Embed Size (px)
Citation preview
Marcel de VriesCTO Xpirit
Best Practices for Using
Open Source Software in
the Enterprise
How software is built• 80% is based on components + your
code + glue code => new product
• Components dominantly are now open source
• Build on the shoulders of giants by using free software components in your products
DEMOAwareness is key!
Look at average ASP.NET website
• ASP.NET itself
• Entity framework
• JQuery
• Angular
• Bootstrap
• …201320122011200920082007 2010
2B1B500M 4B 6B 8B 13B
Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.
The new Microsoft• Microsoft embraces open source in many areas
now
• Did you know Azure provides many different flavors of Linux distributions?
• Did you know Microsoft open sourced important parts of their development platform?– ASP.NET MSBuild
– SignalR .NET Core (CLR & FW)
– Roslyn compilers WCF
The .NET Foundation .NET API for Hadoop WebClient
.NET Compiler Platform ("Roslyn").NET Map Reduce API for Hadoop
.NET Micro Framework
ASP.NET MVC
ASP.NET Web API
ASP.NET Web Pages
ASP.NET SignalR
Composition (MEF2)
Entity Framework
Linq to Hive
MEF (Managed Extensibility Framework)
OWIN Authentication Middleware
Rx (Reactive Extensions)
Web Protection Library
Windows Azure .NET SDK
Windows Phone Toolkit
WnsRecipe
Mimekit Xamarin.Auth
Xamarin.Mobile
Couchbase for .NET
Miguel de Icaza (Xamarin)
Laurent Bugnion (IdentityMine)
Niels Hartvig (Umbraco)
Anthony van der Hoorn (Glimpse)
Paul Betts (GitHub)
Nigel Sampson (Compiled Experience)
http://www.dotnetfoundation.org
Mailkit
System.Drawing
Best practices in OSS for the enterprise
• In the Microsoft eco system we are just getting started• How do you come up with best practices already?
– Look at the eco systems that have been using OSS for a long time
• E.g. Java ecosystem
– My personal experience as Technology manager, CTO in terms of risk awareness
• Experiences based on consulting engagements where I worked in heterogeneous environment
Challenge to the enterprise
• Developers want freedom to use open source software– It is highly encouraged by modern development tools like Visual
Studio
– NuGet, NPM (node), Bower, Maven, etc.
• How can I empower my developers, without bringing my company at risk?
• I see my .NET developer use open source now, how can I cope with this and still keep them happy?
Open source software
• What are the implications in the enterprise?What is open source?
Publish open source software
What are common business models?
When can I publish Oss?
What do I need to accept contributions?
Consuming open source software
What are the Licenses implications?
Are there known Vulnerabilities?
How well are these sources maintained?
How can we keep that in control?
What is open source anyway?
“Computer software with its source code made available under a license in which the copyright holder provides the rights to study, change and distribute the software to anyone and for any purpose”
St. Laurent, Andrew M. (2008). Understanding Open Source and Free Software Licensing. O'Reilly Media. p. 4. ISBN 9780596553951
According to the Open Source Definition, the license must not:• Discriminate against persons or groups
• Discriminate against fields of endeavour
• Be specific to a product
• Restrict other software
http://opensource.org/osd
What is a license?
COPYLEFT
GPL
LGPL
AGPL
Permissive
Restrictive
License spectrum
Copyleft License implications• Distribution triggers obligations
– And in some cases using on a network also trigger obligations (AGPL)
• Obligations are:• Disclosing the source code of your product;
• Making your product available under that copyleft license;
• Licensing your patents that read on the software.
• Once your product is available under a copyleft license any recipient can use it and distribute it without charge.
Copyleft and Cloud• In general, using modified Copy left sources do not need to
be published when used in cloud solution
• Cloud service is in general not considered distribution, but use of the software– So does not trigger copy left obligations
• Except for following licenses:– AGPL
– European Union Public License
– Common Public License
CONTRIBUTING TO OPEN SOURCE
OSS Contribution Funnel• Be able to understand what it does
• Can easily pick it up and use
• Download• Fork / Follow / FavouriteUse
• Log bugs
• Answer questions
• Write blog posts
• Fix / add documentation
• Fix typos
Contribute Time
• Actually contribute code patches that fix bugs / improve test cases
• Contribute entirely new features
• Translate• Maintain platforms
Contribute Code
• Become a core committer (get write access)
• Accept / validate code contributions
• Nurture new people• Stick around
• Influence the direction of the project
Own
Publishing open source• What do you need when you want to publish open source
software?
