Why I Gray-listed Github for Open Source

Most of my software development is through my professorship, where I guide my student teams in developing (mostly) open source software. We have clear rules in place for how and which open source can be used in our projects and which can’t, like any competent organization. Mostly, it is about license compliance. We owe this to the users of our open source projects as well as our industry partners.

As a small organization, we rely on rules rather than lengthy approval processes, component repositories, and the like. One rule is to look at the source (location) of the open source project and see whether we have it white-listed, gray-listed, or black-listed. The Apache Software Foundation website is white-listed and Stackoverflow is black-listed. Github is gray-listed, meaning “it depends”.

Continue reading “Why I Gray-listed Github for Open Source”

Please Help Keep our Language Precise: Single-Vendor Open Source is Neo-Proprietary Source, not Closed Source

When the Open Source Initiative defined open source, it focused only on the license, and ignored the process. Smart entrepreneurs quickly discovered that they could provide to the world their product as open source code and benefit from it, while strictly controllling the process to keep competition at bay. This is called single-vendor open source.

Single-vendor open source is not closed source, not even “the new” closed source. The following 2×2 matrix illustrates the distinction between license and process:

Continue reading “Please Help Keep our Language Precise: Single-Vendor Open Source is Neo-Proprietary Source, not Closed Source”

Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study (OSS 2020 Paper)

Software vendors need to manage the dependencies of the open source components used in their products. Without this management, license compliance would be impossible, export restrictions could not be maintained, and security vulnerabilities would remain unknown to the vendor. The management of these dependencies has grown in an ad-hoc fashion in most companies. As such, vendors find it hard to learn from each other and improve practices. To address this problem, we performed exploratory single-case study research at one large established software vendor. We gathered and analyzed the key challenges of tracking and documenting open source dependencies in products. We wanted to understand whether these ad-hoc solutions could be based on a single unified conceptual model for managing dependencies. Our study suggests that underlying the various point solutions that we found at this vendor lies a conceptual model that we tentatively call the product (architecture) model. In future cross-vendor work, we will investigate whether this conceptual model can be expanded to become a unifying model for all open source dependency management.

Continue reading “Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study (OSS 2020 Paper)”

The Ecosystem of openKONSEQUENZ, a User-Led Open Source Foundation (OSS 2020 Paper)

Companies without expertise in software development can opt to form consortia to develop open source software to meet their needs, as an alternative to the build-or-buy decision. Such user-led foundations are little understood, due to a limited number of published examples. In particular, almost nothing is known about the ecosystems surrounding user-led foundations. Our work seeks to address this gap, through an exploratory qualitative survey of openKONSEQUENZ, from the German energy sector. We find that the technological goals are quite homogeneous, independent of a participant’s role in the ecosystem, but that economic conflicts exist between foundation members and supplier companies due to the consortium’s efforts to transform the software market structure to limit dependency on specific vendors.

Continue reading “The Ecosystem of openKONSEQUENZ, a User-Led Open Source Foundation (OSS 2020 Paper)”

Sorting out the Ethical Licensing Mess

Software developers who give the world, for free, usage rights to the code they write often use open source licenses to make this gift legally explicit. These free usage rights (and then some) are encoded in all valid open source licenses, next to the obligations one has to fulfill to receive the rights grant. Recently, the desire of some developers has surged to tie their gift to causes they care about. Some want to protect Chinese workers from abusive working hours, some want to stop companies from working with US immigrations, and some want to ensure that users vaccinate their children and themselves according to current medical best practice.

Continue reading “Sorting out the Ethical Licensing Mess”

Public Seminars on License-Compliant Delivery of Products that Contain Open Source Software in Q1 of 2020

In the first quarter of 2020, there are several options for participating in our seminar on license-compliant delivery of products that contain open source software. Here is an overview (subject to change, mostly, additions) of public seminars.

2020-03-06BerlinGermanMorrison Foerster

For more information and registration, please see our LCD seminar page. For seminars at FAU, please see our continuing education page.

The seminar is provided through Bayave GmbH, my consulting and training company. If you would like to book a firm-internal seminar, please get in touch directly.