TRANSCRIPT
How Today’s Companies are Managing Open Source Software
Karen Copenhaver, Choate, Hall & Stewart
Mark Radcliffe, DLA Piper
Addie Welch, Zenoss
Diane Honda, Extreme Networks
Webinar
November 17, 2009
Copyright © 2006 Black Duck Software, Inc. All Rights Reserved.
Page 2
Speakers
Karen Copenhaver
Partner at Choate Hall & Stewart
Counsel for the Linux Foundation
Addie Welch
Vice President of Legal Affairs, Zenoss
Mark Radcliffe
Partner at DLA Piper
General Counsel for the Open Source Initiative (OSI)
Diane Honda
Vice President, General Counsel, Extreme Networks
Page 3
Agenda
Introduction
– Open Source Industry Trends
– Challenges in managing open source
Case Studies in Managing Open Source
– Zenoss
– Extreme Networks
Summary
Q & A
Page 4
The “Abundance” of Open Source
Open source projects:
– 220,000+ OSS projects
– Tens of billions of lines of code
From a recently completed study of commercial developer projects:
– 22% of typical application/project is open source
  Avg project size: ~700MB of code
  Cost to develop the OSS used: ~$26M
  Dozens to hundreds of components
– Sampled hundreds of commercial projects
  Millions of files
  Hundreds of GB of code
Page 5
The New Pragmatism: Multi-Source Development with Open Source
[Diagram: your company's software application is assembled from open source software, internally developed code, outsourced code development and commercial 3rd-party code. The open source software itself comes from individuals, universities and corporate developers. Code flows in; obligations flow with it.]
Page 6
Even Large, Well-Run Software Companies Have Challenges: Microsoft Windows 7 GPL Violation
The Windows 7 USB/DVD Tool Violated GPLv2 License
• Code was “multi-source,” including code from an external supplier with OSS
• Microsoft pulled the product from the Microsoft Store, then announced it is making the source code and binaries available
Takeaways:
• Even big companies make mistakes
• OSS can enter from many sources
• It’s difficult to manage OSS without both process and technology
Page 7
Making Abundance Manageable: What We’re Hearing
Goals for reuse/standardization of up to 80%; build / fix / fit ~20%
Scale – ad hoc use of hundreds of OSS components has led to a management/tracking/support problem
Customers are demanding to know what’s in the code they’re receiving
Need to have oversight and control
Manual governance, compliance and approval processes are:
– Cumbersome/burdensome to developers
– Prone to error
– Often ignored
69% of Companies Surveyed Still Have No Corporate Policy in Place for Using OSS (Source: Gartner Group, September 2008)
Page 8
Anarchy of Abundance: Parser Proliferation
Development sites: Cambridge, MA; Los Gatos, CA; Bristol, UK; Bangalore, India
OSS Abundance:
• 220,000 projects
• Billions of LoC
Each site's developer picks a parser independently:
“I’ll use the parser that has the most releases.”
“I’ll use the same parser from the Videon project but see if there’s a newer version.”
“I’ll use a parser with an Apache license.”
“Devin told me that new parser on SF was good.”
Page 9
Managing Open Source: Two Case Studies
The Top Challenges
How to Overcome them
Page 10
Overview & Why OSS Management is Important
Developer of Commercial Open Source Software
Distributed under GPL v2 and Commercial License
Customers: medium to large enterprise, OEM, service providers, government, outsourcers and educational institutions
Demand for IP indemnification
Demand for BOM (Bill of Materials)
Ensure license compliance and prevent license conflict
Due diligence review
Page 11
Where we were
Geographically distributed developers
Open source advocates who wanted to use everything free
Developers were interpreting open source licenses
Spreadsheet management of third party code
“It’s just a couple of lines of code!”
Page 12
OSS Management Program
Event-driven manual process involving legal and engineering
Checklist-based review and approval for third party code
– Engineering vets necessity
– Engineering provides legal with details of project, license, URL, use in Zenoss
– Legal reviews license, sets out compliance steps
– Engineering implements, signs off on compliance
– BOM kept on Google spreadsheet
– New hires trained on process
Black Duck implementation in process
– To verify our manual BOM compilation
– Automated scan of code delta on nightly build
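An added example (not code from the webinar, from Zenoss or from Black Duck) of the verification step above: a nightly check that reconciles the BOM spreadsheet with what a scan of the code actually found. The CSV export, the scan results and the GPLv2 compatibility table are all constructed assumptions for illustration.

```python
import csv
import io

# Simplified compatibility table (an assumption for this example): licenses whose
# components may be combined into a product distributed under GPLv2. Apache-2.0 is
# deliberately absent because the FSF treats it as incompatible with GPLv2.
GPLV2_COMPATIBLE = {"GPL-2.0", "LGPL-2.1", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed export of the BOM spreadsheet: what engineering told legal is in use.
DECLARED_BOM_CSV = """component,license
netlib,MIT
snmplib,BSD-2-Clause
graphdb,GPL-2.0
"""

# Constructed nightly scan result: component -> license the scanner identified.
SCAN_RESULTS = {
    "netlib": "MIT",
    "snmplib": "BSD-3-Clause",   # actual license differs from the declared one
    "xmlparser": "Apache-2.0",   # "just a couple of lines" that never went to legal
    "mibparser": "Proprietary",  # vendor-supplied code nobody reviewed
}

def parse_bom(text):
    """Turn the CSV export into a {component: license} mapping."""
    return {row["component"]: row["license"] for row in csv.DictReader(io.StringIO(text))}

def reconcile(declared, scanned, compatible=GPLV2_COMPATIBLE):
    """Compare the declared BOM with the scan and return four sorted finding lists:
    undeclared (scanned but never reviewed), stale (declared but no longer present),
    mismatched (declared under a different license), conflicts (license not on the
    GPLv2-compatible list)."""
    return {
        "undeclared": sorted(set(scanned) - set(declared)),
        "stale": sorted(set(declared) - set(scanned)),
        "mismatched": sorted(c for c in declared if c in scanned and declared[c] != scanned[c]),
        "conflicts": sorted(c for c, lic in scanned.items() if lic not in compatible),
    }

def nightly_check():
    """Run the reconciliation; any non-empty finding list should block sign-off."""
    findings = reconcile(parse_bom(DECLARED_BOM_CSV), SCAN_RESULTS)
    for kind, names in findings.items():
        for name in names:
            print(f"{kind}: {name}")
    return findings

if __name__ == "__main__":
    nightly_check()
```

On the constructed data the check surfaces two components legal never saw, one stale BOM entry, one license mismatch, and two components whose licenses conflict with GPLv2 distribution.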
Page 13
Lessons Learned
Reinforce process and requirements frequently
Ask pointed, direct questions; then ask them again... and again
Follow up is important
Senior management support is essential
A “champion” in engineering is key
Pay attention to all processes and sources of code (including professional services)
Page 14
Managing Open Source: Two Case Studies
The Top Challenges
How to Overcome them
Page 15
Overview
Extreme Networks delivers secure, converged, flexible Ethernet network products for Enterprises, Data Centers and Service Providers
Publicly traded company with presence in over 50 countries.
Over 700 employees supporting over 600 channel and strategic partners worldwide
Software is a key component and differentiator for Extreme Networks products with development centers in 3 locations.
Page 16
Software Licensing
All use of third party software is based on the concepts of protection and respect.
– Protection for the intellectual property rights in Extreme Networks software
  Review of third party and open source licenses to maintain proprietary rights in Extreme Networks originated code
  All users must accept Extreme Networks software license terms before access
– Respect for the rights of others in their software
  Engineers must be aware of the compliance requirements of the accompanying license and ensure that they are complying with those requirements.
  Extreme Networks software license terms respect and flow through third party terms
Page 17
Managing Third Party Software
Discovery
– Obtained a subscription to an automated scanning tool (Black Duck Software’s Protex)
– Scanned software products to obtain a complete list of the open source software contained in the products
Compliance
– EULA and product warranty card modified to point customers to website which lists the open source in each product and the associated licenses.
Control
– Use of open source must get Engineering VP and legal approval.
– Automated scans of software at key points in product life cycle are now required.
Training
– Required for engineers and managers
Page 18
Software Licensing
Key learnings
Had better control and understanding of our use of third party software than expected
Compliance with open source licenses was fairly straightforward to achieve; harder to instill discipline in the organization to maintain it
– Engineering is only one organization which impacts compliance
Vendors often are not where they need to be
– Can’t easily get list of open source software in their code
– Can’t get source code in a timely manner when requested
Page 19
Summary
The benefits of using open source software components are compelling and growing
Treat the management of open source software as an integrated, cross-functional business process
Successful management requires education, policy, automation and reinforcement and reinforcement
Q & A