Adopting SPDX in Embedded Space: Why and How?

December 12, 2013

Suhyun Kim

Samsung Electronics.

1

About Suhyun

• Open Source Compliance Engineer since 2009

• Establishing Open Source Compliance Process

• Giving lectures and consultings to Software Developers.

• Developing and Operating http://opensource.samsung.com

• Developing utility softwares for Open Source Verification

– OSI (Open Source Self Inspector)

– AIRS (Auto IdentifieR using SPDX)

2

FOSS Verification Process

• Product Team should identify all files in their product.

• Even it’s not their own work - obtained by third party or open source.

#include <stdio.h> #include <stdlib.h> int main() { printf(“Hello, SPDX!”); funcA(); exit(0); } void funcA() { printf(“funcA called”); }

Source code

Source Code and License Identification

Tool

The tool may say: Your source code similar following files: file 1 @ Open Source project 1 : License Type A file 2 @ Open Source project 2 : License Type B file 3 @ Open Source project 3 : License Type C file 4 @ Open Source project 4 : License Type D …

3

FOSS Verification Process

• “Identify” effort is not trivial.

• Too many source files in our product.

• So, we’d like to reuse previous “Identify” result.

– For example, Open Source & Platform Code

• SmartPhones based on Tizen/Linux

• TVs based on Tizen/Linux

• Digital Cameras base on Tizen/Linux

• But we have to remove tool dependencies.

– Many servers with different configurations

– Various Commercial Tools.

4

SPDX for FOSS Verification Process

• Why SPDX?

– We can store whole essentail “identify” information into SPDX file.

– Especially, Filechecksum is very useful to judge identical file.

FileName FileType File Checksum Concluded License License Information in File Comments on License Copyright Text Artifact of Project Name … File Comment

5

SPDX for FOSS Verification Process

• Our approach (based on SPDX1.1)

– Store tool dependent information at [Creation Information]

AIRS_LABELMAP_LICENSEID Apache License Version 2.0=<LicenseID1> LGPL 2.1=<LicenseID2> AIRS_LABELMAP_COMPONENTID_VERSIONID Endian Firewall Community#EFW 2=<ComponentID1><ComponentVersion1> petris#1.13=<ComponentID2><ComponentVersion2> Apache Lucene Java#1.4.3=<ComponentID3><ComponentVersion3> Apache Commons FileUpload#1.1=<ComponentID4><ComponentVersion4>

6

SPDX for FOSS Verification Process

• Our approach (based on SPDX1.1)

– Store general information at [File Information]

<rdf:Description rdf:nodeID="A249"> <fileType rdf:resource="http://spdx.org/rdf/terms#fileType_source"/> <fileName>tools/clean-sat.c</fileName> <rdf:type rdf:resource="http://spdx.org/rdf/terms#File"/> <rdfs:comment> Identified|||Code Match|||tools/clean-sat.c|||Clonezilla|||1.2.10|||GPL 2.0 |||gpl20|||Snippet|||100%|||clonezilla-live-src-1.2.10-12-i686-pae.debian.tar.gz/source/debian/g/gnupg/gnupg_1.4.11.orig.tar.gz.---/gnupg-1.4.11/tools/clean-sat.c|||[2013/07/18(Thu) 9:48:18 pm idented by developer@samsung.com]</rdfs:comment> <checksum rdf:nodeID="A250"/> <licenseInfoInFile rdf:resource="http://spdx.org/rdf/terms#none"/> <copyrightText rdf:resource="http://spdx.org/rdf/terms#none"/> <licenseConcluded rdf:resource="http://spdx.org/licenses/GPL-2.0+"/> <artifactOf rdf:nodeID="A20"/> <licenseComments></licenseComments>

This information will be moved to “artifactOf” field after SPDX1.2

7

SPDX for FOSS Verification Process

• AIRS (Auto IdentifieR using SPDX)

– Import “Identify” result from multiple SPDX files.

Find same checksum between both

Only one identical checksum exists?

Identical files have same “Identify” result?

