Best practices for using open source software in the enterprise
2 likes4,055 views
Marcel de Vries discusses best practices for using open source software in enterprises. He notes that 80% of software is based on open source components and that awareness is key. He demonstrates how to use an artifact repository like Nexus to publish components after builds, scan for licenses and vulnerabilities, and gain insights. While repositories help with transparency and analysis, additional tools and processes are needed for component selection, community engagement, and contribution management to fully address open source usage in enterprises.
Best practices for using open source software in the enterprise
- 1. Marcel de Vries CTO Xpirit Best Practices for Using Open Source Software in the Enterprise
- 2. About me: Marcel de Vries mdevries@xpirit.com @marcelv http://fluentbytes.comXpirit Also regional director
- 3. How software is built • 80% is based on components + your code + glue code => new product • Components dominantly are now open source • Build on the shoulders of giants by using free software components in your products
- 5. Look at average ASP.NET website • ASP.NET itself • Entity framework • JQuery • Angular • Bootstrap • … 201320122011200920082007 2010 2B1B500M 4B 6B 8B 13B Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.
- 6. The new Microsoft • Microsoft embraces open source in many areas now • Did you know Azure provides many different flavors of Linux distributions? • Did you know Microsoft open sourced important parts of their development platform? – ASP.NET MSBuild – SignalR .NET Core (CLR & FW) – Roslyn compilers WCF
- 7. The .NET Foundation .NET API for Hadoop WebClient .NET Compiler Platform ("Roslyn") .NET Map Reduce API for Hadoop .NET Micro Framework ASP.NET MVC ASP.NET Web API ASP.NET Web Pages ASP.NET SignalR Composition (MEF2) Entity Framework Linq to Hive MEF (Managed Extensibility Framework) OWIN Authentication Middleware Rx (Reactive Extensions) Web Protection Library Windows Azure .NET SDK Windows Phone Toolkit WnsRecipe Mimekit Xamarin.Auth Xamarin.Mobile Couchbase for .NET Miguel de Icaza (Xamarin) Laurent Bugnion (IdentityMine) Niels Hartvig (Umbraco) Anthony van der Hoorn (Glimpse) Paul Betts (GitHub) Nigel Sampson (Compiled Experience) http://www.dotnetfoundation.org Mailkit System.Drawing
- 8. Best practices in OSS for the enterprise • In the Microsoft eco system we are just getting started • How do you come up with best practices already? – Look at the eco systems that have been using OSS for a long time • E.g. Java ecosystem – My personal experience as Technology manager, CTO in terms of risk awareness • Experiences based on consulting engagements where I worked in heterogeneous environment
- 9. Challenge to the enterprise • Developers want freedom to use open source software – It is highly encouraged by modern development tools like Visual Studio – NuGet, NPM (node), Bower, Maven, etc. • How can I empower my developers, without bringing my company at risk? • I see my .NET developer use open source now, how can I cope with this and still keep them happy?
- 10. Open source software • What are the implications in the enterprise? What is open source? Publish open source software What are common business models? When can I publish Oss? What do I need to accept contributions? Consuming open source software What are the Licenses implications? Are there known Vulnerabilities? How well are these sources maintained? How can we keep that in control?
- 11. What is open source anyway? “Computer software with its source code made available under a license in which the copyright holder provides the rights to study, change and distribute the software to anyone and for any purpose” St. Laurent, Andrew M. (2008). Understanding Open Source and Free Software Licensing. O'Reilly Media. p. 4. ISBN 9780596553951
- 12. According to the Open Source Definition, the license must not: • Discriminate against persons or groups • Discriminate against fields of endeavour • Be specific to a product • Restrict other software http://opensource.org/osd What is a license?
- 14. Copyleft License implications • Distribution triggers obligations – And in some cases using on a network also trigger obligations (AGPL) • Obligations are: • Disclosing the source code of your product; • Making your product available under that copyleft license; • Licensing your patents that read on the software. • Once your product is available under a copyleft license any recipient can use it and distribute it without charge.
