Posts Tagged ‘FOSSology’

IT governance: it is time to integrate Open Source into it

2014/01/24

As part of my activities for the HP France Technologists Council, I wrote an article for the IT experts webzine on integrating Open Source into IT governance, available at http://www.it-expertise.com/gouvernance-informatique-il-faut-integrer-lopen-source/. Many thanks to Aurélie Magniez for helping me get it published.

Below is a slightly modified version that takes feedback into account and restores some phrasings I care about, although they are less journalistically correct, as well as some links (judged too numerous by the webzine, but I insist on citing my sources, and Tim Berners-Lee did not invent them for us not to use them, did he? :-))

Enjoy the read!

Today in 2013, all entities, public and private, in France as everywhere in the world, make massive use of Free, Libre and Open Source Software (abbreviated as FLOSS (1)). A few examples of this state of affairs are provided by the Linux Foundation, such as the 600,000 smart TVs running Linux sold daily or the 1.3 million Android phones activated each day. The latest report from top500.org, which presents the world's supercomputers, indicates Linux usage at 96.4%. Companies that today have a daily impact on our digital environment, such as Facebook or Twitter, have not only built their infrastructure on a wide variety of FLOSS, but have also published large amounts of code and complete projects under free licenses. This also applies to more traditional players in the IT world such as HP or IBM.

This may seem normal, since we are in the digital world here, but the phenomenon affects all sectors, as shown by a recent INSEE study, which reports that 43% of French companies with at least 10 people use FLOSS office suites, or that 15% of construction companies use a FLOSS operating system, for example. This wide adoption is corroborated by the growth of the FLOSS sector in France, as reported by the CNLL, representing in 2013 2.5 billion euros and 30,000 jobs.

Finally, the public sector is not left behind, with the publication in September 2012 of the Prime Minister's circular, which acknowledges the administration's long-standing practice of FLOSS and encourages it, at all levels, towards a “good use of free software”, which can be seen in some ministries such as the Ministry of the Interior or of the Economy. The Ministry of National Education has thus deployed 23,000 EOLE servers running Linux and uses numerous FLOSS projects for the multi-function management (network, security, sharing) of schools.

Departments involved in FLOSS governance

In this context of widespread use, certain questions arise about the specific governance to put in place, or the adaptation of the existing one, in order to increase the use and distribution of FLOSS and contribution to it, for both suppliers and users of these technologies. Indeed, FLOSS has specificities, both technical and organizational (relationship to the community, development methodology, license used), that affect how it is managed within an entity. Open Source Governance must therefore, today, be an integral part of IT Governance.

Contrary to what a quick analysis might suggest, the IT department is not the only one concerned by the use of FLOSS. It affects the whole entity, and the governance model must therefore be adapted accordingly. Indeed, the purchasing department is often bypassed by the use of software components that are downloaded rather than bought following the procedures it puts in place; the human resources department has no employment contracts ruling on employees' contributions to FLOSS projects (not to mention interns or co-contractors); the legal department must learn to distinguish the Apache license from the GPLv2, or v3; the intellectual property department must consider whether a given modification made to a FLOSS project can or must be given back to the project, and in what context; and even the CEO must assess, when the company is split into different legal entities, the impact on the redistribution of software that takes place on that occasion and on compliance with the licenses used. These are only a few examples of the questions entities must answer as part of an IT Governance that integrates FLOSS.

This is not an idle debate: there have now been too many examples, going as far as trial, of issues of non-compliance with FLOSS licenses for companies and public services to ignore the problem. The consequences, both financial and for their brand image, can be very significant and cause damage far more serious than what achieving compliance represents (which most often consists merely of publishing the modified source code).

The point here is not to list elements that would tend to restrict the use of FLOSS within an entity. On the contrary, the benefits of using it are too obvious today; the cost reduction brought by pooling and the technological gains of having such versatile and proven software bases simply need to be accompanied by the management measures required to obtain all the announced benefits. Risk analysis is part of the daily choices made within an entity and, just as for a quality approach, the impetus must come from the top of the entity's hierarchy. The latter must support the creation of the bodies needed to establish FLOSS governance, giving them the required power and interaction with the entity's various departments.

Components of FLOSS governance

First of all, understanding of the free software ecosystem must be developed within the entity so that its specificities are grasped.

The first of these is the license governing FLOSS. As with any use of software or of a service, a user finds their rights and duties described in this document. These differ depending on whether the license is permissive (Apache v2 type, for example), which allows use (including for non-FLOSS developments) and redistribution with few constraints (legal notices and attribution, for example). It thus allows companies to sell proprietary versions of Android, distributed under the Apache v2 License, embedded in their mobile phones. This is what allows this license to be considered “free”. In contrast, we can also give the example of copyleft licenses (GPL v2 type, for example), which allow use as long as the distributed software is accompanied by the (possibly modified) sources used to build it. It allows projects such as the Linux kernel to be developed by thousands of developers while always remaining accessible in all its variants through the availability of its source code, owing to this constraint. This is what allows this license to be considered “free”. The freedoms are simply seen here from the point of view of the project (which remains free ad vitam aeternam) rather than from that of the user, as in the other case. This is why all these licenses are considered Open Source by the OSI.

