March 6-8, 2018 - Sonoma, CA


Automating Compliance / Gaps & Successes
Wednesday, March 7

12:20pm PST

REUSE Principles for Automating License Compliance Processes - Jonas Öberg, Free Software Foundation Europe
The REUSE principles are a set of best practices for marking up licenses and source file headers that make it possible and easy to automate license detection. Building on the successful work of the SPDX working group, the REUSE principles use the same standard but add to it. Work on making the Linux kernel compatible with the REUSE principles is ongoing, but the standard applies generally and can be used by any software project to facilitate downstream compliance.

Coupled with the REUSE principles come a set of basic tools to "lint check" a source repository and validate whether it is REUSE compliant, and tools to automatically generate an SPDX-compatible bill of materials. In this talk, Jonas Öberg will give an introduction to the REUSE principles and outline some of the work in progress as the initiative moves from licenses to copyright and lays the foundation for other tools seeking to automate the compliance process.

Jonas Öberg

Open Source Officer, Scania CV AB
Jonas Öberg is the Open Source Officer for Scania CV AB, putting open source in support of his childhood dream of making buses, trucks, marine engines and other things that go wroom-wroom. For 20 years, he has worked to develop the ecosystem of open source software, focusing on automation...

Wednesday March 7, 2018 12:20pm - 12:50pm PST
Sonoma Valley Room

2:00pm PST

Automating Compliance: Solving the Problem at the 'Source' - Philippe Ombredanne, AboutCode.org, Kate Stewart & Greg Kroah-Hartman, The Linux Foundation
For years now we've been treating compliance with open source licenses as an afterthought, something to be done before distribution, and relying on more and more sophisticated tooling and heuristics to guess what the license is. Code sharing between projects (with different licenses!) has become common and enables much innovation, but it only makes the problem worse. This approach has meant that more resources (tooling, people, time) are needed to figure out the licensing in order to comply with the terms of open source licenses. In this session, we'll look at the Linux kernel, which, while it has a LICENSE file indicating it is GPL-2.0-only, actually has over 80 licenses, expressed in over 1000 ways. We'll go through a simple solution that is being applied at the source code level in the Linux kernel to remove the guesswork from the tooling and to simplify the analysis. This technique can be applied to any open source project. It will take us significantly closer to the goal that for every build, you know the licenses that apply (via a simple 'grep' if you prefer) and can automatically generate the artifacts to comply with those licenses.

Greg Kroah-Hartman

Linux Kernel Developer and Fellow, The Linux Foundation

Philippe Ombredanne

AboutCode.org and ScanCode maintainer, AboutCode.org and nexB Inc.
Philippe Ombredanne is a passionate FOSS hacker, lead maintainer of the ScanCode toolkit and on a mission to enable easier and safer to reuse FOSS code with best in class open source tools for open source discovery, software composition analysis and license & security compliance at...

Kate Stewart

Senior Director of Strategic Programs, Linux Foundation
Kate Stewart is a Senior Director of Strategic Programs, responsible for Embedded and Open Compliance programs. Since joining The Linux Foundation, she has launched Real-Time Linux, Zephyr Project, CHAOSS, and ELISA.

Wednesday March 7, 2018 2:00pm - 2:30pm PST
Sonoma Valley Room

2:40pm PST

Scaling an Open Source Program with Automation and Tooling - James Ward, Salesforce.com
At Salesforce we do tons of open source and have created and use a number of tools to help us manage our open source processes. This session will walk through the things you can and should automate in order to scale your open source program. It will cover managing Contributor License Agreements, automating various security checks, and managing an open source request process. Come learn from what we've learned about scaling an open source program.

James Ward

Developer Advocate, Google Cloud
James Ward is a nerd / software developer who shares what he learns with others through presentations, blogs, demos, and code. After over two decades of professional programming, he is now a self-proclaimed Typed Pure Functional Programming zealot but often compromises on his ideals...

Wednesday March 7, 2018 2:40pm - 3:10pm PST
Sonoma Valley Room

3:40pm PST

DevOps & Insurance Company: Create a Bridge between Security and Change - Jonathan Le Lous, Manulife
Integrating DevOps and open source tooling inside an insurance company such as Manulife is, obviously, a challenge. This challenge is not only technological (links with legacy apps) but also a cultural shift into a new era of security and risk. On our journey to DevOps, people were surprised by how close we have been to the security and risk teams. Most people try to avoid them and expected the same from us. Behind that expectation are the same old questions: 'Aren't open source and security contradictory?' and 'If you want to move faster, how can you do that with security restrictions?'

