Open Source License Management

Posted by Aaron Mandelbaum on March 13th, 2012 in Governance, Legal & Compliance, Open Source Trends, Scanning & Provisioning

Understanding and interpreting open source licenses is not always an easy task. Open source licenses are essentially unilateral; if you use the software, you agree to the terms of the license. There is no protracted negotiation process during which to ruminate and refine terms as is often the case for custom-developed software.

Adding to the difficulty in understanding and interpreting open source licenses is the fact that the more troublesome compliance terms have yet to be litigated, most notably the derivative works question in regards to the GNU General Public License. However, that does not mean there is no guidance.

Enterprise Open Source Scanning & Application Auditing Tasks: Outsource or Internalize?

Posted by Jesse Hood on March 5th, 2012 in Open Source Trends, Scanning & Provisioning

Scanning software code bases to identify the presence, or verify the absence, of open source materials, the associated license information, and other third party components, is now a best practice for many corporate organizations. More specifically, enterprises that are interested in achieving the goal of diligent license compliance practices, streamlined policy management, and a safe adoption strategy for open source software, have dedicated their resources to these projects.

Today’s article compares some of the pros and cons of owning these initiatives 100% in-house versus outsourcing some of the work to a company with expertise in using source code scanning tools and analyzing open source license obligations.

The question of bringing and owning any new IT project initiative in-house vs. outsourcing the work to expert consultants is not a new one. Many IT industry blogs offer different opinions and perspectives, with some excellent considerations on the general in-house vs. outsourced decision, so I won't beat this one into the ground any more. This article brings an enterprise open source management perspective to the discussion and to the eventual decision that needs to be made about in-house code scanning or outsourced application audit report preparation.

Using “Categorization” to Simplify Open Source License Compliance

Posted by Dave McLoughlin on February 24th, 2012 in Legal & Compliance, Open Source Trends, Scanning & Provisioning

In Jilayne Lovejoy’s recent blog entitled Open Source License Interpretation Made Easy she examines a method for interpreting open source licenses based on viewing licensing terms as a series of “if-then” statements. In this blog I’d like to take a look at providing you with a handy method to categorize terms of use into groups to further help simplify the compliance process.

Open Source Provisioning Strategies Can Help Achieve the Promised ROI

Posted by Jesse Hood on February 6th, 2012 in Open Source Trends, Scanning & Provisioning

Open source is a gold mine for enterprises in 2012 and beyond, and as the number of choices grows exponentially, so does the need for a provisioning strategy.

Webster’s basic definition for provisioning is to supply someone or something with provisions. Thanks Webster, I can always count on you to cut to the chase. Since we are not really writing about supplying food, water or clothing rations I had to find a more appropriate and up to date definition.

This one from webopedia describes provisioning as: The process of providing users with access to data and technology resources. The term typically is used in reference to enterprise-level resource management.

That’s pretty good, but let's dig a bit further into the nature of open source to consider the implications of effectively and safely provisioning it for an enterprise. Three of the largest open source repositories in the world publish the following data about the amount of code available:

Open Source Scanning: A Technical Perspective on Which Files to Scan

Posted by Dave McLoughlin on January 23rd, 2012 in Scanning & Provisioning

When preparing to scan your application development projects for open source software, one simple approach is to point your scanner at the root directory of your development system. But that is probably not the most efficient approach, and the results may include many open source components that are not actually part of your application. Worse, the scanner may miss components that are not present in the build environment. There are many reasons to be careful and selective about what you scan and why. Here’s a short list of considerations when preparing to scan and determine the open source used in your application.

Linear vs. Targeted: The Location and Amount of Source Code Scanning is Important

Posted by Jesse Hood on January 6th, 2012 in Scanning & Provisioning

The location and amount of source code scanning and analysis an organization should expect to do when beginning a new initiative will likely correlate directly with establishing or revisiting a meaningful open source policy. Retroactively auditing for open source and analyzing licenses can quickly become a much more time- and resource-intensive task than expected for companies starting these projects in 2012, mainly due to the potential for large legacy code bases that have never been vetted for open source before.

This article includes a short description of how the individuals who are or will become members of an open source review board could start thinking strategically about a scanning project to maximize efficiency of limited resources.

4 Steps to Understanding an Open Source Audit

Posted by Dave McLoughlin on December 21st, 2011 in Legal & Compliance, Scanning & Provisioning

Often, at the completion of an open source software (OSS) audit, customers will ask us “Now that I know what OSS and licenses I have, what do I do?” or “Do I have any issues?” What they are really wondering about is license compliance: are they in violation of any of the OSS licenses, and if they are not in compliance, what are the implications?

If you are familiar with common OSS licenses, you will know that people are quite often most concerned about the dreaded “copyleft” licenses, where non-compliance can potentially mean they have to provide their source code, and more importantly their intellectual property, to their customers.

So how do you tell whether there are issues, or whether there is anything you have to do to comply with the licenses of the OSS used in your application development?

Here is a simple guide to help you to begin to understand compliance issues and how to come into compliance for newly discovered OSS.

Open Source Software in Cars: Five Best Practices for Compliance

Posted by Kim Weins on December 19th, 2011 in Governance, Legal & Compliance, Open Source Trends, Scanning & Provisioning, Support

For auto companies that are using or want to use open source software, it’s important to build open source compliance processes into your development and procurement processes.

You’ve probably already heard that GM’s Chevy Volt has over 10 million lines of code – 2 million more than a fighter jet. What you may not know is that the Volt includes a lot of open source software – and the open source code used is available on the oss.gm.com website to fulfill the requirements of the GPL and LGPL licenses.

But the use of open source in cars doesn’t stop there. GENIVI is a non-profit industry alliance that includes members like BMW, Delphi and GM, working to create an open source development platform for In-Vehicle Infotainment (IVI). In addition, several Android-based IVI systems have been announced and more are coming soon. The use of open source also extends to the many car-focused mobile apps for both Android and Apple platforms.

I spoke at the recent Automotive Linux Summit in Japan and shared five tips to help you ensure you are complying with the open source licenses that you use:

Open Source Provisioning and Source Code Scanning for the Enterprise

Posted by Jesse Hood on December 5th, 2011 in Scanning & Provisioning

Documenting the provisioning channel(s) for open source downloads and making ongoing use of open source scanning tools are now industry best practices that minimize the potential for license violations.

So how do enterprises approach this seemingly massive challenge: so many different bits and bytes to choose from, and then vetting their code weeks or months after making selections?

It’s almost as simple as balancing your checkbook (if anyone even uses those general ledgers any more). Keep in mind that the first time I tried to balance a checkbook I needed some help from someone who had been doing it for a while. We all hopefully know exactly where every penny and dollar comes from in our bank accounts and hopefully know exactly where it goes when it leaves.

Learn About the Ins and Outs of Open Source Audits

Posted by Greg Bell on October 25th, 2010 in Scanning & Provisioning

As enterprise use of open source software approaches 100%, it’s becoming more imperative than ever for businesses to determine what open source software is being used, establish open source policies, and ensure open source license compliance. Litigation, loss of revenue, and compromised bargaining position are some of the risks associated with lack of open source license compliance. As a result, open source audits are becoming common requirements in a wide variety of scenarios, including mergers and acquisitions, financing, and distribution deals.

About Us

OpenLogic helps enterprises use open source software by providing open source support, scanning, governance, and cloud solutions. For more on OpenLogic, go to www.openlogic.com.