An entity must therefore choose the FLOSS building blocks it wishes to use according to the intended use, in order to respect the rights and duties of use codified in the licenses (no more and no less than with a non-FLOSS offering), knowing that, in most cases, the event that triggers the application of the license is the distribution of the software. Thus a company can perfectly well use software under the GPL v2 license, make modifications to it and not publish them, as long as use remains internal to its legal structure (a frequent case when software is used within an IT department). On the other hand, if it incorporates it into a product it sells, it will simply have to comply with the license and provide, alongside the product, access to the said sources.

This is ultimately not that complicated, given the enormous gains the company can derive from a proven software component that it has neither to develop nor to maintain. In all cases, it is important that its legal department understands the rights and duties of the licenses used in order to provide the required advice, as when signing contracts with any supplier.

As we can see, training the legal department is the foundation for putting any governance in place. In addition, contact between this legal department and the development teams must be organized within the entity. Not only so that they get to know each other, but also so that they discuss their mutual needs and understand how each seeks to protect the entity it works for. The former do so with regard to compliance with the rules of law, which includes explaining free licenses to developers; the latter with regard to the way the development teams use their specific technical components.

Personally, as an engineer by training, I have found it very beneficial to talk with various lawyers specializing in free licenses, to better understand their desire to protect the company they work for and how they had to do so in this context. And conversely, I know that the technical information and sometimes complex examples of aggregates of software components help them in return to better take into account the special cases that may arise. Communication on this subject must go beyond the entity's traditional structures and work like a community.

Moreover, the second specificity of free software is that it is developed by a community of people sharing an interest in that software. Communities come in all sizes (from a single developer doing everything, up to several hundred people, as in large foundations such as Apache or OpenStack). Studying a community before using the free component it produces is a good practice for obtaining information on its vitality, its organization and its roadmap, in addition to the purely technical characteristics of the component. Some sites such as Ohloh can help form an opinion in this area, for the projects they track. It may likewise be relevant at that point to consider how to contribute back. This can consist of fixes, code bringing new features, documentation, translations, community management, the purchase of intellectual services from professionals working on the component, or financial support for organizing an event that brings the community together physically. Some companies, such as the Compagnie Nationale des Commissaires aux Comptes, report on their contributions back to a project such as LibreOffice.

As before, each of these aspects can be studied in the Open Source part of IT Governance. Note that intellectual property management must be considered very carefully for contributions in the form of code, in connection with the license used. But this aspect can also affect the employment contracts of employees, co-contractors and interns, in order to determine under which conditions their contributions are authorized.

Once again, the aim is to encourage entities using free software not to be content with being mere users of FLOSS, but to be actors in the ecosystem and to contribute in turn to improving it by joining the communities. The current dynamism around FLOSS is due to the very active support of many users. To cite just one example, look at the synergy created around the GENIVI project by its 120+ members, including many companies outside the IT sector.

Finally, the last specificity of free software is the development methodology used by the community. Although all communities are attached to access to the code, methodologies vary enormously from one project to another, depending on its size, its governance style, the tools used and its history. But it is important for an entity wishing to interact with a community to understand its culture. While the Linux kernel has a methodology organized around a “benevolent dictator” (Linus Torvalds), who makes the final decisions, and his appointed lieutenants, whom he fully trusts to make the decisions concerning a development branch, other projects such as OpenStack seek to adopt the most “meridemocratic” mode, with the technical representatives of the project's branches elected by the developers, and the representatives on the board of directors elected by all the members of the foundation, whatever their roles. OpenStack's continuous integration process involves precise steps to add a patch, for example. The patch must first apply to the current tree without error, then receive two positive votes, and then pass the full set of planned automated tests. And this applies equally to the technical representatives of the project's branches, who propose hundreds of patches per year, and to the occasional contributor making a minor documentation change. By contrast, anyone wishing to submit a change to the Linux kernel will have to go through mailing lists where exchanges can sometimes be heated, and adapt to the potentially differing wishes of the branch maintainers.

FLOSS governance best practices

Faced with all these aspects of this teeming world, a few simple best practices can help companies make the right choices and ensure optimal use of FLOSS, getting the most out of it without putting their good reputation at risk through actions frowned upon by the communities.

A first best practice can be to create an Open Source committee. For a large group, for example, it may be useful for general management to appoint representatives of the various departments (purchasing, human resources, IT, engineering, legal, intellectual property) to define the policy to put in place. This committee will have to meet regularly, both during the phase of defining the Open Source part of IT Governance and later to revise it based on user feedback and the evolution of projects. It must also have the resources that match its missions. To help them in this activity, a Syntec Numérique working group has developed template contracts for their suppliers, asking them to specify, with their software delivery, the exhaustive inventory of the licenses used. A presentation on contracts given within this group is also worth consulting. FSF France also offers template employment contract amendments for employees contributing to free projects, and AFUL offers economic and funding models for FLOSS projects or communities. It will then be easy to give broader missions and powers to this group of people as the use of FLOSS increases. For an SME, a FLOSS correspondent will probably be enough (just as there can be a security or CNIL correspondent), a task that can even be outsourced to companies specialized in the field.

Once the committee/correspondent has been appointed and the FLOSS policy established, training cycles must be planned. On the one hand for the legal department, in case it lacks skills in the specific field of free licenses. The company Alterway, for example, offers training given by a lawyer for lawyers. On the other hand, internally, for all staff, to explain this new FLOSS policy.