During this presentation we will go through our technology stack, including Kubernetes, Docker, microservices... and see how we approached integrating a security strategy into our open source platform. Our gaps and successes...

Jonathan Le Lous

Field CTO, Capgemini
VP Cloud/DevOps @ Paris Open Source Summit 2019; Open Source Contributor for 15 years; France/Canada. For 15 years I have been passionate about helping organizations become Lean/Agile and modernize their app portfolios and software development life cycle, using DevOps, Cloud, PaaS, Containers...

Wednesday March 7, 2018 3:40pm - 4:10pm PST
Sonoma Valley Room

4:20pm PST

Leveraging Open Source Projects for Open Source Management - Steffen Evers, Bosch Software Innovations
Correct handling of open source in a commercial context is a challenge. Every company needs to build up and maintain its own processes to face this challenge, and sophisticated tooling seems inevitable. Since open source is managed every day anyway, it seems reasonable to also collaborate with the open source community on the open source management system itself.

Bosch Software Innovations uses and supports an open source approach at the tool level (e.g. Eclipse SW360, FOSSology) as well as at the standard level (e.g. OpenChain, SPDX) to continuously improve the open source management system and to collaborate with suppliers, customers and partners.

Steffen Evers

Director Open Source Services, Bosch Software Innovations GmbH
Steffen Evers leads the "Open Source Services" team of Bosch Software Innovations. The team provides development services for open source software (OSS) that is essential for Bosch. It also consults on strategy, community work, software management and compliance processes in the area...

Wednesday March 7, 2018 4:20pm - 4:50pm PST
Sonoma Valley Room

5:00pm PST

Tackling Compliance for Containers with Tern - Nisha Kumar, VMware
You've converted your service infrastructure into microservices running in containers, ready to be deployed to the cloud. To meet your software compliance obligations, you analyze some of the images to find all the packages installed, and you realize that some of them are unrecognizable or shouldn't even be there. How did they get in there? You now realize that you will have to do this exercise for all of the containers you have created and may even have to redo some or most of your containerizing work. How will you accomplish this?

In this talk, Nisha Kumar will discuss some best practices on how to build compliant containers from the ground up, how Tern, an open source project, attempts to extract package metadata from an existing container, and how the container distribution ecosystem can improve for the benefit of everyone working with containers.

Nisha Kumar

Open Source Engineer, VMware
Nisha Kumar is an Open Source Engineer at VMware's Open Source Technology Center. She is one of the maintainers of Tern, a container image inspection tool for OSS license compliance. She has spoken at several events including All Things Open, SCaLE, and a previous KubeCon.

Wednesday March 7, 2018 5:00pm - 5:30pm PST
Sonoma Valley Room
Thursday, March 8

11:20am PST

License Information Management - Case Study - Steve Winslow & Kate Stewart, The Linux Foundation
For modern open source software projects, license compliance presupposes that a developer or distributor can determine what licenses are present in a codebase. Managing, locating and maintaining license information for a large open source project is often far more complex than simply posting a single LICENSE.txt file. In this tutorial, Steve Winslow and Kate Stewart will present real-world examples to demonstrate techniques and best practices for identifying applicable licenses, handling license compatibility, and communicating license information to a project's contributors and users.

Kate Stewart

Senior Director of Strategic Programs, Linux Foundation
Kate Stewart is a Senior Director of Strategic Programs, responsible for Embedded and Open Compliance programs. Since joining The Linux Foundation, she has launched Real-Time Linux, Zephyr Project, CHAOSS, and ELISA.

Steve Winslow

Director of Strategic Programs, The Linux Foundation
Steve Winslow is Director of Strategic Programs at The Linux Foundation. He runs The Linux Foundation's license scanning and analysis service, advising projects about licenses identified in their source code and dependencies. Steve is also involved with projects including SPDX...

Thursday March 8, 2018 11:20am - 11:50am PST
Kenwood 1

12:00pm PST

SPDX vs The Spreadsheet - A Governance Fight to the Death - Yev Bronshteyn, Black Duck Software
How do you keep track of open source usage when every division or subsidiary has its own development process, its own preferred tech stack(s), and its own methodology of component tracking (or lack thereof)? Did you answer "with a spreadsheet"? You're not alone, but there is a better way. In this talk we'll go through the organizational and technical challenges of keeping track of open source across the heterogeneous enterprise, and discuss how SPDX, the Linux Foundation's open, standards-based mechanism for tracking, aggregating, and exchanging Bill of Materials (BOM) data, enables open source governance at scale.

Yev Bronshteyn

Senior Software Engineer - Alliances, Black Duck Software/Synopsys
Yev Bronshteyn is a Senior Software Engineer at Black Duck Software, working on solutions for open source governance and security. He is a contributor to the SPDX technical team, which defines the Linux Foundation standard for documenting deep software package information with linked...

