FINOS 2018 Presentation 2018/OSSF...
Introducing OpenChain
A tested framework for open source compliance.
Andrew Katz, www.moorcrofts.com
Finance Sector Risk Management
Finance Sector: MiFID II
Finance Sector: MiFID II - Outsourcing
MiFID II Outsourcing
“…avoid undue additional operational risk” (Art. 16(5))
Managing Risk
- Passing the risk to the provider (contractually)
- Passing the risk to a third party (insurance)
- Identifying, minimising and managing risk (process)
Software-related risks
- Functionality
- Security
- Licensing/IP
Functionality
- Trusted source
- Quality assurance
Security
- Trusted source
- Quality assurance
- Pen-testing / fuzzing
- Linux Foundation Core Infrastructure Initiative
- SAFECode
- Tooling (Black Duck, Flexera)
Licensing/IP
- Trusted source
- Licence compatibility
- Tooling (Black Duck, Flexera, Quartermaster…)
What if it all goes wrong?
- Damages
- Injunction
- Outsourced provision ceases
CONTEXT
Modern Software Development
Assembling components
Code Club (Sandwich)
- Choose a Framework
- Write Custom Code
- Use Open Source Libraries to Solve Problems
Open Source Code ≈ 90% (~70% + ~20%); Custom Code ~10%
Thanks and acknowledgement to James Zemlin, The Linux Foundation
Many different sources: SourceForge, GitHub, Maven Central Repository
Every component is subject to copyright*
Every copyright work can only be used if correctly licensed*
=> every component must be properly licensed
What happens if components are not correctly licensed?
Linksys WRT54G
Scenarios:
- Infringement claim
- Due diligence on IPO/funding/acquisition
- Customer due diligence (e.g. MiFID)
- Whole codebase inadvertently open sourced
- Forced release of source code*
How do you demonstrate compliance?
Code analysis / Licence analysis
A truism about due diligence: it’s not so much about the information, as the process.
Characteristics of an open source compliance programme:
1. Verify that the company is in compliance with licences
2. Put in place good practices and procedures
- open source policy
- training for relevant staff
- licence review policy
- responsibilities are identified, roles empowered and funded
- bills of materials for products are generated
- open source programme handles common licence issues
- appropriate compliance materials are provided with the software
- there is a contribution policy for external projects
What is OpenChain?
The OpenChain project addresses the question…
How do I trust FOSS compliance in the supply chain?
It’s: a standard to describe what organisations could and should do to address FOSS compliance efficiently;
It: identifies key recommended processes and record keeping requirements for effective FOSS management;
It: builds trust and increases efficiency, by having FOSS processes and record keeping consistent across the supply chain
It consists of 3 components:
1. Specification
2. Curriculum
3. Conformance
Specification …defines a core set of requirements that every compliance program must satisfy.
Curriculum …provides the educational foundation for FOSS solutions and processes
Conformance …the way an organisation can demonstrate its conformance with the specification
Find out more at: openchainproject.org/spec openchainproject.org/curriculum openchainproject.org/conformance
The aim: to build trust, by creating a web of organisations which are conformant with the OpenChain specification
“There is nothing in the OpenChain specification which well-run FOSS-developing companies are not likely to be doing already.”
What does conformance require?
You need a FOSS policy, and you need to show that relevant staff know about it and have access to it.
Relevant staff need training in
- your FOSS policy,
- basic licensing law, concepts and principles,
- internal roles and responsibilities
You must have a process to…
- establish the appropriate licence for each component used
- determine the restrictions and obligations applicable to each licence
You must have appointed someone with responsibility for
- FOSS liaison (external)
- FOSS compliance (internal)
…and the roles must be sufficiently senior, and properly resourced.
You must have a process to…
- create and establish a bill of materials for relevant software; and
- ensure that the licences etc. for each item are correctly assigned
Your licence management processes must identify and deal appropriately with common FOSS use cases (e.g. copyleft, modified code, licence incompatibility)
You must have prepared the appropriate materials accompanying a distribution of the software to ensure compliance with the licences, such as source code, offer notices, attributions, NOTICE.TXT, licence text
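The three process requirements above (a bill of materials with a licence established for each component, handling of the common copyleft / modified-code / incompatibility cases, and the attribution materials that ship with a distribution) are easiest to see as code. The script below is an added example written for this page; it is not code from the talk, from the OpenChain project, or from any of the tools named later. The component list, the grouping of SPDX identifiers into licence families, and the incompatibility table are constructed for illustration: they are a sample policy, not legal advice, and your own licence review process sets the real rules.

```python
"""Minimal open-source bill of materials (BOM) with licence checks.

Added example for this page; not code from the talk or from OpenChain.
Component list, licence groupings and compatibility rules are constructed
for illustration and are a sample policy, not legal advice.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license_id: str = ""      # SPDX short identifier; "" when not yet established
    modified: bool = False    # True if we changed the upstream source
    source: str = ""          # where the component was obtained (constructed)


# Illustrative licence families keyed by SPDX identifier (assumption: not a
# complete or authoritative list; extend from your own licence review policy).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
KNOWN = STRONG_COPYLEFT | NETWORK_COPYLEFT | WEAK_COPYLEFT | PERMISSIVE

# Licence pairs this sample policy refuses to combine in one distributed work.
# GPL-2.0-only with Apache-2.0 is the commonly cited case; treat the table as
# a placeholder to be filled by your own licence review process.
INCOMPATIBLE = {frozenset({"GPL-2.0-only", "Apache-2.0"})}


def check_bom(bom, distributed=True, network_service=False):
    """Return (component, code, message) findings for a list of Components."""
    findings = []
    for c in bom:
        lic = c.license_id
        if lic not in KNOWN:
            findings.append((c.name, "UNKNOWN_LICENCE",
                             f"licence {lic!r} not established; obligations cannot be assessed"))
            continue
        copyleft = lic in STRONG_COPYLEFT | NETWORK_COPYLEFT | WEAK_COPYLEFT
        if copyleft and distributed:
            findings.append((c.name, "SOURCE_OFFER",
                             f"{lic}: provide corresponding source or a written offer on distribution"))
        # AGPL-style licences also trigger on network use without distribution.
        if lic in NETWORK_COPYLEFT and network_service and not distributed:
            findings.append((c.name, "NETWORK_SOURCE",
                             f"{lic}: users interacting over a network must be offered source"))
        triggered = distributed or (lic in NETWORK_COPYLEFT and network_service)
        if copyleft and c.modified and triggered:
            findings.append((c.name, "MODIFIED_COPYLEFT",
                             f"{lic}: modifications must be released under the same licence"))
    if distributed:
        # One representative component per licence is enough to flag a clash.
        seen = {c.license_id: c.name for c in bom if c.license_id in KNOWN}
        for a, b in combinations(sorted(seen), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                findings.append((f"{seen[a]}+{seen[b]}", "INCOMPATIBLE",
                                 f"{a} and {b} cannot be combined in one distributed work under this policy"))
    return findings


def notice_text(bom):
    """Attribution block to ship with a distribution (one line per component)."""
    lines = ["This product includes the following open source components:"]
    for c in sorted(bom, key=lambda c: c.name):
        lic = c.license_id or "LICENCE NOT YET ESTABLISHED"
        lines.append(f"  {c.name} {c.version}  licence: {lic}" + ("  (modified)" if c.modified else ""))
    return "\n".join(lines)


# Constructed sample BOM: names, versions and origins are made up.
SAMPLE_BOM = [
    Component("webfw", "4.2.1", "Apache-2.0", source="Maven Central"),
    Component("pdfgen", "1.0.3", "GPL-2.0-only", modified=True, source="GitHub"),
    Component("strutil", "3.1.0", "MIT", source="GitHub"),
    Component("legacy-lib", "0.9", "", source="SourceForge"),
]

if __name__ == "__main__":
    for name, code, msg in check_bom(SAMPLE_BOM, distributed=True):
        print(f"{code:18} {name}: {msg}")
    print(notice_text(SAMPLE_BOM))
```

Run as a script it prints the findings for the distributed case (an unestablished licence, a source-offer obligation, a modified copyleft component and one incompatible pair) followed by the NOTICE block. Calling `check_bom(SAMPLE_BOM, distributed=False, network_service=True)` models a SaaS deployment, where the GPL obligations in this policy do not trigger but an AGPL one would; the unestablished licence is still reported because no obligation can be assessed for it.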
You must have a policy covering contributions by the organisation to FOSS projects.
You must certify that you comply with the specification’s requirements.
You can self-certify, but as the OpenChain project evolves, we expect organisations to seek external, independent verification.
Roadmap…
- members will encourage/prefer/require compliance from suppliers
- eases supplier due diligence
- standardises availability of compliance documents
- warranty of compliance
- virtuous circle
CASE STUDIES
Software company selling cloud services to pension providers
Their regulated clients require DD on the code as part of their own risk management. They are now able to provide those clients with the materials required by OpenChain certification.
20 developers, c. 100 different packages.
Software company providing sector-specific SaaS software to a vertical market
2000 components in code, 200 developers. Introducing Black Duck to handle compliance.
Internally generated need, but starting to get questions from customers. Ongoing.
B2M Solutions
Providing management software and services to help companies manage their estate of mobile devices. Customers include big UK companies, and resellers include Japanese mobile device providers (already OpenChain members).
Manual compliance: <100 components, around 15 developers.
SUMMARY
- Open source is widespread
- Infringement risk is an important consideration in compliance, procurement and M&A
- Risk can be assessed by analysing code and licensing
- Risk can be managed by implementing a sensible open source inclusion and use policy, such as OpenChain
- Adopting OpenChain conformance will increase efficiency in the supply chain.
OpenChain provides the framework for compliance; other projects address specific practical compliance issues:
- SPDX - licence taxonomy
- SW360 - licence compliance project and catalogue management
- FOSSology - licence and attribution text scanning and management
- Quartermaster - dynamic tooling for licence compliance
moorcrofts.com orcro.co.uk
www.openchainproject.org