In parallel, it is important to have a precise view of the current use of FLOSS within one's entity, in particular to check that this use complies with the licenses under which the software is used. Non-compliance is more often due to ignorance than to a real intent to violate the licenses. This task may seem tedious at first, but in my view it is fundamental for protecting oneself, especially if your business leads you to redistribute software to your customers. Fortunately, tools exist to automate this inventory work and make it easier to analyze the licenses used. The first one to recommend is free: FOSSology was developed by HP for its internal use, then released as free software in 2007 under the GPLv2 license. It collects in a database all the metadata associated with the analyzed software (it can process entire Linux distributions without any problem) and allows analysis, from a web interface, of the licenses actually found in the code. Many entities besides HP, such as Alcatel-Lucent, INRIA or OW2, use it, some of them coupled with their development forges. But its free availability and ease of deployment mean it is not reserved for large groups, and it should be used systematically as a natural complement to a source code manager or to continuous integration tooling. In addition, non-FLOSS tools can also help with this inventory work by giving access to pre-established databases of known and already inventoried components, and they provide many other functions. The French company Antelink, a spin-off of INRIA, has developed great expertise in this field and has coupled its tooling with FOSSology. Other players such as Blackduck and Palamida also have complementary tooling to consider.

Later on, a way of declaring FLOSS usage can also be put in place or, if requests are numerous and regular, a specific review committee can be created to evaluate and approve them.

Finally, some reference documents such as the Syntec Numérique Open Source Guide, the fundamentals of free software governance, the vision of large companies on Open Source governance and maturity, and the reference site FOSSBazaar allow a deeper study of the topics raised here and give additional best practices for implementing Open Source governance.

And for those who would like support in this process, companies such as Smile, Alterway, Linagora, Atos, Inno3 or HP offer services to help implement Open Source governance. But whether you do it alone or with support, it is time, and I hope this article has given you some keys to integrating Open Source into your IT Governance policy.

(1): Throughout this document, the term FLOSS is used as a generic term covering the notions of “logiciel libre”, “Free Software” and “Open Source” alike, while acknowledging that nuances exist.

Finally time to publish pb 0.12.2

2013/03/01

As you can see from the few messages I had time to post on this blog, the end of 2012 and start of 2013 have been pretty busy, and I’m late in delivering the 2 projects I’m leading. So this week, I decided it was time to make a 0.12.2 version of pb, and make it available. I was asked by my colleagues at FOSSology, especially to add Fedora 18 support, so I also built my VMs to make packages on this distro.

BTW, a bit of ranting about Fedora once more: no perl by default :-(, and no ifconfig nor route command either, which is breaking MondoRescue of course, and I guess tons of other software around. These guys don’t care about the past, but don’t provide compatibility tools either!! So I’ll have to make new patches, just to do the same as what was done, but with another command again. Not to speak of systemd, which I still have issues to deal with :-( That doesn’t make stuff go faster!

Anyway, the version is now out, no official bugs fixed, but a lot of small stuff here and there which was deserving a release. No time to test Fedora 17/18 VE yet, so you’ll have to do that yourself if you want. I also had a look at virsh usage in combination with pb, and it’s again not as easy as it could seem to be. Especially port redirection, which I’m easily using by launching qemu-kvm manually with the -redir or hostfwd option, doesn’t seem to be possible with the user mode network through virsh (neither manager nor CLI). Will have to post on their ML to see how they do that, if they can!

And MondoRescue has been very late. I really need to publish a version, but I still have some blocking bugs I really would like to get rid of: CTRL+ALT+DEL not working anymore during restore, some LVM issues on RHEL, some grub issues on SLES… Hopefully at the end of next week I’ll have made progress.

Of course patches are much easier to integrate, but I receive more bug reports than them ;-)

And also back to preparing the HP internal TES event, Solutions Linux confs, submitting to LinuxCon, working on a FLOSS ITIL stack, learning more OpenStack, looking at Intel’s TXT… so many things I’d like to do or learn and will never have time to! Maybe at least I’ll talk about that another time.

FLOSS governance news

2012/08/31

While at LinuxCon in San Diego, the SPDX working group of the Linux Foundation announced version 1.1 of its specification. Quite an achievement, and probably the start of its real adoption by Open Source projects … providing enough tools to support it, and help projects in their identification tasks. I hope lots of large FLOSS consumers (HP included) will start contributing SPDX descriptions to upstream projects, helping them adopt it as it brings value on both sides.

And one way to help will probably be the support of this 1.1 SPDX spec by FOSSology in the future. For now the news around the tool is that a public instance is available, hosted by the University of Nebraska. This is good news for Open Source projects that will be able to assess their licenses easily with it, without having the hassle of installing and maintaining their own! Hopefully, more forges (as OW2 has done) will also provide that service to the projects they’re incubating.

Just be aware that the code you upload to that instance will be available for everybody to see, so do not post non-FLOSS code there if you want it to remain secret! If you’re developing closed source software, then install your own FOSSology instance instead!

Time to finish my FOSSology presentation update for tomorrow’s talk!

