Adopting SPDX in Embedded Space: Why and How?
December 12, 2013
Suhyun Kim
Samsung Electronics.
About Suhyun
• Open Source Compliance Engineer since 2009
• Establishing the Open Source Compliance Process
• Giving lectures and consulting to software developers
• Developing and operating http://opensource.samsung.com
• Developing utility software for Open Source Verification
– OSI (Open Source Self Inspector)
– AIRS (Auto IdentifieR using SPDX)
FOSS Verification Process
• The product team should identify all files in their product.
• Even if it is not their own work (obtained from a third party or from open source).

Source code (example input to the tool):

    #include <stdio.h>
    #include <stdlib.h>

    void funcA(void);   /* declare funcA before it is called */

    int main(void)
    {
        printf("Hello, SPDX!\n");
        funcA();
        exit(0);
    }

    void funcA(void)
    {
        printf("funcA called\n");
    }

Source Code and License Identification Tool

The tool may say: your source code is similar to the following files:
  file 1 @ Open Source project 1 : License Type A
  file 2 @ Open Source project 2 : License Type B
  file 3 @ Open Source project 3 : License Type C
  file 4 @ Open Source project 4 : License Type D
  …
FOSS Verification Process
• “Identify” effort is not trivial.
• Too many source files in our product.
• So, we’d like to reuse previous “Identify” result.
– For example, Open Source & Platform Code
• SmartPhones based on Tizen/Linux
• TVs based on Tizen/Linux
• Digital Cameras based on Tizen/Linux
• But we have to remove tool dependencies.
– Many servers with different configurations
– Various Commercial Tools.
SPDX for FOSS Verification Process
• Why SPDX?
– We can store all the essential "identify" information in an SPDX file.
– Especially the File Checksum is very useful for judging whether two files are identical.

SPDX File Information fields:
  File Name
  File Type
  File Checksum
  Concluded License
  License Information in File
  Comments on License
  Copyright Text
  Artifact of Project Name
  …
  File Comment
SPDX for FOSS Verification Process
• Our approach (based on SPDX1.1)
– Store tool-dependent information in [Creation Information]

  AIRS_LABELMAP_LICENSEID
    Apache License Version 2.0=<LicenseID1>
    LGPL 2.1=<LicenseID2>
  AIRS_LABELMAP_COMPONENTID_VERSIONID
    Endian Firewall Community#EFW 2=<ComponentID1><ComponentVersion1>
    petris#1.13=<ComponentID2><ComponentVersion2>
    Apache Lucene Java#1.4.3=<ComponentID3><ComponentVersion3>
    Apache Commons FileUpload#1.1=<ComponentID4><ComponentVersion4>
SPDX for FOSS Verification Process
• Our approach (based on SPDX1.1)
– Store general information in [File Information]

    <rdf:Description rdf:nodeID="A249">
      <fileType rdf:resource="http://spdx.org/rdf/terms#fileType_source"/>
      <fileName>tools/clean-sat.c</fileName>
      <rdf:type rdf:resource="http://spdx.org/rdf/terms#File"/>
      <rdfs:comment>Identified|||Code Match|||tools/clean-sat.c|||Clonezilla|||1.2.10|||GPL 2.0 |||gpl20|||Snippet|||100%|||clonezilla-live-src-1.2.10-12-i686-pae.debian.tar.gz/source/debian/g/gnupg/gnupg_1.4.11.orig.tar.gz.---/gnupg-1.4.11/tools/clean-sat.c|||[2013/07/18(Thu) 9:48:18 pm idented by [email protected]]</rdfs:comment>
      <checksum rdf:nodeID="A250"/>
      <licenseInfoInFile rdf:resource="http://spdx.org/rdf/terms#none"/>
      <copyrightText rdf:resource="http://spdx.org/rdf/terms#none"/>
      <licenseConcluded rdf:resource="http://spdx.org/licenses/GPL-2.0+"/>
      <artifactOf rdf:nodeID="A20"/>
      <licenseComments></licenseComments>
    </rdf:Description>

The tool-specific "Identify" result currently carried in rdfs:comment will be moved to the "artifactOf" field after SPDX 1.2.
SPDX for FOSS Verification Process
• AIRS (Auto IdentifieR using SPDX)
– Import "Identify" results from multiple SPDX files.

[Flowchart: matching one source file against the imported SPDX results]
  Input: Source file Checksum vs. Checksum + File "Identify" result @ SPDX1, SPDX2, SPDX3
  1. Find the same checksum between both.
  2. Only one identical checksum exists? YES: AUTO IDENTIFY.
  3. NO: Identical files have the same "Identify" result? YES: AUTO IDENTIFY.
  4. NO: Does the same file path exist? (Optional) YES: AUTO IDENTIFY. NO: Ignore.
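The decision flow above, re-implemented in Python as an added example (this is not AIRS code). The SPDX records, file contents and license identifiers are constructed, and treating a conflict between identical files as "Ignore" unless the optional path check resolves it is an assumption read off the diagram.

```python
import hashlib
from collections import namedtuple

# One File record as imported from an SPDX document (constructed for this
# example; field names follow the SPDX File section, not AIRS's real model).
SpdxFile = namedtuple("SpdxFile", "spdx_doc file_name sha1 license_concluded")


def sha1_of(data: bytes) -> str:
    """SPDX 1.x File Checksum is the SHA-1 of the file contents."""
    return hashlib.sha1(data).hexdigest()


def auto_identify(source_sha1, source_path, records, check_path=False):
    """Decide whether a source file may reuse a previous 'Identify' result.

    Follows the flowchart order: checksum match -> only one match? ->
    identical files agree? -> same file path? (optional) -> Ignore.
    Returns ('AUTO IDENTIFY', license) or ('Ignore', None).
    """
    matches = [r for r in records if r.sha1 == source_sha1]
    if not matches:
        return ("Ignore", None)                       # never identified before
    if len(matches) == 1:                             # only one identical checksum
        return ("AUTO IDENTIFY", matches[0].license_concluded)
    results = {r.license_concluded for r in matches}
    if len(results) == 1:                             # all identical files agree
        return ("AUTO IDENTIFY", results.pop())
    if check_path:                                    # optional tie-break on path
        same_path = {r.license_concluded for r in matches if r.file_name == source_path}
        if len(same_path) == 1:
            return ("AUTO IDENTIFY", same_path.pop())
    return ("Ignore", None)                           # conflict: leave for a human


# Constructed file contents and prior results from three SPDX documents.
CLEAN_SAT = b"/* clean-sat.c */\nint main(void) { return 0; }\n"
HELPER = b"/* helper.c */\nvoid help(void) {}\n"
RECORDS = [
    SpdxFile("SPDX1", "tools/clean-sat.c", sha1_of(CLEAN_SAT), "GPL-2.0+"),
    SpdxFile("SPDX2", "tools/clean-sat.c", sha1_of(CLEAN_SAT), "GPL-2.0+"),
    SpdxFile("SPDX1", "lib/helper.c", sha1_of(HELPER), "LGPL-2.1"),
    SpdxFile("SPDX3", "src/helper.c", sha1_of(HELPER), "MIT"),  # disagrees
]

if __name__ == "__main__":
    for path, data in (("tools/clean-sat.c", CLEAN_SAT), ("lib/helper.c", HELPER)):
        print(path, auto_identify(sha1_of(data), path, RECORDS, check_path=True))
```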
SPDX for FOSS Verification Process
• AIRS (Auto IdentifieR using SPDX)
Execute AIRS, e.g.:

    # java -jar airs.jar ai -h http://127.0.0.1 -u [email protected] -p passwd --proxy-host 127.0.0.1 --proxy-port 8080 --project-id c_13_swc_developer_ai_demo_130826 --spdx-files source.rdf

[Screenshots of OSI before and after running AIRS: "# of Not identified yet" before, "All Auto-identified" after]

※ OSI: Open Source Self Inspector (Samsung in-house tool)
SPDX for FOSS Verification Process
• Adopting AIRS in our FOSS verification process (In Progress)

[Diagram: each product's code is split into New Code and Reused Code. Without AIRS, both parts go through identification; with AIRS, the Reused Code is Auto Identified against a Certified Database whose results are
  1) certified by their previous work,
  2) certified by another product team,
  3) certified by the company (Open Source, Platform).]
FOSS Distribution Process
• Uploading FOSS packages to the distribution web-site
– For the Company: saves cost / easy to change source code after release
– For End Users: easy to get FOSS source code
• Providing acknowledgement of the usage of FOSS with the product
– Full copyright and entire text of the license agreement
– Written offer (how to obtain a copy of the FOSS source code)
– For the Company
• Difficult to generate the acknowledgement document.
• Difficult to change after release.
– For Users
• Poor readability
http://opensource.samsung.com
SPDX for FOSS Distribution Process
Admin page in opensource.samsung.com:
  1. Upload the source code.
  2. Load the verification result (SPDX).
  3. License notice and QR code (URL) are created.
[ Generating Open Source License Notice using SPDX ] – Easy to generate
[ Providing QR Code instead of full acknowledgement ] – Easy to change

End-user flow:
  1. QR Code/URL included as part of the product documentation (in manual, on box, in device with written offer, etc.). Ex) QR code on box.
  2. End user visits the specified web site (OSRC) using the QR code (or connects to the URL directly).
  3. End user receives the license info for the product including source code, license, and compliance contact.
SPDX for FOSS Distribution Process
• Open Source Announcement in Product and Web-Site
– QR Code includes the Written Offer and the Web-Site URL (full license notice and source download)
  http://opensource.samsung.com/opensource/GT-B2100/seq/0
– Written offer shown in the product:
  "The software included in this product contains open source software. You may obtain the complete corresponding source code for a period of three years after the last shipment of this product by sending an email to mailto:[email protected]. It is also possible to obtain the complete corresponding source code in a physical medium such as a CD-ROM; a minimal charge"
– Product: the Open Source announcement in the product is the Written Offer + QR Code
– Web-Site: the Open Source announcement on the web-site (OSRC) is the whole information
SPDX for FOSS Distribution Process
• Validating uploaded source code (In Progress)

[Diagram: AIRS compares the uploaded Source Codes with the Verification Result (SPDX) and flags
  CASE#1: FOSS source code isn't uploaded
  CASE#2: Checking if it is FOSS or proprietary
  CASE#3: Not verified source]
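One way to implement that reconciliation, as an added example (not AIRS code): the three cases are read off the diagram, the FOSS license set, file names and contents are constructed, and "proprietary" here simply means a concluded license outside that set.

```python
import hashlib

# Constructed FOSS license set for the demo; a real check would use the
# full SPDX license list plus the company's own license policy.
FOSS_LICENSES = {"GPL-2.0+", "LGPL-2.1", "Apache-2.0", "MIT"}


def sha1_of(data: bytes) -> str:
    """SPDX 1.x File Checksum is the SHA-1 of the file contents."""
    return hashlib.sha1(data).hexdigest()


def validate_upload(verification_result, uploaded):
    """Compare the files uploaded to the FOSS site with the SPDX result.

    verification_result: {sha1: (file_name, license_concluded)} from the
                         product's SPDX document
    uploaded:            {sha1: file_name} found in the uploaded package
    Returns the three cases from the diagram as lists of file names.
    """
    cases = {"CASE#1 FOSS not uploaded": [], "CASE#2 proprietary in upload": [],
             "CASE#3 not verified": []}
    for digest, (name, lic) in verification_result.items():
        if lic in FOSS_LICENSES and digest not in uploaded:
            cases["CASE#1 FOSS not uploaded"].append(name)      # written offer unmet
    for digest, name in uploaded.items():
        if digest not in verification_result:
            cases["CASE#3 not verified"].append(name)           # nobody identified it
        elif verification_result[digest][1] not in FOSS_LICENSES:
            cases["CASE#2 proprietary in upload"].append(name)  # closed code published
    return cases


# Constructed sample data (contents and names are hypothetical).
VERIFIED = {
    sha1_of(b"clean-sat"): ("tools/clean-sat.c", "GPL-2.0+"),
    sha1_of(b"petris"): ("petris/petris.c", "GPL-2.0+"),
    sha1_of(b"secret"): ("src/internal_keys.c", "Proprietary"),
}
UPLOADED = {
    sha1_of(b"clean-sat"): "tools/clean-sat.c",
    sha1_of(b"secret"): "src/internal_keys.c",
    sha1_of(b"unknown"): "src/new_helper.c",
}

if __name__ == "__main__":
    for case, files in validate_upload(VERIFIED, UPLOADED).items():
        print(case, files)
```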
Future Work
• Contributing AIRS to the SPDX WG @ Linux Foundation
  http://spdx.org/spdx-tools/tools-from-the-spdx-workgroup
  Considering trade-offs for AIRS:
  – Removing tool dependency
  – Reducing dependency on SPDX evolution
  – Improving performance
Future Work
• Contributing AIRS to the SPDX WG @ Linux Foundation
– Removing tool dependencies

[Architecture diagram:
  User Interface
  Auto Identify API (CLI / function call): AutoIdentifyService, IdentificationInfo
  Identify Abstract Layer: IdentifyService, IdentificationInfo (supportable by other identification tools)
  Identification Tools: Protex, via ProtexAutoIdentifyService and Protex IdentificationInfo
  SPDX Manager: SPDX Parser, SPDXService (derived from SPDX-tools)]