Software Research and the Industry - Dirk Riehle's blog on everything computer science and more

2020-06-302020-07-01

The German Corona Warn App, a Legally Defective Product?

By all measures, the German Corona Warn app is already a highly successful software product. However, from the perspective of open source license compliance, it is defective. Using open source code in your product requires that you fulfill the obligations of the open source licenses of that code, and the Corona Warn app does not do that. Let me explain.

Open source code may be free to use, but it comes with strings attached, which are its licenses. An open source license spells out (1) permissions (you are allowed to use the code for free, among other things), (2) obligations to fulfill to receive the permissions (like giving credit to the original authors), and (3) prohibitions (for example, you are not allowed to claim endorsement of your work by the original open source programmers).

2020-06-292020-07-01

What is Open Collaboration?

Open collaboration was popularized by open source projects, and since has made its way into wikis and Wikipedia, the mix and remix culture and open content, open educational resources, and so forth. Just what exactly is it?

2020-06-282020-07-01

What is Open Communication?

Open source collaboration requires open communication, they say. Just what is open communication, exactly? Drawing on past research [1], here are the four principles that make communication open. Open communication is communication that is

Public: All communication takes place in the public eye, and none or very little behind closed doors; private side-discussions are discouraged.
Complete: All communication is complete to the extent possible. Assumptions are made explicit and conclusions of discussions are summarized.
Written: All communication is in written form, allowing folks to participate at their own pace; any non-written communication will be transcribed.
Archived: All communication is archived for search and later retrieval. This documents communication for those not around (or awake).

2020-06-232020-07-01

How to Have an Impact as a Software Engineering Researcher

Over on Facebook of all places, I took part in a short discussion on how, as a researcher, to have an impact on practice. It is not a convenient answer, but in my opinion, if you want to have an impact, you should go into practice yourself. You can also send your students, but this creates a generational lag of research-to-practice transfer that can span decades.

One of the suggestions of how to have an impact was to perform action research. The idea is that you are creating change in an organization where you are performing said action research. However, action research is a research method whose purpose it is to help you build out and evaluate a theory. Unless you are into critical theory, action research does not have, as a primary goal, to change industry. It is just a theory building method.

2020-06-172020-07-01

The GNU Public License v2 in the Land of Microservices

Another question I get asked is how containers and new architectural styles like microservices-based architectures relate to copyleft licenses, in particular the GPLv2 license.

First things first: I don’t recommend taking a “let’s work around this pesky license” approach. You should follow both a license’s spirit and letter; license evasion (“Umgehungsversuch”) may not hold up in court. Someone is trying to do you well, but only under certain conditions, so take it (properly) or leave it.

With that: If you package copyleft-licensed code in a container image and distribute this image, does the copyleft-licensed code affect any other container it communicates with?

2020-06-162020-06-16

How to Read Open Source License Obligations

Interpreting open source licenses requires considerable skills and experience. Ideally, engineers and lawyers work together: Lawyers know the meaning and consequences of legal terms, and engineers can make sense of it in the context of software. There are some basics, however, that help set your thinking straight.

A critical aspect is: What is a (re-)distribution ? You distribute code (binary or source, doesn’t matter), if you pass it on to another legal entity. Legal entities can be both regular people (“natural person”) or companies (“juristic person”). If the code does not cross such a boundary, it is not being distributed.

2020-06-152020-06-12

Open Source License Compliance and Work-for-Hire

A common question that I am asked in my seminar on license-compliant delivery of products that contain open source software is:

But what about a work-for-hire? We are a consulting company: As we work for our clients, and use open source software, do we have to create all those legal notices?

The answer, as so often is: It depends. With that, let’s tease the different situations apart.

2020-06-082020-06-30

Three Reasons Why Companies Are Creating Their Own Open Source Consortium

Most open source these days, certainly the most widely used open source, is developed by companies. Open source, by definition, is competitively non-differentiating, so companies can join forces in its development. To so do peacefully, however, they need good governance that preempts conflicts among the participating companies. Such governance is usually provided under the auspices of an open source foundation, of which the big three are the Apache Software Foundation, the Eclipse Foundation, and the Linux Foundation. Despite these existing foundations, many companies interested in developing a new open source software keep opting to create their own consortium.

2020-06-042020-06-04

Managing Your Open Source Supply Chain—Why and How? (Nikolay Harutyunyan, IEEE Computer Column)

I’m happy to report that the eigth article in the Open Source Expanded column of IEEE Computer has been published.

Title	Managing Your Open Source Supply Chain—Why and How?
Keywords	Open source, software supply chain
Authors	Nikolay Harutyunyan, Friedrich-Alexander-University Erlangen-Nürnberg
Publication	Computer vol. 53, no. 6 (June 2020), pp. 77-81.

Abstract: More than 90% of software products include open source components, most of which are not directly added by your own developers. Instead, they are an inseparable part of the software supply chains that virtually all companies depend on. This article covers the related risks of ungoverned open source use and provides industry best practices to practitioners.

As always, the article is freely available (local copy).

Also, check out the full list of articles.

2020-06-032020-06-03

Is Inner Source Collaboration Like Shipping Boxes Between Companies? (Hint: No!!)

Most corporate compliance departments believe developer collaboration in inner source projects is like shipping boxes with stuff (products) between the involved parties, for example, companies in a holding. Therefore, they don’t have to change anything about tax accounting and transfer pricing.

They couldn’t be more wrong.