Presenting FOSSology at LinuxCon, San Diego next week

2012/08/21

I always find it strange to be accepted as a speaker at LinuxCon on a subject for which I’m much less an expert than the other ones I proposed, for which I’m leading the projects! It happened last year for the EMEA event, and same stuff again this year for the US one.

But I won’t be criticizing here, as it’s my first possibility to visit the US west coast, and also my first time as a speaker to LinuxCon US so Champagne !! So I’ll be talking about FOSSology, the HP sponsored GPL Licenses analyzer tool.

So if you happen to be around, and want to discuss FLOSS, MondoRescue, Project-Builder.org, HP and Open Source, or something else such as early music, then feel free to come and talk. Well I’m sure you won’t come to see me, will you, but once you’re there to see the stars, just come and say hello ;-)

First Day at LinuxCon EMEA 2011

2011/11/09

First LinuxCon ever in EMEA this year!! I’m more than happy to see it at last on our continent, and was glad to be selected to give a talk there (after the one I had made in Brazil last year).

Like every conference, this one is starting with keynotes.

Keynote on a world without Linux – Jim Zemlin (Linux Foundation)

Jim was celebrating here the 20 years of Linux. He looked at how the world would be without Linux and the answer, as you can guess, is nowhere! He underlined the high number of Android devices, BIND on Linux naming the Internet, and he also looked at some quotes and predictions from Bill Gates/Steve Ballmer to show the evolution – from the cancer up to Microsoft contributing to the Linux kernel this year! He also used lots of videos presented on the Linux Foundation Web site. Jim is absolutely partial, and that’s good to hear ;-)

Kernel Hackers Round table (Linus Torvalds, Paul McKenney, Alan Cox, Thomas Gleixner moderated by Lennart Poettering)

Some notes on that open discussion. Linus put emphasis on not breaking user space. He gave the example of the introduction of a 2.6.40 version instead of 3.0 to help some programs remain compatible! He underlined that breaking things on purpose should be avoided, and counter-examples were given of security issues that forced the kernel community to break the kernel ABI. Linus used to run an old a.out binary from years ago (COFF format) to ensure the compatibility level, even if he has not done so for some time now. Linus said that the Open Source approach makes modifications much easier and allows dealing with kernel complexity better (contrary to the common belief that would imply that managing such a large community without strict rules and methods would be impossible).

The average age of the kernel summit participants is increasing by one year every year, said Linus ;-) Which is linked to the maturity of the community, and the fact that it takes time to take over subsystems. There are lots of new contributors, including young ones, making very few changes. There is not really an age problem in their opinion. Thomas also added that you need a balanced approach that only older people can bring to a project of that size and complexity.

Linus said that ARM made some stupid decisions and had a lack of standards until very recently, especially with regard to x86 where Intel is playing the game fairly. Kernel support for ARM is 10 times the size of Intel’s because of the need to support multiple variants. Which Linus is sad about, as he thinks this is the most important platform outside x86. But they are getting better; Linus is much happier today than 6 months ago, even if there is still work to do.

Linus mentioned that he runs 3 (three) firewalls to protect his environment! And I thought I was paranoid with my 2 ;-). About SMP he first said who cares? Now with the high number of cores everywhere, even in phones, it’s seen just as normal. So who cares about cgroups, VMM, … Well, some need it and are ready to pay the penalty. And who knows how it will evolve.

At the end Linus said that he trusts people sending patches, not companies.

It’s always interesting to hear what these guys have to say, and anyway Linus is my hero ;-)

Tizen – Dawn Foster (Intel)

I was interested to hear what was behind Tizen just announced recently. I was a bit disappointed as no architecture has been validated yet, so nothing concrete to announce here :-(

Tizen is HTML5 based for application development and offers WAC API (favour code reuse across platforms/devices) and it provides a FLOSS ecosystem.
The first release is expected to be in Q1CY12.
The transition from Meego is possible, but Tizen is not a derivative from Meego, it’s a new project and some Meego maintenance activity for 1.2 is still planned. Compliance will also be reviewed compared to Meego and they want to have it less rigid.

Dawn said that they would rather publish what exists and is in place, rather than what was done with Meego (announcements made too early).
She insisted on the various communities, and means of communication (IRC, ML, Wiki, …).

She gave the mic to a representative of the Mer project, whose goal is to take Meego code in a new direction (Core optimized for HTML5/QML/JS) (Cf: http://merproject.org).

The question around Qt availability is not clear now. Anyway once open sourced, the community could make it happen ;-)

As said earlier, the architecture is still not out, and should be really soon now. The devices targeted are Handset, TV, smart phones, tablets…
They want to align more the Governance model and the reality of the governance with regards to Meego.

So promising, but not yet concrete. It also remains to be seen what the position of this new OS will be compared to Android and …WebOS ;-)

File and Storage Systems – Ric Wheeler (Red Hat)

Ric started by mentioning that Linux has world-class storage, supports a wide variety of device types, and scales well (GB/s of IO, IOP increase for PCI-e, 100s of TB).
So what’s wrong? Well, e.g. keeping up with the competition’s management platforms (VMWare in particular), especially around storage management. He underlined that standards around array offload functions are not driven by Linux companies. And that ease of use on Linux is still hard. Linux has several levels of layers (MD, DM, LVM, FS, mount options).

