1. Samsung Open Source Group 1 https://social.samsunginter.net/@rzr
Up/Down Stream Flows
Harmony in community, not “Far West”!
<https://www.meetup.com/fr-FR/Rennes-Embedded/>
#RennesEmbedded, Rennes, France <2019-04-11>
Philippe Coval
Samsung Open Source Group / SRUK
p.coval@samsung.com
2. $ who am i
● Software engineer at Samsung OSG
  – Belong to the SRUK team based in Rennes, France
  – Currently working on “Privacy by Design” Web of Things
  – Interests: Free Libre Open Source, OpenData, OpenDesign...
● Ping me on the fediverse:
  – https://social.samsunginter.net/@rzr
3. “Without trust there's no cooperation.
And without cooperation there's no progress.
History stops.”
~ Rick Yancey, The Last Star
4. Types of FLOSS models
● Built with OSS:
  – Some libs are used in products
    ● + patches (shared or not)
● Built on OSS: custom code on top
  – Free OSS base and un-free extensions
  – The base is shared to/with the community
● Behind doors / Inner source
  – Public on releases (code drop)
    ● not development branches or metadata
    ● may not review community contribs
● To open development:
  – Governance models
    ● Community is involved
    ● Meritocracy
    ● decision making, roadmaps
    ● Constitution, CoC
      – may help in case of conflicts
● To OpenSource foundations
  – Copyright holders
  – Neutral entity founded by members
5. Avoid Pitfalls
● FLOSS is gratis (if your time has no value)
  – The backdraft of freeriding (taking without giving): reputation, community support…
● FLOSS code will evolve with or without you!
  – Your base is already open, and will improve if used (by others)
  – You will never catch up; it will affect your quality (and your users’ security)
● Better focus on your value and build a better common base:
  – Design smart, isolate elements:
    ● UNIX philosophy & KISS principle, not “Not Invented Here”
● Be a good and smarter citizen since day one
  – Comply with licenses, separate upstream and downstream works
6. How to maximize efficiency of FLOSS use
● Improve culture & skills:
  – Dedicate experts with FLOSS culture: tech & legal background
  – Part of the company and involved in communities
  – Scale: learn and teach
● Set up infrastructure: listen to developers’ requirements
  – To use their most productive environments:
    ● GNU/Linux desktop, any flavour, root
  – To reach communities:
    ● IRC, mailing lists, etc.
  – Transparent proxies/firewall, flexible email (IMAP/SMTP), bandwidth (set up a cache)
7. Tooling
● Adopt upstream tools: SCM (git), build system
  – Switch to git: the sooner, the better
  – Eventually use a bridge like git-svn (but it will create more confusion)
  – git is flexible, GitHub is not (how will you export reviews and PRs?)
● CI may help too (if not required)
  – Can be self-hosted on site or outsourced
8. Cooperation
● Forward patches to upstream first
  – Maybe you are doing it wrong? Or upstream may suggest a better way.
  – Could be merged in a stable version (safer)
  – Small changes are faster to review
  – Easier to apply to several branches (fewer conflicts) and to revert
● Then merge downstream:
  – Adjust the delay according to your policies (e.g. 48h to 7 days)
● Keep an eye on it, try to reduce the gap
  – Technical debt is growing (until it’s upstreamed)
9. History >>> Code
● Mixing code randomly is risky behavior and not future-proof
● Don’t break the “evolution chain”:
  – use external dependencies
  – fork the project as a last resort, but keep history
● Preserve history/authorship:
  – Avoid importing/copying code from another tree (public or private)
● Helpful commit messages:
    git commit -sam 'context: Add X for feature Y...
    Because of Z reason...
    Bug: url://upstream/project/bug/42
    '
10. Linking to contexts
● Trackers might be updated after commits (cross-links, regressions, etc.)
  – Origin: $url (where the patch was published first)
  – Forwarded: $url (where upstream will review it)
  – Bug: $url (upstream context)
  – Bug-$downstream: $url or $id (downstream context)
    ● Bug-Debian: #42 (DEP3)
  – Relate-to: $url
  – Change-Id: I1dbadc0de… (unique id to track or search)
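The trailers above turned into a check a downstream team could run in a commit-msg hook or CI gate (added example, not from the slides): it builds a throwaway repository, commits one patch carrying Signed-off-by, Origin, Forwarded, Bug, Bug-Debian and Change-Id trailers and one plain commit, then uses git interpret-trailers to verify that each commit names an upstream context and a well-formed Change-Id. The URLs, ids and the policy itself are constructed.

```shell
#!/bin/sh
# Constructed example: check that downstream commits carry the linking trailers
# described above (usable as a commit-msg hook or a CI gate).
set -e
export GIT_AUTHOR_NAME=Dev GIT_AUTHOR_EMAIL=dev@example.org
export GIT_COMMITTER_NAME=Dev GIT_COMMITTER_EMAIL=dev@example.org

# Throwaway repo: one well-linked commit, then one that lacks any context.
setup_repo() {
  REPO=$(mktemp -d) && cd "$REPO" && git init -q
  echo 'int x;' > lib.c && git add lib.c
  # -s appends Signed-off-by; URLs and ids below are constructed placeholders.
  git commit -qs -m 'lib: Add X for feature Y' -m 'Because of Z reason.' \
    -m "Origin: https://git.example.org/downstream/commit/abc
Forwarded: https://git.example.org/upstream/pull/7
Bug: https://bugs.example.org/upstream/42
Bug-Debian: #42
Change-Id: I1dbadc0de$(printf '%031d' 0)"
  echo 'int y;' >> lib.c
  git commit -qam 'lib: Quick local tweak'
}

# Values of one trailer key in a commit, one per line (empty if absent).
trailer() {  # usage: trailer <commit> <Key>
  git log -1 --format=%B "$1" | git interpret-trailers --parse | sed -n "s/^$2: *//p"
}

# Policy: Signed-off-by, at least one upstream link, a 40-hex-digit Change-Id.
check_trailers() {  # usage: check_trailers <commit>; prints "ok" or the failing rule
  [ -n "$(trailer "$1" Signed-off-by)" ] || { echo "missing Signed-off-by"; return 1; }
  [ -n "$(trailer "$1" Forwarded)$(trailer "$1" Bug)" ] ||
    { echo "no upstream context (Forwarded: or Bug:)"; return 1; }
  trailer "$1" Change-Id | grep -Eq '^I[0-9a-f]{40}$' ||
    { echo "bad or missing Change-Id"; return 1; }
  echo "ok"
}

setup_repo
check_trailers HEAD~1          # ok
check_trailers HEAD || true    # missing Signed-off-by
```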
11. Attribution
● Respect authors (and their works or time) in commit messages:
  – Author: ...
  – Thanks-to:, Credit-to:, Reported-by:, Suggested-by: ...
● The author is the most knowledgeable about why or how the change was made:
  – (Current or future) license may require attribution (ex: BSD-3-Clause-Attribution)
  – May be contacted afterwards in the project's interest (regressions etc.)
● Commits may be signed
  – Per project policy: to ensure integrity or authorship
  – Comply with the project’s license
  – Ensure code is not “borrowed” from a random source
12. Legal & Security
● FLOSS is not public domain: rights and duties
  – Different philosophies:
    ● Author/User, Business/Community, OSI/FSF, Permissive/Copyleft…
● SPDX: Software Package Data Exchange
  – Standard (namespace) for licensing
  – SPDX header in source:
    ● SPDX-License-Identifier: GPL-2.0
● Never assume that random public code is safe
  – A minimal chain of trust to the author should be established
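A check for the SPDX header described above (added example, not from the slides): it reads the SPDX-License-Identifier from the head of each C source file in a tree and reports files with no identifier or with one outside a hypothetical allow-list, the kind of gate a downstream team can run before importing code. The allow-list and the sample files are constructed.

```shell
#!/bin/sh
# Constructed example: gate imported code on the SPDX header. Every C source
# file must declare SPDX-License-Identifier, and the id must be on the allow-list.
set -e

# Hypothetical product policy; anything else goes to legal review.
ALLOWED="GPL-2.0 GPL-2.0-only LGPL-2.1 MIT BSD-3-Clause Apache-2.0"

# SPDX id from the first 10 lines of a file (header sits near the top); empty if none.
spdx_id() {  # usage: spdx_id <file>
  head -n 10 "$1" |
    sed -n 's/.*SPDX-License-Identifier:[[:space:]]*\([^[:space:]*]*\).*/\1/p' | head -n 1
}

# One file: prints ok | missing | review:<id>; exit status 0 only for ok.
spdx_check() {  # usage: spdx_check <file>
  id=$(spdx_id "$1")
  [ -n "$id" ] || { echo "missing"; return 1; }
  for lic in $ALLOWED; do
    if [ "$id" = "$lic" ]; then echo "ok"; return 0; fi
  done
  echo "review:$id"; return 1
}

# Whole tree (paths without whitespace assumed): one line per file, non-zero if any fails.
spdx_scan() {  # usage: spdx_scan <dir>
  rc=0
  for f in $(find "$1" -type f \( -name '*.c' -o -name '*.h' \) | sort); do
    out=$(spdx_check "$f") || rc=1
    echo "$f: $out"
  done
  return $rc
}

# Constructed sample tree: compliant file, copyleft id outside the policy, no header.
SRC=$(mktemp -d)
printf '// SPDX-License-Identifier: GPL-2.0\nint a;\n' > "$SRC/gpl.c"
printf '/* SPDX-License-Identifier: GPL-3.0-or-later */\nint b;\n' > "$SRC/gpl3.c"
printf 'int c; /* no header */\n' > "$SRC/bare.h"

spdx_scan "$SRC" || echo "SPDX check failed: add headers or send flagged files to review"
```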
13. Security matters
● Scan for vulnerabilities and legal compliance
● Upstream code is exposed
  – It can be scanned by bots:
    ● FOSSA, FOSSology, OpenHub/Black Duck, GitHub alerts...
  – And vulnerabilities get reported (first privately, then publicly)
● Downstream code maybe not
  – Patches may fix vulnerabilities... or add more
  – Scanning and verifying code is long and costly
    ● Usually: gratis for FLOSS / pay for private code
14. Git chain is robust if well linked
● git cherry-pick upstream’s changes
  – E.g. apply fixes from release branches
● Or rebase your tree on upstream:
  – CONTINUOUSLY on post-release branches
  – Follow versions: git rebase -i $tag
  – Adapt your changes on conflict:
    ● Hint: you may split changes and upstream them progressively
● Other useful commands: git blame, git bisect
  – Prefer git rebase over git merge
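The cherry-pick and rebase flow above as a runnable walkthrough (added example, not from the slides): a constructed upstream repository tags v1.0 and v1.1, a downstream product branch carrying one local patch is rebased onto v1.1 with git rebase -i, a stable branch takes only the fix with git cherry-pick -x so the upstream SHA stays recorded in the message, and the remaining gap is counted with git rev-list. Repository contents and URLs are constructed.

```shell
#!/bin/sh
# Constructed example: follow upstream releases with rebase and cherry-pick -x,
# then measure the downstream gap (local patches not yet upstreamed).
set -e
export GIT_AUTHOR_NAME=Dev GIT_AUTHOR_EMAIL=dev@example.org
export GIT_COMMITTER_NAME=Dev GIT_COMMITTER_EMAIL=dev@example.org

setup_flow() {
  WORK=$(mktemp -d)
  # Upstream: first release v1.0.
  git init -q "$WORK/upstream" && cd "$WORK/upstream"
  echo 'int api(void) { return 1; }' > lib.c
  git add lib.c && git commit -qm 'lib: Initial API' && git tag v1.0
  # Downstream: product branch on v1.0 carrying one local patch (separate file).
  git clone -q "$WORK/upstream" "$WORK/downstream" && cd "$WORK/downstream"
  git checkout -qb product v1.0
  echo 'int product_hook(void) { return 0; }' > product.c
  git add product.c
  git commit -qsm 'product: Add hook' -m 'Forwarded: https://git.example.org/upstream/pull/8'
  # Meanwhile upstream fixes a bug and releases v1.1.
  cd "$WORK/upstream"
  echo 'int api(void) { return 2; } /* fixed */' > lib.c
  git commit -qam 'lib: Fix return value' && git tag v1.1
  UPSTREAM_FIX=$(git rev-parse HEAD)
  cd "$WORK/downstream" && git fetch -q --tags origin
}

# Follow the release: replay the downstream patches on top of the new tag.
rebase_on_tag() {  # usage: rebase_on_tag <tag>
  GIT_SEQUENCE_EDITOR=true git rebase -i "$1" >/dev/null  # todo list accepted as-is
}

# Stable branch still on v1.0 takes only the fix; -x records the upstream SHA.
backport_fix() {
  git checkout -qb product-stable v1.0
  git cherry-pick -x "$UPSTREAM_FIX" >/dev/null
  git checkout -q product
}

# Gap = downstream-only commits since the tag: technical debt until upstreamed.
gap_count() { git rev-list --count "$1..HEAD"; }  # usage: gap_count <tag>

setup_flow
rebase_on_tag v1.1
echo "downstream patches not in v1.1: $(gap_count v1.1)"   # 1
backport_fix
git log -1 --format=%B product-stable | grep 'cherry picked from'
```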
15. Moving forward & Sustainability
● OSS Foundations
  – Neutral and legal entity
  – Funded by companies and individuals
  – Provides infrastructure
  – Training and certifications
● Originally seeded by one project:
  – Linux Foundation:
    ● From kernel to many projects:
      – OS: Tizen, Yocto, AGL
      – Middlewares:
        ● IoTivity, LF Edge, ONAP, OpenJS
  – Similar to:
    ● Apache, Eclipse, Document, OpenStack, FSF, Mozilla, Debian/SPI, ROS, Python, Pi, OW2 ...
16. Prefer Co-maintenance
● Inactive upstream
  – Upstream is not your contractor
  – Shift to co-maintenance?
● Abandonware Organization:
  – https://abandonware.github.io/
  – Community-maintained packages
  – Maximize benefit, minimize effort
  – No trade-off on security
17. Summary
● Avoid “Not Invented Here”
  – It’s easy to start a new project; it’s harder to maintain it
  – Join an existing project / reduce duplication
  – Review changes, minimize downstream changes
● Be part of the chain of trust
  – Bigger adoption => more checks and tests => care about interoperability
● Establish a long-term strategy with open source foundations:
  – Scale, comply with licenses, involve the community...
18. References:
● https://www.SoftwareHeritage.org/
  – 88M projects as of 2019-04-08
● https://wiki.iotivity.org/contribute
  – Example: contribution tips for the IoTivity project
● https://social.samsunginter.net/@rzr/101640930444343920
  – tizen-upstream-coop-tdc2014-pcoval
● Samsung’s Open Source portal
  – https://opensource.samsung.com/
● https://youtu.be/2KDFRiSNSX8
  – OSI’s Simon Phipps at OW2 2018