Industry Requirements for FLOSS Governance Tools to Facilitate the Use of Open Source Software in Commercial Products

Abstract: Virtually all software products incorporate free/libre and open source software (FLOSS) components. However, ungoverned use of FLOSS components can result in legal and financial risks, and risks to a firm’s intellectual property. To avoid these risks, companies must govern their FLOSS use through open source governance processes and by following industry best practices. A particular challenge is license compliance. To manage the complexity of governance and compliance, companies should use tools and well-defined processes. This paper investigates and presents industry requirements for FLOSS governance tools, followed by an evaluation of the suggested requirements. We chose eleven companies with an advanced understanding of open source governance and interviewed their FLOSS governance experts to derive a theory of industry requirements for tooling. We list tool requirements on tracking and reuse of FLOSS components, license compliance, search and selection of components, and architecture model for software products. For practical relevance, we cast our theory as a requirements specification for FLOSS governance tools. We then analyzed the features of leading governance tools and used this analysis to evaluate two categories of our theory: FLOSS license scanning and FLOSS components in product bills of materials.

Keywords: Open Source Software, FLOSS, FOSS, Open Source Governance, FLOSS governance tools, company requirements for FLOSS tools.

Reference: Harutyunyan, N., Bauer, A., & Riehle, D. (2019). Industry Requirements for FLOSS Governance Tools to Facilitate the Use of Open Source Software in Commercial Products. Journal of Systems and Software, to appear.

A preprint of the paper is available as a PDF file. This article is an expanded version, per invitation, of our OSS 2018 paper.

Open Source License Compliance in Software Supply Chains

Abstract: Almost all software products today include open-source components. However, the obligations that open-source licenses put on their users can be difficult or undesirable to comply with. As a consequence, software vendors and related companies need to govern the process by which open-source components are included in their products. A key process of such open-source governance is license clearance, that is, the process by which a company decides whether a particular component’s license is acceptable for use in its products. In this article, we discuss this process, review the challenges it poses to software vendors, and provide unanswered research questions that result from it.

Keywords: Open source licenses, open source license compliance, software supply chain, product model

Reference: Riehle, D., & Harutyunyan, N. (2019). Open-Source License Compliance in Software Supply Chains. In Fitzgerald B., Mockus A., Zhou M. (eds) Towards Engineering Free/Libre Open Source Software (FLOSS) Ecosystems for Impact and Sustainability. Springer, Singapore, pp. 83-95.

A preprint of the paper is available as a PDF file and as a web page. Alternatively, you can pay Springer for the final version.

Getting Started with FLOSS Governance and Compliance in Companies (OpenSym 2019)

Abstract: Commercial use of open source software is on the rise as more companies realize the benefits of using FLOSS components in their products. At the same time, the ungoverned use of such components can result in legal, financial, intellectual property, and other risks. To mitigate these risks, companies must govern their use of open source through appropriate processes. This paper presents an initial theory of industry best practices on getting started with open source governance and compliance, focusing on private companies. Through a qualitative survey, we conducted and analyzed 15 expert interviews in companies with advanced capabilities in open source governance. We also studied practitioner reports on existing practices for introducing FLOSS governance processes. We cast our resulting initial theory in the actionable format of best practice patterns that, when combined, form a practical handbook of getting started with FLOSS governance in private companies.


ACM Hypertext 2019 in Hof, Germany

The ACM Hypertext 2019 conference will take place in Hof, Germany, on September 17-20, 2019. Here is the conference’s scope in its own words:

The ACM Hypertext conference is a premium venue for high quality peer-reviewed research on hypertext theory, systems and applications. It is concerned with all aspects of modern hypertext research including social media, semantic web, dynamic and computed hypertext and hypermedia as well as narrative systems and applications.

Regular paper submissions are due April 14th, 2019. Please submit plenty.

The Innovations of Open Source Kolloquium Talk at University of Hamburg

Update 2019-01-30: The talk slides and a video recording (local copy) are available now.

I got invited and will be presenting a talk in the colloquium of the computer science department at the University of Hamburg tomorrow, January 28th, 2019, at 17:00. The talk topic is the innovations of open source, and I will present a broad-brush account of open source as well as the industry problems and research challenges it poses. The talk is open to the public. Hope to see you there!

Upcoming Talk on Ten Years of Inner Source Case Studies at UC Santa Cruz

Abstract

Inner sourcing is the use of open source best practices within companies to improve engineering productivity. In 2006, I introduced inner source to SAP. After becoming a professor, my group helped further companies introduce inner source to their engineering organizations. Using three generations of projects, we report about our experiences and how we are turning those into a practical handbook for inner source governance.

Upcoming Talk on Industry Best Practices for Corporate Open Source Governance of Software Supply Chains at UC Santa Cruz

Abstract

Almost all software products today incorporate open source software either directly or through software supply chains, but many companies are not properly governing their use of open source, incurring potential risks. Since 2016, I have been researching industry best practices and processes around open source governance, focusing on software supply chains. I have interviewed 20+ experts from industry-leading companies to derive their best practices. We are currently implementing some of these best practices at three companies that serve as case studies for our research. In this talk I will cover the results of our study and share some best practices with you.