OPEN SOURCE COMPLIANCE INTEGRATED IN DEVELOPMENT
Alberto Pianon, Carlo Piana – Array
Linaro Connect - 8 September 2021
© 2021 Carlo Piana - Array
IN GENERAL
WHY
Compliance is required for many reasons:
‒ Legal
‒ Social (R-E-S-P-E-C-T!)
‒ Ecosystem
HOW (IN A NUTSHELL)
Different levels:
‒ Making sure you are compliant:
  ‒ What’s inside your code base (what are you reusing)
  ‒ What is the licensing of inbound and outbound code
  ‒ Through a process
‒ Making your downstream aware you are compliant, facilitating adoption:
  ‒ SPDX
  ‒ Software Bill of Materials
  ‒ REUSE
  ‒ OpenChain (ISO 5230)
https://www.reuse.software
https://www.openchainproject.org/
WHEN
Two main approaches:
‒ Post-mortem
‒ Continuous (CI/CD/CC)
ENTER ALLSCENARIOS (CODENAME)
WHAT (CHALLENGES)
‒ An entire multikernel OS (mainly portable, IoT devices etc.)
‒ Based on Yocto / Bitbake
‒ For different target platforms
‒ Thousands of packages, all in one
OUR APPROACH
‒ OS fully open since day #1
‒ Compliance, OpenChain fundamental building blocks
‒ The first step of a long journey
‒ An example for others
WHO
‒ Started as an internal project at Huawei
‒ Nearly entirely rebuilt from scratch (HarmonyOS, OpenHarmony, AllScenariOS (working title))
‒ Soon to be donated to Eclipse Foundation (not official)
‒ Working Group already established
‒ Development team fully briefed and on board with the process
‒ Noi Techpark Bolzano
‒ Array
HOW
‒ Scancode, Fossology
‒ Integrated in a CI/CD (via a GitLab CI pipeline)
‒ Audit Team
‒ Aliens4Friends
‒ SPDX
‒ REUSE
‒ Not ClearlyDefined
‒ Dashboard
FOSSOLOGY
What it does and what it helps us to do, and what it doesn’t do:
‒ code snippets? yes, but it’s no anti-plagiarism tool
‒ it’s not a comprehensive tool: it needs input (source packages) from some other tool
‒ some other tool has to collect its output, generate the SBOM and elaborate stats
FOSSOLOGY: THE PROBLEM
Fossology requires a lot of human work (auditors):
‒ hundreds of packages, hundreds of thousands of files, hundreds of man-days (auditing)
‒ Do it the Open Source way: avoid reinventing the wheel and reuse others’ (trusted) work
THE SOLUTION: DEBIAN MATCHING
‒ Debian is like a trusted “friend” that vouches for the “alien” packages
‒ reuse copyright/license information which has already been collected and maintained by humans @Debian, and is machine readable (DEP5)
‒ DEP5 spec: every file must have a copyright and a license in the debian/copyright file of the Debian package
‒ debian/copyright is machine readable, so we can reuse all its metadata!
THE SOLUTION: DEBIAN MATCHING
It does not solve everything:
‒ not always a full match in Debian; not all packages may be found in Debian; not all debian/copyright files are machine readable :(
‒ but it really helps and saves a substantial amount of human work
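Added example (not from the talk, and not Aliens4Friends code): a minimal lookup over a constructed DEP5 debian/copyright file, showing the metadata reuse of the previous slide (each file mapped to a copyright and license through Files stanzas, last matching stanza wins) together with the edge case from this slide, a legacy free-form copyright file without a Format: header that must be handed back to a human auditor. The sample files and names are assumptions made for the example.

```python
"""Added example: look up copyright/license for a file via a DEP5 debian/copyright."""
import re
# Constructed sample in the DEP5 copyright-format/1.0 layout (not from a real package).
SAMPLE_DEP5 = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2015-2020 Example Upstream Authors
License: GPL-2.0-or-later

Files: lib/compat/*.c
 lib/compat/*.h
Copyright: 2012 Compat Contributor
License: MIT
"""
# Constructed legacy, free-form copyright file: no Format: header, not machine readable.
SAMPLE_LEGACY = "This package was debianized by someone.\nLicense: see COPYING\n"

def parse_paragraphs(text):
    """Split into blank-line-separated stanzas (dicts), folding continuation lines."""
    stanzas, last = [{}], None
    for line in text.splitlines():
        if not line.strip():
            stanzas.append({}); last = None
        elif line[0] in " \t" and last:          # continuation line of previous field
            stanzas[-1][last] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last = key.strip()
            stanzas[-1][last] = value.strip()
    return [s for s in stanzas if s]

def pattern_to_regex(pattern):
    """DEP5 glob: '*' matches anything incl. '/', '?' one char, backslash escapes."""
    tokens = re.findall(r"\\.|.", pattern)     # each token: escaped char or single char
    parts = [{"*": ".*", "?": "."}.get(t, re.escape(t[-1])) for t in tokens]
    return re.compile("^" + "".join(parts) + "$")

def lookup(copyright_text, path):
    """Return (copyright, license) for path; None if not DEP5 or nothing matches."""
    stanzas = parse_paragraphs(copyright_text)
    if not stanzas or "Format" not in stanzas[0]:
        return None                              # free-form file: needs a human auditor
    match = None
    for stanza in stanzas[1:]:
        pats = stanza.get("Files", "").split()   # stand-alone License stanzas have none
        if any(pattern_to_regex(p).match(path) for p in pats):
            match = stanza                       # DEP5 rule: last matching stanza wins
    return (match["Copyright"], match["License"]) if match else None
```

A None result is the signal to route the package to the audit team rather than to the SBOM generator.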
BACK TO THE COMMUNITY
‒ Aliens4Friends (open source)
‒ All compliance documents, procedures, artifacts
‒ Dashboard
‒ All under Apache license, where permitted
‒ Including SBOM
‒ Database of decisions
‒ Upstream to ClearlyDefined (very likely)
‒ Upstream REUSE fix / MR
This work is licensed under a Creative Commons - Attribution - ShareAlike 4.0 license.
Presentation made using Reveal.js and a Markdown workflow with reveal-md.