- 15. Copyleft and Cloud • In general, using modified Copy left sources do not need to be published when used in cloud solution • Cloud service is in general not considered distribution, but use of the software – So does not trigger copy left obligations • Except for following licenses: – AGPL – European Union Public License – Common Public License
- 16. CONTRIBUTING TO OPEN SOURCE
- 17. OSS Contribution Funnel • Be able to understand what it does • Can easily pick it up and use • Download • Fork / Follow / FavouriteUse • Log bugs • Answer questions • Write blog posts • Fix / add documentation • Fix typos Contribute Time • Actually contribute code patches that fix bugs / improve test cases • Contribute entirely new features • Translate • Maintain platforms Contribute Code • Become a core committer (get write access) • Accept / validate code contributions • Nurture new people • Stick around • Influence the direction of the project Own
- 18. Publishing open source • What do you need when you want to publish open source software? • You need to know who worked on the software – Each individual is a copyright holder! – If you don’t know, you are at risk going forward, you need to chase them down • How about I publish software on my blog? – You are still the copyright holder and need to set license terms for others to be able to use it!
- 19. A Contributor License Agreement (CLA) defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source license. From Wikipedia, the free encyclopedia
- 20. Why would I publish my product as OSS? • Open source is a proven viable business model • Company builds and contributes to the open source software • Company builds premium components they sell • Company provides premium services – e.g. SaaS versions of the product, or consulting services
- 22. Consuming open source software Use of components creates a SOFTWARE SUPPLY CHAIN DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION
- 23. Licenses are one part of the story, but what about… HEARTBLEEDEverything was secure until, suddenly it wasn’t Introduced December 2011 Discovered April 2014 Lot of instances fixed, but still not all!
- 24. Consuming open source software If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION
- 25. You need to know what is used in your enterprise! How can we empower developers in using open source but be risk aware?
- 26. What can we learn from the Java space? • They use artifact repositories to pull their packages from and push their packages to – Provides a single point where you can ask questions about the software • In the Microsoft ALM tools, we are used to – Use Version control repositories for our sources – Use network drop locations for our build products – Use the web to pull our packages
- 27. Consuming open source software DEVELOPMENT BUILD AND PUBLISH PRODUCTION COMPONENT SELECTION
- 28. When you have a repo in place, you can…. • Scan for licenses in use • Scan for known vulnerabilities • Scan for popularity
- 29. Meet the artifact repository • There are different flavors out there – Alternatives are archiva, Artifactory, Nexus – You can look at a comparison at: http://docs.codehaus.org/display/MAVENUSER/Maven+Repository +Manager+Feature+Matrix • For my demos I am using Sonatype Nexus – The one I most commonly encountered in my engagements with customers – Supports the Microsoft Eco system with NuGet!
- 31. Great but not all OSS comes from NuGet How can you know what is in your enterprise, because just using a proxy does not cut it?
- 32. How to publish to repo after build By publishing your product back to the artifact repository, you can now scan your software on use of OSS
- 33. Consuming open source software DEVELOPMENT BUILD AND PUBLISH PRODUCTION COMPONENT SELECTION
- 34. DEMO Publish to artefact repo
- 35. Great! Now I have an artifact repository, how does that solve my needs?
- 36. We need a way to scan my repository and answer my important questions
- 38. Part of the puzzle • Artifact repositories can help you – Empower your developers to build on shoulders of giants – Analyze what is in use • Source code or binaries – Give insights in your exposure to known vulnerabilities in OSS components • There are things you need to figure out yourself – What OSS do we pick for certain parts of the system – How do you select the right component with an abundance of choice? – How do you engage with communities? – How to manage contributions to OSS?
- 39. What we not covered • Integrating license and vulnerability scans as part of your continuous delivery pipeline • Defining policies for what you allow – Component Lifecycle Management tooling – Can plug into your build system or your delivery pipelines • People and Perception – Developer bias – Developer satisfaction – Not looking at the other side of the fence
- 40. Summary • There is more to open source than sources • Understand licensing • Understanding the OSS ecosystem • OSS usage impacts your business • Set up a strategy to know what you are using • Artifact repository can help you solve parts of the puzzle – Make them part of your Continuous Delivery Pipeline
- 41. Questions? • Xpirit Magazine in your TechDays bag with cool articles on e.g: – Hololens programming – Azure Service Fabric – Application Insights http://fluentbytes.com @marcelv mdevries@Xpirit.com Need help? Contact us