provides software and services that enable enterprises
Live Chat 1-888-673-6564
The Enterprise Open Source Blog
  • Home
  • Search
  • Contact Us
  • Products and Support
  • Services
  • Enterprise OSS Blog
  • Wazi Technical Blog
  • Resources Library
  • Cloud Services
  • Partners
  • Customers
  • Community
  • Company
  • Careers
  • News and Events

Subscribe by Email

Your email:

Most Popular Posts

  • Enterprise Apache Tomcat 7 Clustering - Designing an Efficient, Reliable and Productive Application Server Cluster
  • Open Source Virtual Whiteboards and Dimdim Review
  • An Enterprise Apache Tomcat Clustering Guide
  • Supporting CentOS In The Cloud With Windows Azure
  • VLC License Change: A lesson in perseverance
  • An In-Depth Look at Tomcat’s Clustering Mechanisms
  • Apache HTTP Server: New Features for Version 2.4
  • Why Closed Source is Better Than Open Source
  • Access Serial Ports through Ruby
  • Building Bots With Kids

Current Articles | RSS Feed RSS Feed

Reflections on 2011: Milestones in Open Source Compliance

Posted by Jilayne Lovejoy on Thu, Dec 29, 2011
  
Email This Email Article  
Tweet  
  

What has 2011 meant for open source legal issues and license compliance?  Regardless of what holiday you celebrate or whether you celebrate at all, it seems this time of year inspires reflection.  As I gaze out my office window at the snow-sprinkled Rocky Mountains, I can't help but apply that same reverie to the open source software world. What significant events have occurred? Which legal cases have been decided? How have we grown? Where are we going?

Of course, those questions are answered both objectively and subjectively.  Objectively in the sense that some events, cases, or growth are significant enough for anyone in this world to notice.  Subjectively in the sense that the perspective of some events, cases, or growth is intrinsically filtered by the lens through which we each look - in my case, the lens of a law geek (because anyone who enjoys reading appellate opinions, is, ipso facto, at least a little geeky) who is ever-increasingly embracing her techno-geek side (much to the delight of some of my co-workers) and fully embedded in the world of open source license interpretation and compliance.

1) SPDX Workgroup, organized under the Linux Foundation umbrella, releases version 1.0 of the Software Package Data Exchange® (SPDXTM) standard.  An impressive collaborative effort by industry and community participants came to fruition with the official release of SPDX, a standard format for communicating software provenance, open source license, and copyright information across the supply chain.  By creating a standardized way to report this information, efficiency is increased by reducing redundant work, thus allowing more focus and effort on open source license compliance.  This critical first step will provide a stepping stone to enable further developments to aide reporting and compliance as industry leaders adopt and adapt SPDX.

2)  The Regional Court of Berlin confirms that users are indeed allowed to modify and install GPL software shipped as part of the firmware of an embedded device.  This case involved plaintiff, AVM, which makes Linux-based DSL routers and defendant, Cybits, which makes an internet filtering device.  Cybits' device is installed on the AVM router by downloading the firmware, running a program that modifies the Linux kernel to add a user-space program, and re-installing the modified version.  AVM filed suit claiming, among other things, any modification of any software included with the firmware constitutes copyright infringement.  The court reasoned that the firmware is a collective work; because the GPL clearly grants the right to modify, those portions of the router firmware that are licensed under GPL can be modified. Thus, AVM cannot restrict such activity.  While this outcome may not sound shocking, with so little jurisprudence on the interpretation of open source licenses, judicial confirmation of what the open source world has come to assume is always worthy of attention.   (For more details about the case, check out FSFE's writeup or LWN's article which includes the legal perspective from gpl-violations.org lawyer, Till Jaeger.)

3)  Open source software adoption leaves the era of denial.  When performing open source audits for our customers, we always ask what open source software, if any, is in the codebase to be scanned.  This is really a trick question, as we know that every audit we have performed has revealed more open source software present than expected.  However, we've noticed a shift in the answers.  It was not so long ago that we occasionally heard, "we don't use any open source" as an answer or what we would refer to as denial.  In 2011, the answers have changed to resemble something more like acceptance, along with an increased sophistication in the types of questions customers ask.  This is confirmed by Gartner research which found that over half of respondents use open source software as part of their IT strategy.  Yet, Gartner also found that most organizations have yet to adopt an open source policy or governance framework.  Perhaps 2012 will be the year of responsibility and action.

What 2011 events concerning open source legal issues and license compliance were notable to you?  More importantly, how will navigate 2012 in this regard?

Is your company aware of or involved with SPDX?  If you are not yet familiar with SPDX, learn more at www.spdx.org, or better yet, join general mailing list or participate on one of the three teams - legal, technical, or business.

Is someone in your legal department staying abreast of legal developments related to open source software?  If not, make it a New Year's resolution to check in with various FOSS blogs and news sites on occasion.  I'd recommend Groklaw, FSFE's news page, Heather Meeker's Copyleft Currents blog, and opensource.com .

Where on the denial-acceptance-responsibility open source software continuum is your company?  If you are still struggling to accept your addiction, perhaps educating yourself on open source audits is the place to start. If you have embraced your open source software dependence, but have yet to create an open source policy, then check out our Open Source Policy Builder.

Subscribe to The Enterprise Open Source Blog via email

Follow @openlogic
Follow @jilaynelovejoy
View Jilayne Lovejoy's profile

This work is licensed under a Creative Commons Attribution 3.0 Unported License
.

