Tools for developers to ensure legal integrity of their code

Freddy Munoz, PhD, Product Manager, Antelink. freddy.munoz@antelink.com, @drfmunoz
Bruno Cornec, Open Source & Linux Profession Lead EMEA, HPIntelCo. Bruno.Cornec@hp.com
The context
The problem
In your product: the build pipeline (Build Engineer) runs compile, test, analysis, integration test, package -> Product / Final product. Are you sure that you know everything? ???

In your BoM: license? version? project? Are you sure that you are license compliant? ???
Available compliance tools (non-exhaustive list)

Antepedia tools shown in the source-code column: Antepedia Notifier.
Antepedia tools shown in the binary-package column: Antepedia Reporter, Antepedia Notifier.

Source http://www.linuxfoundation.org/programs/legal/compliance/tools
Antepedia Tool Suite
Antepedia Tool Suite

Antepedia Knowledge Base: 940 000 projects, 210 000 000 files
Public API

Antepedia Notifier*   Antepedia Reporter*   Antepedia Search**

** free public access
* free for non-profit projects and organizations
Antepedia Search

Single file -> Cloud service -> Web-browser report
Original project
License information
Release date and location
Antepedia Reporter
my.antepedia.com: Antepedia, the world's largest knowledge base of open source projects

Analysis -> Antepedia Reporter -> Export: 1. HTML file, 2. CSV file

Automated On-demand Detection of Open Source Components
Antepedia Notifier
my.antepedia.com: Antepedia, the world's largest database of open source projects

Continuous detection -> Antepedia Notifier -> Notification: 1. by mail, 2. through Atlassian JIRA

Automated Continuous Detection of Open Source Components
FOSSology - Goal
FOSS-ology: The study of FOSS

The goal of the FOSSology project is to create tools and a framework to reduce fear, uncertainty, and doubt in the use, development, and distribution of open source software.
FOSSology is a static analysis framework to learn what we can by scanning FOSS itself: analyze the code, save the results in a database, report results through a Web (or scripted) interface.
A Simple FOSSology Process Flow

o Scan every single file in a package (or distro, or …)
o Fuzzy match against a library of > 400 known licenses.
o Examine the non-matching portions looking for text that could be an unknown license.
o Nomos, the now GPLed license analysis tool, is the result of 10+ years of scanning @HP
File upload screenshot
Queue management screenshot
License analysis screenshot
Meta data analysis screenshot
Bucket browser screenshot
Architecture
Web Resources
FOSSology main site: http://www.fossology.org
Mailing Lists, contacts: http://fossology.org/contact_us
Plume details: http://www.projet-plume.org/fiche/fossology
Project-Builder: http://trac.project-builder.org
Open Source at HP: http://opensource.hp.com
ProLiant & Linux: http://www.hp.com/go/proliantlinux
FOSSology users: HP, ALU, Siemens, INRIA, OW2
The evolution of FLOSS and the Internet are tightly coupled
SPDX: Handling Heterogeneous Licenses
Inconsistent License Information (1/2)
http://sourceforge.net/projects/jwebmail/
http://jwebmail.sourceforge.net/about.html
http://jwebmail.sourceforge.net/news.html
Inconsistent License Information (2/2)
Source http://sourceforge.net/projects/winpenpack/
Source http://www.winpenpack.com/en/page.php?5
SPDX: Standardization

SPDX - A standard format for communicating the components, licenses and copyrights associated with a software package.
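As an added example (not code from FOSSology, Antepedia or the SPDX project), the following script ties the two technical slides together: it walks a package the way the "Simple FOSSology Process Flow" describes (scan every file, fuzzy-match each against a library of known license texts, then inspect what did not match for wording that could be an unknown license) and writes the result out as a minimal SPDX tag:value document, the format the SPDX slide describes. The three-entry license library, the file contents, the package name and the document namespace are constructed for illustration; a real library such as Nomos's holds hundreds of texts, and the output covers only a subset of the SPDX 2.2 fields.

```python
"""Toy license scanner: fuzzy-match files against known licenses, flag
license-like text that matched nothing, and emit SPDX tag:value output.
Added example; the license library and sample package are constructed."""
import difflib
import hashlib
import re

# Constructed mini library keyed by SPDX short identifier (real libraries
# hold hundreds of full license texts; these are opening sentences only).
KNOWN_LICENSES = {
    "MIT": "Permission is hereby granted, free of charge, to any person obtaining "
           "a copy of this software and associated documentation files, to deal "
           "in the Software without restriction",
    "Apache-2.0": "Licensed under the Apache License, Version 2.0; you may not use "
                  "this file except in compliance with the License",
    "GPL-2.0-only": "This program is free software; you can redistribute it and/or "
                    "modify it under the terms of the GNU General Public License as "
                    "published by the Free Software Foundation; version 2",
}
# Wording that suggests a license even when no known text matches.
LICENSE_HINT = re.compile(r"licen[cs]e|copyright|redistribut|warranty", re.I)
COPYRIGHT_LINE = re.compile(r"copyright\s*(?:\(c\)|©)?\s*\d{4}[^\n]*", re.I)


def normalize(text):
    """Lower-case, drop punctuation and comment markers, split into words."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).split()


def fuzzy_match(text, threshold=0.8):
    """Slide a window the size of each known license over the file's words.
    Returns (spdx_id, best_ratio); spdx_id is None below the threshold."""
    words = normalize(text)
    best_id, best = None, 0.0
    for spdx_id, marker in KNOWN_LICENSES.items():
        mwords = normalize(marker)
        size = min(len(mwords), len(words))  # short file: compare the whole file
        for start in range(0, len(words) - size + 1):
            ratio = difflib.SequenceMatcher(None, mwords, words[start:start + size]).ratio()
            if ratio > best:
                best_id, best = spdx_id, ratio
    return (best_id if best >= threshold else None), best


def scan_package(files):
    """Scan every file of a package (dict path -> contents), FOSSology-style."""
    results = []
    for n, (path, text) in enumerate(sorted(files.items())):
        spdx_id, score = fuzzy_match(text)
        extracted = None
        if spdx_id is None:
            # Nothing known matched: keep license-like lines for a human to review.
            hints = [l.strip() for l in text.splitlines() if LICENSE_HINT.search(l)]
            if hints:
                spdx_id, extracted = f"LicenseRef-unknown-{n}", "\n".join(hints)
            else:
                spdx_id = "NOASSERTION"
        m = COPYRIGHT_LINE.search(text)
        results.append({"path": path, "license": spdx_id, "score": round(score, 3),
                        "copyright": m.group(0).strip() if m else "NONE",
                        "extracted": extracted,
                        "sha1": hashlib.sha1(text.encode()).hexdigest()})
    return results


def to_spdx(package, results):
    """Render scan results as a minimal SPDX 2.2 tag:value document."""
    out = ["SPDXVersion: SPDX-2.2", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {package}",
           f"DocumentNamespace: http://example.invalid/spdx/{package}",  # constructed
           "Creator: Tool: toy-license-scanner", "",
           f"PackageName: {package}", "SPDXID: SPDXRef-Package",
           "PackageDownloadLocation: NOASSERTION", "FilesAnalyzed: true",
           "PackageLicenseConcluded: NOASSERTION", "PackageLicenseDeclared: NOASSERTION"]
    out += [f"PackageLicenseInfoFromFiles: {lic}"
            for lic in sorted({r["license"] for r in results})] + [""]
    for n, r in enumerate(results):
        out += [f"FileName: ./{r['path']}", f"SPDXID: SPDXRef-File-{n}",
                f"FileChecksum: SHA1: {r['sha1']}",
                f"LicenseConcluded: {r['license']}", f"LicenseInfoInFile: {r['license']}",
                f"FileCopyrightText: <text>{r['copyright']}</text>", ""]
    for r in results:  # every LicenseRef used must be defined in the document
        if r["extracted"]:
            out += [f"LicenseID: {r['license']}",
                    f"ExtractedText: <text>{r['extracted']}</text>", ""]
    return "\n".join(out)


# Constructed package contents (path -> text) standing in for a source tree.
SAMPLE_PACKAGE = {
    "src/main.py": (
        "# Copyright (c) 2012 Example Corp\n"
        "# Permission is hereby granted, free of charge, to any person obtaining a copy\n"
        '# of this software and associated documentation files (the "Software"), to deal\n'
        "# in the Software without restriction, including without limitation the rights\n"
        "def main():\n    print('hello')\n"),
    "src/util.py": (
        '# Licensed under the Apache License, Version 2.0 (the "License");\n'
        "# you may not use this file except in compliance with the License.\n"
        "def util():\n    return 1\n"),
    "tests/test_add.py": "def add(a, b):\n    return a + b\n",
    "vendor/blob.c": (
        "/* Copyright 2013 Closed Vendor Ltd. All rights reserved.\n"
        " * This code is proprietary; redistribution is prohibited without\n"
        " * written permission from the copyright holder. */\n"
        "int blob(void) { return 42; }\n"),
}

if __name__ == "__main__":
    print(to_spdx("example-package", scan_package(SAMPLE_PACKAGE)))
```

Running it prints one SPDX file entry per scanned path: the MIT and Apache headers are recognised despite the comment markers and the inserted "(the "License")" wording, the test file gets NOASSERTION, and the vendor blob, which matches no known text but talks about copyright and redistribution, is given a LicenseRef together with an ExtractedText block so that a reviewer sees exactly which lines need a decision. The window-based ratio is what keeps unrelated code from diluting the score; matching the whole file at once would push genuine headers below the threshold.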
???