As usual, this event started with a number of keynotes in the morning. Eric Besson was, I must say, boring, just reading a paper, visibly without any idea of what all that was about Too bad he is the ministery in charge. When will France really take seriously IT and FLOSS in IT in particular !! When everybody is talking about debt reduction, FLOSS is such an opbvious way to contribute, that I’m still puzzled no political voluntarism is in place.
On the contrary, the region and the city showed more willingness to promote FLOSS and to report around their practice. Jean-Paul Planchou, and more over Jean-Louis Missika clearly articulated why FLOSS is so beneficial to the public sector, and why using FLOSS and Open Data is a no-brainer for a public policy, and thus why they will increase its adoption in the future.
Louis Montagne and Jean-Pierre Laisné then opened officially the OWF 2011. We then had a short presentation from Systematic, and jumped to the adoption of Open Data in UK by Nigel Shadbolt, which mentioned clearly that even if a governement doesn’t know what to do of some public data, a lot of citizens do know ! And develop tools to analyze them. This is not just about IT, but really about citizenship and politics in the original sense of the greek work polis !
Werner Knoblich, VP EMEA of Red Hat, then presented the Cloud offering at Red Hat and how its products were to the cloud, what RHEL is to a Linux distribution, or what RHEV is to KVM+libvirt… Stéphane Fermigier interrupted him during his keynote to mention that the Red Hat offering was not Open Source because he had been unable to download the software. Werner insisted on the fact it was as Open Source as the rest of what Red Hat delivers (as soon as it can) and that both CloudForms and DeltaAPI as soon they’ll be out of beta will be available largely for download.
Was then time to chose a session, and I picked up the “Open Source for industrial users” lead by Gaël Blondelle as I tried to contribute to its setup, and I’m interested by the topic, and the fact that some Governances talks were planned during it.
Here are the notes taken during these talks, and some personal comments.
- FLOSS is attractive
- Some risks involved (IP, disappearance of projects, security, licenses, …) and addressed by the Governance approach.
- Need to audit. The key is a proper process. But without tools, they won’t be respected.
- Mentioned various tools (Antelink, Blackduck, FOSSology, OpenLogic, Palamida, Protecode) – Indicated that most are commercial except FOSSology.
- P.A.H. introduced Drakkr: methodology and tooling for the Governance, to address the various risks (IP, security, tracking). All this is FLOSS as well. It contains:
- OpenSource Cartouche (alternative to SPDX). More easy to use, and more community oriented, rather than legal. License Cartouche. rights and obligations linked to FLOSS
- QSOS is another part. Spider charts available to compare FLOSS components. Competitors openBRR, OSMM, Quallos seem at their end.
- StratOS: maturity and Strategic analysis of a FLOSS. Based on QSOS.
- eCos: financial indicators around FLOSS ROI, costs analysis, comparison with proprietay. Other tool is WIBE
- Also mentioned NVD for security flaws analysis
- P.A.H Insisted on the fact that tooling (whatever) has to be used to support the process and the governance.
I already mentioned Open Cartouche previously, and I find that whole work of creating a coherent tool set around FLOSS Governance interesting and promising. Probably needs more adoption outside of France.
How to help development team manage FOSS during the whole industrial process by Guillaume Rousseau, Antelink (http://www.antelink.com)
- How to develop best tools for dev teams.
- Antelink helps you keep control of your SW integration and supply chain. Spinoff of Inria. Inria a major customer (10000 users around the forge).
- Guillaume mentioned the challenge of dealing with on-shore/off-shore dev teams, contractors and FLOSS.
- Dev is generally made of internal code, 3rd party FLOSS & commercial and Outsourced dev.
- Adressing licensing issues asap is key to reduce costs. So needs to be done at the software factory level.
- Also management of updates and security is key as well (especially 3rd party components).
- Dev team and lawyers should talk to each other. You have to provide the right tools for dev teams.
- Antelink is Part of OW2 SQUAT (SW Quality Assurance and Trustworhtiness).
- Part of the Linux Foundation Open Compliance program working on SPDX.
- Provides a large FLOSS DB (~1M projects, yes 1.000.000, twice as much as BlackDuck !!). Around the database, they developed a tool suite: Antepedia Notifier, Search and Reporter.
- Antepedia Notifier plugged around VCS to detect introduction of FLOSS components and act accordingly
- Antepedia Reporter does on demand analysus and produces reports
- Antepedia Search allows you to upload components and check their content.
