Agenda
How FOSS gets into the Enterprise
How FOSS should get into the Enterprise
How the Enterprise should manage FOSS
1984
Project GNU at MIT, Richard Stallman, the Free Software Foundation
1991
Linus Torvalds releases the Linux kernel, a Unix-like kernel that, combined with the GNU software, forms the GNU/Linux operating system
1994
Foundation of Red Hat for Linux commercial support and distribution
1995
A community of developers starts work on the Apache Web Server
1997
Eric Raymond publishes The Cathedral and the Bazaar
1998
"Open Source" is coined, foundation of the Open Source Initiative (non-profit)
Free, as defined by the Free Software Foundation
Open, as defined by the Open Source Initiative
Source, although source is not enough!
Software, we focus on software, not hardware, books, ...
Types of FOSS Licenses
Academic Licenses
• Relatively short and simple, easy to specify, few restrictions
• Example: BSD, MIT
Permissive Licenses
• Modifications/enhancements may remain proprietary
• Distribution in source code or object code permitted provided copyright notice & liability disclaimer are included and contributors' names are not used to endorse products
• Example: Apache Software License v2.0
Types of FOSS Licenses - continued
Partially Closable
• Useful when licensing libraries or extensible applications
• Modifications to the library must be distributed under similar terms while the whole program can remain closed
• Examples: MPL, GNU LGPL
Reciprocal
• Requires making improvements or enhancements available under similar terms
• Licensee must distribute "work based on the program" and cause such works to be licensed at no charge under similar terms
• Example: GPL
License Incompatibility
This is a major concern as free and open source software was intended to create a broad set of reusable components that can be mixed and work together.
Compatibility is determined by comparing restrictions
Usually it is one-way compatibility where code can only move up the chain of control from academic to reciprocal licensing terms.
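The one-way chain described above can be turned into a mechanical pre-check on a dependency list. The following is an added example, not code from the deck or from Black Duck: it places licenses into the four types the slides use, lets academic and permissive code flow anywhere, treats modified partially-closable libraries as carrying an obligation while the program stays closed, and blocks reciprocal code from moving down into anything that is not itself reciprocal. The tier table and the `Proprietary` outbound marker are illustrative assumptions, and the model deliberately ignores version-specific exceptions between real licenses; it is a first filter, not a legal determination.

```python
"""Model of the one-way license compatibility chain on the slide above.

Components are placed in the deck's four license types, ordered from least
to most restrictive.  Code may move up the chain into an equally or more
restrictive outbound license, never down.  The tier table is an assumption
for illustration and ignores version-specific exceptions between licenses.
"""
from dataclasses import dataclass
from typing import List

ACADEMIC, PERMISSIVE, PARTIALLY_CLOSABLE, RECIPROCAL = range(4)

# Assumed mapping built from the examples on the slides (not exhaustive).
LICENSE_TIER = {
    "MIT": ACADEMIC, "BSD-3-Clause": ACADEMIC,
    "Apache-2.0": PERMISSIVE,
    "MPL-2.0": PARTIALLY_CLOSABLE, "LGPL-2.1": PARTIALLY_CLOSABLE,
    "GPL-2.0": RECIPROCAL, "GPL-3.0": RECIPROCAL,
}
PROPRIETARY = "Proprietary"  # outbound only: the whole program stays closed


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    modified: bool = False  # True if the component's own code was changed


@dataclass(frozen=True)
class Finding:
    component: str
    severity: str  # "block", "obligation" or "review"
    message: str


def check_component(c: Component, outbound: str) -> List[Finding]:
    """Findings for combining component c into a program shipped under outbound."""
    if c.license not in LICENSE_TIER:
        return [Finding(c.name, "review", f"unrecognised license {c.license!r}")]
    tier = LICENSE_TIER[c.license]
    out_tier = None if outbound == PROPRIETARY else LICENSE_TIER[outbound]
    findings: List[Finding] = []
    if tier == RECIPROCAL and out_tier != RECIPROCAL:
        # Reciprocal code cannot move down the chain; the whole work must be reciprocal.
        findings.append(Finding(c.name, "block",
                                f"{c.license} code cannot be combined into a {outbound} program"))
    elif tier == PARTIALLY_CLOSABLE and c.modified:
        # Library changes must stay under similar terms; the program may remain closed.
        findings.append(Finding(c.name, "obligation",
                                f"modifications to {c.name} must be released under {c.license}"))
    elif tier == ACADEMIC:
        findings.append(Finding(c.name, "obligation",
                                "retain copyright notice in the distribution"))
    elif tier == PERMISSIVE:
        findings.append(Finding(c.name, "obligation",
                                "retain copyright notice and liability disclaimer; "
                                "do not use contributors' names for endorsement"))
    return findings


def check_program(outbound: str, components: List[Component]) -> List[Finding]:
    """Run check_component over every dependency of a program."""
    if outbound != PROPRIETARY and outbound not in LICENSE_TIER:
        raise ValueError(f"unknown outbound license {outbound!r}")
    return [f for c in components for f in check_component(c, outbound)]


def is_distributable(findings: List[Finding]) -> bool:
    """False if any finding blocks distribution; obligations still need tracking."""
    return not any(f.severity == "block" for f in findings)


if __name__ == "__main__":
    deps = [Component("libfoo", "1.0", "GPL-2.0"),
            Component("libbar", "2.1", "LGPL-2.1", modified=True),
            Component("tiny", "0.1", "MIT")]
    for f in check_program(PROPRIETARY, deps):
        print(f"{f.severity:10} {f.component}: {f.message}")
```

Obligations are reported separately from blocks because a closed product can ship with LGPL or MIT code as long as the notice and modification duties are met; only reciprocal code in a non-reciprocal program stops the release outright.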
The Windows 7 USB/DVD Tool Violated GPLv2 License
• Code was “multi-source,” including code from an external supplier with OSS
• Microsoft pulled the product from the Microsoft Store, then had to make the source code and binaries available
Takeaways:
• Even big, well run companies make mistakes
• OSS can enter from many sources in the supply chain
• It's difficult to manage OSS without both process and technology
Compliance flaws...
• Infringement
• Valuation
• Negative publicity
• Lost revenue
• Support costs
• Vulnerability
Products pictured: VOIP Phone, Wireless Router, GPS Navigation, Network Attached Storage, WiMax and others, iPhone WIP300, Home Hub Router, HDTVs
Compliance flaws...
These vulnerabilities were discovered within 24 hours of release
Easily avoided with the right solution
Security flaws...
Cost of defects
• Minimal when issues are detected early in the lifecycle
• Grows 100-1,000X late in the lifecycle
Invest time and process to choose good code up front vs fixing problems later
Capers Jones, Applied software measurement: assuring productivity and quality, 1999.
Recognise issues up front
How FOSS gets into the Enterprise
How FOSS should get into the Enterprise
How the Enterprise should manage FOSS
Business enabler
Accelerate Time to Market
• Use open source software to avoid reinventing the wheel
Increase Innovation & Product Capability
• Readily available to fill out the feature list
• Focus internal resources on valuable new features that provide strong value to customers or differentiation against competitors
Control Development Costs
• Reuse to lower development and licensing costs
• Improve development and group productivity
How Companies handle FOSS...
Deny usage of FOSS
Anger over unexpected loss of control
Crash plan, remediation to FOSS, lawyers' meetings...
No return...
...and then?
How FOSS gets into the Enterprise
How FOSS should get into the Enterprise
How the Enterprise should manage FOSS
• Open source discovery
• Review and selection
• Code management
• Maintenance and support
• Compliance program
• Community interaction
• Executive oversight
A Policy isn't just for developers...
Keep a component catalog to support compliance and security
How FOSS gets into the Enterprise
How FOSS should get into the Enterprise
How the Enterprise should manage FOSS
Search: the code to be used within the applications
Select: code on the basis of policy and key metadata
Approve: code on the basis of corporate policies
Develop: with the approved code, using the preferred tools
Validate: that only authorised code is used
Monitor: the use of the code and its impact on complex applications
Used by permission of Black Duck Software, Inc.
10 Best Practices from FOSS adopters
• Appoint an OSS steward
• Create a comprehensible policy
• Frontload acquisition processes, adapt RFT
• Require project leaders to identify OSS dependencies
• Use EA to regulate exploitation and maintenance
• Trust teams - but verify with code-scanning utilities
• Maintain a repository of preapproved OSS components
• Don't dwell on processes and artifacts; focus on outcomes
• Don't expect perfection, and plan for remediation
• Set a contribution policy – it will happen over time anyway
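Two of the practices above, the component catalog from the earlier slide and "trust teams, but verify with code-scanning utilities", fit together as one check: a scan of the build is reconciled against the catalog of preapproved components. The code below is an added illustration, not the deck's or Black Duck's software. `CATALOG` and `SCAN` are constructed sample data standing in for a real registry and a real scanner report, the component names are invented, and the advisory id is a placeholder; it also reports a library that appears in more than one version, which is how the same component enters from several sources in the supply chain.

```python
"""Preapproved-component catalog reconciled against a build scan.

CATALOG and SCAN are constructed sample data (assumptions for this
illustration).  A real deployment would load the catalog from a component
registry and the scan from an SCA tool's report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CatalogEntry:
    name: str
    license: str
    approved_versions: Set[str]
    advisories: Dict[str, str] = field(default_factory=dict)  # version -> advisory id


# Constructed catalog of preapproved components (invented names, placeholder advisory).
CATALOG: Dict[str, CatalogEntry] = {
    "xmlparse": CatalogEntry("xmlparse", "MIT", {"2.9.4", "2.9.10"},
                             advisories={"2.9.4": "ADVISORY-PLACEHOLDER-001"}),
    "webserv": CatalogEntry("webserv", "Apache-2.0", {"1.4.0"}),
}

# Constructed scan output: (component, version, where it was found in the tree).
SCAN: List[Tuple[str, str, str]] = [
    ("xmlparse", "2.9.10", "src/third_party/xmlparse/"),
    ("xmlparse", "2.9.4", "vendor/legacy/xmlparse/"),
    ("webserv", "1.5.0", "build/deps/webserv-1.5.0.tar.gz"),
    ("mysteryblob", "0.1", "lib/mysteryblob.so"),
]


def classify(name: str, version: str) -> str:
    """Status of one scanned component against the catalog."""
    entry = CATALOG.get(name)
    if entry is None:
        return "unapproved-component"      # never reviewed: policy gap or shadow dependency
    if version not in entry.approved_versions:
        return "unapproved-version"        # component known, this version not approved
    if version in entry.advisories:
        return "approved-with-advisory"    # approved earlier, now has a recorded advisory
    return "approved"


def audit(scan: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group scan hits by status so each group can go to the right owner."""
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for name, version, path in scan:
        report.setdefault(classify(name, version), []).append((name, version, path))
    return report


def duplicate_versions(scan: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Components present in more than one version: the same library entering from several sources."""
    seen: Dict[str, Set[str]] = {}
    for name, version, _ in scan:
        seen.setdefault(name, set()).add(version)
    return {n: v for n, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for status, items in sorted(audit(SCAN).items()):
        print(status)
        for name, version, path in items:
            print(f"  {name} {version}  ({path})")
    print("present in multiple versions:", duplicate_versions(SCAN))
```

Splitting the report by status matters in practice: an unapproved component goes back through review and selection, an unapproved version is usually a developer upgrading without telling anyone, and an approved version with a recorded advisory is the case the catalog exists for, since the scan alone would report it as fine.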
Attributions
http://bit.ly/gGDsAy
Source: Box.net
Source: TheDailyWTF.com
Brajeshwar on Flickr, License a-nc-sa