© 2021 Carlo Piana - Array
OPEN SOURCE COMPLIANCE INTEGRATED IN DEVELOPMENT
Alberto Pianon, Carlo Piana – Array
Linaro Connect - 8 September 2021
IN GENERAL
WHY
Compliance is required for many reasons:
‒ Legal
‒ Social (R-E-S-P-E-C-T!)
‒ Ecosystem
HOW (IN A NUTSHELL)
Different levels:
‒ Making sure you are compliant
  ‒ What’s inside your code base (what are you reusing)
  ‒ What is the licensing of inbound-outbound
  ‒ Through a process
‒ Making your downstream aware you are compliant, facilitate adoption:
  ‒ SPDX
  ‒ Software Bill of Materials
  ‒ REUSE
  ‒ OpenChain (ISO 5230)
https://www.reuse.software
https://www.openchainproject.org/
WHEN
Two main approaches:
‒ Post-mortem
‒ Continuous (CI/CD/CC)
ENTER ALLSCENARIOS (CODENAME)
WHAT (CHALLENGES)
‒ An entire multikernel OS (mainly portable, IoT devices etc.)
‒ Based on Yocto / Bitbake
‒ For different target platforms
‒ Thousand packages, all in one
OUR APPROACH
‒ OS in full open since day #1
‒ Compliance, OpenChain fundamental building blocks
‒ The first step of a long journey
‒ An example for others
WHO
‒ Started as an internal project at Huawei
‒ Nearly entirely rebuilt from scratch (HarmonyOS, OpenHarmony, AllScenariOS (working title))
‒ Soon to be donated to Eclipse Foundation (not official)
‒ Working Group already established
‒ Development team fully briefed and on board with the process
‒ Noi Techpark Bolzano
‒ Array
HOW
‒ Scancode, Fossology
‒ Integrated in a CI/CD (via a GitLab CI pipeline)
‒ Audit Team
‒ Aliens4Friends
‒ SPDX
‒ REUSE
‒ Not Clearly Defined
‒ Dashboard
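The pipeline above lists REUSE and SPDX next to a GitLab CI integration. The following is an added example, not code from the presentation or from the AllScenariOS or Aliens4Friends projects: a minimal REUSE-style header lint, of the kind a CI job can run on every commit, that looks for the SPDX-FileCopyrightText and SPDX-License-Identifier tags in each source file and flags license identifiers outside an outbound-policy allow-list. The sample file tree, the 20-line header window and the allow-list are assumptions constructed for the example; the real REUSE tool also handles .license sidecar files and dep5 fallbacks, which this lint does not.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample checkout (not from the talk): path -> file contents.
SAMPLE_TREE: Dict[str, str] = {
    "src/main.c": (
        "// SPDX-FileCopyrightText: 2021 Example Org\n"
        "// SPDX-License-Identifier: Apache-2.0\n"
        "int main(void) { return 0; }\n"
    ),
    "src/util.c": "/* no REUSE header at all */\nint util(void) { return 1; }\n",
    "src/third_party/blob.c": (
        "// SPDX-FileCopyrightText: 2019 Somebody Else\n"
        "// SPDX-License-Identifier: GPL-3.0-or-later\n"
        "void blob(void) {}\n"
    ),
    "scripts/build.sh": "#!/bin/sh\n# SPDX-License-Identifier: MIT\necho build\n",
    "src/dual.c": (
        "// SPDX-FileCopyrightText: 2021 Example Org\n"
        "// SPDX-License-Identifier: MIT OR Apache-2.0\n"
    ),
}

# Assumptions made for this example: tags must appear within the first 20 lines,
# and the project's outbound policy accepts only these SPDX identifiers.
HEADER_LINES = 20
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(\S.*)")
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*(\S.*)")


def header_tags(text: str) -> Tuple[List[str], List[str]]:
    """Collect copyright and license tag values found in the file header."""
    copyrights, licenses = [], []
    for line in text.splitlines()[:HEADER_LINES]:
        m = COPYRIGHT_RE.search(line)
        if m:
            copyrights.append(m.group(1).strip())
        m = LICENSE_RE.search(line)
        if m:
            licenses.append(m.group(1).strip())
    return copyrights, licenses


def identifiers(expression: str) -> List[str]:
    """Split a simple SPDX expression ('MIT OR Apache-2.0') into identifiers.
    'WITH' exceptions and nested parentheses are out of scope for this example."""
    return [tok.strip("()") for tok in re.split(r"\s+(?:AND|OR)\s+", expression)]


def check_file(text: str) -> List[str]:
    """Return the list of findings for one file; empty means compliant."""
    copyrights, licenses = header_tags(text)
    issues: List[str] = []
    if not copyrights:
        issues.append("missing-copyright")
    if not licenses:
        issues.append("missing-license")
    for expr in licenses:
        for ident in identifiers(expr):
            if ident not in ALLOWED_LICENSES:
                issues.append("license-not-allowed:" + ident)
    return issues


def lint_tree(tree: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each non-compliant path to its findings; an empty dict means the CI job passes."""
    report: Dict[str, List[str]] = {}
    for path, text in sorted(tree.items()):
        issues = check_file(text)
        if issues:
            report[path] = issues
    return report


if __name__ == "__main__":
    import sys

    findings = lint_tree(SAMPLE_TREE)
    for path, issues in findings.items():
        print(f"{path}: {', '.join(issues)}")
    sys.exit(1 if findings else 0)
```

Run as a CI step, a non-zero exit blocks the merge until the header is added or the license is cleared by the audit team; the allow-list is where the outbound licensing policy of the project is encoded.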
FOSSOLOGY
‒ what it does and what it helps us to do
‒ what it doesn’t do:
  ‒ code snippets? yes, but it’s no anti-plagiarism tool
  ‒ it’s not a comprehensive tool: it needs input (source packages) from some other tool, and some other tool has to collect its output, generate the SBOM and elaborate stats
FOSSOLOGY: THE PROBLEM
‒ Fossology requires a lot of human work (auditors): hundreds of packages, hundreds of thousands of files, hundreds of man-days (auditing)
‒ Do it the Open Source way, avoiding reinventing the wheel and reusing others’ (trusted) work
THE SOLUTION: DEBIAN MATCHING
‒ Debian is like a trusted “friend” that vouches for the “alien” packages
‒ reuse copyright/license information which has already been collected and maintained by humans@Debian, and is machine readable (DEP5)
‒ DEP5 specs: every file must have a copyright and a license in the debian/copyright file of the Debian package
‒ debian/copyright is machine readable, we can reuse all metadata!
THE SOLUTION: DEBIAN MATCHING
‒ it does not solve everything:
  ‒ not always a full match in Debian
  ‒ not all packages may be found in Debian
  ‒ not all debian/copyright files are machine readable :(
‒ but it really helps and saves a substantial amount of human work
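To make the DEP5 point of the two slides above concrete, here is an added example (not code from the talk or from Aliens4Friends) of a small parser for a machine-readable debian/copyright file. It checks the Format header (the "not machine readable" caveat), turns the globs of each Files paragraph into matchers following the DEP5 rules (`*` matches any characters including `/`, `?` a single character, a backslash escapes the next character, and a later paragraph overrides an earlier one), looks up copyright and license per file, and reports the files no paragraph covers, which is the "not always a full match" case that still needs an auditor. The debian/copyright text and the file paths are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

DEP5_FORMAT = "https://www.debian.org/doc/packaging-manuals/copyright-format/1.0"

# Constructed debian/copyright excerpt in DEP5 format (not from any real package).
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example

Files: *
Copyright: 2010-2020 Example Upstream Authors
License: GPL-2.0+

Files: lib/* tools/helper.py
Copyright: 2015 Some Library Author
License: LGPL-2.1+

Files: lib/compat/*.h
Copyright: 2018 Compat Author
License: MIT

Files: debian/*
Copyright: 2019 Debian Maintainer <maint@example.invalid>
License: GPL-2.0+

License: MIT
 Permission is hereby granted, free of charge, ...
"""
# Same file without the catch-all paragraph: some files will not be covered.
SAMPLE_PARTIAL = SAMPLE_COPYRIGHT.replace("Files: *\n", "Files: src/*\n")
# Constructed pre-DEP5 free-text file: nothing can be reused from it automatically.
SAMPLE_LEGACY = "This package was debianized by Someone <someone@example.invalid>.\n"


def parse_paragraphs(text: str) -> List[Dict[str, str]]:
    """Split into blank-line separated paragraphs of 'Field: value' entries;
    a line starting with whitespace continues the previous field."""
    paragraphs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                paragraphs.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def is_machine_readable(paragraphs: List[Dict[str, str]]) -> bool:
    """True only if the header paragraph declares the DEP5 format URL."""
    if not paragraphs:
        return False
    fmt = paragraphs[0].get("Format", "").rstrip("/")
    return fmt.replace("http://", "https://") == DEP5_FORMAT


def glob_to_regex(pattern: str) -> "re.Pattern":
    """DEP5 Files glob: '*' matches anything (including '/'), '?' one character,
    backslash escapes the next character."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def build_rules(paragraphs: List[Dict[str, str]]) -> List[Tuple[list, str, str]]:
    """Keep only Files paragraphs, in file order (order decides precedence)."""
    rules = []
    for para in paragraphs:
        if "Files" not in para:
            continue  # header paragraph or stand-alone License paragraph
        globs = [glob_to_regex(g) for g in para["Files"].split()]
        short_license = para.get("License", "").splitlines()[0] if para.get("License") else ""
        rules.append((globs, para.get("Copyright", ""), short_license))
    return rules


def load(text: str) -> Optional[List[Tuple[list, str, str]]]:
    """Parse a debian/copyright; None means it is not machine readable."""
    paragraphs = parse_paragraphs(text)
    return build_rules(paragraphs) if is_machine_readable(paragraphs) else None


def lookup(rules: List[Tuple[list, str, str]], path: str) -> Optional[Tuple[str, str]]:
    """Return (copyright, license) for a path; later paragraphs win over earlier ones."""
    for globs, copyright_, license_ in reversed(rules):
        if any(rx.match(path) for rx in globs):
            return copyright_, license_
    return None


def unmatched_files(rules: List[Tuple[list, str, str]], paths: List[str]) -> List[str]:
    """Files the debian/copyright does not cover: these still go to a human auditor."""
    return [p for p in paths if lookup(rules, p) is None]
```

The per-file result is exactly what a tool like Fossology would otherwise ask an auditor to decide by hand; anything `load` rejects or `unmatched_files` returns is the residual human work the slide refers to.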
BACK TO THE COMMUNITY
‒ Aliens4Friends (open source)
‒ All compliance documents, procedures, artifacts
‒ Dashboard
‒ All under Apache license, where permitted
‒ Including SBOM
‒ Database of decisions
‒ Upstream to ClearlyDefined (very likely)
‒ Upstream REUSE fix / MR
This work is licensed under a Creative Commons - Attribution - ShareAlike 4.0 license.
Presentation made using Reveal.js and a workflow with Markdown and reveal-md.