oss governance
DESCRIPTION
This session will present the 2 new projects initiated by HP around Open Source Governance:
● FOSSBazaar is a community Web site gathering all types of information around Open Source Governance (policy examples, workflow models, white papers, blogs of experts, references to related projects, ...)
● FOSSology is a tool helping in the evaluation of the Open Source licenses really used in projects, by doing code analysis and pattern matching searches in it and reporting what has been found. A video of the FOSSology Project Lead, Bob Gobeille, will be made specially for the fOSSa event.
TRANSCRIPT
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Open Source Governance in the Enterprise
Bruno Cornec & Fouad Bendris
Open Source & Linux Technology Architect
HP/Intel Solution Center
18 November 2009 FOSS Governance / Bruno Cornec / HP
Agenda
• Introduction
• Open Source in the Enterprise
• What is Open Source Governance?
−Concepts
−Best practices
• HP's Open Source Governance initiative
−FOSSBazaar
−FOSSology
−HP Health Check services
Introducing myself
• Software engineering since 1988
−Mostly Configuration Management Systems (CMS), build systems, quality tools, on multiple commercial Unix systems
• Discovered Open Source & Linux (OSL) & made first contributions in 1993
• Full time on OSL since 1995, first as HP reseller then @HP
• Currently…
−Technology Architect on OSL for the HP/Intel Solution Center
−OSL HP Ambassador
−EMEA OSL HP Profession Lead
−Solutions Linux Conference board member
−MondoRescue, Dploy.org, Project-Builder.org project leader
−LinuxCOE, mrepo, tellico contributor
−Mandriva, Fedora distribution packager
“Open Source” is three things
Licenses | Community | Methodology
•You can use all three as a competitive advantage
•The business model shifts to subscriptions and support
•The more you get involved, the more you can influence/control
Licenses:
−Almost 60 licenses today
−Some require that code changes be returned to the community at large. These are called copyleft or reciprocal. They are not viral. This requirement is what makes the methodology work.
−Other licenses are similar to the public domain and have few requirements
−Copyrights are still a core foundational element of all open source licenses
Community:
−Any collection of developers with a common interest
−Historically made up of free agents
−Increasingly funded by large companies sharing development costs
−Governments and academia also contributing at an increasing pace
Methodology:
−Communal, shared development
−Various projects each with their own subculture
−Governance models vary widely, some autocratic, others consensus based
−Very few roadmaps, but some projects are starting to publish them
−Influence and control is achieved by being integrated & involved
−Individuals are largely in control, not companies
Free & Open Source Software (FOSS) Licenses
[Figure: license landscape, contrasting binary-only and no-charge software (freeware, shareware, Adobe Reader), source available with limitations (Sun SCSL, Microsoft shared source, many Java libraries) and FOSS licenses arranged from "no impact on other code" to "copyleft" (BSD, MIT, Apache, W3C, IBM, Mozilla, GNU LGPL, GNU GPL).]
Reference URL: http://www.gnu.org/licenses/licenses.en.html
Free & Open Source Licenses Key Points
• Redistribution is permitted without a need to pay fees for distributed copies.
• Source code is available and may be modified.
• Modified versions may be distributed with permission for others to do all the above.
FOSS goals are:
• Knowledge sharing
• Modification to adapt
• Learning by looking inside
FOSS is like a car whose hood is open.
Open Source Governance: Concepts
What is IT Governance?
Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT. (Weill & Ross, “IT Governance”)
IT Governance is the effective management of all IT assets, functions & processes in support of the enterprise’s business objectives.
IT Governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT. (Van Grembergen, 2002)
Scope of IT Governance
• IT operating principles
− Changes brought by extensive FOSS usage on operational principles (buy, build, reuse, ...)
• IT project portfolio
• Enterprise Architecture
• IT application portfolio
− Impact of mixing stacks using FOSS, evaluation of the technical fit first.
• IT finance
• IT infrastructure / operations
− FOSS deployment and management impacts
• Project/Program methodology
− FOSS program office addition impact, FOSS review in the development process
• Human capital
− Employee participation, performance plan impact, employment contract impact
• Software Development Life Cycle
− Interaction with FOSS communities, its viability
• IT procurement
• IT sourcing
− Impact of FOSS on in/out sourcing
• CRM / SRM
Open Source will affect many areas within an organization's IT governance structure, depending upon the organization's business model.
Open Source Governance: Why now?
• Compelling FOSS value proposition leading to increased pervasiveness.
• FOSS usage & contributions are often unclear, under the radar. 80% of IT environments worldwide (Gartner) include or will include open source SW, but less than 10% are conscious of the risks incurred.
• Increasing worldwide requirements for compliance – Distribution & acquisitions issues.
• Current IT policies and processes not designed for open source:
−Usage must be reviewed in context.
−Legal exposure from ~60 OSI “approved” licenses (HP tracks 200+).
−License violations can have different consequences than traditional software.
Best practices and streamlined processes required to reap benefits and mitigate risks => Eliminate (perceived) risk of using Open Source.
Why is FOSS any different from commercial software?
To use commercial software in your development process,
you must go through….
Procurement!
Accepting and Managing Open Source
• The question is not if an enterprise should use FOSS, but rather when, how, where, and with whom.
• FOSS is unavoidable; it's even already there.
• Questions that need to be answered:
−How is FOSS chosen and acquired?
−Where does it come from?
−How and where is it used?
−How is it supported?
−What version should I be running?
−Is it LSB compliant?
−What are the license obligations?
−How is it deployed, managed, updated and secured?
−How is it tracked (how is the project tracked)?
“The goal of all of this is to reduce a barrier to adoption of FOSS by enterprises. When you can understand it and you can manage it, the FUD factor goes away.”
Christine Martino, as quoted in Matt Asay’s CNET blog on 2008-01-27
What is Open Source Governance?
Image source: http://www.niehs.nih.gov/kids/illusion/illusions7.htm
Open source governance is a framework of policies, processes and tools that helps an organization effectively manage all of its interactions with open source software resulting in optimal use and reduced risk.
Depends on who you ask ...
• What OSS is contained in this product I just purchased from my ISV partner? (Procurement)
• What are the license obligations for using this OSS in our company's products? (Legal)
• Which of these open source LDAP servers will best suit my IT infrastructure? (IT Department)
• Is this open source xml parser really going to save me 20% of my engineer's time? (Engineering manager)
• So, you work on our flagship management software product, but you also want to contribute to nagios? (IP Department)
• Will statically linking this OSS library to my application cause me any problems? (S/W developer)
Open Source Governance: Best practices
HP’s interaction with FOSS
• Internal usage
−OpenLDAP, Jabber (XMPP), bind (DNS), postfix (SMTP), sympa, mediawiki, etc…
• Incorporated in our software products
−OpenView, Insight Manager, SSSTK, PSP, … many software products including kernel modules
• Ship Open Source distributions
−Red Hat, Suse, Debian, etc…
• Embedded in our hardware products
−Printers, televisions, storage devices, etc…
• Active participants in the communities
−Contributors in dozens of projects (including Linux, Debian, Samba, bind, sympa, ...)
−Maintainers in several projects (including Debian, LinuxCOE, MondoRescue, cciss, ...)
http://opensource.hp.com/opensource_projects.html
Open Source Governance Maturity Model
[Figure: five maturity levels (1 to 5), with markers for "Most customers" and "HP today". The levels cover: training and awareness; policy and processes; automated tools and workflow; a "golden" repository of software and metadata; an open source librarian and quality assurance.]
HP Open Source Governance IP
Tools / Agents:
• License analysis
• Source code reuse
• Linux kernel taint analysis
• LSB compliance (conceptual)
• Code repository (in development)
• Meta data (in development)
• OSRB portal / proposal tracking system
Best Practices (HP internally-developed):
• Defined and communicated corporate-wide policies (training, awareness & knowledge base)
• Open Source Program Office: central place where all open source activities are understood, for consistent communication inside/outside the company. Responsible for http://opensource.hp.com and HP's promotion.
• Open Source Review Board: core governance process evolving throughout the years, controlled by a virtual team of Open Source experts. Controls FOSS used, delivered, shipped, new FOSS products, employee contributions, ...
• Open Source Policy Manual
• Legal FOSS expertise
HP Open Source Program Office
[Figure: OSRB proposal workflow, as far as the diagram can be read. Proposals (new & resubmitted) go to OSRB pre-review and attorney review, with feedback to the submitter (Go/No Go, request for additional info); on Go, OSRB IP review and an OSRB check for additional info with the submitter, then OSRB final review; outcomes are Approved, Reject, On-hold or Request for additional info. The legend distinguishes automated communications from manual activities and marks a fast track.]
HP's Open Source Governance initiative
New community initiatives
Major IP contributions
New HP services
HP FOSS Governance Initiative (slide dated 7 March 2008)
Major HP intellectual property contribution:
• An international open source community program launched, focussed on FOSS governance, including:
− FOSSBazaar: a Web based community to develop, share and provide information and industry best practices to take advantage of FOSS benefits. Founded by HP along with partners: Coverity, Google, Linux Foundation, Novell, Olliance Group, OpenLogic and SourceForge.
− FOSSology: a Web based community to develop an architectural framework and tools to analyze FOSS, founded by HP.
[Figure: stakeholder ecosystem around FOSSBazaar: SIs/VARs, academia, government/public sector, corporate developers, ISVs & IHVs, service providers, IT management.]
Developing and supporting the utilization of open standards:
−An ecosystem
• Centered on FOSSBazaar
• Partners/corporate and academia developers, best practices and tools
• HP C&I and Partners Services
• HP SW BTO solutions
−Bridging
• The FOSS and the Business Communities
Why is HP investing in FOSSBazaar and FOSSology?
• Our FSI customers have asked HP to open source our governance tools.
• Demonstrate HP's leadership and strong commitment to the Open Source movement.
−Small projects and/or vendors have begun to address some of this need in a piecemeal fashion.
• This initiative is not in competition with any other organization or individual:
−Anyone can join FOSSBazaar and access the documentation and tools, download, modify, and use what is provided.
−Any contributor can join FOSSology.
−Competition is for products (Open Logic, Palamida, Black Duck, Krugle) and services.
• Enable C&I FOSS governance service revenue.
• Leverage the power of many to speed up the adoption of FOSS.
FOSSBazaar
• A workgroup of the Linux Foundation
• HP's FOSS Governance Fundamentals document
• HP Whitepapers:
− "Best practices in open source governance"
− "Open source governance: Critical business considerations and strategies"
• Assessment guides:
− Open source Governance Maturity Self-assessment survey
− Open source Supportability Assessment (OSSA) tools & process
• Moderated forums
− General/getting started, legal & licensing, policy and process, security, lifecycle management, support
• Blogs authored by industry experts
• News articles
• Links providing access to sponsors/vendors
− (e.g. HP's C&I services, OpenLogic), other open source communities of interest (e.g. openBRR)
• Tools area
− Link to FOSSology project
For FOSS users & experts in businesses, institutions & governments.
FOSSology
[Figure: FOSSology architecture. An Open Source Software Repository and a meta-data database feed a set of agents: OSS discovery & extraction, license detection, code reuse, integration testing results, vulnerability/security monitor, LSB compliance and others, plus report generation. Legend: HP initial IP (1st half '08), HP contribution, future ideas.]
• Makes it easier to inventory, study and evaluate free and open source software.
−Dedicated to the development of governance tools.
−Encompassing a code repository, a meta-data database, and an open source license detection agent.
• Additional agents will be developed over time.
−Based on an extensible architecture designed by HP (Nomos).
• Enable anyone to create and easily plug in new functionality.
−Academia, enterprise researchers & developers interested in deploying FOSS.
• Download site for the FOSSology tool software: http://www.fossology.org
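The description and the slide above say what FOSSology's license detection agent does (code analysis plus pattern matching for license text, then a report), but not how such an agent works. The following is an added example written for this page, not FOSSology's or HP's code: a toy scanner that matches a handful of constructed license signature phrases, sorts each hit into the copyleft / weak copyleft / permissive split used on the license slide, flags files with no recognisable header, and lists what a review board would want to look at first. Signature phrases, the sample file tree and all function names are constructed for the example.

```python
"""Toy license-detection agent in the spirit of FOSSology's license detection
agent: scan files for license signature phrases, classify each hit by the
obligations it carries, and summarise what needs human review.
Added example, not FOSSology's own code; signatures and sample tree are constructed."""
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Constructed signatures: (family, obligation class, phrase characteristic of that license text).
# A real scanner carries far larger phrase catalogues; these few are enough to show the technique.
LICENSE_SIGNATURES = [
    ("GPL", "copyleft", re.compile(r"GNU General Public License", re.I)),
    ("LGPL", "weak copyleft", re.compile(r"GNU Lesser General Public License", re.I)),
    ("Apache-2.0", "permissive", re.compile(r"Apache License,? Version 2\.0", re.I)),
    ("MIT", "permissive", re.compile(r"Permission is hereby granted, free of charge", re.I)),
    ("BSD", "permissive", re.compile(r"Redistributions of source code must retain", re.I)),
]
# GPL-family headers state their version shortly after the license name; capture it.
GPL_VERSION = re.compile(r"General Public License.{0,200}?version (\d(?:\.\d)?)", re.I | re.S)


@dataclass(frozen=True)
class Finding:
    path: str
    license_id: str   # e.g. "GPL-2.0", "MIT", or "NONE-FOUND"
    obligation: str   # "copyleft", "weak copyleft", "permissive" or "unknown"


def detect_licenses(text: str) -> list[tuple[str, str]]:
    """Return (license_id, obligation) pairs for every signature found in text."""
    hits = []
    for family, obligation, signature in LICENSE_SIGNATURES:
        m = signature.search(text)
        if not m:
            continue
        license_id = family
        if family in ("GPL", "LGPL"):
            # Look for the version only after the license name so LGPL and GPL do not cross-match.
            v = GPL_VERSION.search(text, m.start())
            if v:
                version = v.group(1)
                license_id = f"{family}-{version if '.' in version else version + '.0'}"
        hits.append((license_id, obligation))
    return hits


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: content} tree. Files with no recognised header are
    reported as NONE-FOUND so they are not silently treated as license-free."""
    findings = []
    for path in sorted(files):
        hits = detect_licenses(files[path]) or [("NONE-FOUND", "unknown")]
        findings.extend(Finding(path, lid, obl) for lid, obl in hits)
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan a real directory tree (binary content is read with decoding errors ignored)."""
    files = {p.relative_to(root).as_posix(): p.read_text(errors="ignore")
             for p in root.rglob("*") if p.is_file()}
    return scan_files(files)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per obligation class, always reporting all four classes."""
    counts = Counter(f.obligation for f in findings)
    return {k: counts.get(k, 0) for k in ("copyleft", "weak copyleft", "permissive", "unknown")}


def needs_review(findings: list[Finding]) -> list[str]:
    """Paths a review board would look at first: copyleft code (redistribution
    obligations) and files whose license could not be determined."""
    return sorted({f.path for f in findings if f.obligation in ("copyleft", "unknown")})


# Constructed sample tree: license headers typical of each family plus one file with none.
SAMPLE_TREE = {
    "src/main.c": "/* This program is free software; you can redistribute it and/or modify it\n"
                  " * under the terms of the GNU General Public License as published by the Free\n"
                  " * Software Foundation; either version 2 of the License, or any later version. */\n"
                  "int main(void) { return 0; }\n",
    "lib/compat/list.c": "/* This library is free software; you can redistribute it and/or modify it under\n"
                         " * the terms of the GNU Lesser General Public License as published by the Free\n"
                         " * Software Foundation; either version 2.1 of the License. */\n",
    "lib/vendored/json.h": "/* Copyright (c) 2009 Example Author\n"
                           " * Permission is hereby granted, free of charge, to any person obtaining a copy */\n",
    "tools/build.py": "# Licensed under the Apache License, Version 2.0 (the \"License\");\nprint('build')\n",
    "tools/helper.py": "# helper script with no license header\n",
}

if __name__ == "__main__":
    # Write the constructed tree to a temporary directory and scan it from disk.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_TREE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        findings = scan_tree(root)
    for f in findings:
        print(f"{f.path:22} {f.license_id:12} {f.obligation}")
    print("summary:", summarize(findings))
    print("needs review:", needs_review(findings))
```

Two design points matter for governance use. A file with no match is reported as NONE-FOUND rather than dropped, because "no license header" is exactly the case that needs a human (it is not the same as "no obligations"). And the version is searched only after the matched license name, so an LGPL header is never mistaken for GPL; a real agent would additionally compare whole license texts rather than a single phrase, which is what the far larger phrase catalogues in tools like FOSSology's are for.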
Key Paradigm
Tools are NOT a replacement for Open Source governance processes but will improve the processes by providing:
• Enablement (manual process not viable)
• Efficiencies (improved TCO)
• Agility (improved time-to-market)
• Reliability (license detection)
• Scalability (single package as well as complete distribution)
Open Source Health Check - What is it?
• A set of services to diagnose the use of Open Source in an enterprise
• Designed to answer 3 key questions
−What OSS is used in my company?
−Where is it being used?
−How is it being used?
• The diagnosis is the basis for later process improvement
”Changes are never easy to make. There is comfort and safety in tradition, but change must come, no matter how painful or expensive it may be.”
Bill Hewlett
Contact
Thanks
[email protected] (Linux Solution Consultant in the
HP/Intel Solution Center)
http://www.hp.com/linux
Linus Torvalds, Richard Stallman, Eric Raymond, Nat Makarevitch, René Cougnenc, Eric Dumas, Rémy Card, Phil Robb, Michael Wenig among others, for their work and devotion to the Open Source Software cause... and my family for their patience :-)