Corporate Open Source Governance
© 2016 Dirk Riehle - All Rights Reserved 1
Corporate Open Source Governance
Prof. Dr. Dirk Riehle
Friedrich-Alexander University Erlangen-Nürnberg
ASQF – Berlin 2016-06-02
Professorship of Open Source Software
● Dirk Riehle, professor of computer science
● Focus is software engineering research incl. open source software
● At Friedrich-Alexander-University Erlangen-Nürnberg, Faculty of Engineering
● Previously held research positions at ...
  – SAP Labs (Palo Alto, Silicon Valley) leading the open source research group
  – UBS (Swiss Bank, Zurich) leading the software engineering research group
● Previously worked in development at ...
  – Skyva Inc. (supply chain software startup, Boston) as software architect
  – Bayave GmbH (on-demand business software, Berlin) as CTO
Industry Domains of Interest to us
● Open source governance
● Inner source development
● (Agile) continuous delivery
● High-quality requirements
● Knowledge management
Student Projects with Industry Partners
● Recruiting
● Outsourcing
● Innovation
● Startups

● AMOS (software tools and components)
● PROD (market research, product specs)
● ARCH (software architecture analysis)
● NYT (interview and data analysis, other)
Cost Savings through Open Source Use
Faster – Better – Cheaper
“High quality software for free.”
Fundamental (Primary) Benefits
● Faster
  – Open source components are immediately available
● Better
  – Open source components are often of high quality
● Cheaper
  – Open source components are free (no license fee)
Some Secondary Benefits
● Open source is open to inspect and modify
  – Faster: Users can help themselves, fix bugs
  – Faster: Users can extend the software, develop new features
● Most open source has no or little vendor lock-in
  – Faster: Innovation cannot be blocked by one company
  – Cheaper: Competition keeps service prices low
● Open source components are compatible
  – Faster, better: With standards (as reference implementations)
  – Faster, better: With platforms (as de-facto implementations)
Use and Contribution Scenarios
● In-house
● In products
Fundamental Problems
● Subjected to lawsuit
  ● because of (real or alleged) violation of somebody else’s
    – Copyright (copyleft, license violation)
    – Patent rights (patent infringement)
● Trademarks are usually not a problem
Some Secondary Problems
● Loss of exclusive IP rights
● Unwanted disclosure of
  – Product strategy
  – Software architecture
  – Trade secrets
● Unawareness of known security vulnerabilities in the open source components in use
Causes → Problems → Effects
[Diagram] Causes: improper use, ungoverned contributions → Problem: subjected to lawsuit → Effects: convicted of infringing patents, having to open source
Improper Use
● Improper use of open source code, for example, by
  ● Copying and pasting from the web
  ● Inclusion of libraries / components
    – Either directly from the web, or
    – As part of the supply chain, or
    – As part of M&A activity
● may lead to getting sued for license violation or patent infringement
→ Need to govern use
Ungoverned Contributions
● Unwanted disclosure to the public, for example, by
  ● Ungoverned contributions to open source projects
● may lead to
  – getting sued for license violation or patent infringement
  – being disadvantaged in competitive situations
→ Need to govern contribution
Costs of Being Subjected to Lawsuit
● Business costs
  – Management distraction, loss of focus
  – Unwanted disclosure of business information
● Financial costs
  – Legal costs
  – Increased loss provisions (“Rückstellungen”)
● Reputation costs
  – Negative press
  – Unwanted public attention
Copyright Violation Lawsuit
● Steps in process
1. Customer acquires license for Commercial Product from Software Vendor
2. Customer asks Software Vendor for source code; in all likelihood gets denied
3. Depending on license and technical coupling, this denial is a license violation
4. Customer must empower Copyright Holder to sue Software Vendor for violation
● Applies to use in products
[Diagram] CH (copyright holder of OSS), SV (software vendor, ships the OSS version embedded in CP as OSS v2), C (customer of CP): C may ask SV for the closed source code; C must collaborate with CH; CH may sue SV
Costs of Having to Open Source
● In case of having to open source
  ● Business costs
    – Loss of intellectual property
    – Continued unwanted disclosures
    – Continued managerial distraction
    – Upset customers, loss of sales
  ● Legal costs
    – Increased lawsuit vulnerability
● In case of out-of-court agreement
  ● Financial costs
    – License fees
    – Legal fees
● More reputation loss
Patent Infringement Lawsuit
● Setup of situation
  ● OSS contains code that implements a patent owned by PH
  ● SV sells a license of CP to customer C without licensing the patent
● Steps in process
  1. Patent holder sues customer (patent user)
  2. Customer turns around, sues software vendor
● Applies broadly
  ● To both use cases
    – In-house
    – In products
  ● With or without open source
[Diagram] SV ships OSS inside CP to C; PH sues C for patent infringement; C holds SV responsible
Costs of Infringing Patents
● In case of out-of-court agreement
  ● Business costs
    – Patent fees
  ● Financial costs
    – Settlement fees
    – Legal fees
● In case no agreement is possible
  ● Business costs
    – Upset customers, loss of sales
    – Missed opportunities
    – Required rework
  ● Financial costs
    – Penalties
    – Legal fees
● More reputation loss
Proactive Measures against Patent Lawsuits
● Open Invention Network (OIN) founded to protect Linux
  – OIN owns a large patent pool that it licenses out royalty-free
  – Requires that licensees agree not to enforce patents against Linux
● Modern open source licenses include patent retaliation clauses
  – Users of open source who enforce patents against it lose the right to use the open source
  – Retaliation clauses vary and are not present in older licenses, e.g. GPLv2
Patent Retaliation Lawsuit
● Setup of situation
  ● Both SV1 and SV2 contribute to OSS
● Original lawsuit
  ● SV2 sues C1 for patent infringement
  ● C1 turns around, holds supplier SV1 responsible
● Retaliation lawsuit
  ● SV1 sues C2 for copyright violation
  ● C2 turns around, holds supplier SV2 responsible
[Diagram] SV1 ships OSS in CP1 to C1, SV2 ships OSS in CP2 to C2; 1. lawsuit SV2 → C1; 2. loss of rights grant; 3. “retaliation” lawsuit SV1 → C2
It’s a Business Decision
No risk
No reward
How to manage this risk?
Governance and Compliance
● Organizational governance
  – Is “the way the rules, norms and [desired] actions [of an organization] are produced, sustained, regulated and held accountable” (Wikipedia)
● Organizational compliance
  – Is how any behavior of and within an organization is made to comply with that organization’s rules, norms, and desired actions [DR]
● Software-using and producing organizations
  – Can have all kinds of governance and compliance bodies
  – One form is open source governance and compliance
Open Source Governance and Compliance
● Open source governance and compliance
  – Is the way an organization manages its open source engagement
● The three key forms of open source engagement
  – Use (of open source software in-house and in products)
  – Contribution (to open source software projects)
  – Leadership (of open source software projects)
● In the following, governance implies / includes compliance
Goals of Open Source Governance
● Primary goal
1. Achieve strategic goals
2. While complying with the law
● Secondary goals
3. Prevent being subjected to lawsuit
4. Minimize impact of lawsuits
● Cynics switch 2 and 3
  – Being lawful doesn’t mean you won’t get sued
Forms of Open Source Governance
● Defensive open source governance
  – To prevent “something bad happens”, i.e. getting sued
  – Applies mostly to the use and contribution forms of engagement
  – Is addressed in this lecture
● Offensive open source governance
  – To ensure “something good happens”, e.g. standards setting
  – Applies mostly to strategic leadership of open source projects
  – Is addressed during business model lectures
How Open Source Makes it into Products
[Diagram] Supply chain from Supplier Tier n through Supplier Tier 1 to the Client (OEM) product: each tier contributes closed source components (comp #24, comp #897) and open source projects (proj #5332, proj #152, proj #21632, proj #832), so open source enters the product at every tier
Governance Domains and Processes
Domain                 | Roles                                                            | Practices                                                        | Artifacts
Governance management  | CEO, Governor, Legal counsel, ...                                | Define goals, define processes, define roles, ...                | Open source charter, process descriptions, practices handbook, ...
Supplier management    | Governor, Software architect, Engineering manager, Supplier, ... | Enable audits, require bill-of-materials, explain governance, ... | Audit checklist, bill-of-materials, educational materials, ...
Engineering management | Governor, Engineering manager, Supplier, ...                     | Review third-party, select component, monitor code commits, ...  | Deliverables checklist, component repository, code scanner, ...
Product management     | Governor, Product manager, Engineering manager, ...              | Ensure standards, comply with licenses, provide source code, ... | Platform specifications, open source licenses, source code browser, ...
Software development   | Governor, Software developer, Engineering manager, ...           | Teach practices, suggest component, use comp. repository, ...    | Practices handbook, code search engines, code scanner, ...
Roles and Responsibilities
[Diagram] Governor (GOV) at the center, connecting CEO and legal counsel (LEG) with engineering manager (EM), product manager (PM), software developer (SD) and supplier (SU)
● Top-level management (CEO)
  – Responsible for overall goals, strategy
● Legal counsel (LEG)
  – Responsible for legal risk assessment
● Governor (GOV)
  – Responsible for open source governance
  – Defines processes and practices
  – Collaborates and mediates
  – Signs-off or escalates
● Engineering manager (EM)
  – Responsible for product development
● Product manager (PM)
  – Responsible for product management
● Software developer (SD)
  – Responsible for product implementation
Governance Management
● Responsible
  – CEO
  – Governor
  – Legal counsel
● Example practices
  – Define processes and practices
  – Define roles and responsibilities
  – Track state of the art in governance
  – ...
Example Governance Management Practice
Define processes and practices
Context: You are responsible for corporate open source governance. You are the first person to be given this responsibility.
Problem: Proper open source governance exists only in your head. You need to educate personnel and you need to achieve compliance.
Solution: Define all relevant processes and practices as a best practices handbook. Publish the handbook internally and educate personnel.
Supplier Management
● Responsible
  – Governor
  – Legal counsel
  – Engineering manager
  – ...
● Example practices
  – Define requirements for third-party components
  – Define requirements in contracts with suppliers
  – Define review process for third-party components
  – Monitor employed third-party components
  – Audit suppliers
  – ...
Example Supplier Management Practice
Require bill-of-materials
Context: Your products use third-party components. You don‘t have visibility into supplier open source governance.
Problem: Third-party components may incorporate open source code that conflicts with your strategic goals, e.g. copyleft code in a closed-source product.
Solution: In contracts, require that every delivery includes a bill-of-materials. At delivery time, verify that the bill-of-materials is present, then check its contents against your rules.
Software Package Data Exchange (SPDX)
Component Analysis 1 / 2
Component Analysis 2 / 2
Engineering Management
● Responsible
  – Governor
  – Engineering manager
● Example practices
  – Regularly educate engineering managers
  – Review proposed third-party components
  – Provide third-party component repository
  – ...
Example Engineering Management Practice
Propose open source components
Context: A developer suggests to use an open source component for some competitively non-differentiating functionality.
Problem: You can‘t decide yourself: Any open source component must be signed-off on by the open source governor of the organization.
Solution: Use the internal open source component repository. If not found, review proposed integration with governance rules. If not excluded, prepare proposal to governor for review of open source component.
Repository Management 1 / 2
Repository Management 2 / 2
Product Management
● Responsible
  – Governor
  – Product manager
● Example practices
  – Regularly educate product managers
  – Disclose used open source components (attribution)
  – Provide copyleft(ed) source code on website
  – ...
Example Product Management Practice
Attribute
Context: Your product is about to be released. You are assembling all collateral materials to go with the product.
Problem: Practically all open source licenses require attribution, i.e. you are obliged to disclose which open source software is used and under which license.
Solution: Create a list of open source components in your product and their licenses from your bill-of-materials. Create a summary file to be incorporated with the product and publish it on the web.
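The supplier-management practice (require and check a bill-of-materials) and the product-management practice above (build the attribution notice from that bill-of-materials) share one input, so the following worked example serves both. It is added code, not tooling from the lecture, from SPDX or from any vendor: the SPDX 2.x tag-value document is constructed for illustration, and the copyleft and permissive license sets are assumptions standing in for an organization's real governance rules.

```python
"""Check a supplier's SPDX bill-of-materials against a license policy and
emit the attribution notice shipped with the product.  Added example; the
SPDX document is constructed and the policy sets are assumptions."""
import re
from dataclasses import dataclass

# Strong copyleft licenses excluded from closed-source distributed products (assumption).
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
# Permissive licenses accepted without further governor review (assumption).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}

# Constructed SPDX tag-value document standing in for one supplier delivery.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
DocumentName: supplier-delivery-example

PackageName: fastjson-lite
PackageVersion: 1.4.2
PackageSupplier: Organization: Example Supplier GmbH
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: Copyright 2015 Example Authors

PackageName: mediacodec-x
PackageVersion: 0.9
PackageLicenseDeclared: GPL-2.0-or-later
PackageLicenseConcluded: GPL-2.0-or-later
PackageCopyrightText: NOASSERTION

PackageName: utilbag
PackageVersion: 2.0
PackageLicenseDeclared: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: NOASSERTION
"""

@dataclass
class Package:
    name: str
    version: str = ""
    license_declared: str = "NOASSERTION"
    license_concluded: str = "NOASSERTION"
    copyright: str = "NOASSERTION"

def parse_spdx(text):
    """Parse the package-level tags of an SPDX tag-value document.
    A PackageName tag starts a new package; the tags that follow fill it."""
    packages, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is not None:
            if tag == "PackageVersion":
                current.version = value
            elif tag == "PackageLicenseDeclared":
                current.license_declared = value
            elif tag == "PackageLicenseConcluded":
                current.license_concluded = value
            elif tag == "PackageCopyrightText":
                current.copyright = value
    return packages

def effective_license(pkg):
    """Prefer the concluded license (what an auditor found) over the declared one."""
    if pkg.license_concluded not in ("", "NOASSERTION"):
        return pkg.license_concluded
    return pkg.license_declared

def check_policy(packages):
    """Return (package name, reason) for every package needing governor attention.
    NOASSERTION means the supplier did not actually deliver license information."""
    findings = []
    for pkg in packages:
        lic = effective_license(pkg)
        if lic == "NOASSERTION":
            findings.append((pkg.name, "no license asserted in bill-of-materials"))
        elif lic in COPYLEFT:
            findings.append((pkg.name, f"copyleft license {lic} in distributed product"))
        elif lic not in PERMISSIVE:
            findings.append((pkg.name, f"license {lic} not on allowlist, needs review"))
    return findings

def attribution_notice(packages):
    """Attribution text shipped with the product: component, version, license and
    copyright for every package whose license was asserted."""
    lines = ["This product includes the following open source components:", ""]
    for pkg in packages:
        lic = effective_license(pkg)
        if lic == "NOASSERTION":
            continue  # cannot attribute what was not disclosed; check_policy flags it
        lines.append(f"{pkg.name} {pkg.version}".rstrip())
        lines.append(f"  License: {lic}")
        if pkg.copyright != "NOASSERTION":
            lines.append(f"  {pkg.copyright}")
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    pkgs = parse_spdx(SAMPLE_SPDX)
    for name, reason in check_policy(pkgs):
        print(f"REVIEW {name}: {reason}")
    print(attribution_notice(pkgs))
```

The check treats a missing license assertion as a finding rather than silently passing it, because a bill-of-materials that says NOASSERTION has not actually given you the visibility the contract was meant to buy; the attribution notice, conversely, lists only what was asserted, so the two outputs together tell the governor what is shipped and what is still unknown.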
Example of Attribution (Website)
Software Development
● Responsible
  – Governor
  – Software developer
● Example practices
  – Regularly educate software developers
  – Provide readily usable component repository
  – Scan all code contributions (libraries, hand-written)
  – ...
Example Software Development Practice
Pre-check commits
Context: You are developing software using a version control system.
Problem: Uneducated or negligent developers may copy code from the web into their components and commit it to the version control system.
Solution: Check each commit before it gets committed (pre-commit hook) using a source code scanner for license rule violations. Reject the commit in case of violation. Notify the engineering manager.
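A minimal pre-commit hook of the kind the practice above describes, as an added example (not the lecture's tooling and not a product scanner). It inspects the staged version of each changed file for two indicators of pasted-in code: an SPDX-License-Identifier tag naming a license outside the allowlist, and copyleft license boilerplate. The allowlist and the phrase list are assumptions standing in for the organization's license rules, and the staged snippets are constructed so the scan runs without a repository; the `git diff --cached` and `git show :path` calls are what the hook uses when installed as `.git/hooks/pre-commit`.

```python
"""Pre-commit hook: scan staged source for license indicators a developer may
have pasted in from the web, and reject the commit on a rule violation.
Added example; ALLOWED_SPDX, COPYLEFT_PHRASES and SAMPLE_STAGED are
assumptions and constructed data, not the lecture's own rule set."""
import re
import subprocess
import sys

# Licenses the governor has pre-approved for code in this repository (assumption).
ALLOWED_SPDX = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}

# Boilerplate phrases that mark copyleft code even when no SPDX tag is present.
COPYLEFT_PHRASES = [
    (re.compile(r"GNU Affero General Public License", re.I), "AGPL text"),
    (re.compile(r"GNU (?:Lesser |Library )?General Public License", re.I), "GPL/LGPL text"),
    (re.compile(r"Mozilla Public License", re.I), "MPL text"),
]
SPDX_TAG = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+-]+)*)")

# Constructed stand-in for `git show :path` output of four staged files.
SAMPLE_STAGED = {
    "src/json_util.py": "# SPDX-License-Identifier: MIT\nimport json\n",
    "src/codec.c": ("/* This program is free software; you can redistribute it and/or\n"
                    " * modify it under the terms of the GNU General Public License\n"
                    " * as published by the Free Software Foundation. */\n"),
    "src/dual.js": "// SPDX-License-Identifier: MIT OR GPL-3.0-only\n",
    "src/strict.h": "// SPDX-License-Identifier: GPL-2.0-only WITH Classpath-exception-2.0\n",
}

def expression_allowed(expr):
    """Flat SPDX expression check: alternatives joined by OR, each acceptable only
    if every AND-ed license in it is allowed.  'X WITH exception' stays one unit
    and is never on the allowlist, so it is rejected.  Parentheses are not handled."""
    for alternative in re.split(r"\s+OR\s+", expr):
        if all(part in ALLOWED_SPDX for part in re.split(r"\s+AND\s+", alternative)):
            return True
    return False

def scan_text(path, text):
    """Return (path, line number, message) for each line violating the rule: an SPDX
    tag must name an allowed license, and copyleft boilerplate must not appear."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SPDX_TAG.search(line)
        if m:
            if not expression_allowed(m.group(1)):
                findings.append((path, lineno,
                                 f"SPDX license expression '{m.group(1)}' not allowed"))
            continue
        for pattern, label in COPYLEFT_PHRASES:
            if pattern.search(line):
                findings.append((path, lineno, f"copyleft boilerplate ({label}) found"))
                break
    return findings

def scan_samples():
    """Run the scanner over the constructed staged files (no git needed)."""
    findings = []
    for path, text in SAMPLE_STAGED.items():
        findings.extend(scan_text(path, text))
    return findings

def staged_files():
    """Paths added or modified in the index, i.e. in the commit being prepared."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p]

def staged_content(path):
    """Index version of a file (what will be committed), not the working tree copy."""
    out = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True)
    return out.stdout.decode("utf-8", errors="replace")

def main():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_content(path)))
    for path, lineno, msg in findings:
        print(f"{path}:{lineno}: {msg}", file=sys.stderr)
    if findings:
        print("commit rejected by license pre-check; notify the engineering manager",
              file=sys.stderr)
        return 1  # non-zero exit makes git abort the commit
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Scanning the index rather than the working tree matters: a developer can stage a pasted file and then edit the working copy, so only `git show :path` reflects what the commit would actually contain. A client-side hook is advisory (developers can bypass it with `--no-verify`), so the same scan belongs in the server-side or CI check the "Scan all code contributions" practice calls for.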
Source Code Scanner 1 / 2
Source Code Scanner 2 / 2
Tool Support for Open Source Governance
● Source code scanner
● Vulnerabilities tracker
● Component evaluation
● Component analysis tools
● Repository management
Best Practices Handbook [RL14]
1. Governance Charter
2. Governance Management
3. [...]
5. Supplier Management
   a. Ensure requirements in supplier contracts
   b. Require bill-of-materials in supplier deliverables
      (i) Use standard for bill-of-materials
      (ii) [...]
   c. [...]
6. Component Integration
   (i) ... (ii) ...
7. Component Repository
   (i) ... (ii) ...
8. [...]
Future Governance Topics
● Governance processes
● Governance certification
● Supply chain management
● Software tooling
● Supplier auditing
● Architecture management
Bibliography (incl. References)
● See http://goo.gl/D8qnu
Thank you! Questions?
DR
[email protected] – http://osr.cs.fau.de
[email protected] – http://dirkriehle.com – @dirkriehle
Credits and License
● Original version
  – © 2012-2016 Dirk Riehle, all rights reserved
● Contributions
  – ...