Leveraging Open Source in
Cloud-based Applications
31 August 2012
LinuxCon North America / CloudOpen
Kamyar Emami, COO, Protecode Inc., [email protected]
Agenda
Open Source Software – It’s Everywhere!
– Reality of Software Development Today -> Software BoM Complexity
– Software IP & Code Portfolio Tracking Challenges
Open Source Software License Spectrum
– Permissive vs Copyleft Licenses
– Distribution-based vs Cloud-based Applications
Managing License Obligations
– Approaches to License Management
– Open Source Software Adoption Process (OSSAP) – Best Practices
Q & A
Open Source Software – It’s Everywhere!
99% of Global 2000 companies will incorporate open source into their operations by
2016*.
50% of organizations surveyed have adopted open-source software (OSS) solutions
as part of their IT strategy*.
33% of responding organizations have a formal OSS policy in place*.
79% of IT developers use open source in their development projects**.
30% of respondents cited benefits of increased innovation as reason for adopting
OSS solutions*.
“Gaining a competitive advantage has emerged as a significant reason for adopting
an OSS solution”*.
“Programming has become more of a combination of piecing together existing
components and adding your special sauce than it is an endeavor started from
scratch”***.
*Gartner’s survey of 547 IT leaders in 11 countries, 2011
**Forrester Research (Jeff Hammond, LinuxCon, Aug. 10, 2010)
***TMCnet (Rich Tehrani, 2012)
Cloud + Open Source = Business Agility
80% of new commercial enterprise apps will be deployed on cloud
platforms in 2012*.
50% cited business agility as their primary reason for adopting cloud
applications**.
65% said that responding faster to the business is an important
driver for cloud computing***.
25%+ is the growth rate of public cloud infrastructure, applications
and platforms****.
*IDC, 2011
**Survey of 500 IT decision-makers by SandHill, 2010
***InformationWeek, 2010
****Gartner, 2011
Software IP and Code Portfolio Challenge
[Diagram: a firm’s code base, made up of the organization’s own code, commercial code, open source, and code from outsourcing, contracting and crowd sourcing, flows through load/build into the end product.] Do we know what’s in our software?!
Contamination in software projects is common – sometimes unintentional.
OSS Compliance – Problem? What Problem?
[Chart: share of respondents choosing each answer; Protecode survey of 70 companies in NA and Europe, 2011]
– We do not have a problem
– We understand the issues & are considering options
– We are looking for tools to manage the problem
– We have a serious problem and need a solution now
Why is Software IP important?
Intellectual Property Management impacts enterprise value
– Software is a significant source of effort and investment
• Exposure to third party rights
• Protecting own rights
Impact on commercial transactions
– Representations and warranties, IP indemnity clauses
– Real or perceived IP risks lower M&A value
A company’s financial health could depend on it
– Litigations, lawsuits, penalties, out of court settlements
• Oracle vs Google
• Microsoft vs Alcatel-Lucent (mp3)
• Welte vs Dlink, vs Fortinet
• Cisco vs Linksys
• Cisco vs GPL in iPhone
• FSF (Free Software Foundation) vs Open-TV
• SCO vs IBM (proprietary software found in open source)
• SFLC vs Monsoon Multimedia (BusyBox product), vs Verizon, vs Xtrasys
• Veritas vs Microsoft
Veritas vs Microsoft
In Veritas Operating Corporation v. Microsoft Corporation, the Court was asked to consider a motion by
Microsoft for a dismissal of claims brought by Veritas alleging, among other things, that Microsoft had
misappropriated certain trade secrets of Veritas and infringed Veritas’ copyright when it developed and
incorporated Logical Volume Manager (LVM) into its operating system products. In considering the
motion, the Court observed that only 54 lines of code, or 0.03% of a code base of almost 160,000 lines,
had been identified by Veritas as having been infringed. In addition, with the exception of two lines, the
section of code in question was not copied verbatim. Instead, Microsoft changed the code by upgrading
the programming language from C to C++.
In denying one of Microsoft’s arguments for dismissal of the copyright infringement claim, that the amount
of code copied was de minimis, the Court noted that even where a relatively small quantity of code is
copied, a finding of substantial similarity can still be made if the copied code is sufficiently important to
the operation of the new program or gives the new program distinctive features or makes it more
desirable.
Veritas versus Microsoft,
United States district court
Western district of Washington at Seattle
Case No. C06-0703-JCC (2008)
Software License Spectrum
Permissive Licenses: MIT, BSD, Apache
Copyleft Licenses – weak: EPL, LGPL; strong: GPL, AGPL
Proprietary Licenses: Commercial
(Arrow along the spectrum labelled Less “Freedom”)
Permissive and Copyleft Licenses
“Permissive”-licensed OSS comes with permission to modify and
redistribute without necessarily making the source code available to others
on the same terms
– E.g. BSD License
“Copyleft”-licensed OSS generally requires modified versions to be provided
under the same license (subject to specific license requirements).
– In some cases merely linking GPL code with other code may require that the
combination be licensed under GPL.
• E.g. GPL 2.1,
Facts About Using OSS
The manner in which OSS is used has significant implications
– Modified or Unmodified
– Commercial or non-Commercial
– Internal use or External release
– Linked or Incorporated
– Hosted Service or Distributed
Combining OSS with other OSS or Proprietary code
– When combining OSS licenses, need to ensure license compatibility
– When combining OSS with proprietary code, several factors would
determine whether the code can remain proprietary
• This sub-branch is one of the most complex areas of OSS practice!
Distribution vs Cloud-Based: GPLv3 vs AGPLv3
GPLv3 states that: “…you have certain responsibilities if you distribute copies of the
software…you must make sure that they, too, receive or can get the source code.”
AGPLv3 states that: “…your modified version must prominently offer all users interacting with
it remotely through a computer network … an opportunity to receive the corresponding source
of your version…”
GPL Licenses Compatibility – Take Note!
http://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses
Approaches to License Management
License Management is most effective when applied early in Software Development Life Cycle
OSS Adoption Maturity Model
Voluntary policy compliance with Legal Advice
Manual search and code review
In-house Tools
Automated Scanning with Reference Database
Integrated suite of tools within SDLC
Software Analysis Options
Small projects could be managed manually
– Time consuming, prone to error
Automated Solutions
– Bring focus to policies and enforcement
– Help create a software inventory (or BoM)
– Speed up the discovery stage
– Generate various reports
Preventive vs corrective, manual vs automated:
                 Manual                               Automated*
Preventive       Education, Policies, Trust (!)       Open Source, Commercial
Corrective       Internal or External Software Audit  Commercial
* Always requires some manual verification/confirmation
Open Source Software Adoption Process (OSSAP) Best Practices Survey
Protecode Survey of 70 companies in NA and Europe, 2011
8-Step OSS Management and Adoption Process
– Establish a licensing policy
– Deploy a pre-approval process
– Assess existing portfolio
– Screen incoming 3rd party code
– Schedule regular code scans
– Monitor check-in into s/w library
– Monitor real-time development
– Perform assessment prior to shipping
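As an added example (not part of the deck or of Protecode’s tooling), the checks below apply the distinctions the slides draw, permissive vs copyleft, hosted service vs distributed, linked vs incorporated, modified or not, and the GPLv3 vs AGPLv3 difference from the Distribution vs Cloud-Based slide, to a constructed software BoM of the kind the “screen incoming code” and “regular code scans” steps produce. License identifiers, the component fields and the sample BoM are assumptions for illustration.

```python
from dataclasses import dataclass

# License buckets following the deck's spectrum slide (SPDX-style ids are an assumption)
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1", "EPL-1.0"}
STRONG_COPYLEFT = {"GPL-2.0", "GPL-3.0"}
NETWORK_COPYLEFT = {"AGPL-3.0"}
COPYLEFT = WEAK_COPYLEFT | STRONG_COPYLEFT | NETWORK_COPYLEFT
@dataclass
class Component:
    name: str
    license: str
    modified: bool
    usage: str        # "linked" or "incorporated" into the proprietary code
    deployment: str   # "hosted" (cloud service) or "distributed" (shipped to customers)

def obligations(c: Component) -> list[str]:
    """Obligations one BoM entry triggers under the distinctions the deck draws."""
    out = []
    if c.license in PERMISSIVE:
        return out  # may be modified and redistributed without releasing source
    if c.license not in COPYLEFT:
        return ["unrecognised license: route to legal review"]
    if c.deployment == "distributed":
        # GPLv3-style clause: distributing copies means recipients must get the source
        out.append("provide corresponding source to recipients")
        if c.license in STRONG_COPYLEFT | NETWORK_COPYLEFT or c.usage == "incorporated":
            out.append("combined work must be licensed under the same copyleft license")
    if c.license in NETWORK_COPYLEFT and c.modified:
        # AGPLv3 network clause: triggered by a hosted, modified version with no distribution
        out.append("offer corresponding source to users interacting over the network")
    return out

def check_bom(bom: list[Component]) -> dict[str, list[str]]:
    """Report every component that triggers at least one obligation."""
    return {c.name: obs for c in bom if (obs := obligations(c))}

# Constructed sample BoM (a hosted service plus a shipped client); not from the deck
SAMPLE_BOM = [
    Component("webfw", "Apache-2.0", False, "incorporated", "hosted"),
    Component("dbdriver", "GPL-3.0", False, "linked", "hosted"),
    Component("queue", "AGPL-3.0", True, "linked", "hosted"),
    Component("codec", "LGPL-2.1", False, "linked", "distributed"),
    Component("parser", "GPL-2.0", False, "incorporated", "distributed"),
    Component("legacy", "Custom-EULA", False, "linked", "distributed"),
]
if __name__ == "__main__":
    for name, obs in check_bom(SAMPLE_BOM).items():
        print(f"{name}: {'; '.join(obs)}")
```

The unmodified GPL driver in the hosted service reports nothing while the modified AGPL component does, which is exactly the distribution-vs-network distinction the two quoted clauses turn on.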
Conclusion
Third party content, including open source, is everywhere
– An open source and third-party code policy needs to be adopted and enforced
Management of licenses and other attributes of 3rd party code should be
viewed as an extension of a quality process
– All external code that is used needs to be identified and tracked
License management can be applied at different stages
– before product shipment,
– at developer’s desktop, or
– anywhere in between
Managing 3rd party software licenses involves a process
Automated solutions accelerate the discovery stage, simplify record keeping
and reporting
– Regular analysis can significantly reduce on-going effort