Linux has powerful and sophisticated CLI tools, but no good library today to manage storage (no abstraction layer, typically around snapshotting e.g.).
Making things easier implies identifying common operations per use case, a common API, reducing the options of mount and mkfs, and avoiding jargon (LUN, ALUA, barrier, …).

He then mentioned some ongoing projects:

  • Btrfs: single interface to LVM, RAID, ease of use.
  • Fsadm: keep the stack but provide a simple interface. (controls FS and LVM)
  • Standardized options between FS and kill dead options. Default options are critical
  • Oracle storage connect (Joel Becker) in python recently open sourced. GPL/Proprietary license for plugins from EMC/HP/…
  • Libstoragemanagement (Tony Asleson – Red Hat) under the LGPL and looking for interesting contributors. Similar to the Oracle project: a vendor-neutral API to allow for storage array management (cloning, mirroring, snapshots, …).

There are vendor APIs: VAAI (vSphere API for Array Integration) and also work on automatic offload operations.
Ric took the snapshot example: btrfs does it at FS level, LVM at block dev, storage arrays at HW. Users should be able to choose. He also cited the copy example: for SCSI (SCSI token based copy offload) and NFS (in NFS4.2 as server side copy).

Ric has the art of making these complex topics very easy to understand through his ability to present them synthetically, and give a good overview of where we are and where we are going.

I skipped the Mission impossible session, which I found not that interesting, after attending a couple of minutes, in contrast to a very promising title.

Freedom out of the Box! – Bdale Garbee (HP)

Impossible however to miss that one! Bdale is another one of my FLOSS heroes ;-)

Bdale started by explaining what the FreedomBox was: a personal server running FLOSS designed to create and preserve personal privacy, running on a cheap, power-efficient plug computer server that individuals can install in their own homes.

Political aspects as well as privacy aspects (who shares what with whom) were clearly explained and it was obvious that this new device is thus contributing to building a privacy-respecting federated alternative to contemporary social networks.

Like its cousin the OLPC, it favours mesh networking.
The software is based on the Debian project (focussing on freedom as well, being international, multi-architecture, and benefiting from a strong infrastructure). Bdale indicated that the future Debian stable should have everything to create a FreedomBox out of the box.

Bdale then described the FreedomBox Foundation (FBF) relying on 4 pillars (technology, user experience, publicity and fund raising with industry relations). Ease of use is central, as some pieces of software are complex to configure.
The FBF has now various Working groups, so contributors have plenty of areas to contribute to !

DreamPlug was first selected for the implementation platform (made by GlobalScale Technologies) using a Marvell Kirkwood (ARM on chip) processor with 512 MB of RAM + 2 GB of Flash + a 2 GB microSD card for the kernel and root FS + 2 x Gb Ethernet ports + Wifi + USB + e-SATA + SD socket + audio. Quite amazing in such a form factor !
The Marvell uAP chosen has some technical challenges (FW and driver outside of kernel tree – which probably won’t change in the future – user space tools were binary only, now GPL). They gave their modifications back for GPL u-boot (better late than never ;-)

How to trust first a Freedom Box ? A study is ongoing with Smartphones to facilitate initial key exchange (Stefano Maffuli). Debcamp before Debconf 2011 was useful to create a great community to work on various topics.
First application to appear could be a secure XMPP chat one

This topic is a very sensitive one currently, after the population movements in Arab countries. Privacy should remain an everyday concern, as our freedom, not only in software, is precious, and technology should be here to help us reinforce it rather than alienate us. Bdale is supporting a great initiative, the first of this type, which should allow us in the future to have a real P2P Social Network, not controlled by a central entity.

Then it was time for me to jump on stage:
FOSSology a GPL compliance tool – Bruno Cornec (HP)

FOSSology is still a unique tool, developed by a great team led by Bob Gobeille (HP), and deserves that we spend time advertising it. I gave a status of the current versions and their features, calling for more contributions to enhance the platform. I was happy to meet with the Dutch translator of the tool, and to have some interesting questions about SPDX support, leading to some animated talks !

The lack of web/ftp availability for the project, due to the Linux Foundation infrastructure, is still hurting the project, as well as SPDX. Hopefully this should be solved soon now.

12 years of FLOSS license Compliance: A historical perspective – Bradley M. Kuhn (SFC)

Bradley started by explaining the GPL quickly. He compared it to the US constitution.
He also explained how it works in theory and in reality, especially when people don’t respect it.
If social pressure doesn’t work, you need to go to court for copyright enforcement (same as the MPAA !) but for good reasons. (at least we hope !)

GNU Emacs was the first GPL’d program and its copyright was never infringed.
GCC was the second. More interesting for proprietary SW companies. NeXT (the company) was the first GNU GPL violator (so Steve Jobs !!) with the Objective C front-end. Violation was resolved quickly with code publication.

GNU tar was used by lots of backup companies, which were also violating the GNU GPL. Sysadmins found them, and all but one violator came into compliance. Last GNU tar enforcement was mid-2002. The company decided to remove tar and rewrite it.