Read More

0 Comments Click here to read/write comments
Tags: Legal & Compliance, Compliance, Open Source Trends, Legal

3 Steps to Developing an Effective Open Source Governance Process

Posted by Josh Simpson on Tue, Dec 27, 2011
  
Email This Email Article  
Tweet  
  

Each organization has different needs around Open Source Software (OSS), and the reality is that most companies today utilize OSS in one way or another.  Whether you’re a strong proponent of open source and want to maximize the benefits to your organization or you’re looking to exercise control to mitigate the risks, every company should prepare themselves for the inevitability of open source software with an effective governance strategy.

In a study released February 2011, Gartner surveyed 547 IT leaders and showed that over half of enterprises have adopted OSS as a part of their IT strategies, yet less than 1 in 3 had an open source policy in place.  Anecdotally, I can tell you my experiences match these results. Approximately 3 in 10 people I speak with tell me they have a formal OSS policy (and of those that do, 2 of the 3 aren’t very familiar with it).Before we get started, here are a few key aspects of governance to make sure we’re all on the same page:

    • Provisioning – The provisioning aspect of governance refers to the control and visibility you have into the origin of the source code.

    • Inventory – Keeping an accurate and up to date inventory of OSS in your environment enables you to focus your governance efforts around the packages and licenses that have an impact on your Compliance status.

    • Requests and Approvals – Instituting a process for requests and approvals fosters communication and accountability while allowing you to proactively evaluate software that enters your environment (often without a purchase request, bypassing existing controls).

    • Auditing – Once you’ve established a policy and a process, you need to check up on it, fine-tune it if any problems arise, and verify what you’re finding in your inventory.


Take a moment and consider the facets of governance above…do they look familiar?  You probably have a similar process in place for the rest of the software you use, whether it’s for Commercial-Off-The-Shelf software, 3rd party code, or internally developed applications.  Open source software can and should be included as part of your existing IT governance framework, and this post is designed to help you be successful in creating an effective open source governance process.

1.  Understanding Your Status Quo


Before you start making any changes, evaluating tools, or raising the alarm bells that you could be at risk for non-compliance, make sure you know your current situation in and out.  You can’t expect change when you don’t know where you’re starting from, and how would you know what to change in the first place?

Call me a new-age hippy Boulderite if you want, but I just took a few introductory yoga classes, and one of the things we learned is that the most important thing you can do is show up and be present.  Whether or not you can execute the postures like a yoga master is unimportant, just by showing up and connecting with your breath, you’ve taken the first step in your practice…and practice is what it is, you don’t just go in there and do it right, you constantly have to make adjustments and keep working at it.  As they say, practice makes perfect.

Open source governance can begin the same way.  Choose to be present – take in your surroundings and take the first step by articulating where you are today.  Here are a few questions you might consider or ask your colleagues to get a better understanding of your current situation:

    • Do you know what OSS is being used today?

    • Do you know what licenses are associated with the OSS you use?

    • Is there a list?  Do you keep a spreadsheet of OSS?  Who is responsible for maintaining the list of known OSS?

    • Do developers declare their usage?  Is there an analysis that takes place as part of the build process?

    • Is there a request and approval process already?  Who is responsible for submitting and reviewing requests?  How long does the process typically take?  What organizational groups are involved in this process?

    • Finally, even if there aren’t any formal processes, how have these things been handled in the past?


If you’re satisfied with the way things work today, then you should feel good about knowing that.  If there are inconsistencies, unnecessary delays in the process, or confusion, then that will become evident, too.  Keep in mind that this is not a time for judgment, blame, or even correction…just take stock and start being mindful, and think about how your current efforts fit in with your existing governance model.

2.  Build Your Business Case


Hopefully by this point, you’ve also read Greg Bell’s article on “3 Steps to Jumpstart Your Open Source Policy” and have started to develop one of your own. This step is a prerequisite for developing a governance process – you need to establish your unique perspective on OSS before you can implement a process to manage it according to the principles you’ve defined.  Because you’ve likely gotten other teams involved in that process, you’ll have already begun facilitating the communication and transparency necessary for effective governance.

Now you can start generating awareness.  Educate yourself and your teams about the way things are, and the way they could be.  If it makes sense in your company, consider the monetary damages of non-compliance with OSS licenses to measure your risk.  Think about the cost savings you can achieve by moving proprietary applications to OSS solutions.  Plan for any outside expertise you may need to bring in, tools you might need to manage governance or scan your inventory, and make sure you have sponsorship in case you need funding.

The most important thing to keep in mind is that you’re doing this for a good reason – to maximize efficiency and mitigate risks.  Try to think about it as a permissive, transparent, and collaborative process.  More and more often, you’re going to find that OSS seems like an attractive choice (if you’re not already actively using it), so embrace that and find ways to keep it above the board.  You’re not trying to create a Big Brother, police-state atmosphere…that never works anyways (see: Prohibition).

3.  Develop the Process


Finally, it’s time to get to work on creating your governance process.  In building the policy and business case, you should have a good idea of the goals you want to achieve and problems you want to solve.  Now you can work on putting those goals into practice.

For this step you might need to invest in additional resources, like a consultant or tools that help you scan your inventory, track downloads and manage the request and approval workflow, such as OpenLogic Exchange (OLEX)…but really think about whether the process itself, the goals you want to achieve, and how you can get there.  You might find you already have the tools and resources you need, or you can try the freely available resources at the Linux Foundation.  In Ragavan Srinivasan’s article about “Best Practices for Creating an Open Source Governance Process”, he points out that it might be tempting to design your process around available tools, but doing so could result in a sub-optimal process that could be tied to a proprietary solution.

