SlideShare a Scribd company logo

2014 10-14: GitHub plus FOSS == 1 million SPDX

Nuno Brito, profile picture
Nuno Brito

The document discusses the challenges and solutions related to managing software licenses in open source projects, highlighting the need for better tools and standards like SPDX. It outlines the large scale of open source projects and the burden on developers to appropriately apply licenses, presenting various tools and initiatives developed to facilitate this process. Additionally, it emphasizes the importance of open data and collaboration in achieving effective license transparency.

Technology
1 of 36
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
+ => 1 million SPDX Large-scale license transparency using open data, open standards and F/OSS http://triplecheck.net http://searchcode.com
Speaker Slide #2 Nuno Brito  Free/open source contributor since 2005  Last 12 months wrote 100k F/OSS lines of code  SPDX contributor, co-founder of TripleCheck Around the web http://nunobrito.eu
Transparency Slide #3 Take some source code as example Who developed the code? Which licenses are applicable? Was the code copied from somewhere else?
Size Slide #4 A problem of scale Open licenses? > 300 types to choose > 5 million F/OSS projects > 100 million source code files
Practice Slide #5 Applying licenses  Burden on developer (do correctly, do enough)  Expressed differently (difficult to understand)  Scaling obstacles (scarce automation) Transparency?
What do? Slide #6 Ideally, we'd have tooling that is.. a) Reachable b) Cooperative c) Free Choose two. (sad reality)
Choose three Slide #7 Choose building blocks based on: a) Open standards b) Open data c) Reachable tools Learn, write, improve. Share.
Standards Slide #8 SPDX: Open standard for software licensing  Standardizes license description  Defines Id for license terms  http://spdx.org Pro: Good docs, straightforward, getting better Cons: Slow adoption, scarce tooling
Open data Slide #9 GitHub: Targeting open data repositories  API suited for intensive access  Social coding  Largest open source code collection Pro: Reachable, diverse Cons: Repositories processed one-by-one
Tooling Slide #10 Custom-built tools for software licenses  Large-scale repository data-mining  Find applicable licenses inside content  Share millions of SPDX documents Pro: Learn by doing, modularized, single language Cons: Built from scratch, needs consolidation
Step 1 Slide #11 Desktop tool/engine to discover licenses  SPDX format as storage medium  Identify copyright and 18 license types  Java, released in Feb 2014. EUPL http://spdx.org/tools/community/triplecheck-reporter
Desktop Slide #12
File detail Slide #13
SPDX file Slide #14
Customize Slide #15
Details Slide #16 Underneath the hood  147 file extensions, 18 license types  LOC, hashes (SHA1, MD5, SHA256, SSDEEP)  Command line supported (Jenkins, cron)  Fast, 40k files/minute (Pentium IV)
Step 2 Discovering repositories with gitFinder Create a list of projects online to use as components. Get basic licensing information from each project.  Write text file with each github user (~7 million)  For each user, find repositories not forked (~10M)  Split each repository according to language (197)  For each list of language/reps, download code Slide #17
Performance Slide #18 ~70k repositories/day  Single machine (i7, 8Gb RAM, CentOS)  9 parallel threads  Resume/recover supported  Released in Jun. 2014 https://github.com/triplecheck/gitfinder
Output Slide #19
Storage? https://what-if.xkcd.com/29/ (CC BY-NC 2.5) Slide #20
Storage BigZip, +100 million files on a single download Slide #21  Flat-file, zip compression (per entry)  Fast, simple, portable. Indexed search https://github.com/triplecheck/big
How it looks Slide #22
Step 3 Slide #23 SPDX search engine  One-click SPDX creation from open data  Visualize license and copyright data  Visit at http://searchcode.com/spdx
Example Slide #24 Using the original URL..  https://github.com/iuly/europa_kernel/ =>  https://spdxhub.com/iuly/europa_kernel/
Example Slide #25
SPDX-1M “Do It Yourself” kit. Generate 1 million SPDX Slide #26  https://github.com/triplecheck/diy  1.2 million open source projects  “Arduino” for s/w licenses detection 9Gb worth of SPDX? Grab: http://triplecheck.net/public/storage/spdx.big
Screenshots Slide #27
Next step? Slide #28 F2F – pinpointing non-original code  Decompose code into blocks  Tokenize/anonymize data  Find code matches across knowledge base ETA in Dec. 2014 https://github.com/triplecheck/f2f
Preview Slide #29
Conclusion Slide #30 What is now available for everyone  Desktop tooling / detection engine  Extraction of open data in scale  Search engine for SPDX
Questions? Slide #31 http://spdx.org http://searchcode.com/spdx http://github.com/triplecheck Interesting stuff? Let us know: @nn81 @boyte #linuxcon http://xkcd.com/1118/
Backup slides Slide #32
Engine Slide #33
License DB Slide #34
Components Slide #35
Exporting Slide #36