Nothing concrete for SFC to get from a court (money or injunction – already done – but no code, which is the ultimate goal)

Bradley then recalled the Linksys (Cisco) history with busybox (Erik Andersen) and Linux (Harald Welte). Compliance takes soooo long. In that case, Broadcom was the upstream. Source was finally released, but the driver remained proprietary (due to FCC policy prohibiting it). The OpenWRT FLOSS project spawned from that release. Harald was frustrated by the time it took in the FSF to launch that action and he created gpl-violations.org in order to go to court earlier than what FSF was doing. He organised 8 lawsuits in Germany (2005-2008) getting mostly injunctions.

How to fund enforcements ? The violators should be paying. (The SFC had a compliance program costing 10kUSD per Software which is too expensive so doesn’t work).

He acknowledged that dual licensing (a la MySQL) is a corruption of the GPL.
SF Conservancy has been helping Erik Andersen since mid-2006 with copyright enforcement (request queue is > 300 right now). Lawsuits become necessary. Goal is to settle with full compliance (get the source code). Money and injunction are a consolation prize only.

He then explained how bad some OEMs are by not providing code to their customers and letting them be accused of violations.

He then talked about the build environment, underlining that normally the GPLv2 forces people to also release scripts to compile and also to install. The GPLv3 phrases it even better.

He advertised FOSSology a lot vs BlackDuck, mentioning anyway that it doesn’t solve the redistribution issue (which is a human task to do, where tools are just helping). He mentioned that there is free software to scan binaries (didn’t give the name however).

He also mentioned that HP was a fair participant to the ecosystem, Scott Peterson (now at Google) being very responsive to his queries around compliance questions.

Another view, more centered around trials and legal actions, that have become a necessity to have our licences respected. I just hope I’ll never have to be involved in this myself, as it sounds like a lot of headaches in perspective !!

Some pictures of this event are available on Picasa, and I was so happy with my new Nikon D7000, which takes such great pictures in such difficult conditions. I’ll have a problem going back to the D70 now ;-)

First day at OWF 2011 – Afternoon

2011/10/03

After lunch, it was time to come back to the “Open Source for industrial users” track led by Gaël Blondelle.

Increasing industries speed to innovate with FLOSS by Dominique Toupin, Ericsson

  • Dominique started by asking a question: Does speed really matter ?
  • He rapidly concluded that yes, of course. He gave some examples of projects initiated by Elon Musk, such as Zip2 sold to Compaq in 1999, Paypal. Or Tesla (electric car) and also SpaceX. All were very complex systems elaborated in a short time thanks to Open Source. Same is true for Google/Android.
  • You end up with better features by doing Open Innovation and teaming up experts from different companies.
  • This is also valid inside your company: whole greater than the sum of the parts. And you’re not locked in.
  • Only 15% of RFE are really implemented in commercial products. In FLOSS, when a feature is key, you can do it yourself or buy someone else’s time so that it is realized at 100%.
  • People tend to oppose FLOSS to commercial, make to buy. It’s not the case. FLOSS is commercially supported, so just take the best of both worlds to fulfill your need of speed.
  • Requiring tools across the whole chain (and expensive ones) slows down your service activity, whereas using FLOSS tools in development brings speed to the service part. And you gain time with existing knowledge from universities or company acquired.
  • FLOSS allows to dedicate the extra budget gained on licenses costs into the features you need.
  • E/// has an Open Source Core team.

A very pragmatic approach presented by Dominique, clearly showing the tradeoffs needed at industrial level.

Efficient and safe FLOSS strategy by Michel Ruffin, ALU (on behalf of Philippe Richard, VP of Corporate CTO)

  • Size matters: 79000 employees, 27900 patents, 27000 developers, 130 countries, numerous suppliers and outsourcing, multiple acquisitions per year (=> deal with legacy), life cycle from 1 to 20 years. Makes developing the Governance process “interesting”.
  • Trend towards becoming an integrator of FLOSS with more complex SW stacks, reducing however the development costs during time.
  • ALU’s strategy is going to FLOSS to remove supplier lock-in, much more than to reduce costs.
  • Between 20%-80% of FLOSS components in their products (40% in average). Importance to create internal communities to discuss FLOSS related topics. FLOSS adoption means innovation, speed, freedom, new business model (moving from a HW/SW supplier into a service supplier)
  • ALU is a contributor of FLOSS (even if not known). By paying providers (10+MUSD), providing patches/bug fixes to tools, Corba/Mico, Plan9. Also sponsoring OWF, FOSSBazaar, Systematic, OVA, Carrier Grade Linux (LF).
  • For ALU, it matters to respect the philosophy behind the words of the license and thus contribute.
  • Strong FLOSS Governance process started in 2002. Process evolving constantly (taking in account new techno/licenses/acquisition/…) 160 people trained 1 week to be FLOSS validators. 1000 people trained on a basic tutorial. 3500 FLOSS components in ALU DB. Clauses in supplier contracts (propagation to their own suppliers). ALU willing to share the governance process with other companies. ALU would like to standardize these clauses with the Compliance group of the LF.
  • R&D is declaring FLOSS usage. ALU is also automating the BoM by scanning code (BlackDuck/protex and FOSSology)
  • All this is available as much as possible on the Internet (However, I was not able to find easily the portal mentioned in Michel’s slides :-()
  • On top of the process, you need to check that it’s applied (start with CxO, R&D – even if they think they know – and Communication). Then improve the process, deal with exceptions, stay flexible, and stronger over time.
  • Resources to support the process need to be allocated accordingly. Use tools to automate and to detect issues and inform executives.
  • Challenges around stuff like Maven, SPDX adoption, partnership with other companies …

ALU presented a strong Governance model, including now suppliers, and is willing to share best practices with others in order to improve the ecosystem. Network Equipment Providers are clearly taking this area seriously.