You’ll want to make sure the process you build does the following:

    • Provides an accurate picture at your current inventory

    • Provides an intuitive workflow for Requests and Approvals

    • Stores information and decisions in a central location where everyone can access it

    • Allows you to leverage existing decisions and avoid duplicating efforts of license reviews and package selection

    • Includes a regular and periodic review of processes to ensure they are effective

    • Follows industry best practices, like those of Bank of America


Now that you understand your status quo, have established your goals, and have organizational support (and maybe even funding!), you’re well on the way to implementing an effective open source governance process that will keep you on top and aware of the impact of OSS in your organization.

Please feel free to leave any comments or suggestions of your own!

Follow @openlogic

Subscribe to Enterprise Open Source by Email

View Josh Simpson's profile
Follow @JoshSimpsonCO

This work is licensed under a Creative Commons Attribution 3.0 Unported License
.

Read More

0 Comments Click here to read/write comments
Tags: Compliance, Governance, Open Source Trends, Legal

Open Source Support: Gaps in Internal Expertise

Posted by Aaron Mandelbaum on Sun, Dec 25, 2011
  
Email This Email Article  
Tweet  
  

The need for Enterprise Level open source support continues to rise, as does the adoption of OSS in the enterprise.  The interest of cutting costs and accelerating development is tops of everyone’s mind as we head into 2012, and an uncertain economy.  Budgets are tight and goals are as aggressive as ever for what is sure to be an exciting year with the inclusion of cloud technology in most IT budgets around the globe.

There is a responsibility facing enterprises to produce higher yields from the resources that have been allotted, and adoption of OSS is the answer many are looking to for that reprieve.  Costs can be cut without compromising functionality by making the switch to open source software, however, use of such software can also expose a company to unexpected and unacceptable obligation and risk depending on the terms of the license that governs its use and distribution.  Not to mention the concerns that come along with the replacement of commercial software with regards to your team’s open source expertise and preparedness.

A top challenge facing enterprises when adopting new open source technologies are gaps in internal expertise.   Therein lies the need to leverage a 3rd party for Enterprise Level, commercial grade support options, in order to address these gaps in training, internal expertise, technical performance, and business process.  It is not uncommon for developers to be familiar with a new open source technology, but lack the extensive hands-on experience necessary to use it in production or migrate away from a proprietary solution.

Interesting to note that just last week the French Government tendered for open source support.  The tender details a need for support on hundreds of packages, covering two-thirds of the countries twenty-two ministries, spanning three years time, at a price of two million Euros.  Pretty amazing.

With all of the excitement and discussion regarding support options, it is however, highly common, that many searches for OSS support solutions are ultimately concluded with a choice of the status quo.  The decision to make no change at all, after exploring alternative solutions, happens frequently for a multitude of reasons.

Recently we surveyed our customers to find out what their top challenges were when they began looking for a 3rd party Open Source support provider.

The #1 answer was: Lack of information that was unique to their specific needs

We heard over and over that the information that they initially received was “generic”, a “blanket solution”, written from a “30,000 foot view”.  Our research showed that people in your position are looking for information that is unique to their enterprise to make the most appropriate decision in an efficient amount of time.

I thought it might be appropriate at this point, to share with you, one of our most popular resources, the Support Evaluation Kit Download.

As a result of the feedback we received, the kit will walk you through:

  • Detailed analysis of support options including key questions to consider when evaluating these options

  • A comprehensive support worksheet that will help you profile your organization’s open source usage and apply support coverage scenarios

  • Case studies detailing how OpenLogic’s aggregated support model helps enterprises that use multiple open source packages but lack expertise or don’t want to tie up internal resources with support issues


For those of you that are leveraging open source software to cut costs and accelerate development, can you answer yes to these key questions?

  • Are your open source deployments properly tuned and optimized?

  • Is your team up to speed on the latest versions and related technologies?

  • Is your open source policy up to date, effective, and enforced?


If you answered no to any of the above, your organization may not be getting the full benefits of open source – and may be at risk for problems down the road.

Whether you have been using OSS for years or you are considering a switch, either way, gaps in the internal expertise within your organization may be hurting the potential effectiveness of your open source initiatives.

What are your biggest challenges when searching for an open source support solution?

Subscribe to Enterprise Open Source by Email

 

Follow @openlogic
Follow @AaronMandelbaum
View Aaron Mandelbaum's profile

This work is licensed under a Creative Commons Attribution 3.0 Unported License
.

Read More

0 Comments Click here to read/write comments
Tags: Support, Training

Android Dominates Despite Being "Least Open" Open Source Project

Posted by Amanda DePaul on Thu, Dec 22, 2011
  
Email This Email Article  
Tweet  
  

When choosing a mobile operating system, those who pick Android often choose it for the fact that it's an open source project. Which is why I was surprised to see the recent report from VisionMobile, suggesting that based on its research stacking open source projects against each other, Android is the least open project of them all. VisionMobile ranked projects like Mozilla, Linux and Eclipse against Android in four main categories: access, development, derivatives and community. Android scored lowest in three of the four categories, ending up dead last in all but development. Here’s a breakdown of the findings:


    • Android came in last in access because its source code is created behind closed doors. That is, public developers don’t get a hold of the code until Google decides it’s absolutely ready to be released to the public. This can sometimes take up to nine months – contrary to the ideology that open source project code should be freely updated and available to all developers, all at the same time.