More Related Content

PDF
Software Heritage: let's build together the universal archive of our software...
Codemotion
 
PDF
Making Open Source Hardware IoT with Raspberry Pi
Leon Anavi
 
PDF
IoT Prototyping using BBB and Debian
Mender.io
 
PDF
FOSDEM 2017: Making Your Own Open Source Raspberry Pi HAT
Leon Anavi
 
PPTX
Concepts of Open source
Nikhil Kumar Singh
 
PPTX
N-ary Trees for C Programming Language
John Spence
 
ODP
Create IoT with Open Source Hardware, Tizen and HTML5
Leon Anavi
 
ODP
Introduction to Free and Open Source Software (FOSS)
Dong Calmada
 
Software Heritage: let's build together the universal archive of our software...
Codemotion
 
Making Open Source Hardware IoT with Raspberry Pi
Leon Anavi
 
IoT Prototyping using BBB and Debian
Mender.io
 
FOSDEM 2017: Making Your Own Open Source Raspberry Pi HAT
Leon Anavi
 
Concepts of Open source
Nikhil Kumar Singh
 
N-ary Trees for C Programming Language
John Spence
 
Create IoT with Open Source Hardware, Tizen and HTML5
Leon Anavi
 
Introduction to Free and Open Source Software (FOSS)
Dong Calmada
 

What's hot (20)

PPTX
Open Source Software Concepts
JITENDRA LENKA
 
PDF
The Ring programming language version 1.5.1 book - Part 14 of 180
Mahmoud Samir Fayed
 
PDF
Philosophy of Open Source - SFO17-TR01
Linaro
 
PDF
For the Love of Tux: Linux on RISC-V
Drew Fustini
 
PPT
Open Source and Free Software
King Fahad University for Petroleum and Minerals
 
PDF
Introduction to FOSS, SRM University
Atul Jha
 
PPTX
Benefits of Opensource Products
Anju Merin
 
PDF
Python at a glance
Mohammad Rafiee
 
PDF
Dynamic hacking with Guile (FOSDEM 2011)
Igalia
 
PPT
The open source philosophy
Gautam Krishnan
 
PDF
MSR09.ppt
Ptidej Team
 
PDF
Free and open source software
Frederik Questier
 
PPT
GNU GPL, LGPL, Apache licence Types and Differences
Iresha Rubasinghe
 
ODP
Fundamentals of Free and Open Source Software
Ross Gardler
 
PPTX
Kivy report
shobhit bhatnagar
 
PPT
Open Source Presentation
Adhoura Academy
 
PDF
Avoiding the tragedy of the commons: some lessons from the Software Heritage ...
OW2
 
PPTX
Free and Open Source Software
iwilldo4u
 
ODP
Foss Presentation
Ahmed Mekkawy
 
PDF
Using oss and hacker culture at an internet company at osc/tokyo 2014/03/01
Hiro Yoshioka
 
Open Source Software Concepts
JITENDRA LENKA
 
The Ring programming language version 1.5.1 book - Part 14 of 180
Mahmoud Samir Fayed
 
Philosophy of Open Source - SFO17-TR01
Linaro
 
For the Love of Tux: Linux on RISC-V
Drew Fustini
 
Open Source and Free Software
King Fahad University for Petroleum and Minerals
 
Introduction to FOSS, SRM University
Atul Jha
 
Benefits of Opensource Products
Anju Merin
 
Python at a glance
Mohammad Rafiee
 
Dynamic hacking with Guile (FOSDEM 2011)
Igalia
 
The open source philosophy
Gautam Krishnan
 
MSR09.ppt
Ptidej Team
 
Free and open source software
Frederik Questier
 
GNU GPL, LGPL, Apache licence Types and Differences
Iresha Rubasinghe
 
Fundamentals of Free and Open Source Software
Ross Gardler
 
Kivy report
shobhit bhatnagar
 
Open Source Presentation
Adhoura Academy
 
Avoiding the tragedy of the commons: some lessons from the Software Heritage ...
OW2
 