Business model of co-development on FLOSS by Denis Pillat, Service Delivery Manager for ALM at ST Microelectronics and Laurent Charles, Enalean

  • Customer (ST) funded the development and saves on the maintenance by contributing to the product Tuleap (a FLOSS ALM).
  • Customers’ developments are also supported by the partner (Enalean).
  • Strong internal usage of the forge (120000/40000 users) so central, with requirements around robustness and availability (ran 24×7) and long life cycle, but with an improved TCO. If budget is cut, needs independence from provider.
  • ST is not an ISV, team role is to support deployment and integration in ST landscape.
  • Solution retained is a mix of in-house and outsourced solution.
  • Using and adapting a FLOSS costs as it requires backporting features each time with new versions, and ST is not scaled to cope with the rhythm of a FLOSS project.
  • Code and features from ST are reviewed with Enalean so easy to integrate. The partnership is of good quality. And also good quality of contributions.
  • For ST, FLOSS increases motivation of contributors with their work recognized and exposition, and they work more on creative parts, and less on maintenance tasks.

I think the presentation would have been more effective if ST had been the only speaker (or had spoken more). The track isn’t aimed at promoting companies, but really at sharing return of experience around FLOSS adoption.

TopCased return of experience (http://www.topcased.org) by Pierre Gaufillet, Airbus

  • Pierre first presented some characteristics of an airplane development in size throughout the years:
    • 4 kB for Concorde
    • 4 M for the A320
    • 12M for the A330
    • 500MB for A380
    • Life cycle: 40 years – A300 family (started in 1972 and production stopped in 2007 and support till 2050 = 78 years). Tools need to be there for a very long time.
  • Code is increasing. Quality is mandatory
  • Historically, development of their own tools to check quality. Not their core business. Moved to a buy approach.
  • Internal tools transferred to editors, who tried to sell them on larger scale, which failed as too costly and too specific. Some examples:
    • For Autan (Airbus name) => Attol (Marben) => Attol (Attol-Testware) => RTRT (Rational) => RTRT (IBM)
    • For RTRT they succeeded, but Airbus has anyway problems with the life cycle of this tool.
    • Scade (Airbus + Schneider) => Verilog => CS => Telelogic => Esterel Tech.
    • Geode (Airbus) => Verilog => Telelogic even died !
  • No more control over these tools by Airbus. Sometimes can’t even buy a license anymore.
  • Topcased started in 2004. Reduce dev costs using model based System Engineering.
  • Integrated universities and academic partners.
  • Topcased aims to produce tools for embedded domain on critical system, on the descending branch of the V life cycle.
  • Community around topcased includes Airbus, CS, CNES, Thalès, EADS, Atos, AdaCore, INSA, EnSEEIHT, Toulouse Univs, Inria, Irisa, Laas, Onera at start. Now additional new partners such as Turbomeca, Continental, Obeo, Carnegie Mellon, CEA
  • 2006: First FLOSS release. (One year to solve licensing aspects)
  • 2007: V1.0 and then one major version per year synchro with Eclipse. Minor every 2 months.
  • 45 subprojects from model editors to code plan generator, model simulator to property generator.
  • 2011 first TopCased conference (> 100 persons)
  • Allows competitors to work jointly on components.
  • 12 components are in use today (A350)
  • However, an organization is missing to improve quality and IP control, maturity assessment, VLTS build system, roadmaps. OPEES (ITEA project) aims at fixing that.

I really like this presentation (that I first heard partly during the Think Tank 2010). It clearly shows the huge problems that software development still needs to solve in order to support such life cycles. It raises questions such as how to motivate a community to maintain software for such a long time, typically. Also how to preserve the build environment, especially when the hardware is changing as rapidly as it is today.

It was then time for me to change session and move to the Governance track led by Martin Michlmayr.

I contributed briefly to a joint talk with Antelink.

Tools for developers to ensure legal integrity of their code by Freddy Munoz, Antelink and Bruno Cornec, HP.

Freddy explained in more detail what Guillaume covered in his talk of the morning, and went through the details of Antelink Notifier, Reporter and Search. For myself I covered rapidly FOSSology, giving its main features and also the latest developments realized. Of course, as the project is hosted by the Linux Foundation, as long as they keep the systems away from the Internet for forensics, it will be difficult to have access to the project :-( But hopefully, it will be back soon.