    • Android also ranked the lowest in the derivatives category because Google limits the manufacturers who can have Android Market on their devices. They must meet certain requirements and be certified to be able to advertise that the Market is available. On the contrary, other open source projects allow you to distribute code freely and use the product trademark without adhering to any requirements.

    • VisionMobile dubbed Android least open in the community category because of a lack of a tiered system for rights – that is, one’s status doesn’t dictate access.


The report essentially sums up Android’s lack of transparency in the governance program – VisionMobile ranked Android at 23% open compared to a whopping 84% for Eclipse. No other project ranked less than 58%. But the real question is, does that rating really matter for the success of Android?

I’d say the answer is no. Android’s popularity completely contradicts its dismal ranking in the study. There are more than 300,000 apps available for Android as of October 2011 and more than 88% of those apps are created using open source software (per a study conducted by OpenLogic last year – check out the webinar here). In addition, Android recently surpassed iOS in the market – a recent study by Nielson found that in the three months leading up to August 2011, 56% of those who purchased smartphones chose Android. Clearly, developers and the general public alike aren’t fazed by whatever VisionMobile deemed disappointing.

What do you think of Android’s recent open source ranking? Will it change your opinion of the operating system?

Follow @openlogic

Subscribe to Enterprise Open Source by Email

Read More

0 Comments Click here to read/write comments
Tags: Open Source Trends

4 Steps to Understanding an Open Source Audit

Posted by Dave McLoughlin on Tue, Dec 20, 2011
  
Email This Email Article  
Tweet  
  

Often times, at the completion of an open source software (OSS) audit, customers will ask us "Now that I know what OSS and licenses I have, what do I do?" or "Do I have any issues?" What they are really wondering about is license compliance, are they in violation of any of the OSS licenses, or if they are not in compliance, what are the implications?

If you are familiar with common OSS licenses, you will know that quite often people are most concerned about the dreaded "copyleft" licenses, where non-compliance can potentially mean they have to provide their source code, and more importantly, their intellectual property to their customers.

So how do you tell if there are issues or if there is anything you have to do to comply with the OSS license that is in the OSS used in your application development?

Here is a simple guide to help you to begin to understand compliance issues and how to come into compliance for newly discovered OSS.

1) Familiarize yourself with the basics of OSS licensing

There are two basic types of OSS licenses: permissive and “copyleft” (or restrictive). Permissive licenses are concerned primarily with giving credit where credit is due (A.K.A. attribution), protecting copyrighted material, and disclaiming of warranty (protecting the authors from lawsuits). While “copyleft” or restrictive licenses are characterized by two basic concepts: 1) providing the source code of the licensed work and/or 2) keeping the work under the original license.

The most common permissive licenses are Apache, BSD, and MIT licenses. The most common copyleft licenses are the GNU General and Lesser General Public License (GPL and LGPL), the Mozilla Public License (MPL), the Eclipse Public License (EPL) and the Common Development and Distribution License (CDDL).

Once you understand the basic differences between permissive and copyleft licenses you are armed to begin making an assessment of the results. Did you discover code that is under a strict “copyleft” license like the GPLv2 and you didn't know it was in there? Or is everything under permissive licenses like the BSD, Apache or MIT license?

2) Get to know the licenses in your application

Unfortunately, there is no shortcut here; you have to read the licenses associated with the OSS in your product.

Be careful what you read! For example, a developer may include a README file with an OSS work that says, “This work is licensed under a BSD-style license, please see the LICENSE.TXT for details.” If you make the assumption that you don’t have to read the license, and simply need to comply with the terms of the BSD license, you may be unpleasantly surprised. It’s not uncommon for OSS developers to take a license, like the BSD, and add a “couple” additional terms of use.
What if one of those additional terms of use is something you can’t or are not prepared to comply with?

I highly recommend, as you read through each license, begin to create a “compliance checklist.” This is reducing the terms of use into steps you will need to do to comply with the license. This will include things like, including a copy of the original license with your application or putting attribution text in your software documentation.

3) Understand when you have to comply

When you read a license, look for "triggers" in the terms of use, i.e., when a particular term of use comes into play. For example a “copyleft” license may only require you to provide source code in cases where the original OSS has been modified. In this example you can think of "modification" as the trigger. Some other common triggers include: form of distribution (source or binary), who it's distributed to (employees, customers, contractors), how it's combined with your code, (embedded or intermingled with code), and how your proprietary code uses or calls the OSS (statically or dynamically linked, called via an API or command line interface).

4) And finally understand your usage vis-à-vis the triggers

Once you know you have a license that has requirements triggered on modification, find out if you have modified any of the original OSS source code. Understand how the OSS and your code are combined. Understand where and how the OSS is used in your application or product.

By taking these relatively simple steps: 1) get a good basic understanding of OSS licenses, 2) familiarize yourself and learn the specific licenses that apply to the OSS you use, 3) understand when compliance terms are triggered, and 4) understand when your code triggers compliance steps, then you will have a solid grasp of the issues you face as you use OSS in your application development.

Here are a few links to learn more about OSS licenses:

OSS licensing standardization and education - http://www.opensource.org/
Copyleft licenses - en.wikipedia.org/wiki/Copyleft

For more help and information on OSS auditing and compliance.

