
Corporate Open Source Governance

© 2016 Dirk Riehle - All Rights Reserved 1

Corporate Open Source Governance

Prof. Dr. Dirk Riehle

Friedrich-Alexander University Erlangen-Nürnberg

ASQF – Berlin 2016-06-02


Professorship of Open Source Software

● Dirk Riehle, professor of computer science
  ● Focus is software engineering research incl. open source software
● At Friedrich-Alexander-University Erlangen-Nürnberg, Faculty of Engineering
● Previously held research positions at ...
  ● SAP Labs (Palo Alto, Silicon Valley) leading the open source research group
  ● UBS (Swiss Bank, Zurich) leading the software engineering research group
● Previously worked in development at ...
  ● Skyva Inc. (supply chain software startup, Boston) as software architect
  ● Bayave GmbH (on-demand business software, Berlin) as CTO


Industry Domains of Interest to us

● Open source governance
● Inner source development
● (Agile) continuous delivery
● High-quality requirements
● Knowledge management


Student Projects with Industry Partners

● Recruiting
● Outsourcing
● Innovation
● Startups

● AMOS (software tools and components)
● PROD (market research, product specs)
● ARCH (software architecture analysis)
● NYT (interview and data analysis, other)


Cost Savings through Open Source Use

[Figure: the three benefits arranged as a triangle: Faster, Better, Cheaper]

“High quality software for free.”


Fundamental (Primary) Benefits

● Faster
  ● Open source components are immediately available
● Better
  ● Open source components are often of high quality
● Cheaper
  ● Open source components are free (no license fee)


Some Secondary Benefits

● Open source is open to inspect, modify
  ● Faster: Users can help themselves, fix bugs
  ● Faster: Users can extend the software, develop new features
● Most open source has no or little vendor lock-in
  ● Faster: Innovation cannot be blocked by one company
  ● Cheaper: Competition keeps service prices low
● Open source components are compatible
  ● Faster, better: With standards (as reference implementations)
  ● Faster, better: With platforms (as de-facto implementations)


Use and Contribution Scenarios

● In-house

● In products


Fundamental Problems

● Subjected to lawsuit
  ● because of (real or not) violation of somebody else’s
    – Copyright (copyleft, license violation)
    – Patent rights (patent infringement)
● Trademarks are usually not a problem


Some Secondary Problems

● Loss of exclusive IP rights

● Loss of exclusive IP rights
● Unwanted disclosure of
  ● Product strategy
  ● Software architecture
  ● Trade secrets
● Ignorance of security vulnerabilities


Causes → Problems → Effects

Causes: Improper use, Ungoverned contributions
→ Problem: Subjected to lawsuit
→ Effects: Convicted of infringing patents, Having to open source


Improper Use

● Improper use of open source code, for example, by
  ● Copying and pasting from the web
  ● Inclusion of libraries / components
    – Either directly from the web, or
    – As part of the supply chain, or
    – As part of M&A activity
● may lead to getting sued for license violation or patent infringement

→ Need to govern use


Ungoverned Contributions

● Unwanted disclosure to the public, for example, by
  ● Ungoverned contributions to open source projects
● may lead to
    – getting sued for license violation or patent infringement
    – being disadvantaged in competitive situations

→ Need to govern contribution


Costs of Being Subjected to Lawsuit

● Business costs
  ● Management distraction, loss of focus
  ● Unwanted disclosure of business information
● Financial costs
  ● Legal costs
  ● Increased loss provisions (“Rückstellungen”)
● Reputation costs
  ● Negative press
  ● Unwanted public attention


Copyright Violation Lawsuit

● Steps in process
  1. Customer acquires license for Commercial Product from Software Vendor
  2. Customer asks Software Vendor for source code; in all likelihood gets denied
  3. Depending on license and technical coupling, this denial is a license violation
  4. Customer must empower Copyright Holder to sue Software Vendor for violation
● Applies to use in products

[Diagram: the Copyright Holder (CH) owns OSS; the Software Vendor (SV) ships it as OSS v2 inside the Commercial Product (CP) sold to the Customer (C). C may ask SV for the closed source code; C must collaborate with CH; CH may sue SV.]



Costs of Having to Open Source

● In case of having to open source
  ● Business costs
    – Loss of intellectual property
    – Continued unwanted disclosures
    – Continued managerial distraction
    – Upset customers, loss of sales
  ● Legal costs
    – Increased lawsuit vulnerability
● In case of out-of-court agreement
  ● Financial costs
    – License fees
    – Legal fees
● More reputation loss


Patent Infringement Lawsuit

● Setup of situation
  ● OSS contains code that implements a patent owned by PH
  ● SV sells a license of CP to customer C without licensing the patent
● Steps in process
  1. Patent holder sues customer (patent user)
  2. Customer turns around, sues software vendor
● Applies broadly
  ● To both use-cases
    – In-house
    – In products
  ● With or without open source

[Diagram: OSS (implementing PH’s patent) is part of CP, which SV sells to C; PH sues C for patent infringement]


Costs of Infringing Patents

● In case of out-of-court agreement
  ● Business costs
    – Patent fees
  ● Financial costs
    – Settlement fees
    – Legal fees
● In case no agreement is possible
  ● Business costs
    – Upset customers, loss of sales
    – Missed opportunities
    – Required rework
  ● Financial costs
    – Penalties
    – Legal fees
● More reputation loss


Proactive Measures against Patent Lawsuits

● Open Invention Network (OIN) founded to protect Linux
  ● OIN owns a large patent pool that it licenses out royalty-free
  ● Requires that licensees agree not to enforce patents against Linux
● Modern open source licenses include patent retaliation clauses
  ● Users of open source who enforce patents lose the right to use the open source
  ● Retaliation clauses vary and are not present in older licenses, e.g. GPLv2


Patent Retaliation Lawsuit

[Diagram: SV1 and SV2 both contribute to OSS; OSS is part of CP1 (sold by SV1 to C1) and of CP2 (sold by SV2 to C2). 1. lawsuit: SV2 against C1; 2. loss of rights grant (SV2); 3. “retaliation” lawsuit: SV1 against C2]

● Setup of situation
  ● Both SV1 and SV2 contribute to OSS
● Original lawsuit
  ● SV2 sues C1 for patent infringement
  ● C1 turns around, holds supplier SV1 responsible
● Retaliation lawsuit
  ● SV1 sues C2 for copyright violation
  ● C2 turns around, holds supplier SV2 responsible


It’s a Business Decision

No risk, no reward.

How to manage this risk?


Governance and Compliance

● Organizational governance
  ● Is “the way the rules, norms and [desired] actions [of an organization] are produced, sustained, regulated and held accountable” (Wikipedia)
● Organizational compliance
  ● Is how any behavior of and within an organization is made to comply with that organization’s rules, norms, and desired actions [DR]
● Software-using and producing organizations
  ● Can have all kinds of governance and compliance bodies
  ● One form is open source governance and compliance


Open Source Governance and Compliance

● Open source governance and compliance
  ● Is the way an organization manages its open source engagement
● The three key forms of open source engagement
  ● Use (of open source software in-house and in products)
  ● Contribution (to open source software projects)
  ● Leadership (of open source software projects)
● In the following, governance implies / includes compliance


Goals of Open Source Governance

● Primary goal
  1. Achieve strategic goals
  2. While complying with the law
● Secondary goals
  3. Prevent being subjected to lawsuit
  4. Minimize impact of lawsuits
● Cynics switch 2 and 3
  ● Being lawful doesn’t mean you won’t get sued


Forms of Open Source Governance

● Defensive open source governance
  ● To prevent “something bad happens”, i.e. getting sued
  ● Applies mostly to the use and contribution forms of engagement
  ● Is addressed in this lecture
● Offensive open source governance
  ● To ensure “something good happens”, e.g. standards setting
  ● Applies mostly to strategic leadership of open source projects
  ● Is addressed during business model lectures


How Open Source Makes it into Products

[Diagram: a supply chain from Client (OEM) ← Supplier Tier 1 ← ... ← Supplier Tier n. At every tier the delivered product is assembled from closed source components (e.g. comp #24, comp #897) and open source projects (e.g. proj #5332, proj #152, proj #21632, proj #832), so open source enters the OEM’s product through suppliers it never selected itself.]


Governance Domains and Processes

For each governance domain: Roles / Practices / Artifacts

Governance management
  Roles: CEO, Governor, Legal counsel, ...
  Practices: Define goals, Define processes, Define roles, ...
  Artifacts: Open source charter, Process descriptions, Practices handbook, ...

Supplier management
  Roles: Governor, Software architect, Engineering manager, Supplier, ...
  Practices: Enable audits, Require bill-of-materials, Explain governance, ...
  Artifacts: Audit checklist, Bill-of-materials, Educational materials, ...

Engineering management
  Roles: Governor, Engineering manager, Supplier, ...
  Practices: Review third-party, Select component, Monitor code commits, ...
  Artifacts: Deliverables checklist, Component repository, Code scanner, ...

Product management
  Roles: Governor, Product manager, Engineering manager, ...
  Practices: Ensure standards, Comply with licenses, Provide source code, ...
  Artifacts: Platform specifications, Open source licenses, Source code browser, ...

Software development
  Roles: Governor, Software developer, Engineering manager, ...
  Practices: Teach practices, Suggest component, Use comp. repository, ...
  Artifacts: Practices handbook, Code search engines, Code scanner, ...


Roles and Responsibilities

[Diagram: the Governor (GOV) in the center, linked to CEO, legal counsel (LEG), engineering manager (EM), product manager (PM), software developer (SD) and supplier (SU)]

● Top-level management (CEO)
  ● Responsible for overall goals, strategy
● Legal counsel (LEG)
  ● Responsible for legal risk assessment
● Governor (GOV)
  ● Responsible for open source governance
    – Defines processes and practices
    – Collaborates and mediates
    – Signs off or escalates
● Engineering manager (EM)
  ● Responsible for product development
● Product manager (PM)
  ● Responsible for product management
● Software developer (SD)
  ● Responsible for product implementation


Governance Management

● Responsible
  ● CEO
  ● Governor
  ● Legal counsel
● Example practices
  ● Define processes and practices
  ● Define roles and responsibilities
  ● Track state of the art in governance
  ● ...


Example Governance Management Practice

Define processes and practices

Context: You are responsible for corporate open source governance. You are the first person to be given this responsibility.

Problem: Proper open source governance exists only in your head. You need to educate personnel and you need to achieve compliance.

Solution: Define all relevant processes and practices as a best practices handbook. Publish the handbook internally and educate personnel.


Supplier Management

● Responsible
  ● Governor
  ● Legal counsel
  ● Engineering manager
  ● ...
● Example practices
  ● Define requirements for third-party components
  ● Define requirements in contracts with suppliers
  ● Define review process for third-party components
  ● Monitor employed third-party components
  ● Audit suppliers
  ● ...


Example Supplier Management Practice

Require bill-of-materials

Context: Your products use third-party components. You don’t have visibility into supplier open source governance.

Problem: Third-party components may incorporate open source code that violates your strategic goals, i.e. may be copyleft code.

Solution: In contracts, ensure that all deliveries contain a bill-of-materials. At delivery time, ensure the bill-of-materials is provided, then check it.


Software Package Data Exchange (SPDX)


Component Analysis 1 / 2


Component Analysis 2 / 2


Engineering Management

● Responsible
  ● Governor
  ● Engineering manager
● Example practices
  ● Regularly educate engineering managers
  ● Review proposed third-party components
  ● Provide third-party component repository
  ● ...


Example Engineering Management Practice

Propose open source components

Context: A developer suggests using an open source component for some competitively non-differentiating functionality.

Problem: You can’t decide yourself: any open source component must be signed off on by the open source governor of the organization.

Solution: Use the internal open source component repository. If the component is not found there, review the proposed integration against the governance rules. If it is not excluded, prepare a proposal to the governor for review of the open source component.


Repository Management 1 / 2


Repository Management 2 / 2


Product Management

● Responsible
  ● Governor
  ● Product manager
● Example practices
  ● Regularly educate product managers
  ● Disclose used open source components (attribution)
  ● Provide copyleft(ed) source code on website
  ● ...


Example Product Management Practice

Attribute

Context: Your product is about to be released. You are assembling all collateral materials to go with the product.

Problem: All open source licenses require attribution, i.e. you are obliged to disclose which open source software and which license is used.

Solution: Create a list of the open source components in your product and their licenses from your bill-of-materials. Create a summary file to be incorporated with the product and publish it on the web.
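The supplier management practice (require a bill-of-materials, check it at delivery) and the product management practice above (attribute from the bill-of-materials) share one input: a machine-readable bill-of-materials. The following Python is an added example, not code from the lecture. It assumes the supplier delivers the bill-of-materials as an SPDX 2.x tag-value document, that the governance rule is "no strong copyleft in products, weak copyleft needs governor sign-off, permissive is allowed", and the sample bill-of-materials below is constructed; the license sets and the function names are this example's own.

```python
"""Check a supplier bill-of-materials (BOM) against governance rules and build
the attribution notice from it.  Added example; assumptions are marked."""
from dataclasses import dataclass

# Constructed sample: a minimal SPDX 2.x tag-value document as a supplier might deliver it.
SAMPLE_BOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
DocumentName: supplier-tier1-delivery
PackageName: libjson-tools
PackageVersion: 1.4.2
PackageLicenseConcluded: MIT
PackageName: fastcompress
PackageVersion: 0.9.0
PackageLicenseConcluded: Apache-2.0
PackageName: netframe
PackageVersion: 2.1.0
PackageLicenseConcluded: GPL-2.0-only
PackageName: mystery-blob
PackageVersion: 3.0
PackageLicenseConcluded: NOASSERTION
"""

# Governance rule (assumption for this example): strong copyleft is excluded from
# products, weak copyleft needs governor sign-off, everything else is allowed.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}


@dataclass
class Package:
    name: str
    version: str = ""
    license: str = "NOASSERTION"


def parse_spdx_tag_value(text):
    """Parse the package-level tags of an SPDX tag-value document.
    A PackageName tag starts a new package; later tags attach to it."""
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is None:
            continue  # document-level tag (SPDXVersion, DataLicense, ...), not needed here
        elif tag == "PackageVersion":
            current.version = value
        elif tag == "PackageLicenseConcluded":
            current.license = value
    return packages


def classify(license_id):
    """Map a license identifier to the governance verdict for this example's rule."""
    if license_id in STRONG_COPYLEFT:
        return "exclude"
    if license_id in WEAK_COPYLEFT:
        return "review"
    if license_id in ("NOASSERTION", "NONE", ""):
        return "unknown"
    return "allow"


def check_delivery(bom_text):
    """Return (findings, packages).  Findings are (package, reason) pairs that need
    action before the delivery is accepted; a missing or empty BOM is itself a
    finding, because the contract requires one."""
    packages = parse_spdx_tag_value(bom_text)
    if not packages:
        return [("<delivery>", "no bill-of-materials provided")], []
    findings = []
    for pkg in packages:
        verdict = classify(pkg.license)
        if verdict == "exclude":
            findings.append((pkg.name, f"strong copyleft ({pkg.license}) is excluded by governance rules"))
        elif verdict == "review":
            findings.append((pkg.name, f"weak copyleft ({pkg.license}) requires governor sign-off"))
        elif verdict == "unknown":
            findings.append((pkg.name, "license not asserted by supplier; cannot clear or attribute"))
    return findings, packages


def attribution_notice(packages):
    """Build the attribution summary shipped with the product (name, version,
    license) from the BOM.  Components without an asserted license are left out:
    there is nothing to attribute until the supplier states the license."""
    lines = ["This product contains the following open source components:"]
    for pkg in sorted(packages, key=lambda p: p.name.lower()):
        if classify(pkg.license) == "unknown":
            continue
        lines.append(f"- {pkg.name} {pkg.version}: {pkg.license}")
    return "\n".join(lines)


if __name__ == "__main__":
    findings, pkgs = check_delivery(SAMPLE_BOM)
    for name, reason in findings:
        print(f"FINDING {name}: {reason}")
    print(attribution_notice(pkgs))
```

Run on the constructed sample, the delivery check flags netframe (GPL-2.0-only) and mystery-blob (no license asserted), and the notice lists the three components with an asserted license. Real SPDX documents carry more tags (checksums, relationships, file-level licenses) and the PackageLicenseDeclared tag may differ from PackageLicenseConcluded; the parser above deliberately reads only what the two practices need.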


Example of Attribution (Website)


Software Development

● Responsible
  ● Governor
  ● Software developer
● Example practices
  ● Regularly educate software developers
  ● Provide readily usable component repository
  ● Scan all code contributions (libraries, hand-written)
  ● ...


Example Software Development Practice

Pre-check commits

Context: You are developing software using a version control system.

Problem: Uneducated or negligent developers may copy code from the web into their components and commit it to the version control system.

Solution: Check each commit before it gets committed (pre-commit hook) using a source code scanner for license rule violations. Reject the commit in case of a violation. Notify the engineering manager.
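A minimal form of the pre-commit check described above, as an added example that is not the lecture's code. It assumes a governance policy expressed as an allow list of permissive licenses, treats copyleft license headers, SPDX tags outside the allow list and links to a well-known copy-paste site in added lines as violations, and walks the staged diff hunk by hunk so each finding carries the file and line in the new version. The diff below is constructed for the example; the patterns are deliberately simple line-level markers, where a real source code scanner matches fingerprints of known open source code.

```python
"""Pre-commit license pre-check over the staged diff.  Added example; the policy
constants, patterns and sample diff are this example's assumptions."""
import re
import subprocess
import sys

# Policy (assumption): licenses a developer may bring in without governor sign-off.
ALLOWED_LICENSES = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
# Text markers of copyleft license headers (line-level, simple on purpose).
LICENSE_TEXT = {
    "LGPL": re.compile(r"(Lesser|Library) General Public License", re.I),
    "AGPL": re.compile(r"Affero General Public License", re.I),
    "GPL": re.compile(r"GNU General Public License", re.I),
}
# Copy-paste source the policy (assumption) requires to be documented and reviewed.
COPY_SOURCE = re.compile(r"https?://(?:www\.)?stackoverflow\.com/", re.I)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff: one file with an allowed SPDX tag but a copy-paste link,
# one new file carrying a GPL header.
SAMPLE_DIFF = """\
diff --git a/src/util/hash.c b/src/util/hash.c
--- a/src/util/hash.c
+++ b/src/util/hash.c
@@ -1,2 +1,7 @@
+/* SPDX-License-Identifier: MIT */
 #include <stdint.h>
+/* taken from https://stackoverflow.com/q/000000 (constructed URL) */
+static uint32_t mix(uint32_t h) {
+    return h ^ (h >> 16);
+}
 #include <stddef.h>
diff --git a/src/net/frame.c b/src/net/frame.c
--- /dev/null
+++ b/src/net/frame.c
@@ -0,0 +1,4 @@
+/*
+ * This program is free software; you can redistribute it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation.
+ */
"""


def check_added_line(text):
    """Return a reason string if one added line violates the policy, else None."""
    m = SPDX_TAG.search(text)
    if m:
        lic = m.group(1)
        return None if lic in ALLOWED_LICENSES else f"SPDX identifier {lic} is not on the allow list"
    for family, pattern in LICENSE_TEXT.items():
        if pattern.search(text):
            return f"{family} license text found in added code"
    if COPY_SOURCE.search(text):
        return "link to a copy-paste source; provenance and license must be documented"
    return None


def scan_diff(diff_text):
    """Walk a unified diff; return (path, new_line_no, reason) per violating added line."""
    findings = []
    path, line_no = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK.match(line)
        if m:
            line_no = int(m.group(1))  # first line of the hunk in the new file
            continue
        if line.startswith("-") or line.startswith("\\"):
            continue  # removed lines and "\ No newline" markers do not exist in the new file
        if line.startswith("+"):
            reason = check_added_line(line[1:])
            if reason:
                findings.append((path, line_no, reason))
        line_no += 1  # context and added lines both occupy a line in the new file
    return findings


def main():
    """Run as .git/hooks/pre-commit: a non-zero exit rejects the commit."""
    staged = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                            text=True, check=True).stdout
    findings = scan_diff(staged)
    for path, no, reason in findings:
        print(f"{path}:{no}: {reason}", file=sys.stderr)
    if findings:
        # How the engineering manager is notified is site-specific; stderr stands in here.
        print("commit rejected by license pre-check; notify the engineering manager", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed diff the scan reports src/util/hash.c line 3 (copy-paste link) and src/net/frame.c line 3 (GPL header text); the MIT SPDX tag passes. Installed as the pre-commit hook, a non-zero exit is what rejects the commit, and the scan runs only over added lines, so code already in the repository is not re-flagged on every commit.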


Source Code Scanner 1 / 2


Source Code Scanner 2 / 2


Tool Support for Open Source Governance

● Source code scanner
● Vulnerabilities tracker
● Component evaluation
● Component analysis tools
● Repository management


Best Practices Handbook [RL14]

1. Governance Charter
2. Governance Management
3. [...]
5. Supplier Management
   a. Ensure requirements in supplier contracts
   b. Require bill-of-materials in supplier deliverables
      (i) Use standard for bill-of-materials
      (ii) [...]
   c. [...]
6. Component Integration
7. Component Repository
8. [...]


Future Governance Topics

● Governance processes
  ● Governance certification
  ● Supply chain management
● Software tooling
  ● Supplier auditing
  ● Architecture management


Bibliography (incl. References)

● See http://goo.gl/D8qnu


Thank you! Questions?

DR

[email protected] – http://osr.cs.fau.de

[email protected] – http://dirkriehle.com – @dirkriehle


Credits and License

● Original version
  ● © 2012-2016 Dirk Riehle, all rights reserved
● Contributions
  ● ...