Tools for developers to ensure legal integrity of their code

Freddy Munoz, PhD, Product Manager, Antelink. [email protected] @drfmunoz

Bruno Cornec, Open Source & Linux Profession Lead EMEA, HPIntelCo. [email protected]

Community Summit: Legal & Licensing / Tools for developers to ensure legal integrity of their code / Freddy Munoz and Bruno Cornec


DESCRIPTION

First, this talk explores the various options for FOSS detection, how this process can be integrated into the "software factory", and how the results can be displayed in a usable and efficient way, using different tools freely available to the open source communities such as FOSSology and the Antepedia Tools Suite. Second, we give some examples of license data that can be collected from many open source projects and show how it can be useful for communities to adopt a standard like SPDX (Software Package Data Exchange), which will be presented briefly.


Page 2

The context

Page 3

The problem

[Diagram: a build pipeline (compile, test, integration test, package, analysis) run by a build engineer produces the final product; the license, version and origin project of the components inside it are marked "???".]

Are you sure that you know everything…?
Are you sure that you are license compliant?
In your BoM. In your product.

Page 4

Available compliance tools (non-exhaustive list)

Source: http://www.linuxfoundation.org/programs/legal/compliance/tools

[Diagram: Antepedia Notifier and Antepedia Reporter placed on a source code / binary package axis.]

Page 5

Antepedia Tool Suite

Page 6

Antepedia Tool Suite

Antepedia Knowledge Base: 940 000 projects, 210 000 000 files
Antepedia Notifier*
Antepedia Reporter*
Antepedia Search**
Public API

* free for non-profit projects and organizations
** free public access

Page 7

Antepedia Search

Cloud service: a single file is submitted and a web-browser report is returned with:
- Original project
- License information
- Release date and location

Page 8

Antepedia Reporter

Automated on-demand detection of open source components

Analysis against Antepedia, the world’s largest knowledge base of open source projects.

Export:
1. HTML file
2. CSV file

my.antepedia.com


Page 10

Antepedia Notifier

Automated continuous detection of open source components

Continuous detection against Antepedia, the world’s largest database of open source projects.

Notification:
1. By mail
2. Through Atlassian JIRA

my.antepedia.com

Page 11

FOSSology - Goal

FOSS-ology: the study of FOSS

The goal of the FOSSology project is to create tools and a framework to reduce fear, uncertainty, and doubt in the use, development, and distribution of open source software. FOSSology is a static analysis framework to learn what we can by scanning FOSS itself: analyze the code, save the results in a database, and report results through a Web (or scripted) interface.

Page 12

A Simple FOSSology Process Flow

- Scan every single file in a package (or distro, or …)
- Fuzzy match against a library of > 400 known licenses.
- Examine the non-matching portions looking for text that could be an unknown license.
- Nomos, the now GPLed license analysis tool, is the result of 10+ years of scanning @HP
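To make the three scanning steps concrete, here is an added Python example (not FOSSology or Nomos code): every file of a package is split into paragraphs, each paragraph is fuzzy-matched with difflib against a small library of known license texts, and any unmatched paragraph that still looks like license text is flagged as a candidate unknown license. The abbreviated license snippets, the 0.8 similarity threshold, the hint-word list and the sample files are all constructed assumptions for the demonstration.

```python
# Added example, not FOSSology/Nomos code: the three scanning steps from the slide,
# run on a constructed, abbreviated license library and constructed sample files.
import difflib
import re

# Abbreviated license texts (FOSSology matches against > 400 full ones). Constructed.
KNOWN_LICENSES = {
    "MIT": "permission is hereby granted free of charge to any person obtaining a copy of "
           "this software and associated documentation files to deal in the software without restriction",
    "GPL-2.0": "this program is free software you can redistribute it and or modify it under the "
               "terms of the gnu general public license as published by the free software foundation either version 2",
}
# Words suggesting a paragraph is license text even when no known license matched.
LICENSE_HINTS = re.compile(r"\b(licen[cs]e|copyright|warranty|redistribut)", re.I)

def normalize(text):
    """Lower-case, drop punctuation and collapse whitespace so fuzzy matching is robust."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def best_match(paragraph, threshold=0.8):  # threshold is an assumed tuning value
    """Return (license name, similarity); name is None when below the threshold."""
    norm = normalize(paragraph)
    name, ratio = max(((n, difflib.SequenceMatcher(None, norm, ref).ratio())
                       for n, ref in KNOWN_LICENSES.items()), key=lambda item: item[1])
    return (name, ratio) if ratio >= threshold else (None, ratio)

def scan_file(path, content):
    """One file: fuzzy-match each paragraph (step 2), else look for unknown license text (step 3)."""
    findings = []
    for para in re.split(r"\n\s*\n", content.strip()):
        name, ratio = best_match(para)
        if name:
            findings.append({"file": path, "license": name, "ratio": round(ratio, 2)})
        elif LICENSE_HINTS.search(para):
            findings.append({"file": path, "license": "UNKNOWN", "ratio": round(ratio, 2)})
    return findings

def scan_package(files):
    """Step 1: scan every single file in the package (dict path -> contents)."""
    return [f for path, content in files.items() for f in scan_file(path, content)]

# Constructed sample package: an MIT-headered file whose wording differs slightly from the
# library entry, a vendored file with a notice no entry matches, and a plain README.
SAMPLE_FILES = {
    "src/util.c": '/* Permission is hereby granted, free of charge, to any person obtaining a copy of\n'
                  ' this software and associated documentation files (the "Software"), to deal in the\n'
                  ' Software without restriction. */\n\nint add(int a, int b) { return a + b; }\n',
    "src/vendor/blob.c": "/* Copyright 2011 Example Corp. All rights reserved. Redistribution\n"
                         " requires written permission. */\n\nint secret(void) { return 42; }\n",
    "README": "Build with make. Tests run with make check.\n",
}
```

Running `scan_package(SAMPLE_FILES)` reports the MIT header in `src/util.c` and flags the proprietary notice in `src/vendor/blob.c` as UNKNOWN, which is exactly the kind of finding a reviewer must look at by hand.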

Page 13

File upload screenshot

Page 14

Queue management screenshot

Page 15

License analysis screenshot

Page 16

Meta data analysis screenshot

Page 17

Bucket browser screenshot

Page 18

Architecture

Page 19

“The evolution of FLOSS and the Internet are tightly coupled”

Web Resources

FOSSology main site: http://www.fossology.org
Mailing lists, contacts: http://fossology.org/contact_us
Plume details: http://www.projet-plume.org/fiche/fossology
Project-Builder: http://trac.project-builder.org
Open Source at HP: http://opensource.hp.com
ProLiant & Linux: http://www.hp.com/go/proliantlinux

FOSSology users: HP, ALU, Siemens, INRIA, OW2

Page 20

SPDX: Handling Heterogeneous Licenses


Page 22

Inconsistent License Information (1/2)

Sources:
http://jwebmail.sourceforge.net/news.html
http://jwebmail.sourceforge.net/about.html
http://sourceforge.net/projects/jwebmail/

Page 23

Inconsistent License Information (2/2)

Sources:
http://www.winpenpack.com/en/page.php?5
http://sourceforge.net/projects/winpenpack/


Page 25

SPDX: Standardization

SPDX™ - a standard format for communicating the components, licenses and copyrights associated with a software package.


Page 27

???