Posts

LC3

Only 4 days until LinuxCon+ContainerCon+CloudOpen China. Register now!

It’s not too late to attend LinuxCon+ContainerCon+CloudOpen (LC3) China. See who’s attending!

Here’s what you can look forward to next week:

  1. Visionary Keynote Speakers: Junjie Cai, Alibaba Cloud; Anni Lai, Huawei; Haifeng Liu, JD.com; Todd Moore, IBM; Michelle Noorali, Microsoft; Dr. Zhexuan Song, Huawei; Linus Torvalds, Creator of Linux and Git; Liu Xin, Tencent; and more.
  2. Additional Learning Opportunities with Co-Located Events: Attend the DPDK Summit, OpenChain Workshop, Arm Innovator Asia Tour, Tencent Workshop Series, Apache ServiceComb (incubating) Day, and the FD.io DMM Seminar.
  3. 175 Sessions Across Three Days: Learn the latest developments and best practices in Linux Systems, Cloud Native Applications, Blockchain, AI, Networking, Cloud Infrastructure, and Open Source Leadership.
  4. Open Office Hours: Get 1:1 time with open source experts from AWS, ChainNova, China Mobile, Huawei, Microsoft, Red Hat, and more.

REGISTER NOW >>

Need assistance convincing your manager? Here’s a letter that can help you make the request to attend LC3.

Linux Foundation members and LF project members receive a 20% discount on registration pricing. Academic, student, non-profit and group discounts are also available. Email events@linuxfoundation.org to receive your discount code.

Sign up to receive updates on LinuxCon + ContainerCon + CloudOpen China:

It’s not too late to register for LinuxCon+ContainerCon+CloudOpen (LC3). See who’s attending!

  1. Keynote Speakers: Junjie Cai, Alibaba Cloud; Anni Lai, Huawei; Haifeng Liu, JD.com; Todd Moore, IBM; Michelle Noorali, Microsoft; Dr. Zhexuan Song, Huawei; Linus Torvalds, creator of Linux and Git; Liu Xin, Tencent; and more.
  2. Additional Learning Opportunities with Co-Located Events: Attend the DPDK China Summit, OpenChain Workshop, Arm Asia Innovator Tour, Tencent Workshop Series, Huawei Cloud Apache ServiceComb Incubating Day, and the FD.io DMM Seminar.
  3. 175 Sessions Across Three Days: Learn about Linux Systems, Cloud Native Applications, Blockchain, Artificial Intelligence, Networking, Cloud Infrastructure, Open Source Leadership, and more.
  4. Open Office Hours: Book 1:1 time with open source experts from AWS, ChainNova, China Mobile, Huawei, Microsoft, Red Hat, and more.

REGISTER NOW >>

Need help convincing your manager? Here’s a letter that can help you make the request to attend LC3. Linux Foundation members and LF project members receive a 20% discount on registration. Academic, student, non-profit and group discounts are also available. Email events@linuxfoundation.org to receive your discount code.

2018 OS Jobs Report

The latest Open Source Jobs Report shows a strong market for open source talent, driven in part by the rapid growth of cloud technologies.

Linux expertise is again in the top spot as the most sought after open source skill, says the latest Open Source Jobs Report from Dice and The Linux Foundation. The seventh annual report shows rapidly growing demand for open source skills, particularly in areas of cloud technology.

Key findings of the report include:

  • Linux tops the list as the most in-demand open source skill, making it mandatory for most entry-level open source careers. This is due in part to the growth of cloud and container technologies, as well as DevOps practices, all of which are typically built on Linux.
  • Container technology is rapidly growing in popularity and importance, with 57% of hiring managers seeking those skills, up from 27% last year.
  • Hiring open source talent is a priority for 83% of hiring managers, up from 76% in 2017.
  • Hiring managers are increasingly opting to train existing employees on new open source technologies and help them gain certifications.
  • Many organizations are getting involved in open source with the express purpose of attracting developers.

Career Building

In terms of job seeking and job hiring, the report shows high demand for open source skills and a strong career benefit from open source experience.

  • 87% of open source professionals say knowing open source has advanced their career.
  • 87% of hiring managers experience difficulties in recruiting open source talent.

Hiring managers say they are specifically looking to recruit in the following areas:

[Image: OS Jobs skills]

Diversity

This year’s survey included optional questions about companies’ initiatives to increase diversity in open source hiring, which has become a hot topic throughout the tech industry. The responses showed a significant difference between the views of hiring managers and those of open source pros — with only 52% of employees seeing those diversity efforts as effective compared with 70% of employers.

Overall, the 2018 Open Source Jobs Report indicates a strong market for open source talent, driven in part by the growth of cloud-based technologies. This market provides a wealth of opportunities for professionals with open source skills, as companies increasingly recognize the value of open source.

The 2018 Open Source Jobs Survey and Report, sponsored by Dice and The Linux Foundation, provides an overview of the latest trends for open source careers. Download the complete Open Source Jobs Report now.

OS Summit

Register now for Open Source Summit NA and save $300 through June 17.

Join us in Vancouver in August for 250+ educational sessions covering the latest technologies and topics in open source, and hear from industry experts including keynotes from:

  • Ajay Agrawal, Artificial Intelligence & Machine Learning Expert, Author of Prediction Machines, and Founder, The Creative Destruction Lab
  • Jennifer Cloer, Founder of reTHINKit and Creator and Executive Producer, The Chasing Grace Project
  • Wim Coekaerts, Senior Vice President of Operating Systems and Virtualization Engineering, Oracle
  • Ben Golub, Executive Chairman and Interim CEO, and Shawn Wilkinson, Co-founder, Storj Labs
  • Preethi Kasireddy, Founder & CEO, TruStory
  • Window Snyder, Chief Security Officer, Fastly
  • Imad Sousou, Corporate Vice President and General Manager, Open Source Technology Center, Intel
  • Sana Tariq, Senior Architect, E2E Service Orchestration, TELUS


Additional keynotes and the full schedule of 250+ sessions will be announced next week. Details on co-located events, evening activities, and other activities—including Speed Mentoring, First-Time Attendee Breakfast, Women in Open Source Lunch, Diversity Mixer, Kids Day, and more—will be announced shortly as well.

Register now and save $300 through June 17!

Register Now>>

LC3

Register Now for LinuxCon + ContainerCon + CloudOpen China 2018

Join 3,000 open source technologists and business leaders for education and collaboration to drive open source innovation at LC3.

VIEW THE FULL SCHEDULE>>

REGISTER NOW >>

Top 3 Reasons to Attend

  1. Visionary Keynote Speakers: Hear from thought leaders from Accenture, Alibaba, Baidu, China Mobile, Huawei, IBM, Intel, Red Hat, Tencent and more.
  2. Workshops for Additional Learning Opportunities: Attend DPDK China Summit, OpenChain Workshop, The Arm Innovator Tour, Tencent Workshop Series, or Apache ServiceComb (incubating) Day.
  3. 175+ sessions: LC3 will feature use cases, project and technology updates, and other learnings on Cloud Native, AI, IoT, Linux Systems and Development, Networking and Orchestration, Blockchain, Open Source Leadership and more.

Need assistance convincing your manager? Here’s a letter that can help you make the request to attend LC3. Register now to save $40USD/255RMB through June 18.

REGISTER NOW >>

Join more than 3,000 technology and business leaders at LC3 to collaborate and drive the era of open source innovation.

Top three reasons to attend:

  1. Visionary Keynote Speakers: Hear from experts at Accenture, Alibaba, Baidu, China Mobile, Huawei, IBM, Intel, Red Hat, Tencent and more.
  2. Sessions and Workshops for Additional Learning Opportunities: Attend the DPDK China Summit, OpenChain Workshop, Arm Asia Innovator Tour, Tencent Workshop Series, and Huawei Cloud Apache ServiceComb Incubating Day.
  3. 175+ Sessions: LC3 will cover use cases and project and technology updates on Cloud Native, AI, IoT, Linux Systems and Development, Networking and Orchestration, Blockchain, Open Source Leadership and more.

VIEW THE FULL SCHEDULE »

REGISTER NOW »

building leadership

The latest Open Source Guide for the Enterprise from The TODO Group provides practical advice for building leadership in open source projects and communities.

Contributing code is just one aspect of creating a successful open source project. The open source culture is fundamentally collaborative, and active involvement in shaping a project’s direction is equally important. The path toward leadership is not always straightforward, however, so the latest Open Source Guide for the Enterprise from The TODO Group provides practical advice for building leadership in open source projects and communities.  

Being a good leader and earning trust within a community takes time and effort, and this free guide discusses various aspects of leadership within a project, including matters of governance, compliance, and culture. Building Leadership in an Open Source Community, featuring contributions from Gil Yehuda of Oath and Guy Martin of Autodesk, looks at how decisions are made, how to attract talent, when to join vs. when to create an open source project, and it offers specific approaches to becoming a good leader in open source communities.

Leadership Mindset

According to the guide, the open source leadership mindset involves:

  • Influence, not control
  • Transparency as a means of crowd-sourcing solutions, not as exposure
  • Leading, not herding

Building leadership can happen at all levels — from managers to developers to volunteers. Developers, for example, are often highly motivated to contribute to open source projects that matter to them and to build their reputations within the community. According to the guide, “open source is so hotly in demand that developers actively seek opportunities to develop or hone their open source chops.”

Guy Martin, Director, Open at Autodesk, Autodesk, says that when interviewing developers, he is frequently asked how the company will help the developer build his or her own open source brand.

Increase Visibility

“Raising your own company’s visibility in its open source work can thus also help recruit developers. Some companies even offer open source training to add to the appeal. Presenting the company’s open source projects at conferences and contributing code in communities are the best ways to raise your company’s visibility. Asking your developers to network with other developers and invite them aboard also tends to work well,” the guide states.

Read the complete guide to Building Leadership in an Open Source Community online now. And, see the list of all Open Source Guides for the Enterprise to learn more.  The information contained in these guides is based on years of experience and best practices from industry leaders. They are developed by The TODO Group in collaboration with The Linux Foundation and the larger open source community.  

LinuxCon

Check out the new keynote speakers and executive leadership track for LC3.

Attend LC3 in Beijing, June 25 – 27, 2018, and hear from Chinese and international open source experts from Accenture, China Mobile, Constellation Research, Huawei, IBM, Intel, OFO, Xturing Biotechnology and more.

New Keynote Speakers:

  • Peixin Hou, Chief Architect of Open Software and Systems in the Central Software Institute, Huawei
  • Sven Loberg, Managing Director within Accenture’s Emerging Technology practice with responsibility for Open Source and Software Innovation
  • Evan Xiao, Vice President, Strategy & Industry Development, Huawei
  • Cloud Native Computing Panel Discussion featuring panelists from Alibaba, Huawei, IBM, Microsoft and Tencent, and hosted by Dan Kohn, Executive Director, Cloud Native Computing Foundation

View Previously Announced Keynote Speakers>>

New Executive Leadership Track:

In addition to existing tracks across technology areas including AI, Blockchain, Networking, Cloud Native and more, LC3 2018 will feature a new Executive Leadership track on Tuesday, June 26, 2018, targeted at gathering executive business leaders across Chinese technology companies to collaborate, to share learnings, and to gain insights from industry leaders including:

  • R “Ray” Wang, head of Silicon Valley-based Constellation Research and best selling author of the Harvard Business Review Press book, Disrupting Digital Business, will share practical guidance on how to jump start growth with AI driven smart services
  • Dr. Feng Junlan, Director of the newly founded China Mobile Artificial Intelligence and Smart Operations R&D Center, will share insights on network intelligence, intelligent operations and China Mobile’s related strategic considerations and practice
  • Chao Wang, CTO of Xturing Biotechnology will talk about building Gene Sequencing tools by using container technology
  • Chenyu Xue, M2M Director of OFO, will discuss the sharing economy and how OFO implements an open source spirit in its company philosophy
  • Deep Learning Panel Discussion featuring panelists from Baidu, Didi, Huawei, IBM, Microsoft and Tencent, and hosted by Jim Zemlin, Executive Director, The Linux Foundation

These sessions will take place following the morning keynote sessions including Sven Loberg, Accenture; Evan Xiao, Huawei; and the Cloud Native Panel Discussion.

VIEW THE FULL SCHEDULE >>

REGISTER NOW >>

Need assistance convincing your manager? Here’s a letter that can help you make the request to attend LC3. Register now to save $40USD/255RMB through June 18.

Attend LC3 in Beijing, June 25–27, and hear insights and advice from open source experts at Chinese and international companies including Accenture, China Mobile, Constellation Research, Huawei, IBM, Intel, OFO, and Xturing Biotechnology.

New Keynote Speakers:

  • Peixin Hou, Chief Architect of Open Software and Systems, Central Software Institute, Huawei
  • Sven Loberg, Managing Director, Emerging Technology practice, Accenture, responsible for Open Source and Software Innovation
  • Evan Xiao, Vice President, Strategy & Industry Development, Huawei
  • Cloud Native Computing Panel Discussion with panelists from Alibaba, Huawei, IBM, Microsoft and Tencent, hosted by Dan Kohn, Executive Director, Cloud Native Computing Foundation

View Previously Announced Keynote Speakers »

New Executive Leadership Track:

In addition to the existing tracks covering technology areas such as AI, Blockchain, Networking and Cloud Native, LC3 2018 will launch a new Executive Leadership track on Tuesday, June 26, aimed at bringing together executive business leaders from Chinese technology companies to share learnings and hear insights from industry leaders. The track will include:

  • R “Ray” Wang, head of Silicon Valley-based Constellation Research and best-selling author of Disrupting Digital Business (Harvard Business Review Press), will share practical guidance on how to drive growth with AI-driven smart services
  • Dr. Feng Junlan, Director of the newly founded China Mobile Artificial Intelligence and Smart Operations R&D Center, will share insights on network intelligence, intelligent operations, and China Mobile’s related strategic considerations and practice
  • Chao Wang, CTO of Xturing Biotechnology, will discuss gene sequencing tools built with container technology
  • Chenyu Xue, M2M Director of OFO, will discuss the sharing economy and how OFO brings an open source spirit into its company philosophy
  • Deep Learning Panel Discussion with panelists from Baidu, Didi, Huawei, IBM, Microsoft and Tencent, hosted by Jim Zemlin, Executive Director, The Linux Foundation

These sessions will follow the morning keynotes, which include Sven Loberg, Accenture; Evan Xiao, Huawei; and the Cloud Native Panel Discussion.

VIEW THE FULL SCHEDULE »

REGISTER NOW »

Need help convincing your manager? Here’s a letter to help you make the request to attend LC3. Register by June 18 to save US$40/RMB 255.

Most people know Capital One as one of the largest credit card companies in the U.S. Some also know that we’re one of the nation’s largest banks — number 8 in the U.S. by assets. But Capital One is also a technology-focused digital bank that is proud to be disrupting the financial services industry through our commitment to cutting edge technologies and innovative digital products. Like all U.S. banks, Capital One operates in a highly regulated environment that prioritizes the protection of our consumers and their financial data. This sets us apart from many companies who don’t operate under the same level of oversight and responsibility.

Our goal to reimagine banking is attracting amazing engineers who want to be part of the movement to reinvent the financial technology industry. During interviews, they are often surprised to find we want them to use open source projects and contribute back to the open source community. Even more are blown away that we sponsor open source projects built by our engineers.

People expect that kind of behavior at a start-up, not a top bank. There is nothing traditional about Capital One and our approach to technology.

When we see opportunities, especially in technology, we deliberately pursue them. Our approach to managing technology, guided by general industry regulations and company-specific policies, provides the guardrails for using, contributing to, and launching open source software projects. The Open Source Office adopted a comprehensive risk management approach wherein we have identified clear risk ownership around when to use, contribute to, and launch open source projects.

Our journey to managing open source risk and implementing this strategic approach followed this trajectory:

  • Engineers wanted to use and contribute to open source projects.
  • Risks were identified, analyzed, and a path to managing them was mapped out with the Open Source Office, Legal, and Security teams.
  • Focus on education, with external partnerships providing guidance (Linux, TODO, etc.).
  • Momentum increased as we matured our internal partnerships with Engineering, Legal, Security, and Audit Teams.
  • Explaining and demonstrating our risk management approach to leaders secured sponsorship and resources.

Organizing Into an Office

With strong leadership support, in 2015 we formalized oversight and governance through the creation of Capital One’s Open Source Office (OSO). With strong partnerships in Legal and Security, resources accountable for advising and overseeing open source activities were established within the OSO.

Through these partnerships, the OSO team manages the company’s open source contributions, including these three crucial pillars:

  • Manage direction — Policy, guidance, and education.
  • Manage connections — Internal and external, as well as partnerships with Legal, Security, and other stakeholders.
  • Manage technologies — Support open source processes and community needs.

As a horizontal function, OSO manages the direction and risk-based approach Capital One takes with open source. We collaborated to define a corporate level policy for Open Source Software and developed educational materials and videos to guide teams and individual developers on how to manage defined risks. On a daily basis, OSO team members, along with our partners in Legal and Security, work with engineers and data scientists to understand use cases and provide guidance on how to appropriately manage risk.

In addition to OSO managing internal connections with various teams in Capital One (Engineering, Legal, Trademarks, Security, Brand, Corporate Communications, Risk Management, Audit, etc.), we actively manage our relationships with external communities such as the Linux and Apache Foundations. We are also active members in the Open API Initiative, the Cloud Native Computing Foundation (CNCF), and the TODO Group. We are also actively interacting with members of our own open source project communities (e.g. Hygieia and Cloud Custodian).

Formalizing Guardrails Through a Corporate Policy and Standard

In 2016, the OSO defined a corporate level Open Source Software Policy and Open Source Software Standard based upon an example from the Linux Foundation. The policy addresses three use cases and calls out the requirements to manage risk when:

  1. Using open source software projects.
  2. Contributing to open source projects.
  3. Sponsoring open source projects.

The policy also formalizes accountabilities for the three main open source stakeholders at Capital One:

  1. The developer/engineering community.
  2. A new strategic partnership of leaders from diverse groups, called the Open Source Steering Committee.
  3. A tactical partnership between OSO, Legal, and Security within an Open Source Review Board.


As we developed this policy and formalized accountabilities, we established the tactical partnership between OSO, Legal, and Security as the OSRB. This tactical team works to guide open source activities with the development community. We also established a strategic leadership committee named the OSS Steering Committee, a group comprised of a dozen leaders who provide strategic direction for the development community.

Taking it to the Next Level

As we look ahead in our open source journey, we plan to focus on:

  • Continue to educate our growing technology organization.
  • Strike a balance between managing risks and minimizing development bottlenecks.
  • Further automate license and security scanning and integrate it into our build process.
  • Establish and grow a robust governance function.

Specifically, in 2018 we’re focusing on education, strengthening awareness in the development community, and establishing our role as an advisor.


Collaboration among the multiple stakeholders has been key to navigating our open source journey. Capital One is a technology driven company and we are unified across our organization on taking our open source activities to the next level in 2018.

At the end of the day, we strongly believe in the benefits of involvement in open source projects. By managing the associated risks through policies, standards, and cross-departmental collaboration, the OSO allows Capital One to fully leverage our involvement in this community.

Acknowledgments

Thank you to Nadine Hoffman and the Capital One OSPO for contributing this guide based on this original article.

This article originally appeared on GitHub as part of the TODO Group’s open source program case studies.

open source project

Matt Butcher provides tips for managing open source projects based on experience with Kubernetes Helm.

As open source technology has become more strategically important for organizations everywhere, many tech workers are choosing to or being asked to build out and oversee their own open source projects. From Google, to Netflix to Facebook, companies are also releasing their open source creations to the community. These efforts require more management than may seem apparent at first, and there is also a particular kind of “nice problem to have” that can arise. Specifically, a new open source project can suddenly take on a life of its own, growing far faster than ever imagined.

That nice problem to have was the subject of an Open Source Summit 2017 session presented by Matt Butcher, Principal Software Development Engineer at Microsoft. We covered some of his advice for open source projects in a previous post. And, here, we discuss specific project management issues Butcher has faced.

In his talk, Butcher cited examples from the Kubernetes Helm project, which grew to involve hundreds of contributors and thousands of active users in a span of 18 months.

Minefields and sparring matches

One thing Butcher and his collaborators on the Helm project learned is that managing governance and standards is an ongoing challenge. They also learned that code reviews can become “minefields of interaction,” where community members may have unexpected motives behind their messages. “I have been involved in situations where code reviews become a sparring match,” said Butcher.

“With Helm, we developed guidelines for them. They can develop in such a way that some people will just want to weigh in and show that they’re right. In some cases it’s very important to acknowledge contributions. We actually have an internal rule in our core maintainers guide that says, ‘Make sure that at least one comment that you leave on a code review, if you’re asking for changes, is a positive one.’ It sounds really juvenile, right? But it serves a specific purpose. It lets somebody know, ‘I acknowledge that you just made a gift of your time and your resources,’” he said.

Shifting perspective

Butcher also noted that team dynamics can change quickly as internal focus shifts to external focus. “At some point you’re going to release your project out into the wild, and then you’ll hit your stability marker, which might be, say, your version 1.0,” he said. “At that point your perspective changes and you say, ‘Hey, instead of huddling together to work on our team dynamics, we’re all going to face outward.’ That can be a touchy border to be on.”

In the case of Helm, team members reached out in unexpected ways during the early growth phase. “We did some crazy stuff when we were launching it,” Butcher said. “We actually had kind of an internal semi-formal policy that you would pair with people who came in and had big problems, which resulted in random people from the team joining meetings with people they’d never met and saying, ‘Hey, tell me about your problem and let me see if I can help.’ The whole point of this was to try and actively pull people into the community and get them engaged right away.”

Timelines are guidelines

Butcher stressed that project managers should “know what they’re building and be ruthless about sticking to it.” That means, in some cases, that timelines are guidelines. “You want to commit to timelines, because that’s respectful to the community,” he said. “On the flip side, you also are trying to keep your core contributors motivated. You don’t want them to feel undue pressure. In many cases the community understands that you are at the liberty of the contributors and sometimes something does come up. At times, we had to go back to the community and say, ‘We couldn’t do it because the Kubernetes team isn’t ready for us yet, so we’re going to have to wait a little while.’”

You can learn more about open source project management in The Linux Foundation’s growing collection of Open Source Guides for the Enterprise. These free online guides cover starting an open source project, improving your open source impact, participating in open source communities, and more.

Share your knowledge and expertise at Open Source Summit North America, happening August 29-31 in Vancouver BC. Proposals are being accepted through April 29th.

Open Source Summit

Submit your proposal to speak at OS Summit before the April 29th deadline.

Share your knowledge and expertise by speaking at Open Source Summit North America, August 29-31 in Vancouver BC. Proposals are being accepted through April 29th.

As the leading technical conference for professional open source, Open Source Summit gathers developers, sysadmins, DevOps professionals, architects and community members from across the globe for education and collaboration across the ecosystem.

As open source continues to evolve, so does the content that Open Source Summit covers, and we’re excited to announce new content areas that will be covered this year in addition to those that continue to be of critical importance to our attendees.

This year’s tracks/content will cover the following areas:

  • Cloud Native Apps/Serverless/Microservices
  • Infrastructure & Automation (Cloud / Cloud Native / DevOps)
  • Linux Systems
  • Artificial Intelligence & Data Analytics
  • Emerging Technologies & Wildcard (Networking, Edge, IoT, Hardware, Blockchain)
  • Community, Compliance, Governance, Culture, Open Source Program Management (in the Open Collaboration Conference tracks)
  • Diversity & Inclusion (in the Diversity Empowerment Summit)
  • Innovation at Apache/In Apache Projects (in the Apache Software Foundation track)
  • Cloud & Container Apprentice Linux Engineer Tutorials Track (geared towards attendees new to using Linux and open source based cloud & container technologies)

SUBMIT YOUR TALK >>

Our program chairs are ensuring that we increase content for our sysadmin, devops and software architecture audience this year as well, based on feedback received from 2017, so please submit talks geared towards any of these audience types, as well as community managers, program office management, and of course developers.

On that note, we are pleased to announce our 2018 Program Chairs, Track Chairs and Program Committee:

Program Co-Chairs:

  • Robyn Bergeron, Ansible Community Architect, Red Hat
  • Donnie Berkholtz, VP, IT Service Delivery, Carlson Wagonlit Travel
  • Greg Kroah-Hartman, Linux Kernel Developer
  • Bryan Liles, Staff Engineer, Heptio

Track Chairs:

  • Jono Bacon, Community Strategy Consultant, Author & Speaker (Open Collaboration Conference)
  • Rich Bowen, Vice President of Conferences, Apache Software Foundation (Innovation at Apache)
  • Nithya Ruff, Senior Director, Open Source Practice, Comcast (Diversity Empowerment Summit)
  • Behan Webster, Converse in Code (Apprentice Track)

Program Committee:

  • Laura Abbott, Fedora Kernel Engineer, Red Hat
  • Zaheda Bhorat, Head of Open Source Strategy, Amazon Web Services
  • James Bottomley, Distinguished Engineer, IBM
  • Joe Brockmeier, Senior Evangelist, Linux Containers, Red Hat
  • Jessie Frazelle, Software Engineer, Microsoft
  • Michelle Noorali, Software Engineer, Microsoft
  • Daniel Whitenack, Data Scientist, Lead Developer Advocate, Pachyderm

Register & Save

Not submitting, but planning to attend? Register now and save $300 with early bird pricing.

Interested in sponsoring?

Showcase your thought leadership among a vibrant open source community and connect with top influencers driving today’s technology purchasing decisions. Learn more »

The key to open source compliance is knowing what’s in your code, right down to the exact versions of the components, says Ibrahim Haddad.

Companies across all industries use, participate in, and contribute to open source projects, and open source compliance is an integral part of the use and development of any open source software. It’s particularly important to get compliance right when your company is considering a merger or acquisition. The key, according to Ibrahim Haddad, is knowing what’s in your code, right down to the exact versions of the open source components.

Ibrahim Haddad

Haddad often writes about compliance with the aim of simplifying what can be a complex and daunting process. Recently, Haddad, who is Vice President of R&D and Head of the Open Source Group at Samsung Research America, wrote Open Source Audits in Merger and Acquisition Transactions, a free ebook from The Linux Foundation. In the book, Haddad provides a practical guide to open source audits in merger and acquisition (M&A) transactions and offers tips for improving general open source compliance preparedness. We reached out to Haddad to understand more about the importance of compliance and audits in the open source world.

The Linux Foundation: A common perception is that using open source software means you do not have to worry about negotiating licenses, fees, and other complications associated with proprietary software. So, why should enterprises care about compliance?

Ibrahim Haddad: It is true that open source software has to a large extent simplified the process of software procurement. The traditional procurement model for proprietary software has always been heavy on the front end, as it involves trial and evaluation, negotiation related to possible customizations, licensing terms, fees, and several other factors. With open source, it is still true that you should evaluate the software, compare it to other possible alternatives, and evaluate if the license of that software is in line with how you plan to use it.

However, this is generally the extent of the initial effort. Once you ship a product, you then must demonstrate that you have respected the terms of the licenses attached to the open source components. That may mean providing a written offer, publishing all copyright, attribution and license notices, and/or making available source code including any modifications you have introduced. Obligations will vary based upon the terms of the open source license and how the code is used.

Companies must make open source compliance an engineering priority, as it is the best way to display their fulfillment of the license obligations. If a company is unable to demonstrate compliance and is unwilling to become compliant when challenged, the owners of the copyright on the open source software may decide to revoke the license.  The company could easily end up in a very difficult space where they may need to recall products and re-engineer around the code.

The Linux Foundation: In my opinion, there are two primary aspects of Open Source — consumption and contribution. What role does compliance play in these cases?

Haddad: I agree that the two primary aspects of open source are using and contributing. An enterprise can choose open source components and deploy them in their software stack. An enterprise can also decide that certain open source components are strategic to their products and contribute to these components, inject new dynamics in the projects, and steer them in a technical direction that is favorable to their products.

In the first case, compliance is a critical aspect of the “usage” model. A product or software stack that incorporates open source and is being made commercially available must demonstrate open source compliance. This is essential, and no enterprise should risk their profitability with incomplete compliance.

In my mind, contributing involves a different type of compliance than what is implied through the “usage” model. My recommendation and actual practice for code contribution is to follow an internal process that includes:

  1. Scan source code intended for contribution to identify its origin and license.
  2. Ensure you have the rights to contribute it under the project’s license.
  3. Get your company’s approval for that contribution – and in the case of a CLA, also get approval to sign the CLA on behalf of your company before making the contribution.

I will explain my logic for these three steps:

On 1: It is necessary to identify all the code planned for contribution, and any licenses upon it. This step will also help you identify any possible incompatibilities between the licenses of the contribution and the target project. If the code you plan to contribute and the target project have incompatible licenses, or if you discover the code was copied from somewhere else, then you will need to resolve the issue before your code submission.

On 2: This step ensures that you are not accidentally open sourcing third-party proprietary code. This can be a problem in big internal projects with legacy code.

On 3: In most companies, ongoing contributions require approval following whatever internal process has been set in place. That process should also address who can sign and submit a CLA as an individual contributor (employee of company X), or on behalf of all contributors from company X.

Following these steps, you will be able to significantly minimize legal or compliance risks resulting from using or contributing to open source projects.
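The first two steps above can be partly automated. The script below is an added illustration, not code from the interview, The Linux Foundation, or any tool named on this page: it walks an in-memory source tree, reads each file's SPDX-License-Identifier tag and copyright lines, and sorts files into buckets that map onto the checks Haddad describes (license compatible with the target project, license missing, copyright held by someone other than the contributing company). The sample file tree, the hypothetical company "Example Corp", and the inbound-license compatibility table are constructed for this example; the table is deliberately simplified and stands in for the determination a project's contribution policy and your counsel would make.

```python
"""Pre-contribution source audit (constructed example, not project code).

Buckets every file in a source tree by the three pre-contribution checks:
  incompatible - SPDX license not accepted by the target project
  unlicensed   - no SPDX-License-Identifier tag at all
  third_party  - a copyright holder other than the contributing company
Files that pass all three land in "ok".
"""
import re
from typing import Dict, List, Optional

# Only the first identifier of an SPDX expression is read; compound
# expressions such as "MIT OR Apache-2.0" would need a real SPDX parser.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
# Captures the holder after an optional "(c)" and an optional year range.
COPYRIGHT_RE = re.compile(
    r"Copyright\s+(?:\(c\)\s*)?(?:\d{4}(?:-\d{4})?\s+)?(.+)", re.IGNORECASE
)

# ASSUMPTION: simplified table of inbound licenses accepted by a project
# under the given outbound license. A real table comes from the target
# project's contribution policy and legal review, not from this script.
INBOUND_ALLOWED = {
    "Apache-2.0": {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause"},
    "GPL-2.0-only": {"GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only",
                     "MIT", "BSD-2-Clause", "BSD-3-Clause"},
}

# Constructed sample tree: path -> file contents. "Example Corp" is the
# hypothetical contributing company; the other holders are made up.
SAMPLE_TREE = {
    "src/main.c": "// SPDX-License-Identifier: Apache-2.0\n"
                  "// Copyright (c) 2018 Example Corp\nint main(void) { return 0; }\n",
    "src/util.c": "// SPDX-License-Identifier: MIT\n"
                  "// Copyright (c) 2017 Example Corp\nint util(void) { return 1; }\n",
    "src/crypto.c": "// SPDX-License-Identifier: GPL-3.0-only\n"
                    "// Copyright (c) 2016 Example Corp\nint enc(void) { return 2; }\n",
    "src/legacy/parse.c": "// Copyright (c) 2009 Third Party Ltd.\n"
                          "int parse(void) { return 3; }\n",
    "src/vendor/fast.c": "// SPDX-License-Identifier: BSD-3-Clause\n"
                         "// Copyright 2015 Other Vendor Inc\nint fast(void) { return 4; }\n",
}


def detect_license(text: str) -> Optional[str]:
    """Return the SPDX identifier declared in the file, or None if absent."""
    m = SPDX_RE.search(text)
    return m.group(1) if m else None


def detect_holders(text: str) -> List[str]:
    """Return every copyright holder named in the file, year and '(c)' stripped."""
    return [m.group(1).strip().rstrip(".") for m in COPYRIGHT_RE.finditer(text)]


def audit_tree(tree: Dict[str, str], target_license: str,
               company: str) -> Dict[str, List[str]]:
    """Classify each file against the target project's inbound license rules."""
    allowed = INBOUND_ALLOWED[target_license]
    report: Dict[str, List[str]] = {"ok": [], "incompatible": [],
                                    "unlicensed": [], "third_party": []}
    for path in sorted(tree):
        text = tree[path]
        clean = True
        lic = detect_license(text)
        if lic is None:
            report["unlicensed"].append(path)
            clean = False
        elif lic not in allowed:
            report["incompatible"].append(f"{path} ({lic})")
            clean = False
        # Any holder other than the contributing company needs a rights check
        # before the code can be offered under the project's license.
        foreign = [h for h in detect_holders(text) if h != company]
        if foreign:
            report["third_party"].append(f"{path} ({', '.join(foreign)})")
            clean = False
        if clean:
            report["ok"].append(path)
    return report


def ready_to_contribute(report: Dict[str, List[str]]) -> bool:
    """True only when no file needs resolution before submission."""
    return not (report["incompatible"] or report["unlicensed"] or report["third_party"])


if __name__ == "__main__":
    rep = audit_tree(SAMPLE_TREE, "Apache-2.0", "Example Corp")
    for bucket, files in rep.items():
        print(f"{bucket}: {files}")
    print("ready to contribute:", ready_to_contribute(rep))
```

Run against the constructed tree with Apache-2.0 as the target license, only `src/main.c` and `src/util.c` come out clean; `src/crypto.c` is flagged for an incompatible license, `src/legacy/parse.c` both for having no license tag and for a third-party copyright, and `src/vendor/fast.c` for a third-party copyright despite its permissive license. Each flagged file is exactly what the "On 1" and "On 2" paragraphs say must be resolved before submission; step 3, the internal approval, remains a human gate.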

The Linux Foundation: If you do serve external customers, but you are not shipping any code, then you are simply offering a service. Do you have to be compliant in that case also?

Haddad: I would like to highlight two use cases here. The first is using open source software in your company for internal purposes: IT, testing, evaluation, etc. In such cases, there are no compliance requirements because it is never distributed.

The second case involves offering online (or web) services to clients using software that incorporates open source software. In that specific case, some licenses such as the GNU Affero General Public License (AGPL) do require companies to comply with the license obligations, even if the software itself never changes hands.

Therefore, regardless of how you use the open source software, I am a strong believer in the value of going through a compliance process to identify open source code, applicable licenses and usage models. I believe that good compliance practices are also good engineering practices.

The Linux Foundation: What was the motivation behind writing Open Source Audits in M&A Transactions? Who is the main audience of the book?

Haddad: I mainly had three motivations for writing this book:

  • The first motivation was the lack of documentation around the open source audit process that must take place prior to a merger or an acquisition. If you search online for documentation on this topic, you will not find much outside of the advertisements from various compliance services providers.
  • The second motivation is saving time. I get many inquiries about this process and having such a document is great to share when I am asked about it. In addition, I thought that if I am able to produce a document that highlights the process and explains it, maybe this will encourage others to write about it and share their experiences and recommended practices.
  • The third motivation was related to innovation in the compliance space that was not getting the attention it deserves. For example, the “Blind Audit” model from FOSSID AB where your compliance service provider can complete the audit without having access to or even looking at the source code. This level of privacy and security is highly desirable.

The target audience of the book is anyone interested or involved in ensuring open source compliance. Although the ebook focuses on the specific process during an M&A transaction, it offers various recommendations on how to be compliant. These recommendations apply to any company that uses open source. Therefore, if you are an engineer, legal counsel, someone who works in software procurement, or anyone who is involved in open source in their organization, then you will get something out of reading the book.

The Linux Foundation: Compliance can be a challenge when you use a lot of open source projects with many license mixes. What practices would you suggest to companies to help them with their compliance efforts?

Haddad: I think we have come a long way in the open source compliance domain. Back in the early 2000s, open source compliance was really misunderstood, in large part because it was a developing domain. Today, open source compliance is well understood and most companies have a good enough understanding of the licenses and what needs to be done to stay in compliance. My view is that the top challenges are related to scale and building compliance into the software supply chain.

Of the two challenges I just mentioned, scale is the hardest, and it covers multiple dimensions. One is scaling at the project level, when you are dealing with hundreds of open source components and potentially thousands of open source snippets. The other dimension is scaling to address the complexities of a product with an arbitrary number of licenses involved. The way to deal with that is twofold: process and automation. In November 2016, The Linux Foundation published an ebook entirely dedicated to this topic: Open Source Compliance in the Enterprise. It offers a guide for how best to use open source code in products and services and participate in open source communities in a responsible way.

The second challenge is building trust in the software supply chain, and there are several initiatives that are geared for that purpose. The most prominent projects are OpenChain and SPDX, both hosted at The Linux Foundation. The SPDX initiative has created a standard method to communicate software components, licenses and copyright information associated with the software. In addition, the OpenChain project is offering a systematic approach for companies to build their compliance efforts and be in conformance with various levels of compliance. They are also offering a training curriculum that companies can adopt and customize for their internal use.

For organizations that rely heavily on open source for their products/software stacks, it is essential for them to participate in these efforts. When you look at the errors that lead to non-compliance, we’ve noticed that large companies have significantly improved their internal compliance practices. However, many compliance issues are still being propagated via the software supply chain, from upstream suppliers whose compliance practices are not as rigorous. The final product integrator is responsible for compliance obligations even if they did not create the code they distribute, so this is a relevant issue throughout the entire supply chain. Both SPDX and OpenChain help minimize the compliance gap and ensure proper compliance when software changes hands.

The Linux Foundation: What would be your top recommendations for companies who are major consumers of open source software but are not well versed in ensuring compliance?

Haddad: I have one recommendation: know what is in your code, right down to the exact versions of the open source components. This statement sounds simple but it involves setting up a compliance policy and process, investing in tooling and automation, training employees, and assigning someone (or a small team) to oversee the overall effort.

Also remember that open source compliance is an ongoing process, not a destination. Maintaining good compliance practices enables companies to be prepared for a possible acquisition, sale, or product or service release. For this reason, companies are highly encouraged to invest in building and improving upon their open source compliance programs.

There are also many resources available, so please check them out:

  • Open Source Compliance in the Enterprise is a practical guide for enterprises on how to best use open source in products and services in a legal and responsible way.
  • Practical GPL Compliance is a guide for startups, small businesses, and engineers, particularly focused on complying with the versions of the GNU General Public License (GPL).
  • OpenChain Curriculum is designed to help organizations meet the training and process requirements of the OpenChain Specification. It can also be used for general open source training.
  • The Linux Foundation offers a free open source compliance course for developers.