Upcoming Talk on Industry Best Practices for Corporate Open Source Governance of Software Supply Chains at UC Santa Cruz


Almost all software products today incorporate open source software either directly or through software supply chains, but many companies are not properly governing their use of open source, incurring potential risks. Since 2016, I have been researching industry best practices and processes around open source governance, focusing on software supply chains. I have interviewed 20+ experts from industry-leading companies to derive their best practices. We are currently implementing some of these best practices at three companies that serve as case studies for our research. In this talk I will cover the results of our study and share some best practices with you.


Why You Should not Let Developers Scan Their Code for Open Source Violations 4/4

As discussed in prior posts [1] [2] [3], companies need to take stock of the open source software code in their products. Otherwise, they will not be able to correctly comply with the licenses of the open source code they use. Taking stock means scanning and analyzing your product code, and who else to turn to but your current developers who wrote the code?

The problems start if such a clean-up is not properly budgeted for. On top of regular feature development, developers are now supposed to sift through old code, analyze it, and possibly even replace unwanted open source code? This is unlikely to lead to the desired results. The obvious conflicts of interest are:


The Challenge of Scanning Your Product Code for Open Source 3/4

There is a lot of open source in pretty much every software product these days. Engineering managers are often surprised about how much (in particular, if they have a policy of “no open source”). Taking a look is not just an exercise in curiosity; it is a necessity, because you need to know exactly what open source code is in your products. Without this knowledge, you don’t know which open source licenses you need to comply with, and if you are not compliant, you cannot legally ship your product.


Getting Started With Open Source License Compliance 2/4

Open source license compliance is the process of ensuring that any product that you deliver to customers (more precisely, any distribution you make to recipients) complies with the licenses of the open source code used within that product. As it turns out, this is both a simple process (at the 10,000-foot level) and a rather complicated process when it comes to the details. Here is the 10,000-foot perspective.

Step 1 is to know what is in your code. If you never took stock, you don’t know, trust me. If you don’t know, you need to create a so-called bill of materials, that is, a list of the open source code snippets and components that made it into your product. You can try to do this by hand, but you will probably fail in any but the most trivial cases. Tools can help you walk through your code, identify license texts, and point out similarities to known open source code, so that you can determine your product’s bill of materials.


License Clearance in Software Product Governance [Book Chapter]

I recently participated in an NII Shonan workshop on open source ecosystems. As a follow-up, we are preparing a book of articles. I’m contributing a chapter on “license clearance in software product governance”. Obviously, open source plays an important role. Please find the abstract and paper below.

Abstract: Almost all software products today include open source components. However, the obligations that open source licenses put on their users can be difficult or undesirable to comply with [25] [14] [20]. As a consequence, software vendors and related companies need to govern the process by which open source components are included in their products [21] [7]. A key process of such open source governance is license clearance, that is, the process by which a company decides whether a particular component’s license is acceptable for use in its products [19] [4] [15]. In this article, we discuss this process, review the challenges it poses to software vendors and provide unanswered research questions that result from it.

Read the full paper as HTML or as a PDF. The final reference will be announced once the book has been published.

Upcoming Talk on Corporate Open Source Governance in Berlin (in German)

I give between 20 and 40 industry talks a year. That is too many to advertise continuously. Here, however, I would like to point to a talk in Berlin, organized within the framework of the ASQF, on the topic of Corporate Open Source Governance.

Governance of Open Source in Companies and in Products

Open source software is always free of charge and often of high quality. Users can avoid potentially costly vendor lock-in, because the source code, together with the corresponding usage rights, is always available. However, the use of open source software in companies and in products comes with its own risks. The use of open source can lead to lawsuits, the consequences of which can be financial and reputational loss. For this reason, the use of open source software must be subjected to appropriate governance processes. In this talk I give an overview of the various aspects and best practices of open source governance and compliance. They range from the use of high-quality open source components to the leadership of open source projects in order to achieve the company’s strategic goals.

Date: 2016-06-02
Time: 18:00-20:00
Location: Fraunhofer FOKUS, Kaiserin-Augusta-Allee 31, 10589 Berlin

Public Upcoming Talks on Open Source and Inner Source

A bit belated, I’m happy to announce two upcoming talks:

  • Tomorrow, 2015-02-05, 16:00, at Mills College (California Bay Area, United States) (flyer) about Sustainable Open Source
  • On 2015-02-19 at Lero, the Irish Software Engineering Research Centre (Galway, Ireland) (flyer) about Inner Source at SAP

Both talks are accessible to the public, see the flyers.

Business Risks and Governance of Open Source in Software Products (in German) [HMD Journal]

Title: Business Risks and Governance of Open Source in Software Products

Abstract: Today, nearly every software product, including large standard software, contains open source components. The vendors of this software must understand and sensibly manage the business risks associated with integrating open source software into commercial products. This article presents a model of the various legal, technical and social risks that arise from the uncontrolled use of open source software, and explains selected best practices of open source governance that are applied by leading companies. The model is the result of analyzing five interviews conducted with large German software vendors as well as further literature research.
