How Today’s Companies are Managing Open Source Software Karen Copenhaver, Choate, Hall & Stewart Mark Radcliffe, DLA Piper Addie Welch, Zenoss Diane Honda, Extreme Networks Webinar November 17, 2009


Page 1: How Todays Companies Are Managing Open Source Software Final

How Today’s Companies are Managing Open Source Software

Karen Copenhaver, Choate, Hall & Stewart

Mark Radcliffe, DLA Piper

Addie Welch, Zenoss

Diane Honda, Extreme Networks

Webinar

November 17, 2009

Page 2

Copyright © 2006 Black Duck Software, Inc. All Rights Reserved.

Speakers

Karen Copenhaver

Partner at Choate Hall & Stewart

Counsel for the Linux Foundation

Addie Welch

Vice President of Legal Affairs, Zenoss

Mark Radcliffe

Partner at DLA Piper

General Counsel for the Open Source Initiative (OSI)

Diane Honda

Vice President, General Counsel, Extreme Networks

Page 3

Agenda

Introduction
– Open Source Industry Trends
– Challenges in managing open source

Case Studies in Managing Open Source
– Zenoss
– Extreme Networks

Summary

Q & A

Page 4

The “Abundance” of Open Source

Open source projects:
– 220,000+ OSS projects
– Tens of billions of lines of code

From a recently completed study of commercial developer projects:
– 22% of a typical application/project is open source
– Avg project size: ~700MB of code
– Cost to develop the OSS used: ~$26M
– Dozens to hundreds of components
– Sampled hundreds of commercial projects: millions of files, hundreds of GB of code

Page 5

The New Pragmatism: Multi-Source Development with Open Source

Diagram: YOUR COMPANY's Software Application is assembled from Open Source Software, Internally Developed Code, Outsourced Code Development and Commercial 3rd-Party Code; code arrives from Individuals, Universities and Corporate Developers, and each source brings its own Obligations.

Page 6

Even Large, Well-Run Software Companies Have Challenges: Microsoft Windows 7 GPL Violation

The Windows 7 USB/DVD Tool Violated the GPLv2 License
• Code was "multi-source," including code from an external supplier with OSS
• Microsoft pulled the product from the Microsoft Store, then announced it is making the source code and binaries available

Takeaways:
• Even big companies make mistakes
• OSS can enter from many sources
• It's difficult to manage OSS without both process and technology

Page 7

Making Abundance Manageable: What We’re Hearing

Goals for reuse/standardization of up to 80%; build / fix / fit ~20%

Scale – ad hoc use of hundreds of OSS components has led to a management/tracking/support problem

Customers are demanding to know what’s in the code they’re receiving

Need to have oversight and control

Manual governance, compliance and approval processes are:
– Cumbersome/burdensome to developers
– Prone to error
– Often ignored

69% of Companies Surveyed Still Have No Corporate Policy in Place for Using OSS
Source: Gartner Group, September 2008

Page 8

Anarchy of Abundance: Parser Proliferation

Diagram: four development sites (Cambridge, MA; Los Gatos, CA; Bristol, UK; Bangalore, India) drawing on OSS abundance (220,000 projects, billions of LoC), each choosing a parser its own way:

– "I'll use the parser that has the most releases"
– "I'll use the same parser from the Videon project but see if there's a newer version"
– "I'll use a parser with an Apache license"
– "Devin told me that new parser on SF was good"

Page 9

Managing Open Source: Two Case Studies

The Top Challenges

How to Overcome them

Page 10

Overview & Why OSS Management is Important

Developer of Commercial Open Source Software

Distributed under GPL v2 and Commercial License

Customers: Medium to Large Enterprise, OEM, Service Providers, Government, Outsourcers and Educational Institutions

Demand for IP indemnification

Demand for a BOM (Bill of Materials)

Ensure license compliance and prevent license conflict

Due Diligence review

Page 11

Where we were

Geographically distributed developers

Open source advocates who wanted to use everything free

Developers were interpreting open source licenses

Spreadsheet management of third party code

“It’s just a couple of lines of code!”

Page 12

OSS Management Program

Event-driven manual process involving legal and engineering

Checklist-based review and approval for third party code
– Engineering vets necessity
– Engineering provides legal with details of project, license, URL, use in Zenoss
– Legal reviews license, sets out compliance steps
– Engineering implements, signs off on compliance
– BOM kept on Google spreadsheet
– New hires trained on process

Black Duck implementation in process
– To verify our manual BOM compilation
– Automated scan of code delta on nightly build

Page 13

Lessons Learned

Reinforce process and requirements frequently

Ask pointed, direct questions; then ask them again... and again

Follow up is important

Senior management support is essential

A “champion” in engineering is key

Pay attention to all processes and sources of code (including professional services)

Page 14

Managing Open Source: Two Case Studies

The Top Challenges

How to Overcome them

Page 15

Overview

Extreme Networks delivers secure, converged, flexible Ethernet network products for Enterprises, Data Centers and Service Providers

Publicly traded company with presence in over 50 countries.

Over 700 employees supporting over 600 channel and strategic partners worldwide

Software is a key component and differentiator for Extreme Networks products with development centers in 3 locations.

Page 16

Software Licensing

All use of third party software is based on the concepts of protection and respect.

– Protection for the intellectual property rights in Extreme Networks software
  • Review of third party and open source licenses to maintain proprietary rights in Extreme Networks originated code
  • All users must accept Extreme Networks software license terms before access

– Respect for the rights of others in their software
  • Engineers must be aware of the compliance requirements of the accompanying license and ensure that they are complying with those requirements
  • Extreme Networks software license terms respect and flow through third party terms

Page 17

Managing Third Party Software

Discovery
– Obtained a subscription to an automated scanning tool (Black Duck Software's Protex)
– Scanned software products to obtain a complete list of the open source software contained in the products

Compliance
– EULA and product warranty card modified to point customers to a website which lists the open source in each product and the associated licenses

Control
– Use of open source must get Engineering VP and legal approval
– Automated scans of software at key points in the product life cycle are now required

Training
– Required for engineers and managers
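The nightly delta scan in the Zenoss program (Page 12) and the life-cycle scans Extreme Networks now requires (Page 17) reduce to the same check: walk the product tree, attribute every third-party component to a license, and diff the result against the declared BOM, flagging anything undeclared, mislabelled, stale, or copyleft for legal review. The following is an added example written for this page, not code from the webinar or from Zenoss, Extreme Networks or Black Duck's Protex; the third_party/ layout, the license-text fingerprints, the reliance on SPDX-License-Identifier headers, the CSV BOM (standing in for the Google spreadsheet) and the sample tree are all assumptions.

```python
"""Nightly OSS bill-of-materials (BOM) check: scan a tree for third-party components,
infer licenses from license files or SPDX headers, and diff against the declared BOM.
Added example; layout, fingerprints and CSV format are assumptions, not real tooling."""
import csv
import io
import os
import re
import tempfile

LICENSE_PHRASES = [  # text fingerprints (assumed, deliberately small)
    ("GNU GENERAL PUBLIC LICENSE", "GPL-2.0"),
    ("Apache License", "Apache-2.0"),
    ("Permission is hereby granted, free of charge", "MIT"),
    ("Redistribution and use in source and binary forms", "BSD-3-Clause"),
]
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "AGPL-3.0"}  # route to legal review
SOURCE_EXT = {".c", ".h", ".cpp", ".py", ".js", ".java"}
LICENSE_FILE_RE = re.compile(r"^(LICENSE|LICENCE|COPYING)(\.|$)", re.I)
HEADER_RE = re.compile(r"SPDX-License-Identifier:\s*([\w.+-]+)")

def classify_license(text):
    """Map a license text to a short identifier, or 'UNKNOWN' (needs legal review)."""
    if "GNU GENERAL PUBLIC LICENSE" in text and "Version 3" in text:
        return "GPL-3.0"
    for phrase, name in LICENSE_PHRASES:
        if phrase in text:
            return name
    return "UNKNOWN"

def scan_tree(root):
    """Return {component_dir: {"license": ..., "evidence": ...}}. A component is a
    directory holding a license file; a source file with an SPDX header goes to its
    nearest such ancestor, or becomes its own component if it has none (which is how
    'just a couple of lines' pasted into internal code surfaces in the BOM)."""
    comps = {}
    for dirpath, _, files in os.walk(root):  # top-down, so ancestors are seen first
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:  # license files first: they define the component
            if LICENSE_FILE_RE.match(name):
                with open(os.path.join(dirpath, name), errors="replace") as f:
                    comps[rel_dir] = {"license": classify_license(f.read()), "evidence": name}
        for name in files:
            if os.path.splitext(name)[1] not in SOURCE_EXT:
                continue
            with open(os.path.join(dirpath, name), errors="replace") as f:
                m = HEADER_RE.search(f.read(4096))  # headers sit near the top of a file
            if not m or any(c in (".", rel_dir) or rel_dir.startswith(c + "/") for c in comps):
                continue  # no header, or already covered by an ancestor's license file
            comps[rel_dir] = {"license": m.group(1), "evidence": name}
    return comps

def load_declared_bom(csv_text):
    """Parse the declared BOM (the spreadsheet export) into {component: license}."""
    return {r["component"]: r["license"] for r in csv.DictReader(io.StringIO(csv_text))}

def diff_bom(declared, scanned):
    """Diff {component: license} against a scan; pass last night's scan as `declared`
    (licenses only) to get the nightly code delta instead of the full BOM check."""
    out = {"undeclared": [], "license_mismatch": [], "copyleft_review": []}
    for comp, info in scanned.items():
        lic = info["license"]
        if comp not in declared:
            out["undeclared"].append((comp, lic))
        elif declared[comp] != lic:
            out["license_mismatch"].append((comp, declared[comp], lic))
        if lic in COPYLEFT:
            out["copyleft_review"].append(comp)
    out["stale"] = [c for c in declared if c not in scanned]
    return out

# Constructed sample tree and BOM; the component names are made up.
SAMPLE_FILES = {
    "third_party/fastjson/LICENSE": "MIT License\n\nPermission is hereby granted, free of charge, to any person\n",
    "third_party/fastjson/json.c": "// SPDX-License-Identifier: MIT\n",
    "third_party/editline/COPYING": "GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n",
    "third_party/httpcore/LICENSE.txt": "Apache License\nVersion 2.0, January 2004\n",
    "src/app/main.py": "# company code, no third-party markers\n",
    "src/app/util/strbuf.c": "/* SPDX-License-Identifier: GPL-2.0 */\n/* pasted from a mailing list */\n",
}
DECLARED_BOM_CSV = """component,license
third_party/fastjson,MIT
third_party/editline,GPL-3.0
third_party/httpcore,MIT
third_party/oldparser,BSD-3-Clause
"""

def run_example():
    """Materialise the sample tree in a temp dir, scan it, diff it against the BOM."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
        return diff_bom(load_declared_bom(DECLARED_BOM_CSV), scan_tree(root))

if __name__ == "__main__":
    for kind, items in run_example().items():
        print(kind, items)
```

Run directly, it prints the four finding lists: the GPL-2.0 snippet pasted under src/app/util is undeclared, httpcore is declared MIT but ships an Apache license file, oldparser is in the spreadsheet but no longer in the tree, and editline plus the pasted snippet go to legal as copyleft. In a nightly job the sample tree becomes the build tree, the CSV becomes the spreadsheet export, and feeding the previous night's scan to diff_bom reports only the delta. The fingerprint table is the weak point: a pasted snippet with no SPDX header is invisible here, which is why the tools the speakers describe match against full license texts and code fingerprints rather than phrases.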

Page 18

Software Licensing

Key learnings

Had better control and understanding of our use of third party software than expected

Compliance with open source licenses was fairly straightforward to achieve; it was harder to instill the discipline in the organization to maintain it
– Engineering is only one organization which impacts compliance

Vendors often are not where they need to be
– Can't easily get a list of the open source software in their code
– Can't get source code in a timely manner when requested

Page 19

Summary

The benefits of using open source software components are compelling and growing

Treat the management of open source software as an integrated, cross-functional business process

Successful management requires education, policy, automation and reinforcement and reinforcement

Page 20

Q & A