Open Source Governance And Resources - OMG

Transcription

Open Source Governance and Resources
Object Management Group, Standards for FOSS Governance Workshop
December 11, 2013
Virginia Fournier, Senior Counsel, Cloud Computing and Open Source, Hewlett-Packard Company
Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Agenda
- Open source landscape
- Why open source governance matters
- HP's approach
- Available resources
- Q&A

Open source landscape

Examples of open source software
It is everywhere
[Logo slide; Gerrit is the only project name that survived transcription]

Benefits of using open source software
- High quality software with zero marginal cost
- Source code can be customized for specific needs
- Participation in the open source community can bring many benefits to an organization's business
- Direct user input that drives improvements
- Great security record (more eyes)
- Low-cost tools for software development and distribution widely available
- Avoid vendor lock-in and minimize development costs
- Decrease time-to-market for software products and solutions

Industry-wide open source successes
- Operating systems: Linux (embedded, mobile, server)
- Web serving: Apache, the world's most popular web server
- Java middleware: Tomcat, JBoss, Spring, Struts and Hibernate
- Web development languages: Perl, Python, PHP, Ruby, Rails, Grails, Go and JavaScript
- Internet security: SSH/SSL
- Cloud: OpenStack and CloudStack
- Developer environments: Eclipse
- Development tools: GCC and the GNU Tool Chain
- Databases: MySQL, MariaDB, Drizzle, PostgreSQL and NoSQL
- System management: Nagios, CFEngine, Puppet and Chef
- Distributed file & print services: Samba
- Web content management: Drupal, WordPress, Plone and MediaWiki
- Virtualization: Xen and KVM
- Big Data analytics: Hadoop, Cassandra, Hive, Zookeeper, Traffic Server and Memcached
- Web browsing: Firefox, Chrome and Opera
- Office productivity: OpenOffice / LibreOffice

Challenges of using open source

Licensing
- Key misunderstanding of open source licenses: there are obligations
- Open source licenses and licensing can be complex and complicated

Tracking & managing data
- Keeping track of what open source is being used as products are developed
- Keeping track of the various open source licenses that govern different code bits used by an application, and how those code bits governed by different licenses interact

Questions to ask about each component
- How is it acquired?
- How is it chosen?
- How is it used? Where?
- How is it supported?
- How is it updated and secured?
- How is the project tracked?
- How is it licensed?
- How mature is it?

How is open source software different from commercial software?

Commercial software
- Negotiated agreement
- Warranties
- Indemnification
- Support available
- No copyleft issues
- Costs money

Open source software
- No negotiations: take license "as is"
- No warranties
- No indemnification (IP)
- Support may not be available
- May have copyleft issues
- No cost

Why licenses are important
- The fact that a piece of software may be readily available for free does not mean that the software is in the public domain (it's not like "free beer").
- The copyright owner's permission is required to copy, distribute, or modify binary or source code under copyright law.
- The copyright owner's permission is in the form of a license.
- Open source software and license selections have legal implications.
Key message: open source software is licensed

Why open source governance matters

Why open source governance is important
- Open source is everywhere!
- Open source usage & contributions often not visible
- Increasing requirements for compliance
- IT policies & processes may be insufficient
  - Usage must be reviewed in context (internal vs. distribution)
  - Legal exposure from 60 Open Source Initiative ("OSI") "approved" licenses (and there are many others); many free & open source software ("FOSS") packages could be in one product
  - Open source license violations may be treated/handled differently than violations of proprietary software licenses
- Streamlined processes help to reap benefits & mitigate risks

HP's approach

HP's breadth in open source
- Deploy internally
- Embed
- Redistribute
- Contribute IP
- Participate
- Help customers

HP open source activities
- Review process
- Project alignment
- Community outreach

Evaluating open source projects
Is the project healthy? Some things to consider are:
- Determine the age of the project.
- Identify people. Who is involved in the project?
- Know the date of the last release.
- Find out if questions on the mailing list get answered.
- Are developers open to ideas from others on the mailing list?
- What are the license terms and can you comply with them?
- Do developers have a roadmap (formal or informal) for the project?

Case Study: OpenStack Project
- Project began in July 2010
- 13,000 individual members from 130 countries, and 850 organizations; platinum sponsors include AT&T, Canonical, HP, IBM, Nebula, Rackspace, Red Hat and SUSE
- Havana is the latest release, October 17, 2013
- Questions on the mailing list and on the website do get answered
- Developers open to ideas from other members of the community
- Licensed under Apache 2.0
- Developers do have a roadmap for the OpenStack Project, and it's on the OpenStack website

Open source governance lessons learned
- Corporate-wide policies defined and communicated
- Develop open source legal expertise
- Corporate-wide training and awareness
- Inventory and track open source
- Need for open source review process/board
- Leverage tools for analysis and automation
- Special interest groups
- Find the org champions/sponsors

Best practices and available resources

HP shares best practices openly
Promoting open source governance in enterprises

FOSSology (http://www.fossology.org)
- Forum to facilitate study of FOSS via free data analysis tools
- Original FOSSology tool-set developed and contributed by HP
- Tools scan files for licenses and copyright notices
- Similar to Black Duck, Palamida

FOSS governance community (URL truncated in transcription: ...undation.org/programs/legal/compliance)
- Community for FOSS governance, especially in the IT environment
- Focus is on developing and sharing information and best practices, education, tools
- Founded by HP and partners; now part of the Linux Foundation's Open Compliance Program

SPDX (http://www.spdx.org)
- Forum to standardize the format for communicating the components, licenses and copyrights associated with a software package
- Specification drafting began in a workgroup of FOSSBazaar; now part of the Open Compliance Program

FOSSology
http://www.fossology.org
Open source project built around an open and modular architecture for analyzing software

Linux Foundation Open Compliance Program
- A workgroup of the Linux Foundation
- Capture benefits and minimize risks of open source
- A community & knowledge-base for the exchange of best practices in:
  - Open source acquisition and deployment
  - Defining policies for governing open source usage
  - Instituting processes for execution of those policies
  - Identifying tools and other resources to aid the execution of those processes
  - Discussing current events affecting open source

SPDX
- SPDX standard format for communicating licenses and copyrights associated with a software package
  - Focus is on just the facts: no interpretations or legal analysis
  - Provides a unified method for exchanging license information
  - Avoids due diligence redundancy
- SPDX working group is organized under the Linux Foundation's Open Compliance Program
  - Intellectual property contributed by participants
  - SPDX data file covered under the Creative Commons CC0 1.0 Universal license
  - SPDX specification covered under the Creative Commons Attribution License 3.0
- Structure
  - General meeting and mailing list
  - Teams: Technical, Business and Legal
- Very inclusive process
  - Self-subscription for interested participants
  - Those willing to "do" can influence direction
  - Mailing lists, wiki, phone calls, Birds of a Feather (BOF) sessions
http://spdx.org
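The slides describe two mechanics without showing them: scanners that read files for license and copyright notices (the FOSSology slide) and the rule that usage must be reviewed in context, internal use versus distribution (the governance slide). The following is an added example, not FOSSology, SPDX or HP code, that does both on a constructed sample tree: it records an SPDX short identifier and copyright notices per file, then applies a small context-aware review rule. The license identifiers are real SPDX ids; the policy categories, the phrase patterns and the sample files are assumptions made for the example.

```python
"""Added example: build an SPDX-style license inventory for a set of
files and decide which entries need review for a given usage context.
Not FOSSology/SPDX project code; inputs and policy table are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Coarse policy categories for a few real SPDX short identifiers.
# Constructed subset: a real policy covers the whole SPDX License List.
LICENSE_CATEGORY: Dict[str, str] = {
    "MIT": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "LGPL-2.1-only": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}

# Preferred signal: an SPDX-License-Identifier tag in the file header
# (a simple license expression such as "MIT OR Apache-2.0" is captured whole).
SPDX_TAG_RE = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)
# Fallback: characteristic license-text phrases (constructed, deliberately small).
# Order matters: the Affero and Lesser phrases are checked before plain GPL.
LICENSE_PHRASES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"Apache License,?\s+Version 2\.0", re.I), "Apache-2.0"),
    (re.compile(r"GNU Affero General Public License", re.I), "AGPL-3.0-only"),
    (re.compile(r"GNU Lesser General Public License", re.I), "LGPL-2.1-only"),
    (re.compile(r"GNU General Public License.{0,120}?version 2\b", re.I | re.S), "GPL-2.0-only"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
]
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\(c\)\s*|©\s*)?\d{4}[^\r\n]*", re.I)


@dataclass
class Finding:
    path: str
    license_id: Optional[str]   # SPDX id, or None when nothing was recognised
    copyrights: List[str]


def detect_license(text: str) -> Optional[str]:
    """Return an SPDX identifier for the file text, or None if unknown."""
    tag = SPDX_TAG_RE.search(text)
    if tag:
        return tag.group(1)
    for pattern, spdx_id in LICENSE_PHRASES:
        if pattern.search(text):
            return spdx_id
    return None


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping and record license id and notices."""
    return [Finding(p, detect_license(t), COPYRIGHT_RE.findall(t))
            for p, t in sorted(files.items())]


def review_decision(license_id: Optional[str], context: str) -> str:
    """Apply the 'review in context' rule (internal use vs. distribution).
    Simplified assumption: copyleft obligations are triggered by distribution,
    except network copyleft, which is flagged in every context."""
    if license_id is None:
        return "review: license unknown"
    cat = LICENSE_CATEGORY.get(license_id)
    if cat is None:
        return "review: license not in policy"
    if context == "internal" and cat != "network-copyleft":
        return "ok"
    if cat == "permissive":
        return "ok"
    return f"review: {cat} obligations on {context}"


def inventory(files: Dict[str, str], context: str) -> Dict[str, Tuple[Optional[str], str]]:
    """Return {path: (license_id, decision)}: the governance inventory."""
    return {f.path: (f.license_id, review_decision(f.license_id, context))
            for f in scan_files(files)}


# Constructed sample tree (not real project files).
SAMPLE_FILES: Dict[str, str] = {
    "lib/util.c": "// SPDX-License-Identifier: MIT\n// Copyright (c) 2013 Example Corp\nint f(void) { return 0; }\n",
    "vendor/net.c": "/* This program is free software; you can redistribute it under the terms of the\n   GNU General Public License as published by the Free Software Foundation; version 2.\n   Copyright 2010 Some Author */\n",
    "vendor/cloud.py": "# Licensed under the Apache License, Version 2.0\n# Copyright 2013 Example Cloud Project\n",
    "vendor/mystery.js": "// no license header at all\n",
}

if __name__ == "__main__":
    for ctx in ("internal", "distribution"):
        print(f"== {ctx} ==")
        for path, (lic, decision) in inventory(SAMPLE_FILES, ctx).items():
            print(f"{path:18} {lic or 'UNKNOWN':16} {decision}")
```

Running it lists the same four files twice: under "internal" only the unknown-license file is flagged, under "distribution" the GPL-2.0-only file is flagged as well, which is the point of reviewing in context. A file with no recognisable header is always sent for review rather than silently assumed permissive; that is the "inventory and track" lesson from the slides applied as a default.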

A sample of available resources

Organizations
- Open Source Initiative (OSI)
- Free Software Foundation (FSF)
- FSF Free Software Licensing and Compliance Lab
- FSFE Freedom Task Force (FTF)
- gpl-violations.org
- Software Freedom Law Center

Communities
- Linux Foundation Open Compliance Program
- FSFE Legal Network

News and journals
- International Free and Open Source Software Law Review

Conferences
- FSFE ELN (European Legal Network)
- EOLE - European Open Source Law Event

Tools
- FOSSology
- Binary Analysis Tool
- Open Source License Checker
- Proprietary tools from Black Duck, nexB, Palamida

Open source developer resources
- OpenLogic Exchange (OLEX): download certified open source and get support, http://olex.openlogic.com/
- Google Code Search: find open source software by various criteria, http://www.google.com/codesearch
- GitHub: source code hosting and collaborative development, https://github.com/
- SourceForge: popular open source repository, http://sourceforge.net/
- Ohloh: open source project info/insight, social networking, http://www.ohloh.net/

Summary
- Open source software is pervasive and its use is increasing
- Companies should think holistically about their use of open source software
- Companies should make informed decisions about open source
[Diagram labels: ...ance (truncated in transcription), Contribution, Tooling]

Q&A
