Heather Meeker and Michael Herzog discuss the latest trends in open source compliance for supply chain activities: the key legal issues for supply chain management as well as the latest automation tools and projects for open source management.
Agenda
• Legal issues for supply chain management
• Best practices to avoid claims and reduce risk
• Latest automation tools and projects for open source compliance management
2. Managing Open Source Software Supply Chains
Agenda
• Introduction
• Identify the ten most common open source license obligations
• Explain what you need to do to comply with these obligations
• Discuss the key compliance challenges today
• Discuss open source software supply chain trends
• Preview a new tool for basic compliance automation
• Questions
3. Managing Open Source Software Supply Chains
Ten Most Common OSS License Obligations
• Copyright notices
• License notices
• Attribution requirements
• “Copyleft” obligations (licensing of derivative works)
• Source code licensing
• Source code delivery
• Build and installation instruction delivery (GPL)
• Notice of changes
• Indemnities
• Non-use of trademarks
4. Managing Open Source Software Supply Chains
How to Comply – Notices
• Copyright, license, modification, and attribution requirements
• Delivery of source code may be the easiest way to comply, because notices are “baked in” to the distribution package
• Binary delivery requires creation of notice files
• Notices must be in the product delivery, for most licenses
• Online delivery is usually not sufficient
• Relying on third party notices is usually not sufficient
5. Managing Open Source Software Supply Chains
How to Comply – Source Code
• For GPL, LGPL, and other copyleft licenses
• Source materials must be made available, but not necessarily delivered with the product
• Not necessary to post source materials on the web, but this is a good practice
6. Managing Open Source Software Supply Chains
How to Comply – Licenses
• Need to carve copyleft licensing requirements from EULAs
• GPL, LGPL and other licenses cannot be changed to other terms
• “Weak copyleft” licenses like EPL, MPL allow bifurcated licensing of source and binaries
7. Managing Open Source Software Supply Chains
Key Compliance Challenges
• Tracking open source use
• Notice creation
• Notice delivery
• Build and installation instruction delivery
• Ensuring the source code is right for the build
AND
• Getting OSS data from suppliers and to customers
8. Managing Open Source Software Supply Chains
FANTEC Litigation
• Plaintiff: Harald Welte of gpl-violations.org
• Open Source Software: iptables, a packet filtering utility licensed under GPL
• Defendant: FANTEC – Product: FANTEC 3DFHDL Media Player
• Compliance Efforts: FANTEC made a version of the source code available for download that it had received from its contract manufacturer. It was not the right source code for the binaries.
• Court holding: a distributor of software may not rely on assurances made by the supplier of the software that the software does not infringe the rights of any third party
• History: FANTEC had previously settled a GPL dispute with Welte in 2010 by a settlement that specified penalties if FANTEC committed any future GPL violation. At a 2012 "Hacking for Compliance" workshop hosted by the Free Software Foundation, compliance engineers discovered that the firmware object code shipping with the 3DFHDL included iptables and that the source code provided by FANTEC did not.
9. Managing Open Source Software Supply Chains
OSS Supply Chain Trends
• More customers are requiring suppliers to share the OSS compliance burden and provide compliance artifacts for their products
– Software BOM
– Attribution Text
– Source Code Redistribution Packages as needed
• New challenge is what to do with the OSS information from suppliers
– Where to put the data for future reference and use
– How to validate/audit the data with minimal rework
– How to deal with errors in the supplier-provided data
11. Managing Open Source Software Supply Chains
OSS Supply Chain Solutions
• SPDX - Software Package Data Exchange®
• A standard format for communicating the components, licenses and copyrights associated with a software package
• Intended to support automated exchange of Software Package Data
• Working Group of the Linux Foundation at www.spdx.org
• Organized in Business, Legal and Technical teams
• Open to participation by anyone
12. Managing Open Source Software Supply Chains
SPDX Today - v1.1
• Supports exchange of component and license data in RDF/XML or Tag/Value format
• Designed for automation of data exchange -- not a tool for provenance analysis
• v2.0 will address complex Software BOMs
Diagram of the sections of an SPDX v1.1 document: Document Information; Creation Information; Package Information; File Information; Licensing Information; Review Information
13. Managing Open Source Software Supply Chains
OSS Supply Chain Data
• SPDX provides a “container” for exchange of component and license data, but you still need to create and manage the data for your products
• Possible data sources include:
– Open source projects
– Suppliers
– Internal analysis / audit
– Third-party analysis / audit
• You need somewhere to keep and maintain/update the component and license/origin data
14. Managing Open Source Software Supply Chains
OSS Supply Chain Solutions
A basic system should be:
• Adaptable to existing engineering processes
– Engineers can use and update the data during normal software development activities
– Independent of programming languages or tools
• Able to produce data for:
– Delivery to customers as
• Attribution and Redistribution packages
• SPDX files
– Synchronize with enterprise systems
15. Managing Open Source Software Supply Chains
ABOUT-Code
• nexB created the ABOUT-Code tools to automate OSS compliance
• Based on our ABOUT specification
• An ABOUT file documents the origin and license for each component, usually at the library or directory level
• An ABOUT file is a text file with the file extension “.about”
• Applicable to any programming language and software development environment
• Extensible to build system integration for advanced automation
• Tools are in Python and licensed under Apache 2.0
• Code available at https://github.com/dejacode/about-code-tool
• Specification: http://www.dejacode.org/about_spec_v0.8.0.html
16. Managing Open Source Software Supply Chains
ABOUT File Example
A text file in “tag / value” format
httpd-2.4.3.tar.gz.about
name: Apache HTTP Server
home_url: http://httpd.apache.org
download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
version: 2.4.3
date: 2012-08-21
license: apache-2.0
license_file: httpd-2.4.3.tar.gz/LICENSE
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE
17. Managing Open Source Software Supply Chains
ABOUT-Code tools
• Create ABOUT files in a codebase from a Software BOM or Inventory file (spreadsheet)
• Create a Software BOM or Inventory file (spreadsheet) from ABOUT files in the codebase
• Create an Attribution text file
– Text file organized by copyright/license notice and component
– Default text or HTML format
• Create a Source Code Redistribution package list
• Currently offered as command line tools
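The following script is an added example, not code from nexB's ABOUT-Code tool, showing the two tool functions above that can be built on the ABOUT file syntax from the previous slide: read the "field: value" files (RFC 5322 header style, so Python's standard email parser handles them), reject records missing the fields a compliance process needs, and emit a Software Inventory (CSV) and an Attribution text grouped by license. The required-field list, the inventory columns, the attribution layout and the sample ABOUT files and license texts are assumptions constructed for the example; the ABOUT specification, not this script, defines the real field rules.

```python
"""Read ABOUT files and produce an inventory (CSV) and an attribution text.

Added example, not code from nexB's ABOUT-Code tool. It assumes the
syntax shown in the deck: one "field: value" line per field, RFC 5322
header style, with the .about file stored beside the component it
documents. Required fields and the attribution layout are assumptions.
"""
import csv
import io
from email import message_from_string
from pathlib import Path

# Fields this example treats as mandatory (an assumption; the ABOUT
# specification, not this script, defines what is really required).
REQUIRED_FIELDS = ("name", "version", "license", "copyright")
INVENTORY_COLUMNS = ("about_file", "name", "version", "license", "copyright", "home_url")

# Constructed sample: the deck's httpd ABOUT file plus an incomplete one.
SAMPLE_ABOUT_FILES = {
    "httpd-2.4.3.tar.gz.about": (
        "name: Apache HTTP Server\n"
        "home_url: http://httpd.apache.org\n"
        "version: 2.4.3\n"
        "date: 2012-08-21\n"
        "license: apache-2.0\n"
        "license_file: httpd-2.4.3.tar.gz/LICENSE\n"
        "copyright: Copyright 2012 The Apache Software Foundation.\n"
        "notice_file: httpd-2.4.3.tar.gz/NOTICE\n"
    ),
    "libfoo-1.0.tar.gz.about": (
        "name: libfoo\n"
        "version: 1.0\n"
        "license: gpl-2.0\n"
    ),
}
# Constructed placeholder license texts keyed by license key; a real run
# would read them from each record's license_file.
SAMPLE_LICENSE_TEXTS = {
    "apache-2.0": "[Apache License 2.0 text goes here]",
    "gpl-2.0": "[GNU GPL v2 text goes here]",
}


def parse_about(text):
    """Parse ABOUT text into {field: value} with lower-cased field names.

    The syntax is RFC 5322 header style, so the standard library email
    parser handles it, continuation lines included.
    """
    msg = message_from_string(text)
    return {name.lower(): value.strip() for name, value in msg.items()}


def validate_about(record):
    """Return the list of problems; an empty list means the record is usable."""
    return [f"missing required field: {f}" for f in REQUIRED_FIELDS if not record.get(f)]


def collect_about_files(root):
    """Walk a codebase and return {relative path: text} for every .about file."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8")
            for p in sorted(root.rglob("*.about"))}


def load_records(about_files):
    """Parse every ABOUT file; return (good records, {file: problems})."""
    records, problems = [], {}
    for fname in sorted(about_files):
        rec = parse_about(about_files[fname])
        rec["about_file"] = fname
        errs = validate_about(rec)
        if errs:
            problems[fname] = errs
        else:
            records.append(rec)
    return records, problems


def build_inventory_csv(records):
    """Software BOM / inventory as CSV text, one row per ABOUT file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=INVENTORY_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow({col: rec.get(col, "") for col in INVENTORY_COLUMNS})
    return buf.getvalue()


def build_attribution_text(records, license_texts):
    """Attribution text grouped by license: each component with its copyright
    statement, then the license text once per license."""
    by_license = {}
    for rec in records:
        by_license.setdefault(rec["license"], []).append(rec)
    lines = []
    for lic in sorted(by_license):
        lines.append(f"== Components licensed under {lic} ==")
        for rec in by_license[lic]:
            lines.append(f"{rec['name']} {rec['version']}")
            lines.append(f"  {rec['copyright']}")
        lines.append("")
        lines.append(license_texts.get(lic, f"[license text for {lic} not found]"))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_ABOUT_FILES with collect_about_files("path/to/codebase")
    # to run over a real tree.
    good, bad = load_records(SAMPLE_ABOUT_FILES)
    for fname, errs in bad.items():
        print(f"SKIPPED {fname}: {'; '.join(errs)}")
    print(build_inventory_csv(good))
    print(build_attribution_text(good, SAMPLE_LICENSE_TEXTS))
```

Records that fail validation are reported and left out of both outputs rather than silently producing an attribution entry with an empty copyright line; in practice that report is the work list for the engineers who own those directories.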
18. Managing Open Source Software Supply Chains
“Virtuous” Compliance Lifecycle
Diagram (boxes, in reading order): Product Release (R1); Baseline R1 Software Inventory/BOM; R1 Codebase ABOUT Files; Component License Text; R2 Software Inventory/BOM; Attribution Display / Docs; R2 Codebase ABOUT Files; Source Code Redistribution Package; Update ABOUT Files
19. Managing Open Source Software Supply Chains
Basic Automation - Today
• Use ABOUT-Code to read ABOUT files to
– Create a Software BOM / Inventory
– Create an Attribution text file
– Create a Source Code Redistribution package list
• Edit output files to remove components that are not Deployed
• Add the Attribution text file to the product documentation and(or) product GUI (Help / About)
• Assign an engineer to create the Source Code Redistribution package with installation/build instructions
20. Managing Open Source Software Supply Chains
Advanced Automation
Enhance your build system and tools to:
• Recognize ABOUT files
• Assemble ABOUT files during a build for the sub-set of components included in an end-product (Deployed)
• Collect Attribution data for Deployed components and create Attribution text file
• Insert Attribution text into GUI (Help / About)
• Collect source code for the components that require Redistribution (including dependencies)
• Create an archive file of the Redistribution package
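As an added example of the build-system integration sketched above (not part of ABOUT-Code or of any build tool), the script below implements the release gate a build would run once it has assembled the component records for the Deployed subset: apply a license policy to decide what may ship and what triggers source delivery, derive the Redistribution package list, and then refuse to release if the package does not hold the exact source archives the build consumed. That last check is the FANTEC lesson from earlier in the deck, where the published source did not match the shipped binaries. The policy table, component records, versions, checksums and package contents are all constructed for the example, and the field names are assumptions.

```python
"""Release gate for the Deployed subset: apply a license policy, derive the
source-redistribution list, and refuse to release if the redistribution
package does not hold the exact archives the build consumed.

Added example, not part of ABOUT-Code or of any build system. The policy
table, component records, checksums and package contents are constructed
for the example; the field names are assumptions.
"""

# Policy for a proprietary binary product (assumption for the example):
# may the license ship at all, and does shipping trigger source delivery?
POLICY = {
    "apache-2.0": {"allowed": True, "redistribute_source": False},
    "mit": {"allowed": True, "redistribute_source": False},
    "lgpl-2.1": {"allowed": True, "redistribute_source": True},
    "gpl-2.0": {"allowed": True, "redistribute_source": True},
    "agpl-3.0": {"allowed": False, "redistribute_source": True},
}

# Constructed component records (what a build could assemble from ABOUT
# files) plus the checksum of the source archive the build actually used.
# Versions and checksums are invented for the example.
COMPONENTS = [
    {"name": "Apache HTTP Server", "version": "2.4.3", "license": "apache-2.0",
     "source_archive": "httpd-2.4.3.tar.gz", "source_sha256": "sha256:0001"},
    {"name": "iptables", "version": "1.4.12", "license": "gpl-2.0",
     "source_archive": "iptables-1.4.12.tar.bz2", "source_sha256": "sha256:0002"},
    {"name": "libbar", "version": "0.9", "license": "lgpl-2.1",
     "source_archive": "libbar-0.9.tar.gz", "source_sha256": "sha256:0003"},
    {"name": "agent", "version": "3.0", "license": "agpl-3.0",
     "source_archive": "agent-3.0.tar.gz", "source_sha256": "sha256:0004"},
    {"name": "devtool", "version": "1.0", "license": "gpl-2.0",
     "source_archive": "devtool-1.0.tar.gz", "source_sha256": "sha256:0005"},
]
# Components the build linked into the product image (devtool is build-only).
DEPLOYED = {"Apache HTTP Server", "iptables", "libbar", "agent"}
# What the redistribution package prepared for this release actually holds,
# as {archive name: checksum}: agent's source is absent and the iptables
# archive is not the one the build used.
REDISTRIBUTION_PACKAGE = {
    "iptables-1.4.12.tar.bz2": "sha256:ffff",
    "libbar-0.9.tar.gz": "sha256:0003",
}


def evaluate_policy(components, deployed, policy):
    """Return (violations, components whose source must be redistributed)."""
    violations, needs_source = [], []
    for comp in components:
        if comp["name"] not in deployed:
            continue  # build-only: not distributed, so no obligation is triggered
        rule = policy.get(comp["license"])
        if rule is None:
            violations.append(f"{comp['name']}: license '{comp['license']}' has no policy entry, needs review")
            continue
        if not rule["allowed"]:
            violations.append(f"{comp['name']}: license '{comp['license']}' is not permitted in a deployed component")
        if rule["redistribute_source"]:
            needs_source.append(comp)
    return violations, sorted(needs_source, key=lambda c: c["source_archive"])


def check_redistribution_package(needs_source, package):
    """Every required archive must be present and be the one the build used."""
    problems = []
    for comp in needs_source:
        archive = comp["source_archive"]
        if archive not in package:
            problems.append(f"{archive}: missing from redistribution package")
        elif package[archive] != comp["source_sha256"]:
            problems.append(f"{archive}: checksum differs from the archive the build used")
    return problems


def release_gate(components, deployed, policy, package):
    """Combine both checks; 'ok' is False if anything would block the release."""
    violations, needs_source = evaluate_policy(components, deployed, policy)
    problems = violations + check_redistribution_package(needs_source, package)
    return {
        "ok": not problems,
        "problems": problems,
        "required_archives": [c["source_archive"] for c in needs_source],
    }


if __name__ == "__main__":
    result = release_gate(COMPONENTS, DEPLOYED, POLICY, REDISTRIBUTION_PACKAGE)
    print("release OK" if result["ok"] else "release BLOCKED")
    for problem in result["problems"]:
        print(" -", problem)
```

The gate deliberately works on the Deployed subset only, so a GPL build tool that never ships does not create a redistribution obligation, while an unknown license key blocks the release until someone adds a policy entry rather than passing by default. Recording the archive checksum at build time is what makes the package check meaningful: a package that contains a file with the right name but different contents is exactly the failure the court case turned on.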
21. Managing Open Source Software Supply Chains
ABOUT-Code
• Download and use the code from GitHub at:
https://github.com/dejacode/about-code-tool
• Read the specification at:
http://www.dejacode.org/about_spec_v0.8.0.html
• Join the discussion at:
http://www.dejacode.org/
23. Managing Open Source Software Supply Chains
About Greenberg Traurig LLP
• GT is an international, multidisciplinary law firm in 35 locations in the United States, Latin America, Europe, the Middle East and Asia.
• An International Network of More than 1,750 Attorneys & Governmental Affairs Professionals
24. Managing Open Source Software Supply Chains
About nexB Inc.
• nexB offers:
– Software analysis/audit services for products and for acquisitions
– DejaCode Enterprise – a central business system for managing software components
• 200+ software audit projects completed to-date
– Aggregated audited codebases > 3 billion lines of source code
– Aggregated value of the acquisitions transactions > $5B
• See DejaCode Enterprise at www.dejacode.com
25. Managing Open Source Software Supply Chains
DejaCode.org
• nexB is sponsoring DejaCode.org as a community site to share techniques and tools for automating compliance with OSS obligations
• Documentation of existing techniques and tools from Android, Apache Maven (Java), CPAN (Perl) and others
• Home for new projects like nexB’s ABOUT system
• Visit us at: www.dejacode.org
26. Managing Open Source Software Supply Chains
Contacts
• Greenberg Traurig
Heather Meeker
MeekerH@gtlaw.com
+1 650 289 7825
Subscribe to news and events alert at http://eepurl.com/wQIp9
• nexB Inc.
Michael Herzog
mjherzog@nexB.com
+1 650 380 0680
Speaker notes
OSS compliance is always in some supply chain context, because most obligations are triggered by distribution of the software.
Think about the subset of Deployed components from the beginning. Precision may be difficult, but accuracy at library level is the most critical information. There are commercial tools (plugins) for major software development systems (Maven, Atlassian, etc.) but these do not usually automate compliance.
Engineers cannot / will not track OSS using spreadsheets. Enterprise approval/tracking systems are far from the actual code.
Format based on plain text and simple conventions: name/value pairs separated by a semi-colon. Easy to read and write for humans, and/or processed using a script. Syntax based on RFC5322 (email header fields). Well-defined and extensible so that it can be used for basic or advanced (build system) approaches to compliance automation. An ABOUT file is stored in the same directory as the software component it documents. No need to change the code you document.
Supports integration with DejaCode License Library. Will support creation of SPDX files.
Depends on policies and standards, such as the format for Attribution text and where you provide/display it. Iterative process to refine the compliance deliverables. Basic approach may be good enough for many products.
Advanced approach is best suited for software groups with an integrated build and continuous integration approach. Existing tools may provide part of a solution already – highly dependent on language/platform and tooling. Key benefit can be automatically applying policies to prevent Deployment of components based on license.