Follow @openlogic

Subscribe to Enterprise Open Source by Email

Read More

0 Comments Click here to read/write comments
Tags: Legal & Compliance, Scanning & Provisioning, Scanning, Compliance, Governance, Open Source Trends, Legal, Security

Open Source Software in Cars: Five Best Practices for Compliance

Posted by Kim Weins on Sun, Dec 18, 2011
  
Email This Email Article  
Tweet  
  

For auto companies that are using or want to use open source software, it’s important to build open source compliance processes into your development and procurement processes.

Read More

0 Comments Click here to read/write comments
Tags: Legal & Compliance, Scanning & Provisioning, Scanning, Compliance, Governance, Open Source Trends, Legal, Support, Security

Developing The Cloud Mindset

Posted by Peter Williams on Thu, Dec 15, 2011
  
Email This Email Article  
Tweet  
  

From the moment I got a real taste of the freedom and flexibility of cloud computing I never wanted to go back. My first experience was more than three years ago at a tiny startup. The idea of cloud computing was pretty novel then, but after that first release I was hooked. I had never noticed before but managing physical hardware is like walking knee deep in water.

Just reading and thinking about the cloud can't do it justice. On the surface it seems like just yet another way to run your apps. Once you start working with the cloud -- particularly the PaaS variety -- it's power to help you get stuff done quickly becomes obvious. Anything that helps get stuff done is worth grabbing onto and exploiting for all it is worth.

Developers are often a bit resistant to using PaaS clouds. We chose this profession because of our deep and abiding love of computers. I have fond memories of my first computer. The smell of new hardware when you open the box is something i look forward to (mmm, outgassing). Obsessing over esoteric aspects of hardware, software and network setups is the norm for developers. Giving up selecting, unpacking and setting up hardware is sad. Just read what the people behind the excellent stackoverflow have to say. They are not anomalies. Those of us that love computers have a hard time just renting them.

These visceral reactions miss the point, though. We don't get paid to play with computers all day. We are here to develop applications that provide value. The flexibility and automation potential of the cloud allows developers to deliver more value faster and cheaper than we ever could on real hardware.

The ability to deploy my applications on a pre-configured OSS software stack without having to ask for permission or wait on anyone else, is huge. That capability allows me to provide more value because more of my time is directed at solving real problems, rather than dealing with red tape.

Cloud computing also allows for dramatic improvements how applications are managed. Consider how netflix deploys their software. Having the capacity to deploy entirely duplicated setups allows for much safer and predictable deployments. There is no way you would get approval to purchase and maintain enough spare capacity to deploy like that on real hardware. In the cloud the impossible is cheap and easy.

OpenLogic's CloudSwing brings the benefits of cloud computing to developers with a minimal learning curve. The pre-configured platforms, supported open source software and cloud provider neutrality of CloudSwing are designed to improve productivity.

What do you think the biggest benefits of cloud computing is to developers?

Follow @openlogic

Subscribe to Enterprise Open Source by Email
0 Comments Click here to read/write comments
Tags: Open Source Trends, The Cloud

I Don't Distribute. Is Compliance Really Necessary?

Posted by Rebecca Shockey on Tue, Dec 13, 2011
  
Email This Email Article  
Tweet  
  


The short answer is yes, compliance is necessary even if you don’t distribute.  Let’s discuss some of the reasons.  This question comes up in sales conversations frequently and is usually a result of an internal discussion at a prospect’s company.

Read More

0 Comments Click here to read/write comments
Tags: Legal & Compliance, Compliance, Legal

3 Steps to Jumpstart Your Open Source Policy

Posted by Greg Bell on Sun, Dec 11, 2011
  
Email This Email Article  
Tweet  
  

Developing and maintaining an open source policy is the foundation of an effective enterprise open source governance process. An open source policy that is current, comprehensive, adaptable, and continually reviewed will help guide your organization to increased open source usage where appropriate while reducing potential open source license violations.

When was the last time you reviewed and updated your company’s open source policy? If it’s been a year or more – or even worse, if you don’t yet have a formal, written open source policy – make a resolution to start the new year with a renewed focus on creating or updating your policy and aligning your open source governance processes with it.

Fortunately, there are a ton of great articles, examples, and suggestions available to help guide your efforts. Here’s a list of three easy steps to jumpstart your open source policy, plus a bunch of free policy and governance resources to help you get stated on the right track.

1. Bone Up On Open Source Policy Best Practices


You may not have experience writing an open source policy. Heck, you may not even be a lawyer (and for the record, I’m not either). That’s fine. No matter your level of experience and expertise, following best practices is as good a place to start as any.

One of the first open source policy resources I always recommend is Stormy Peters’ excellent article, Best Practices for Creating an Open Source Policy. Although several years old now, this article remains an essential primer for anyone engaged in open source policy creation or review. Stormy outlines everything from why you need a policy to critical components to the key questions you should consider as you create or update your company’s policy.

A fantastic companion to Stormy’s piece is Ragavan Srinivasan’s article, From Policy to Process: Best Practices for Creating an Open Source Governance Process. While the scope of Ragavan’s article goes well beyond open source policies, he does an excellent job of explaining the importance of policies as part of the overall enterprise open source governance process.

2. Evaluate Your Current Open Source Policy


Odds are you have some form of open source policy, even if it’s informal, poorly documented, or specific to a particular department or group within your organization. Start with whatever you have and conduct a thorough review with the key stakeholders in your organization – typically representatives from legal, engineering, procurement, and management – to establish the current state of your policy, identify areas that need improvement, and agree upon next steps.