Thursday March 8, 2018 12:00pm - 12:30pm PST
Kenwood 1

1:50pm PST

The Need for Build-time Analysis in Open Source Compliance Tooling: Lessons Learned from the Quartermaster Prototype - Mirko Boehm, Endocode AG
Quartermaster aims at building an industry standard of tooling that supports the open source license compliance workflow. Its workflow engine integrates existing scanning and reporting tools and plugs into CI/CD processes. It offers API endpoints against which toolmakers, communities and service providers can integrate their products into the open source and open data model of the elemental toolchain. Development of the Quartermaster prototype resulted in a number of key findings, especially that source packages alone do not identify and convey sufficient license information, and that the product build process may be the best time to check compliance. The presentation introduces the Quartermaster project, the novel approach it takes to implementing open source compliance tooling, and how the lessons learned from the prototype influenced the Quartermaster toolchain architecture.

Mirko Boehm

Director, Open Source Governance and Compliance, Endocode AG
Free and Open Source Software contributor. Founder, Endocode. Director, Linux System Definition, Open Invention Network. KDE contributor since 1997 (including several years on the KDE e.V. board). Visiting lecturer and researcher at the Technical University of Berlin. FSFE Team Germany...

Thursday March 8, 2018 1:50pm - 2:20pm PST
Kenwood 1

2:30pm PST

OSS Review Toolkit: Automating FOSS Reviews within CI/CD - Thomas Steenbergen, HERE Technologies
In an ideal world, a FOSS review is highly automated and done often and early so that any FOSS issues - whether technical, licenses or security - can be caught and resolved as they appear. The OSS community currently lacks review tooling that is compatible with modern SW development practices like using package managers, continuous integration and continuous delivery (CI/CD).

Without this review capability, FOSS projects are often released without clear metadata, resulting in reduced adoption and fewer contributions, thereby making the projects less successful.

In this talk we present a new tool called OSS Review Toolkit (ORT) that enables highly automated OSS reviews within CI/CD by combining existing FOSS dependency and scanning tools with ClearlyDefined, a platform to discover, curate and share FOSS component metadata.

Thomas Steenbergen

Head of Open Source, HERE Technologies
Thomas Steenbergen is the Head of Open Source at HERE Technologies (www.here.com). HERE is the open location platform company, which enables people, enterprises and cities to harness the power of location. He has been an active contributor to the SPDX specification since 2015, helping...

Thursday March 8, 2018 2:30pm - 3:00pm PST
Kenwood 1

3:30pm PST

Scanning Your Code with ScanCode: Automating FOSS Compliance with AboutCode - Philippe Ombredanne, nexB
The ScanCode toolkit and the AboutCode.org projects are a suite of open source tools to help vet code for origin and license and comply with open source licensing obligations. This is a tutorial on practical use and deployment of these free tools to accelerate vetting and automate open source compliance.

Philippe Ombredanne

AboutCode.org and ScanCode maintainer, AboutCode.org and nexB Inc.
Philippe Ombredanne is a passionate FOSS hacker, lead maintainer of the ScanCode toolkit and on a mission to enable easier and safer to reuse FOSS code with best in class open source tools for open source discovery, software composition analysis and license & security compliance at...

Thursday March 8, 2018 3:30pm - 4:00pm PST
Kenwood 1

4:10pm PST

Staying on Top of Trademark Confusion with Kodi, a Consumer-focused Open Source Project - Nathan Betzen & Keith Herrington, XBMC Foundation
Kodi (previously known as XBMC), the consumer-focused open source media center software, has more than 30 million active users worldwide. Thousands of aspiring entrepreneurs have seen Kodi's success and sought to profit off of it in myriad legal and illegal ways. Sometimes this means pretending to be Kodi. Sometimes, this means marketing Kodi as something other than what it actually is.

In this talk, Nathan and Keith will discuss using trademark, business ties, marketing, and even word of mouth to combat the resulting spread of misinformation.

Nathan Betzen

Board Member, XBMC Foundation
Nathan has been working with Kodi (previously XBMC) since 2009, providing community support, managing projects, and handling organizational and legal issues. Nathan took the lead in the effort to rename the project from XBMC to Kodi and trademark it worldwide.

Keith Herrington

Board Chairman, Kodi Foundation
Keith started working on XBMC when it was ported to the Apple TV and regularly interacts with companies like Amazon, eBay, and content providers both to protect the Kodi trademark and further business relationships.

Thursday March 8, 2018 4:10pm - 4:40pm PST
Kenwood 1