Why I Gray-listed Github for Open Source

Most of my software development is through my professorship, where I guide my student teams in developing (mostly) open source software. We have clear rules in place for how and which open source can be used in our projects and which can’t, like any competent organization. Mostly, it is about license compliance. We owe this to the users of our open source projects as well as our industry partners.

As a small organization, we rely on rules rather than lengthy approval processes, component repositories, and the like. One rule is to look at the source (location) of the open source project and see whether we have it white-listed, gray-listed, or black-listed. The Apache Software Foundation website is white-listed and Stackoverflow is black-listed. Github is gray-listed, meaning “it depends”.


Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study (OSS 2020 Paper)

Software vendors need to manage the dependencies of the open source components used in their products. Without this management, license compliance would be impossible, export restrictions could not be maintained, and security vulnerabilities would remain unknown to the vendor. The management of these dependencies has grown in an ad-hoc fashion in most companies. As such, vendors find it hard to learn from each other and improve practices. To address this problem, we performed exploratory single-case study research at one large established software vendor. We gathered and analyzed the key challenges of tracking and documenting open source dependencies in products. We wanted to understand whether these ad-hoc solutions could be based on a single unified conceptual model for managing dependencies. Our study suggests that underlying the various point solutions that we found at this vendor lies a conceptual model that we tentatively call the product (architecture) model. In future cross-vendor work, we will investigate whether this conceptual model can be expanded to become a unifying model for all open source dependency management.


Managing the Open Source Dependency (Tomas Gustavsson, IEEE Computer Column)

I’m happy to report that the sixth article in the Open Source Expanded column of IEEE Computer has been published.

Title: Managing the open source dependency
Keywords: Computer Applications, Open Source Software
Authors: Tomas Gustavsson, PrimeKey
Publication: Computer vol. 53, no. 2 (February 2020), pp. 83-87

Abstract: Organizations use open source software in a majority of computer application programs. Here we describe some of the technical challenges and offer recommendations about how to manage open source software dependencies and avoid the most common pitfalls that might be encountered through decision-making, automated scanning, upgrading, and strategic contributions.

As always, the article is freely available (local copy).

Also, check out the full list of articles.

Public Seminars on License-Compliant Delivery of Products that Contain Open Source Software in Q1 of 2020

In the first quarter of 2020, there are several options for participating in our seminar on license-compliant delivery of products that contain open source software. Here is an overview (subject to change, mostly additions) of public seminars.

Date        | Location | Language | Partner
2020-03-06  | Berlin   | German   | Morrison Foerster

For more information and registration, please see our LCD seminar page. For seminars at FAU, please see our continuing education page.

The seminar is provided through Bayave GmbH, my consulting and training company. If you would like to book a firm-internal seminar, please get in touch directly.

Industry Best Practices for FLOSS Governance and Component Reuse (EuroPLoP 2019)

Abstract: Corporate use of open source in software products is on the rise. While this brings a number of technological and business benefits to companies, it also comes with potential legal and financial risks caused by license non-compliance and ungoverned use of open source components. Companies address these threats with free/libre and open source software (FLOSS) governance – internal guidelines and processes for using open source components in products. Essential aspects of FLOSS governance are component reuse and a component repository, which enable efficient governance of the components previously used by the company’s developers. In our study, we aimed to identify the current industry best practices for FLOSS governance and component reuse. We conducted 15 expert interviews in companies with high governance maturity, analyzed these interviews, and derived 19 best practices cast in the pattern format of context-problem-solution. The format was inspired by design patterns and makes our research results more applicable for practitioners. The 19 best practices form a handbook on FLOSS governance and component reuse that also includes workflows connecting the individual practices into process templates.

Keywords: Open Source Software, FLOSS, FOSS, Open Source Governance, Best Practice, Commercial Use of Open Source, Component Repository, Component Reuse, Industry Best Practice, Introduction of FLOSS in Companies, Pattern, Pattern Language

Reference: Harutyunyan, N., & Riehle D. (2019). Industry Best Practices for FLOSS Governance and Component Reuse. In Proceedings of the 24th European Conference on Pattern Languages of Programs (EuroPLoP 2019). ACM, article no. 21.

The paper is available as a PDF file.

How to Select Open Source Components (Diomidis Spinellis, IEEE Computer Column)

I’m happy to report that the fifth article in the new Open Source Expanded column of IEEE Computer has been published.

Title: How to select open source components
Keywords: Open Source Software, Licenses, Documentation, Computer Bugs, Software Project Management
Authors: Diomidis Spinellis, Athens University of Economy and Business
Publication: Computer vol. 52, no. 12 (December 2019), pp. 103-106

Abstract: With millions of open source projects available on forges such as GitHub, it may be difficult to select those that best match your requirements. Examining each project’s product and development process can help you confidently select the open source projects required for your work.

As always, the article is freely available (local copy).

Also, check out the full list of articles.

Getting Started With Open Source Governance (Jeff McAffer, IEEE Computer Column)

I’m happy to report that the fourth article in the new Open Source Expanded column of IEEE Computer has been published.

Title: Getting Started With Open Source Governance
Keywords: Companies, Licenses, Security, Software, Law
Authors: Jeff McAffer, GitHub
Publication: Computer vol. 52, no. 10 (October 2019), pp. 92-96

Abstract: Using and managing open source is essential in modern software development. Here we lay out a framework for thinking about open source engagement and highlight the key steps in getting started.

As always, the article is freely available (local copy).

Also, check out the full list of articles.

The JDownloader Immune System for Continuous Deployment (HICSS 53)

Abstract: Continuous deployment can significantly reduce the time from a source code change to a newly deployed application. Increased innovation speed can make all the difference in a competitive market situation. However, deploying at high frequency requires discovering bugs in the deployed software equally fast. Using the JDownloader file download manager as our example, we present a fitness model to evaluate continuously deployed software during operation for expected behavior, present the design and implementation of a monitoring component, and evaluate the model and its implementation using data from JDownloader’s multi-million-member user base. Our evaluation finds that there had been thousands of undetected bugs, and that newly created bugs can be detected and reported 16 times faster than before.

Keywords: Continuous deployment, continuous delivery, immune system

Reference: Rechenmacher, T., Riehle, D., & Weber, M. (2020). The JDownloader Immune System for Continuous Deployment. In Proceedings of the 53rd Hawaii International Conference on System Sciences (HICSS 2020), pp. 6559-6568.

Download: The paper is available as a PDF file.

What Microservices Can Learn From Enterprise Information Integration (HICSS 53)

Abstract: Microservices are an architectural style in which each service typically provides the complete stack of functions, from a user or application programming interface through a domain model all the way to storage for that model. As a consequence, querying data that is spread across different microservices becomes a non-trivial engineering task. In this article, we review older and established general data integration theory in the enterprise context and then compare current microservice practice with enterprise information integration (EII) theory as an established approach to data integration. We find that microservices do not utilize all possible approaches for data integration that are common in enterprises. Specifically, microservices use middleware only partially, and databases are not used at all to integrate data. Therefore, we further investigate whether, when, and how these two approaches can be used in a microservices context and present our findings. With our findings, we (i) clear the way for fellow researchers to investigate and improve unused integration strategies with microservices and (ii) raise the awareness of practitioners that some integration strategies may not work out of the box with microservices as they do in EII.

Keywords: Microservices, data integration, enterprise information integration, EII

Reference: Schwarz, G. & Riehle, D. (2020). What Microservices Can Learn From Enterprise Information Integration. In Proceedings of the 53rd Hawaii International Conference on System Sciences (HICSS 2020), pp. 5513-5522.

Download: The paper is available as a PDF file.