As you get started on this phase of the process check out our on-demand webinar, Boost Your Open Source Policy: How to Evaluate and Improve Your Company’s Policy. In this session our CEO Steven Grandchamp leads a panel discussion with open source veterans from several Fortune 100 organizations who share their first-hand experience creating, maintaining, and implementing open source policies. This resource will help you understand not only how to get started with the evaluation process, but also how align your policy with changing needs and goals and communicate and implement the final policy document.

Another on-demand webinar worth your time during this phase is Developing an Open Source Governance and Compliance Program at Bank of America, in which Don D’Angelo, Senior Vice President of Open Source Product Management at Bank of America, shares invaluable tips from his experiences creating an open source policy and governance processes. This one will help you understand what an industry-leading open source policy looks like and how your evaluation process can set the groundwork for future policy greatness.

3. That Policy Ain’t Gonna Write Itself


Sooner or later you’re going to have to put pen to paper and translate all those best practices, examples, and tips to practical policy statements that are specific to your organization’s open source usage model. When you’re ready to start working on your open source policy, check out our free (and recently updated and expanded) Open Source Policy Builder, which walks you through all the questions your formal policy should answer, including:

    • Which open source licenses are approved for use in your company’s products?

    • Is open source distributed in your company’s products?

    • Who’s responsible for understanding license terms and conditions and ensuring compliance with them?

    • What kind of security or integrity review is required during procurement?

    • Are employees allowed to contribute to open source projects?

    • Are employees allowed to speak publicly about the company’s open source usage?


Finally, if at all possible check out examples of other organizations’ open source policies – particularly companies in your industry and/or with similar usage models. Many governmental organizations publish their policies (for example, check out the policies posted on Civic Commons), which may be at least interesting to read if not directly applicable. Additional examples might be found through colleagues at other companies, professional organizations or industry meetings, posting questions on LinkedIn groups, and conducting web searches. In short, take advantage of the community nature of open source and ask others for help – people are likely to share any information and resources they can to help you successfully and safely use open source software.

Have other open source policy resources to suggest? Please leave a comment!

Follow @openlogic
Follow @gbellcolorado
Subscribe to The Enterprise Open Source Blog by Email

Read More

0 Comments Click here to read/write comments
Tags: Compliance, Governance, Legal

Tomcat Support for an Old Web Application

Posted by Aaron Mandelbaum on Thu, Dec 08, 2011
  
Email This Email Article  
Tweet  
  

In my experience, people having issues with Tomcat web applications are usually experiencing new issues, from old applications, and are definitely some of the hardest to resolve.

Read More

0 Comments Click here to read/write comments
Tags: Support

Top 3 Reasons Why Open PaaS Rocks

Posted by Rod Cope on Tue, Dec 06, 2011
  
Email This Email Article  
Tweet  
  

So, why does Open PaaS rock?  I'll tell you, but first a little background.

As of today, a quick search of OLEX, Github, and SourceForge shows a total of 4,028 cloud-related open source projects in the world.  Google Code shows 163 million results when searching for "cloud".  That's a whole lot of cloudy open source.

Open source is ubiquitous and the cloud is ubiquitous, so it's not surprising that there's a lot of open source in the cloud (most public clouds are built on components such as Xen) and a lot of cloud in open source (projects like fog and OpenStack).  In this context, it makes sense that there are a number of providers talking about "Open PaaS", a marriage of open source and the cloud that allows developers to rapidly deploy their applications in a cloud while avoiding restrictions related to proprietary vendor licenses and the like.

I think it means more than that, however.  In a previous post (How Open is Open? A PaaS Scorecard), I established some criteria for judging open PaaS solutions that I'll summarize here:

Open PaaS makes it easy to deploy open source stacks in the cloud of your choice, either public or private, without constraining you to particular components or versions or locking you in to a particular vendor's proprietary technology.  You also don't have to worry about having your data held hostage because an Open PaaS implementation gives you direct access to your data at all times - no barrier to porting or exporting.  Finally, you can get development and production support on the open source components you deploy from any vendor you choose.

In a nutshell, Open PaaS is all about protecting your freedom to choose.

Without further ado, here are the Top 3 Reasons Why Open PaaS Rocks:

    • Any cloud - deploy wherever you want, including multiple public and private clouds

    • Any technology - Rails, Tomcat, LAMP, Node.js, Django, Redis, memcached, you name it - and no limits on components or versions

    • No lock-in - no proprietary scripting languages, no data stranglehold, no friction to porting or exporting anything, multiple support options


OpenLogic's CloudSwing is an Open PaaS that helps get you up and running with the open source stack of your choice on the cloud of your choice in a matter of minutes.  Don't worry about being restricted to just a few stacks or open source packages because you can add anything you like.  After all, it's your application.  You should be able to do anything you want with it.  You'll also get direct access to every virtual machine you deploy, which means you can take your code and data with you at any time.  We respect your freedom to leave so you'll have the confidence to stay.  You can also get developer or production SLA-backed support from us on any of the 700+ open source components we certify or you can get help from another vendor or internal staff.  As always, the choice is yours.

What do you think - is Open PaaS the perfect solution to life in the cloud?
Follow @openlogic
Follow @RodCope

Subscribe to Enterprise Open Source by Email

Read More

0 Comments Click here to read/write comments
Tags: Open Source Trends, The Cloud

Open Source Provisioning and Source Code Scanning for the Enterprise

Posted by Jesse Hood on Sun, Dec 04, 2011
  
Email This Email Article  
Tweet  
  

Documenting the provisioning channel(s) of open source downloads and ongoing use of open source scanning tools are now industry best practices that minimize the potential of license violations.

