Open Source License Inconsistencies on GitHub [TOSEM Journal]

Abstract: Almost all software, open or closed, builds on open source software and therefore needs to comply with the license obligations of the open source code. Not knowing which licenses to comply with poses a legal danger to anyone using open source software. This article investigates the extent of inconsistencies between licenses declared by an open source project at the top level of the repository, and the licenses found in the code. We analysed a sample of 1,000 open source GitHub repositories. We find that about half of the repositories did not fully declare all licenses found in the code. Of these, approximately ten percent represented a permissive vs. copyleft license mismatch. Furthermore, existing tools cannot fully identify licenses. We conclude that users of open source code should not only look at the declared licenses of the open source code they intend to use, but rather examine the software to understand its actual licenses.


Open Source Software Governance: A Case Study Evaluation of Supply Chain Management Best Practices [HICSS 2023]

Abstract: Corporate open source governance aims to manage the increasing use of free/libre and open source software (FLOSS) in companies. To avoid the risks of the ungoverned use, companies need to establish processes addressing license compliance, component approval, and supply chain management (SCM). We proposed a set of industry-inspired best practices for supply chain management organized into a handbook. To evaluate the handbook, we ran a one-year case study at a large enterprise software company, where we performed semi-structured interviews, workshops, and direct observations. We assessed the initial situation of open source governance, the implementation of the proposed SCM best practices, and the resulting impact. We report the results of this study by demonstrating and discussing the artifacts created while the case study company implemented the SCM-focused governance process. The evaluation case study enabled the real-life application and the improvement of the proposed best practices.


Challenges to Open Collaborative Data Engineering [HICSS 2023]

Abstract: Open data is data that can be used, modified, and passed on, for free, similar to open-source software. Unlike open-source, however, there is little collaboration in open data engineering. We perform a systematic literature review of collaboration systems in open data, specifically for data engineering by users, taking place after data has been made available as open data. The results show that open data users perform a wide range of activities to acquire, understand, process and maintain data for their projects without established best practices or standardized tools for open collaboration. We identify and discuss technical, community, and process challenges to collaboration in data engineering for open data.


Creating and Growing Healthy Community Open Source Projects [PLoP 2020]

Abstract: This article presents a succinct and minimal handbook of best practices of how to create and grow community open source projects. We start with the assumption that the handbook’s user has a minimal but useful piece of software at hand that they want to open source and build a community around.

Keywords: Open source, open source projects, open source communities, creating open source projects, growing open source projects

Reference: Riehle, D. (2020). Creating and Growing Community Open Source Projects. In Proceedings of the 27th Conference on Pattern Languages of Programs (PLoP 2020). ACM, 14 pages.

The paper can be downloaded as a PDF file.

Industry Best Practices for Component Approval in Open Source Governance [EuroPLoP 2020]

Abstract: Increasingly companies realize the value of using free/libre and open source software (FLOSS) in their products, but need to manage the associated risks. Leading companies introduce open source governance as a solution. A key aspect of corporate FLOSS governance deals with choosing and evaluating open source components for use in products. Following an industry-based research approach, we present 13 best practices in the pattern format of context-problem-solutions paired with consequences. In this paper, we cover an excerpt of the Component Approval section of our FLOSS governance handbook. This article builds upon our previous EuroPLoP publication covering Component Reuse in FLOSS governance processes, as well as other publications on the topic. Analyzing qualitative data gathered from 15 expert interviews, we derive and interconnect the common industry recommendations for reviewing, tracking, and approving open source components in a company environment. We conclude by presenting workflow templates that put various best practices in relation to each other.

Keywords: Commercial use of open source, component approval, FLOSS, FOSS, industry best practice, open source software, open source governance, pattern language

Reference: Harutyunyan, N. & Riehle, D. (2020). Industry Best Practices for Component Approval in FLOSS Governance. In Proceedings of the 25th European Conference on Pattern Languages of Programs (EuroPLoP ’20). ACM, article 33.

The paper can be downloaded as a PDF file.

Getting Started with Corporate Open Source Governance: A Case Study Evaluation of Industry Best Practices (HICSS 2021)

Abstract: Open source software usage in companies is on the rise, often resulting in lower development costs, higher quality, and quick availability of code. However, using open source software in products comes with legal, business, and technical risks. Experienced companies prevent and address these risks through corporate open source governance. In our previous work, we studied how top-tier companies got started with corporate open source governance. We proposed a set of industry best practices on the topic, using the practical format of interconnected context-problem-solution patterns. In this study, we put the proposed state-of-the-art practices to the test by evaluating their real-life application in a case study at a Germany-based multi-billion-dollar corporation with products in four distinct industries and more than 17000 employees worldwide. In the course of two and a half years, we conducted 35 semi-structured employee interviews and workshops in five divisions of the company to assess the initial situation of open source governance, the process of getting started with governance following our recommendations, and the outcomes. In this paper, we report the results of this longitudinal case study by presenting the artifacts created while getting started with open source governance, as well as the transferability evaluation of the proposed best practices, both individually and collectively.

Keywords: Practice-based information system research, best practices, longitudinal case study, corporate open source governance, open source software, OSS, FLOSS.

Reference: Harutyunyan, N. & Riehle, D. (2021). Getting Started with Corporate Open Source Governance: A Case Study Evaluation of Industry Best Practices. In Proceedings of the 54th Hawaii International Conference on System Sciences (HICSS 2021), pp. 6263-6274.

The paper can be downloaded as a PDF file.

Continuous Open Source License Compliance (Phipps & Zacchiroli, IEEE Computer Column)

I’m happy to report that the 12th article in the Open Source Expanded column of IEEE Computer has been published.

Title: Continuous Open Source License Compliance
Keywords: Open Source Software, Licenses, Supply Chains, Standards, Computer Security
Authors: Simon Phipps, Meshed Insights Ltd.; Stefano Zacchiroli, Université de Paris, France
Publication: Computer vol. 53, no. 12 (December 2020), pp. 115-119

Standardizing Open Source License Compliance With OpenChain (Shane Coughlan, IEEE Computer Column)

I’m happy to report that the 11th article in the Open Source Expanded column of IEEE Computer has been published.

Title: Standardizing Open Source License Compliance With OpenChain
Keywords: Cryptography, Distributed Databases, IEC Standards, ISO Standards, Legislation, Project Management, Public Domain Software, Software Development Management, Software Standards, Blockchain, Open Chain Project, ISO IEC JTC 1 PAS Transposition Process, Open Source License Compliance Standardization, Open Source Software, Standards, Licenses
Authors: Shane Coughlan, Linux Foundation
Publication: Computer vol. 53, no. 11 (November 2020), pp. 70-74

Tools for Software Composition Analysis (Philippe Ombredanne, IEEE Computer Column)

I’m happy to report that the tenth article in the Open Source Expanded column of IEEE Computer has been published.

Title: Free and Open Source Software License Compliance: Tools for Software Composition Analysis
Keywords: Open Source Software, Software Composition, Open Source Licenses, Automation
Authors: Philippe Ombredanne, nexB Inc.
Publication: Computer vol. 53, no. 10 (October 2020), pp. 105-109