquisitions • 350+ software audit projects completed to-date – Aggregated audited codebases > 3 billion lines of source code – Aggregated value of the acquisitions transactions > $5B • See DejaCode at www.dejacode.com
  • 23. Managing Open Source in the GitHub Era Contacts • O’Melveny & Myers Heather Meeker hmeeker@omm.com +1 650 473 2635 Subscribe to news and events alert at http://heathermeeker.squarespace.com/ • nexB Inc. Michael Herzog mjherzog@nexB.com +1 650 380 0680
  • 24. Managing Open Source in the GitHub Era Resources – OSS Licensing Trends • Neil McAllister - Study: Most projects on GitHub not open source licensed http://www.theregister.co.uk/2013/04/18/github_licensing_study/ • Matt Asay - Open Source Is Old School, Says The GitHub Generation http://readwrite.com/2013/05/15/open-source-is-old-school-says-the-github-generation • Richard Fontana - Post open source software, licensing and GitHub http://opensource.com/law/13/8/github-poss-licensing • Simon Phipps - GitHub finally takes open source licenses seriously http://www.infoworld.com/article/2611422/open-source-software/github-finally-takes-open-source-licenses-seriously.html • Armin Ronacher - Licensing in a Post Copyright World http://lucumr.pocoo.org/2013/7/23/licensing/
  • 25. Managing Open Source in the GitHub Era Resources – OSS Language / Repo Trends • GitHub growth and language trends http://redmonk.com/dberkholz/2013/01/21/github-will-hit-5-million-users-within-a-year/ http://redmonk.com/dberkholz/2014/05/02/github-language-trends-and-the-fragmenting-landscape/ http://beust.com/weblog/2014/05/03/language-popularity-on-github/ http://redmonk.com/dberkholz/2014/09/26/githubs-vanishing-acceleration/ • Repository package growth statistics http://www.modulecounts.com/ • GitHub Users Worldwide http://aasen.in/github_globe/
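Slides 15 through 20 describe one procedure: pin the exact third-party component-versions (soft vendoring), walk the deep and recursive dependency graph to find the components actually used, check each against a license policy that depends on whether the product is distributed or run as a service, keep provenance data next to the code, and generate the attribution notice from that data. The script below is an added example of that procedure and is not code from the slides, from nexB or from the about-code-tool project. All data in it is constructed: the lockfile is a hand-written stand-in for a package-lock.json, Gemfile.lock or Godeps.json, and the provenance records only loosely imitate an ABOUT-file style key/value record (the keys are an assumption, not the tool's exact format). The policy tables are likewise a sketch; a real policy is set per language and platform as slide 18 recommends.

```python
"""Added example (constructed data, not the slides' or nexB's code):
resolve the effective dependency set from a pinned lockfile, classify each
component against a context-dependent license policy, and build the
attribution notice, reporting every component whose provenance is missing."""
from collections import deque

# Constructed "soft vendoring" lockfile: pinned component-version -> pinned deps.
LOCK = {
    "webapp@1.0.0": ["jquery@1.11.1", "jquery-plugin-x@0.3.0", "left-pad@0.0.3"],
    "jquery@1.11.1": [],
    "jquery-plugin-x@0.3.0": ["jquery@1.11.1", "tiny-helper@2.0.0"],
    "left-pad@0.0.3": [],
    "tiny-helper@2.0.0": [],
}

# Constructed provenance records kept next to the code (slide 19). The keys
# are assumed, not the exact about-code-tool format. tiny-helper has no
# record at all; left-pad has a record but no license (slide 10).
ABOUT = {
    "jquery@1.11.1": {
        "license_expression": "mit",
        "copyright": "Copyright jQuery Foundation and other contributors",
    },
    "jquery-plugin-x@0.3.0": {
        "license_expression": "gpl-2.0",
        "copyright": "Copyright (c) Example Plugin Authors",
    },
    "left-pad@0.0.3": {"license_expression": "", "copyright": ""},
}

# Constructed policy tables; a real policy is defined per language/platform.
PERMISSIVE = {"mit", "bsd-new", "apache-2.0"}
COPYLEFT = {"gpl-2.0", "gpl-3.0", "lgpl-2.1", "lgpl-3.0", "agpl-3.0", "cc-by-sa-4.0"}
NETWORK_COPYLEFT = {"agpl-3.0"}  # triggered by network use, not only by distribution


def effective_dependencies(lock, root):
    """Breadth-first walk of the pinned graph: every component the product
    actually pulls in, however deep, excluding the root itself."""
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for dep in lock.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def check_policy(components, about, distributed=True):
    """Classify each component for the deployment context (slide 18).

    distributed=True  : shipped as a package or executed on the client (JS).
    distributed=False : server-side only; classic copyleft is not triggered,
                        network copyleft (AGPL) still is.
    """
    result = {}
    for comp in sorted(components):
        record = about.get(comp)
        if record is None:
            result[comp] = "missing-provenance"   # no record at all
            continue
        lic = record.get("license_expression", "").strip().lower()
        if not lic:
            result[comp] = "no-license"           # no right to copy or re-use
        elif lic in PERMISSIVE:
            result[comp] = "ok"
        elif lic in COPYLEFT:
            if distributed or lic in NETWORK_COPYLEFT:
                result[comp] = "copyleft-review"
            else:
                result[comp] = "ok"
        else:
            result[comp] = "unknown-license"      # not in the policy tables
    return result


def attribution_notice(components, about):
    """Generate attribution text for every component with usable provenance;
    returns (notice_text, components_left_out) so gaps are never silent."""
    lines, skipped = [], []
    for comp in sorted(components):
        record = about.get(comp) or {}
        lic = record.get("license_expression", "").strip()
        if not lic:
            skipped.append(comp)
            continue
        name, version = comp.rsplit("@", 1)
        lines.append(f"{name} {version}: {record.get('copyright', '').strip()} ({lic})")
    return "\n".join(lines), skipped


if __name__ == "__main__":
    deps = effective_dependencies(LOCK, "webapp@1.0.0")
    for comp, status in check_policy(deps, ABOUT).items():
        print(f"{status:20} {comp}")
    notice, skipped = attribution_notice(deps, ABOUT)
    print(notice)
    print("not in notice (fix provenance first):", skipped)
```

Run from a build step, the `missing-provenance` and `no-license` results are the provenance gaps slide 18 asks you to resolve before release, and the `skipped` list makes sure a component never silently drops out of the attribution notice. The `distributed` flag is the single point where the "package or Cloud-based service?" question from slide 18 enters the policy.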