Free and Open Source Software
iwilldo4u
 
Foss Presentation
Ahmed Mekkawy
 
Using oss and hacker culture at an internet company at osc/tokyo 2014/03/01
Hiro Yoshioka
 
Ad

Similar to 2014 10-14: GitHub plus FOSS == 1 million SPDX (20)

PPT
Android Developer Meetup
Medialets
 
PDF
Automate your iOS deployment a bit
Michał Łukasiewicz
 
PDF
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
sparkfabrik
 
ODP
Ubucon 2013, licensing and packaging OSS
Nuno Brito
 
PDF
Open frameworks 101_fitc
benDesigning
 
PDF
Hacking the Kinect with GAFFTA Day 1
benDesigning
 
PDF
Module 18 (linux hacking)
Wail Hassan
 
PDF
Become Rick and famous, thanks to Open Source
Geeks Anonymes
 
PPT
2nd ARM Developer Day - mbed Workshop - ARM
Antonio Mondragon
 
PDF
Introduction to License Compliance and My research (D. German)
dmgerman
 
PPTX
Scanning Docker Images with ScanCode.io
Michael Herzog
 
PDF
Software Heritage, a revolutionary infrastructure for software source code, O...
OW2
 
PDF
OpenNTF Webinar 05/07/13: OpenNTF - The IBM Collaboration Solutions App Dev C...
Niklas Heidloff
 
PPTX
Lab Handson: Power your Creations with Intel Edison!
Codemotion
 
PPTX
Microsoft Embracing Open Source Technologies
Ricardo Peres
 
PDF
Software Heritage: Archiving the Free Software Commons for Fun & Profit
Speck&Tech
 
PDF
DT2014-15 S01: Digital Toolbox
Carlos Cámara
 
PDF
UnDeveloper Studio
Christien Rioux
 
ODP
Open source freeopensource & linux
Manura Perera
 
PDF
Tech Talk - Blockchain presentation
Laura Steggles
 
Android Developer Meetup
Medialets
 
Automate your iOS deployment a bit
Michał Łukasiewicz
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
sparkfabrik
 
Ubucon 2013, licensing and packaging OSS
Nuno Brito
 
Open frameworks 101_fitc
benDesigning
 
Hacking the Kinect with GAFFTA Day 1
benDesigning
 
Module 18 (linux hacking)
Wail Hassan
 
Become Rick and famous, thanks to Open Source
Geeks Anonymes
 
2nd ARM Developer Day - mbed Workshop - ARM
Antonio Mondragon
 
Introduction to License Compliance and My research (D. German)
dmgerman
 
Scanning Docker Images with ScanCode.io
Michael Herzog
 
Software Heritage, a revolutionary infrastructure for software source code, O...
OW2
 
OpenNTF Webinar 05/07/13: OpenNTF - The IBM Collaboration Solutions App Dev C...
Niklas Heidloff
 
Lab Handson: Power your Creations with Intel Edison!
Codemotion
 
Microsoft Embracing Open Source Technologies
Ricardo Peres
 
Software Heritage: Archiving the Free Software Commons for Fun & Profit
Speck&Tech
 
DT2014-15 S01: Digital Toolbox
Carlos Cámara
 
UnDeveloper Studio
Christien Rioux
 
Open source freeopensource & linux
Manura Perera
 
Tech Talk - Blockchain presentation
Laura Steggles
 
Ad

More from Nuno Brito (6)

PDF
Triplechecheck induction-presentation-sample
Nuno Brito
 
PDF
Stop look and listen before you talk
Nuno Brito
 
PPT
Lifes Good In Portugal
Nuno Brito
 
PPTX
Managing business relationships
Nuno Brito
 
PDF
Explaining the WinBuilder framework
Nuno Brito
 
PDF
White paper - Adhoc 2.0
Nuno Brito
 
Triplechecheck induction-presentation-sample
Nuno Brito
 
Stop look and listen before you talk
Nuno Brito
 
Lifes Good In Portugal
Nuno Brito
 
Managing business relationships
Nuno Brito
 
Explaining the WinBuilder framework
Nuno Brito
 
White paper - Adhoc 2.0
Nuno Brito
 

Recently uploaded (20)

PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 

2014 10-14: GitHub plus FOSS == 1 million SPDX

  • 1. + => 1 million SPDX Large-scale license transparency using open data, open standards and F/OSS http://triplecheck.net http://searchcode.com
  • 2. Speaker Slide #2 Nuno Brito  Free/open source contributor since 2005  Last 12 months wrote 100k F/OSS lines of code  SPDX contributor, co-founder of TripleCheck Around the web http://nunobrito.eu
  • 3. Transparency Slide #3 Take some source code as example Who developed the code? Which licenses are applicable? Was the code copied from somewhere else?
  • 4. Size Slide #4 A problem of scale Open licenses? > 300 types to choose > 5 million F/OSS projects > 100 million source code files
  • 5. Practice Slide #5 Applying licenses  Burden on developer (do correctly, do enough)  Expressed differently (difficult to understand)  Scaling obstacles (scarce automation) Transparency?
  • 6. What do? Slide #6 Ideally, we'd have tooling that is.. a) Reachable b) Cooperative c) Free Choose two. (sad reality)
  • 7. Choose three Slide #7 Choose building blocks based on: a) Open standards b) Open data c) Reachable tools Learn, write, improve. Share.
  • 8. Standards Slide #8 SPDX: Open standard for software licensing  Standardizes license description  Defines Id for license terms  http://spdx.org Pro: Good docs, straightforward, getting better Cons: Slow adoption, scarce tooling
  • 9. Open data Slide #9 GitHub: Targeting open data repositories  API suited for intensive access  Social coding  Largest open source code collection Pro: Reachable, diverse Cons: Repositories processed one-by-one
  • 10. Tooling Slide #10 Custom-built tools for software licenses  Large-scale repository data-mining  Find applicable licenses inside content  Share millions of SPDX documents Pro: Learn by doing, modularized, single language Cons: Built from scratch, needs consolidation
  • 11. Step 1 Slide #11 Desktop tool/engine to discover licenses  SPDX format as storage medium  Identify copyright and 18 license types  Java, released in Feb 2014. EUPL http://spdx.org/tools/community/triplecheck-reporter
  • 16. Details Slide #16 Underneath the hood  147 file extensions, 18 license types  LOC, hashes (SHA1, MD5, SHA256, SSDEEP)  Command line supported (Jenkins, cron)  Fast, 40k files/minute (Pentium IV)
  • 17. Step 2 Discovering repositories with gitFinder Create a list of projects online to use as components. Get basic licensing information from each project.  Write text file with each github user (~7 million)  For each user, find repositories not forked (~10M)  Split each repository according to language (197)  For each list of language/reps, download code Slide #17
  • 18. Performance Slide #18 ~70k repositories/day  Single machine (i7, 8Gb RAM, CentOS)  9 parallel threads  Resume/recover supported  Released in Jun. 2014 https://github.com/triplecheck/gitfinder
  • 21. Storage BigZip, +100 million files on a single download Slide #21  Flat-file, zip compression (per entry)  Fast, simple, portable. Indexed search https://github.com/triplecheck/big
  • 22. How it looks Slide #22
  • 23. Step 3 Slide #23 SPDX search engine  One-click SPDX creation from open data  Visualize license and copyright data  Visit at http://searchcode.com/spdx
  • 24. Example Slide #24 Using the original URL..  https://github.com/iuly/europa_kernel/ =>  https://spdxhub.com/iuly/europa_kernel/
  • 26. SPDX-1M “Do It Yourself” kit. Generate 1 million SPDX Slide #26  https://github.com/triplecheck/diy  1.2 million open source projects  “Arduino” for s/w licenses detection 9Gb worth of SPDX? Grab: http://triplecheck.net/public/storage/spdx.big
  • 28. Next step? Slide #28 F2F – pinpointing non-original code  Decompose code into blocks  Tokenize/anonymize data  Find code matches across knowledge base ETA in Dec. 2014 https://github.com/triplecheck/f2f
  • 30. Conclusion Slide #30 What is now available for everyone  Desktop tooling / detection engine  Extraction of open data in scale  Search engine for SPDX
  • 31. Questions? Slide #31 http://spdx.org http://searchcode.com/spdx http://github.com/triplecheck Interesting stuff? Let us know: @nn81 @boyte #linuxcon http://xkcd.com/1118/