Exist same file path? (Optional)

NO

NO

YES

YES

Source file Checksum

Checksum File “Identify” result @ SPDX1

Checksum File “Identify” result @ SPDX1

Checksum File “Identify” result @ SPDX2

Checksum File “Identify” result @ SPDX3 Checksum File “Identify” result @ SPDX3

Checksum File “Identify” result @ SPDX3

Source file Checksum

AUTO IDENTIFY Ignore

NO

YES

YES NO

8

SPDX for FOSS Verification Process

• AIRS (Auto IdentifieR using SPDX)

Execute AIRS ex) # java –jar airs.jar ai –h http://127.0.0.1 –u developer@samsung.com –p passwd –proxy-host 127.0.0.1 --proxy-port 8080 --project-id c_13_swc_developer_ai_demo_130826 --spdx-files source.rdf

[ before ]

All Auto-identified

# of Not identified yet

[ after ]

※ OSI: Open source Self Inspector (samsung in-house tool) 9

SPDX for FOSS Verification Process

• Adopting AIRS to our FOSS verification process (In Progress)

New Code

Reused Code

New Code

Reused Code

New code

Reused Code

AIRS

Without AIRS

Auto Identify

Certified Database

3) certified by company (Open Source, Platform)

2) certified by other product team.

1) certified by their previous work.

10

FOSS Distribution Process

• Uploading FOSS packages to the distribution web-site

– For Company: Save Cost / Easy to change source code after release

– For End Users: Easy to get FOSS source code

• Providing Acknowledge the usage of FOSS with Product

– Full copyright and entire text of the license agreement

– Written offer (how to obtain copy of FOSS source code)

– For Company

• Difficult to generate Acknowledgement document.

• Difficult to change after release.

– For Users

• Poor Readability

http://opensource.samsung.com

11

SPDX for FOSS Distribution Process

QR Code/URL included as part of the product documentation (in manual, on box, in device with written offer, etc.)

Ex) QRCode on box

End user visits specified Web site(OSRC) using QR Code (or connect to URL directly)

End user receives license info in the product including source code, license, and compliance contact

Uploading Source code Load Verification Result(SPDX) License Notice and QR Code(URL) created

[ Generating Open Source License Notice using SPDX ] – Easy to generate

[ Providing QR Code instead of full acknowdgement ] – Easy to Change

Admin page in opensource.samsung.com

12

SPDX for FOSS Distribution Process

• Open Source Announcement in Product and Web-Site

QR Code includes Written Offer and Web-Site URL (full license notice and source

download)

http://opensource.samsung.com/opensource/GT-B2100/seq/0

The software included in this product contains open source software.You may obtain the

complete corresponding source code for a period of three years after the last shipment of this

product by sending an email to mailto:oss.request@samsung.com. It is also possible to obtain the complete corresponding

source code in a physical medium such as a CD-ROM; a

minimal charge

Open Brower

Product Web-Site Open Source announcement in the product is Written Offer + QR Code

Open Source announcement in the web-site(OSRC) is whole information

13

SPDX for FOSS Distribution Process

• Validating uploaded source code (In Progress)

Source Codes

Source Codes

AIRS

CASE#3: Not verified source

Verification Result

CASE#2: Checking if it is FOSS or proprietary

CASE#1: FOSS source code isn’t uploaded

14

Future Work

• Contributinng AIRS to SPDX WG@Linux Foundation

http://spdx.org/spdx-tools/tools-from-the-spdx-workgroup

AIRS

Removing Tool Dependency

Reducing Dependency from SPDX evolution

Improving Performance

Considering trade-offs:

15

Future Work

• Contributinng AIRS to SPDX WG@Linux Foundation

– Removing tool Dependencies

Auto Identify API (CLI/ Function call)

SPDX Manager

Identify Abstract Layer

Protex

User Interface

IdentificationInfo AutoIdentifyService

Protex IdentificationInfo

ProtexAutoIdentify Service

SPDX Parser SPDXService

Derived from SPDX-tools

Supportable other Identification tool

Identification Tools

IdentificationInfo

IdentifyService

16