So how do enterprises approach this seemingly massive challenge of so many different bits and bytes to choose from and then vet their code weeks or months after making selections?

It’s almost as simple as balancing your checkbook (if anyone even uses those general ledgers any more).  Keep in mind that the first time I tried to balance a checkbook I needed some help from someone who had been doing it for a while.  We all hopefully know exactly where every penny and dollar comes from in our bank accounts and hopefully know exactly where it goes when it leaves.

The same methodology is applied to a corporate open source policy management strategy.  Clearly in today’s globally distributed business world this practice is a bit more complex than your personal finances but the general ideas are the same.  Open source adoption now demands a similar level of attention as your bank account does for both technical and legal reasons.  If you are following the analogy so far, unless bankruptcy is the goal, documenting provisioning and regular source code scanning are critical.

With a little education, understanding, and the right tools in place an organization’s OSS management system will absolutely succeed for the foreseeable future of their industry.

Would you deposit a check into your bank account if you were not 99-100% certain of the origin?  How about accepting a foreign draft or wire transfer?  Didn’t think so…  Cash is the exception, for today’s analogy we will put cash in a category similar to commercially licensed open source products, nothing wrong with cash, I love the stuff!  Easy to use but I rarely find it just lying around, usually have to work hard for it, and know who gave it to me when it comes my way.

This discussion is focused on the community distributions of open source that are under OSS licenses and can be freely downloaded from the net at no cost.  Enterprises are now thinking about their open source adoption strategy in similar context to a bank account.  I have to authorize for money to go into my bank account, even if someone else is depositing it I have to give him or her permission to do so by consenting the account information.

If there is a 1 or 2% chance that I don’t know exactly where the money (code and licenses) is provisioned from, why it’s coming into my bank account (past corporate firewall), and thinking ahead as to what I am budgeting that money for (where, when, why this code will be used) then it probably shouldn’t be there to begin with.

The OLEX repository has enterprise certification criteria that need to be met before any open source code or binary can be provisioned from it as a download.  In a corporate setting with an open source policy in place I can declare in OLEX why I think downloading a specific product is a good idea; what I will be using it for, how I will be using it, and where it will finally end up. By doing so I have quickly documented critical information to help me and my colleagues understand the business need, the usage model, and evaluate the technical and legal sustainability of my new OSS environment.

At some point I will have to spend my money…  In most places in the world we are free to spend our money on just about anything we want.  Similarly today in 80-90% of corporate open source environments the products and license’s can be used in just about any way the end users would like to.  However if I haven’t accurately documented the provisioning of money (code and licenses) into my bank account (corporate data center, SVN/CVS repository, build environments, etc…) then I could easily be setting myself up for disaster.

Regular inventory and source code scanning is a lot like balancing the checkbook; it’s become a long-term strategic initiative for success. Source code scanning ensures that any OSS environment is accurately documented; if we miss something in the provisioning stage we can catch it during the source code scanning exercise and re-evaluate to make good decisions, do some education, and possibly remediation.  Granted the many license types and potential modifications of source code can make source code scanning more like algebra or trigonometry than addition and subtraction but that is why there are highly specialized source code scanning analysis tools and experts to help enterprises get started.

Stay tuned as in a few weeks we’ll explore more technical details of how to successfully approach open source application auditing on a massive amount of valuable legacy code… similar to auditing a massive inheritance of wealth combined in monetary and physical properties.

Please add additional comments below!

Follow @openlogic
Follow @JesseH303
View Jesse Hood's profile
Subscribe to Enterprise Open Source by Email

Read More

0 Comments Click here to read/write comments
Tags: Scanning & Provisioning, Scanning, Open Source Trends

3 Ways to Justify Cost Savings for an Enterprise Move to the Cloud

Posted by Aaron Mandelbaum on Thu, Dec 01, 2011
  
Email This Email Article  
Tweet  
  

Cloud Technology is providing enterprises with new opportunities to cut costs and improve productivity.  In a recent survey conducted by KPMG (Of the Big 4 Accounting Firms), 75% of total respondents said they needed to show a cost savings to justify an enterprise move into the cloud.  The survey also revealed that some companies have allotted more than 20% of their 2012 IT budget to Cloud software and services.

3 areas the cloud will provide enterprises with cost savings opportunities:

    • Labor

    • Software

    • Hosting


The opportunities are made possible by the positive impact that cloud solutions are having on:

    • Automation

    • Virtualization

    • Standardization



Labor
Some estimates show that 67% of global enterprises' IT budgets are allocated to labor with 40% of this budget dedicated to application development and maintenance.  Specifically,  a 2010 IBM internal study of its own distributed infrastructure showed labor to be over 60% of the total operational cost per year.  Cloud technology will decrease the necessary person-to-server ratio over time as more applications begin running on automated platforms in the cloud.  With IT labor spend in excess of 60%, as IBM referenced in their findings, comes the biggest opportunity for cost reductions via increased capabilities of automation and decreased labor dollars earmarked to manage the infrastructure.

Software
The average enterprise has hundreds of applications making software the second largest expenditure for enterprise IT budgets at approximately 16%.  The increased accessibility of software through enhanced virtualization allows companies to leverage a pay-for-what-you-use model and reduce overall software licensing and maintenance costs.  By utilizing cloud based solutions, what was once a previously fixed cost can now be absorbed as a variable cost to be strategically optimized over time.