Antelink is clearly to be followed closely, with regards to their ability to store the largest base of code and provide information out of it.
- BlackDuck has 75% of the market.
- FLOSS is ubiquitous (85% of enterprises uses it) => management complex.
- Took Mobile market as an example of growth. Impact of Android (taking the lead in less than 2 years) also on competitors. Complexity of building a complete Smartphone.
- It’s not easy to manage FLOSS. Need policy (succint, flexible), process and automation (management with spreadsheet doesn’t work anymore).
- Process is: Acquire, Approve, Catalog, Validate and Monitor.
- FLOSS ecosysem is too abundant, spread across multiple repos (own ecosystem), thousands of projects (own governance), however more demand for FLOSS developers time than what is available.
- Transparency, collaboration, meritocracy and OSI licensing are the keys for communities to innovate.
- Example of innovation:
- Danish government with its portal.
- AOL is revamping itself fully based on FLOSS.
- US Veterans health system open sourced (5 BUSD allocated to it, they pay 0,5 BUSD just for support)
- New areas: Open Source Ecology, Open Prothetics, Oilgae (algue eating oil), Open Cola, Tropical Disease
Even if Andrew (who is leading the Open Source Think Tank) has lots of connections in the FLSOS ecosystem, and generally interesting talks, this time I didn’t find the presentation much interesting. Too generic, not entering in any level of detail, probably too BlackDuck oriented (original speaker planned was Tim Yeates) and not speaking enough about FLOSS projects. A deception.
As an introduction, Didier introduced himself as leading a worldwide team of 12 persons working in Legal at HP around FLOSS. Dider then covered the following topics:
- At HP compliance is not an option, it’s mandatory. Working with the HP open Source Review Board (OSRB).
- IP infringement (Contract break) can be in some countries a criminal offense.
- We could break HP’s reputation if we are not compliant with FLOSS license.
- We’re seeing new license models coming up, creating compatibility issues.
- This is also impacting all the digital information world (data, knowledge, …)
- All that will keep lawyers busy (good for him of course :-).
- HP puts requirements on suppiers around FLOSS compliance (our telco provider e.g.) which may not completely control the production chain.
- Risk is not too much with our employees (trained), but with acquisitions (Autonomy e.g. atm) and procurement and the supply chain (thus the requirements on suppliers). Hard to scan fully. So need other way to manage the situation. So HP created a risk rate and identified high risk activities. Didier gave some concrete examples:
- Usage risks:
- Internal use is low risk
- OEM-in/out is high risk
- Reselling high revenue/volume product is high risk
- Redistribution via channel partners is medium risk (depends on partner education)
- Incorporation of critical FLOSS elements into flagship product is high risk
- Company with single product (WebOS e.g. for Palm) is critical for them so non-compliance is high risk
- Distribution with no-access to elements afterwards (e.g. to Army/NATO) is high risk
- Licenses non compliance risk:
- BSD/MIT and Apache are low risk
- GPLv2 and 3 is higher risk
- MPL is also higher risk
- New FLOSS license are more risky
- Items without licenses are very risky
- Suppliers compliance:
- SW from FLOSS project is low risk
- SW from entity with strong FLOSS culture is low risk
- SW from entity with strong corporate partnership is low risk
- SW from entity with new or weak culture is high risk
- SW from entity with start-up is high risk
- Didier from that creates a 3 axes matrix to evaluate the global risk. Example huge difference between internal use of a BSD component vs high volume mixed of licenses SW.
- Representation (termination of the contract): good but does not address reputational risk
- Warranties (damages): better but insufficient to compensate for reputational risk
- Commitments: best proactive measures:
e.g. list of FLOSS components in each package. Or easier Identify fully FLOSS components, licenses. Or even more easier again create a critical (black) list of licenses for you or ask for scanning (FOSSology – probably not easy, problem of confidentiality) or ask for external scan report or SPDX certification in the future.
- Creating local agreements with partners around Governance.
Risk mitigation. Legeal protection is:
In my opinion (not neutral of course as I’m another HP employee), it was the most interesting talk of the morning. I never had met with Didier before, just had him on the phone, and I was very impressed by his clear and didactic presentation, with the large set of examples he was giving live, and even if I’m aware of it, by the quality of the FLOSS Governance model in place at HP. Definitely worth sharing, and I’m convinced lots of entities could benefit from our views more.
It was then time to take a lunch box and start the set of afternoon sessions !