• You need to know who worked on the software– Each individual is a copyright holder!– If you don’t know, you are at risk going forward, you need to chase
them down
• How about I publish software on my blog?– You are still the copyright holder and need to set license terms for
others to be able to use it!
A Contributor License Agreement (CLA) defines the terms under which intellectual property has been
contributed to a company/project, typically software under an open source
license.From Wikipedia, the free encyclopedia
Why would I publish my product as OSS?
• Open source is a proven viable business model
• Company builds and contributes to the open source software
• Company builds premium components they sell• Company provides premium services
– e.g. SaaS versions of the product, or consulting services
CONSUMING OPEN SOURCE
Consuming open source software
Use of components creates a
SOFTWARE SUPPLY CHAIN
DEVELOPMENTBUILD AND DEPLOY
PRODUCTIONCOMPONENT
SELECTION
Licenses are one part of the story, but what about…
HEARTBLEEDEverything was secure until, suddenly it wasn’t
Introduced December 2011 Discovered April 2014 Lot of instances fixed, but still not all!
Consuming open source softwareIf you’re not using secure
COMPONENTSyou’re not building secure
APPLICATIONS
DEVELOPMENTBUILD AND DEPLOY
PRODUCTIONCOMPONENT
SELECTION
You need to know what is used in your enterprise!
How can we empower developers in using open source but be risk aware?
What can we learn from the Java space?
• They use artifact repositories to pull their packages from and push their packages to– Provides a single point where you can ask questions about the
software
• In the Microsoft ALM tools, we are used to– Use Version control repositories for our sources
– Use network drop locations for our build products
– Use the web to pull our packages
Consuming open source software
DEVELOPMENTBUILD AND PUBLISH
PRODUCTIONCOMPONENT
SELECTION
When you have a repo in place, you can….
• Scan for licenses in use
• Scan for known vulnerabilities
• Scan for popularity
Meet the artifact repository• There are different flavors out there
– Alternatives are archiva, Artifactory, Nexus
– You can look at a comparison at: http://docs.codehaus.org/display/MAVENUSER/Maven+Repository+Manager+Feature+Matrix
• For my demos I am using Sonatype Nexus– The one I most commonly encountered in my engagements with
customers
– Supports the Microsoft Eco system with NuGet!
DEMOShow nexus PRO
Great but not all OSS comes from NuGet
How can you know what is in your enterprise, because just using a proxy does not cut it?
How to publish to repo after build
By publishing your product back to the artifact repository, you can now scan your software on use of OSS
Consuming open source software
DEVELOPMENTBUILD AND PUBLISH PRODUCTION
COMPONENT SELECTION
DEMOPublish to artefact repo
Great!Now I have an artifact
repository, how does that solve my needs?
We need a way to scan my repository and answer my
important questions
DEMOHealth reports
Part of the puzzle• Artifact repositories can help you
– Empower your developers to build on shoulders of giants
– Analyze what is in use• Source code or binaries
– Give insights in your exposure to known vulnerabilities in OSS components
• There are things you need to figure out yourself
– What OSS do we pick for certain parts of the system
– How do you select the right component with an abundance of choice?
– How do you engage with communities?
– How to manage contributions to OSS?
What we not covered• Integrating license and vulnerability scans as part of your continuous
delivery pipeline
• Defining policies for what you allow
– Component Lifecycle Management tooling
– Can plug into your build system or your delivery pipelines
• People and Perception
– Developer bias
– Developer satisfaction
– Not looking at the other side of the fence
Summary
• There is more to open source than sources• Understand licensing• Understanding the OSS ecosystem• OSS usage impacts your business• Set up a strategy to know what you are using• Artifact repository can help you solve parts of the
puzzle– Make them part of your Continuous Delivery Pipeline
Questions?
• Xpirit Magazine in your TechDays bag with cool articles on e.g:– Hololens programming– Azure Service Fabric– Application Insights
http://fluentbytes.com@[email protected] help? Contact us
