OpenChain, SPDX and FOSSology
OpenChain, SPDX, FOSSology
Jilayne Lovejoy, Principal Open Source Counsel, ARM
We’ve come a long way, but ...
Open source license compliance is still a challenge
• Source code is shared between projects to enable rapid development of new features
• Product companies may have a different focus than open source developers
• Licensing is focused on only after development
• So. Much. Open Source Software!
How we can ease the pain...
via collaborative efforts in open source compliance
• Common process for managing licensing data
• Common language to communicate licensing data
• Open source tools to generate licensing data summaries
A software supply chain where FOSS is delivered with trusted and consistent compliance information
• Specification
• Curriculum
• Conformance
PLATINUM MEMBERS & GOVERNING BOARD
How to get involved
• By Leveraging the SPDX, OpenChain and Hyperledger Initiatives, We Can Solve the Open Source Management Supply Chain Puzzle, Mark Gisi & Sameer Ahmed, Wind River
  • Tuesday, 2:00-12:30, Monument Peak
• OpenChain for Projects and SMEs, Jonas Öberg, FSFE
  • Tuesday, 4:50-5:20, Grand Sierra C/D
• OpenChain working group
  • Wednesday, 2:00-5:00 Castle Peak B
Join the general or curriculum mailing list (or both!), attend calls
https://www.openchainproject.org/community
Software Package Data Exchange
What is SPDX?
• Standard:
  • A standard format for communicating the licenses and copyrights associated with software packages
• Guiding principles:
  • Human and machine readable
  • Focus on capturing facts; avoid interpretations
• Vision:
  • To help reduce redundant work in determining software license information and facilitate compliance
(Part of the) Solution
• A file format for license information to accompany open source packages
• Benefits
  • Allows easy exchange of license information between companies, reducing burden on both suppliers and consumers
  • Avoids due diligence redundancy where the same source code package is analyzed multiple times by different receivers
  • Ultimately yields better compliance with less effort
SPDX
• Specification
• License List
• Tools

An SPDX Doc (Version 2.1)
SPDX v2.0 Document contains:
• Document Creation Information
• Package Information
• File Information
• Other Licensing Information
• Annotations
• Relationships
Document Creation Information (1 per document)
• 2.1 SPDX Version
• 2.2 Data License
• 2.3 SPDX Identifier
• 2.4 Document Name
• 2.5 SPDX Document Namespace
• 2.8 Creator
• 2.9 Created
Provide an SPDX document

Package Information (1 per package in document)
• 3.1 Package Name
• 3.2 Package SPDX Identifier
• 3.7 Package Download Location
• 3.8 Package Verification Code
• 3.12 Concluded License
• 3.13 All Licenses Information from Files
• 3.14 Declared License
• 3.16 Copyright Text

File Information (1 per file in each package)
• 4.1 File Name
• 4.2 File SPDX Identifier
• 4.4 File Checksum
• 4.5 Concluded License
• 4.6 License Information in File
• 4.8 Copyright Text
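As an added worked example (not from the slides, and not SPDX or FOSSology project code): a small Python generator that emits an SPDX 2.1 tag:value document carrying the document, package and file fields listed above, and computes the 3.8 Package Verification Code the way the specification defines it (SHA-1 over the sorted, concatenated per-file SHA-1 digests). The sample package contents, the document namespace and the tool name in the Creator field are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed sample package (not a real project): path -> file bytes.
SAMPLE_FILES: Dict[str, bytes] = {
    "src/main.c": b"/* SPDX-License-Identifier: MIT */\nint main(void) { return 0; }\n",
    "LICENSE": b"MIT License\nCopyright (c) 2017 Example Project\n",
}
LICENSE_TAG = re.compile(rb"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def package_verification_code(files: Dict[str, bytes], excluded: Iterable[str] = ()) -> str:
    """Spec 3.8: SHA-1 over the sorted, concatenated SHA-1 digests of every file
    in the package, skipping excluded files (typically the SPDX document itself).
    Order-independent, so two receivers can confirm they analysed identical contents."""
    skip = set(excluded)
    digests = sorted(sha1_hex(data) for path, data in files.items() if path not in skip)
    return sha1_hex("".join(digests).encode("ascii"))

def license_info_in_file(data: bytes) -> str:
    """Spec 4.6 records a fact, not a judgement: only what is literally found in the file.
    This toy scanner recognises SPDX-License-Identifier tags only; a real scanner such as
    FOSSology also matches full license text per the SPDX matching guidelines."""
    m = LICENSE_TAG.search(data)
    return m.group(1).decode("ascii") if m else "NONE"

def tag_value_document(pkg: str, files: Dict[str, bytes], download: str, created: str) -> str:
    """Emit an SPDX 2.1 tag:value document with the fields listed on the slides.
    Concluded/declared licenses stay NOASSERTION until a reviewer makes the call."""
    lines: List[str] = [                                    # 1 per document
        "SPDXVersion: SPDX-2.1",                            # 2.1
        "DataLicense: CC0-1.0",                             # 2.2 (fixed by the spec)
        "SPDXID: SPDXRef-DOCUMENT",                         # 2.3
        f"DocumentName: {pkg}",                             # 2.4
        f"DocumentNamespace: https://example.invalid/spdx/{pkg}",  # 2.5 (assumed URI)
        "Creator: Tool: spdx-example-0.1",                  # 2.8 (assumed tool name)
        f"Created: {created}",                              # 2.9
        "",                                                 # 1 per package in document
        f"PackageName: {pkg}",                              # 3.1
        "SPDXID: SPDXRef-Package",                          # 3.2
        f"PackageDownloadLocation: {download}",             # 3.7
        f"PackageVerificationCode: {package_verification_code(files)}",  # 3.8
        "PackageLicenseConcluded: NOASSERTION",             # 3.12
    ]
    found = sorted({license_info_in_file(d) for d in files.values()} - {"NONE"}) or ["NONE"]
    lines += [f"PackageLicenseInfoFromFiles: {lic}" for lic in found]  # 3.13, one line each
    lines += ["PackageLicenseDeclared: NOASSERTION", "PackageCopyrightText: NOASSERTION", ""]  # 3.14, 3.16
    for i, (path, data) in enumerate(sorted(files.items())):  # 1 per file in each package
        lines += [f"FileName: ./{path}",                    # 4.1
                  f"SPDXID: SPDXRef-File-{i}",              # 4.2
                  f"FileChecksum: SHA1: {sha1_hex(data)}",  # 4.4
                  "LicenseConcluded: NOASSERTION",          # 4.5
                  f"LicenseInfoInFile: {license_info_in_file(data)}",  # 4.6
                  "FileCopyrightText: NOASSERTION", ""]     # 4.8
    return "\n".join(lines)
```

Note that the LICENSE file yields LicenseInfoInFile: NONE here because the toy scanner only reads tags; that gap is exactly what full-text scanners and the reviewer's Concluded License fields exist to close.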
License List
• ~300 Licenses
  • Short IDs for easy reference
  • Exact text of licenses
  • Available on SPDX® website – URLs won’t change
• License Matching Guidelines
  • For matching licenses against those included on the SPDX License List
• License Templates
  • Denote license text which is optional or replaceable per the license matching guidelines
• Exceptions List
  • Common modifications to some licenses
  • Simple expression language for expressing
• Actively maintained by SPDX Legal Team
How to get involved
• SPDX Generation via Yocto and the New LID code License Scanner, Mark Charlebois & Craig Northway, Qualcomm Technologies
  • Tuesday, 11:20-11:50, Monument Peak
• From EXIF to SPDX: How Persistent Metadata is Changing the World, Jonas Öberg, Free Software Foundation Europe
  • Tuesday, 3:30-4:00, Grand Sierra C/D
• SPDX working group
  • Thursday, 11-4, Castle Peak B
Join the technical, outreach or legal team to contribute to the spec, tools, documentation and presentations, license list and related work
https://spdx.org/participate
FOSSology
An open source license compliance system and toolkit.
• Run license, copyright and export control scans
• Database and web UI provide a compliance workflow
• Generate reports
FOSSology: handling compliance tasks
▪ Upload an open source package to the server
▪ Select scan agents to analyze the software
▪ Review the licenses that the scanners have detected
▪ Compare and correct findings if necessary
▪ Generate report output
  ▪ SPDX (both formats: tag value and RDF)
  ▪ Spreadsheet of license information
  ▪ Set of applicable file notices
  ▪ Export control information
Current version info
• 3.1 info as to newest features
• Who is involved
• What CP is shipping/the product
• How is the CP changing the world/creating bigger outcomes
• How to get involved
FOSSology Community
and more to be added …
FOSSology Project Information
▪ Making Compliance Easy: Filling in the Missing Pieces, Kate Stewart, The Linux Foundation
  ▪ Wednesday, 2:40-3:10, Monument Peak
▪ SW360 - An Open Component Hub, Steffen Evers, Bosch Software Innovations
  ▪ Wednesday, 3:20-3:50, Grand Sierra B
Contribute code, ideas, documentation, testing
https://www.fossology.org/about/support-fossology
Bringing it all together
• Common language to communicate licensing data
• Open source tools to generate licensing data summaries
• Transparency of software licensing data
• Keep licensing data current with every change or update
• Common process for managing licensing data
• Adoption in key projects, distributions, repositories
Bringing it all together

Goal                                                     How?
Common language to communicate licensing data            SPDX
Open Source tools to generate licensing data summaries   FOSSology, SPDX-tools
Transparency of software’s licensing data                ?
Keep licensing data current with every source change     ?
Common processes to pass licensing data                  OpenChain