Today, Andreas (Andi) Bauer presented some of our work on managing open source dependencies in software products. Please watch the talk below (local copy). The presentation is based on the research paper of the same name.
Most of my software development is through my professorship, where I guide my student teams in developing (mostly) open source software. We have clear rules in place for how and which open source can be used in our projects and which can’t, like any competent organization. Mostly, it is about license compliance. We owe this to the users of our open source projects as well as our industry partners.
As a small organization, we rely on rules rather than lengthy approval processes, component repositories, and the like. One rule is to look at the source (location) of an open source project and check whether we have it white-listed, gray-listed, or black-listed. The Apache Software Foundation website is white-listed and Stack Overflow is black-listed. GitHub is gray-listed, meaning "it depends".
Software vendors need to manage the dependencies on the open source components used in their products. Without this management, license compliance would be impossible, export restrictions could not be maintained, and security vulnerabilities in those components would remain unknown to the vendor. The management of these dependencies has grown in an ad-hoc fashion in most companies. As such, vendors find it hard to learn from each other and improve their practices. To address this problem, we performed exploratory single-case study research at one large established software vendor. We gathered and analyzed the key challenges of tracking and documenting open source dependencies in products. We wanted to understand whether these ad-hoc solutions could be based on a single unified conceptual model for managing dependencies. Our study suggests that underlying the various point solutions that we found at this vendor lies a conceptual model that we tentatively call the product (architecture) model. In future cross-vendor work, we will investigate whether this conceptual model can be expanded to become a unifying model for all open source dependency management.
Reference: Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study. OSS 2020.
I’m happy to report that the sixth article in the Open Source Expanded column of IEEE Computer has been published.
Title: Managing the open source dependency
Keywords: Computer Applications, Open Source Software
Authors: Tomas Gustavsson, PrimeKey
Publication: Computer vol. 53, no. 2 (February 2020), pp. 83-87
Abstract: Organizations use open source software in a majority of computer application programs. Here we describe some of the technical challenges and offer recommendations about how to manage open source software dependencies and avoid the most common pitfalls that might be encountered through decision-making, automated scanning, upgrading, and strategic contributions.
Also, check out the full list of articles.
In the first quarter of 2020, there are several options for participating in our seminar on license-compliant delivery of products that contain open source software. Here is an overview (subject to change, mostly additions) of the public seminars.
The seminar is provided through Bayave GmbH, my consulting and training company. If you would like to book a firm-internal seminar, please get in touch directly.
Abstract: Corporate use of open source in software products is on the rise. While this brings a number of technological and business benefits to companies, it also comes with potential legal and financial risks caused by license non-compliance and ungoverned use of open source components. Companies address these threats with free/libre and open source software (FLOSS) governance: internal guidelines and processes for using open source components in products. An essential aspect of FLOSS governance is component reuse and a component repository, which enable efficient governance of the components previously used by the company's developers. In our study, we aimed to identify the current industry best practices for FLOSS governance and component reuse. We conducted 15 expert interviews in companies with high governance maturity, analyzed these interviews, and derived 19 best practices cast in the pattern format of context-problem-solution. The format was inspired by design patterns and makes our research results more readily applicable by practitioners. The 19 best practices form a handbook on FLOSS governance and component reuse that also includes workflows connecting the individual practices into process templates.
Keywords: Open Source Software, FLOSS, FOSS, Open Source Governance, Best Practice, Commercial Use of Open Source, Component Repository, Component Reuse, Industry Best Practice, Introduction of FLOSS in Companies, Pattern, Pattern Language
Reference: Harutyunyan, N., & Riehle D. (2019). Industry Best Practices for FLOSS Governance and Component Reuse. In Proceedings of the 24th European Conference on Pattern Languages of Programs (EuroPLoP 2019). ACM, article no. 21.
The paper is available as a PDF file.
I’m happy to report that the fifth article in the new Open Source Expanded column of IEEE Computer has been published.
Title: How to select open source components
Keywords: Open Source Software, Licenses, Documentation, Computer Bugs, Software Project Management
Authors: Diomidis Spinellis, Athens University of Economy and Business
Publication: Computer vol. 52, no. 12 (December 2019), pp. 103-106
Abstract: With millions of open source projects available on forges such as GitHub, it may be difficult to select those that best match your requirements. Examining each project’s product and development process can help you confidently select the open source projects required for your work.
Also, check out the full list of articles.
I’m happy to report that the fourth article in the new Open Source Expanded column of IEEE Computer has been published.
Title: Getting Started With Open Source Governance
Keywords: Companies, Licenses, Security, Software, Law
Authors: Jeff McAffer, GitHub
Publication: Computer vol. 52, no. 10 (October 2019), pp. 92-96
Abstract: Using and managing open source is essential in modern software development. Here we lay out a framework for thinking about open source engagement and highlight the key steps in getting started.
Also, check out the full list of articles.
Abstract: Almost all software products today include open-source components. However, the obligations that open-source licenses put on their users can be difficult or undesirable to comply with. As a consequence, software vendors and related companies need to govern the process by which open-source components are included in their products. A key process of such open-source governance is license clearance, that is, the process by which a company decides whether a particular component’s license is acceptable for use in its products. In this article, we discuss this process, review the challenges it poses to software vendors, and provide unanswered research questions that result from it.
Keywords: Open source licenses, open source license compliance, software supply chain, product model
Reference: Riehle, D., & Harutyunyan, N. (2019). Open-Source License Compliance in Software Supply Chains. In Fitzgerald B., Mockus A., Zhou M. (eds) Towards Engineering Free/Libre Open Source Software (FLOSS) Ecosystems for Impact and Sustainability. Springer, Singapore, pp. 83-95.
Abstract: Commercial use of open source software is on the rise as more companies realize the benefits of using FLOSS components in their products. At the same time, the ungoverned use of such components can result in legal, financial, intellectual property, and other risks. To mitigate these risks, companies must govern their use of open source through appropriate processes. This paper presents an initial theory of industry best practices on getting started with open source governance and compliance, focusing on private companies. Through a qualitative survey, we conducted and analyzed 15 expert interviews in companies with advanced capabilities in open source governance. We also studied practitioner reports on existing practices for introducing FLOSS governance processes. We cast our resulting initial theory in the actionable format of best practice patterns that, when combined, form a practical handbook for getting started with FLOSS governance in private companies.
Reference: Getting Started with FLOSS Governance and Compliance in Companies. OpenSym 2019.