Hosting
As the complexity of the enterprise grows, so too does the need for a more powerful hosting infrastructure.  It is estimated that hosting accounts for 8% of the typical global enterprise IT budget.  Enterprises are now presented with an alternative to the traditional, fixed, capital expenditure (CAPEX) model that has been so common for enterprise hosting spend previously.  The new integration of public and/or private cloud hosting, will offer the enterprise an operational (OPEX) pay as you go model that can also(software) be absorbed as a variable cost and optimized over time.  The enterprise could also experience a reduction in power and cooling costs due to the increased efficiency in the use of the on site IT infrastructure.

It was only a few weeks ago when Warren Buffet invested $10.7 Billion into IBM, and rationalized the move by saying, “It’s a company that helps IT departments do their jobs better.”

Read More

0 Comments Click here to read/write comments
Tags: Open Source Trends, The Cloud
All Posts
Next Page
Error sending email
Email sent successfully

Email article
Email To : 
Your name : 
Message : (maximum 200 characters)

Enterprise OSS Blog Policy

If you read a post on The Enterprise OSS Blog, please leave a comment. Let us know what you think, even if it's just a few words. Comments do not require approval, but they are moderated.OpenLogic reserves the right to remove any comments it deems inappropriate.

 

click-to-chat-with-a-live-open-source-expert

get-a-quote-on-support

download-the-support-evaluation-kit

schedule-a-deep-discovery-demo

Most Popular Posts

  • Enterprise Apache Tomcat 7 Clustering - Designing an Efficient, Reliable and Productive Application Server Cluster
  • Open Source Virtual Whiteboards and Dimdim Review
  • An Enterprise Apache Tomcat Clustering Guide
  • Supporting CentOS In The Cloud With Windows Azure
  • VLC License Change: A lesson in perseverance
  • An In-Depth Look at Tomcat’s Clustering Mechanisms
  • Apache HTTP Server: New Features for Version 2.4
  • Why Closed Source is Better Than Open Source
  • Access Serial Ports through Ruby
  • Building Bots With Kids

Connect With Us!

Browse by Tag

  • 2013 (2)
  • Agile (1)
  • Apache (2)
  • apache tomcat (1)
  • AS 7 (1)
  • as7 (1)
  • Auditing (5)
  • Azure (2)
  • Budget (1)
  • BusyBox (1)
  • CentOS (3)
  • Closed Source Software (1)
  • cloud (4)
  • clustering (1)
  • CMS (1)
  • Code Scanning (1)
  • commercial distribution (1)
  • Community (4)
  • compliance (39)
  • C-Suite (1)
  • Database (1)
  • developers (2)
  • DevOps (15)
  • Drupal (1)
  • enterprise software (2)
  • foss (5)
  • Gitbhub (1)
  • Governance (36)
  • guide (1)
  • Hadoop (2)
  • HBase (2)
  • http 2.4 (1)
  • httpd 2.4 (1)
  • Java (1)
  • javascript (1)
  • jboss (3)
  • JBoss Cluster (1)
  • Joomla (1)
  • Legal (21)
  • Legal & Compliance (62)
  • Legal and Compliance (2)
  • license compliance (1)
  • Licenses (12)
  • Linux (4)
  • lisp code (1)
  • martin fowler (1)
  • Mobile (3)
  • mod_cluster (2)
  • MySQL (1)
  • Neal Ford (1)
  • open source (19)
  • open source compliance (1)
  • open source components (1)
  • open source events (1)
  • Open Source Governance (2)
  • open source legal issues (1)
  • Open Source Licensing (3)
  • Open Source Management (38)
  • Open Source Policy (3)
  • open source software (15)
  • Open Source Software Adoption (4)
  • open source software policy (1)
  • Open Source Training (1)
  • Open Source Trends (337)
  • Open Source vs. Commercial Software (3)
  • OSS (5)
  • OSS Packages (2)
  • PaaS (1)
  • paredit (1)
  • picketlink (1)
  • Policy (4)
  • PostgreSQL (1)
  • Presentations (1)
  • Programming (2)
  • red hat (1)
  • RHEL (1)
  • Ruby (1)
  • Scanning (27)
  • Scanning & Governance (12)
  • Scanning & Provisioning (30)
  • Security (13)
  • Shibboleth (1)
  • software compliance (1)
  • Software Development (2)
  • Software Development Lifecycle (7)
  • software infrastructure (1)
  • Solr (1)
  • Support (48)
  • Support & Services (2)
  • SUSE (1)
  • Technical Governance (1)
  • The Cloud (35)
  • The C-Suite (2)
  • tomcat (4)
  • Training (9)
  • Ubuntu (1)
  • Uncategorized (69)
  • Windows (1)
  • Windows Azure (1)
  • Wordpress (1)
  • Zookeeper (1)
Home | Search | Contact Us | Products and Support | Services | Enterprise OSS Blog | Wazi Technical Blog | Resources Library | Cloud Services | Partners | Customers | Community | Company | Careers | News and Events
Products
OpenLogic Exchange (OLEX)
License Compliance Module
OSS Discovery
OSS Deep Discovery
OpenUpdate
Services
Open Source Support
CentOS Support
Scanning & Compliance
Open Source Training
Professional Services
Solutions
Support & Indemnification
Open Source Governance
Open Source Scanning
Open Source Provisioning
Consulting & Training
Contact Us
1-888-673-6564

© 2013 OpenLogic, Inc. All rights reserved.
Site Map  |  Privacy Policy