Identify the obligations of FLOSS by Benjamin Jean

  • a License (or contract) is a tool made of rights and obligations, a scope and trigger
  • Writers can be foundations or Companies
  • Number of licenses increases (70 referenced by OSI, >50 by FSF, 1000 by Black Duck, 400 FOSSology)
  • Benjamin gave some statistics:
    • For Black Duck 43% is GNU GPLv2, 11% is MIT, 7% is Artistic
    • For OpenLogic 32% is Apache, 21% is LGPLv2.1, 14.4% is GPLV2
  • We need clarification: a common nomenclature (detailed and scalable) & descriptive
  • International standardization body is a good way, but very expensive, and not driven
  • Benjamin proposes a first classification based on obligations (to give, to do, to not do.)
  • Rights are harmonized across definitions (some more rights depending on licenses or some missing)
  • The real differences are around trigger, scope and obligations. Benjamin then detailed those:
  • Obligations have no common definition whereas a standard would be useful for projects, industry
  • Scope can be very limited (permissive), limited (GPL/GPL sometimes, CeCILL-C, MPL), standard/legal (EPL, EUPL, OSL) or large (GPL, CeCILL)
  • Trigger: Distribution (GPL), Usage (RPL), External deployments (AGPL, EUPL, …)
  • License compatibility could also be classified between limited and extended. Cf also work done at the Inria, described on their Web site in the Innovation part, Free Software then the guide.
  • This classification can also easily be valid across countries and thus not be dependent on local legal rules.

Benjamin’s approach was extremely sharp and that session was really deserving belonging to the ‘Think’ part of the OWF ! This approach by obligations could really improve the situation of licenses compatibilities and help all the actors of our FLOSS ecosystem.

I had still a bit of time to discuss with him, Martin and Marc Picornell before leaving the event and benefit from the fact I was in Paris to attend a concert at the Chatelet Theater performed by the National Orchestra led by D. Gatti. Ravel, Dukas, Debussy and Enesco made a radical change for the end of the day !

You can see some of the pictures taken during OWF 2011 at https://picasaweb.google.com/112434061686721373729/OWF2011

First day at OWF 2011 – Morning

2011/09/30

As usual, this event started with a number of keynotes in the morning. Eric Besson was, I must say, boring, just reading a paper, visibly without any idea of what all that was about :-( Too bad he is the minister in charge. When will France really take seriously IT and FLOSS in IT in particular !! When everybody is talking about debt reduction, FLOSS is such an obvious way to contribute, that I’m still puzzled no political voluntarism is in place.

On the contrary, the region and the city showed more willingness to promote FLOSS and to report around their practice. Jean-Paul Planchou, and moreover Jean-Louis Missika, clearly articulated why FLOSS is so beneficial to the public sector, and why using FLOSS and Open Data is a no-brainer for a public policy, and thus why they will increase its adoption in the future.

Louis Montagne and Jean-Pierre Laisné then opened officially the OWF 2011. We then had a short presentation from Systematic, and jumped to the adoption of Open Data in UK by Nigel Shadbolt, who mentioned clearly that even if a government doesn’t know what to do with some public data, a lot of citizens do know ! And develop tools to analyze them. This is not just about IT, but really about citizenship and politics in the original sense of the Greek word polis !

Werner Knoblich, VP EMEA of Red Hat, then presented the Cloud offering at Red Hat and how its products were to the cloud, what RHEL is to a Linux distribution, or what RHEV is to KVM+libvirt… Stéphane Fermigier interrupted him during his keynote to mention that the Red Hat offering was not Open Source because he had been unable to download the software. Werner insisted on the fact it was as Open Source as the rest of what Red Hat delivers (as soon as it can) and that both CloudForms and DeltaAPI, as soon as they are out of beta, will be widely available for download.

It was then time to choose a session, and I picked the “Open Source for industrial users” track led by Gaël Blondelle as I tried to contribute to its setup, and I’m interested in the topic, and in the fact that some Governance talks were planned during it.
Here are the notes taken during these talks, and some personal comments.

Proper Tooling critical for FLOSS by Philippe-Arnaud Harranger, Atos (http://www.drakkr.org)

  • FLOSS is attractive
  • Some risks involved (IP, disappearance of projects, security, licenses, …) and addressed by the Governance approach.
  • Need to audit. The key is a proper process. But without tools, they won’t be respected.
  • Mentioned various tools (Antelink, Blackduck, FOSSology, OpenLogic, Palamida, Protecode) – Indicated that most are commercial except FOSSology.
  • P.A.H. introduced Drakkr: methodology and tooling for the Governance, to address the various risks (IP, security, tracking). All this is FLOSS as well. It contains:
    • OpenSource Cartouche (alternative to SPDX). Easier to use, and more community oriented, rather than legal. License Cartouche: rights and obligations linked to FLOSS
    • QSOS is another part. Spider charts available to compare FLOSS components. Competitors openBRR, OSMM, Quallos seem at their end.
    • StratOS: maturity and Strategic analysis of a FLOSS. Based on QSOS.
    • eCos: financial indicators around FLOSS ROI, costs analysis, comparison with proprietary. Other tool is WIBE
    • Also mentioned NVD for security flaws analysis
  • P.A.H Insisted on the fact that tooling (whatever) has to be used to support the process and the governance.

I already mentioned Open Cartouche previously, and I find that whole work of creating a coherent tool set around FLOSS Governance interesting and promising. Probably needs more adoption outside of France.

How to help development team manage FOSS during the whole industrial process by Guillaume Rousseau, Antelink (http://www.antelink.com)

  • How to develop best tools for dev teams.
  • Antelink helps you keep control of your SW integration and supply chain. Spinoff of Inria. Inria a major customer (10000 users around the forge).
  • Guillaume mentioned the challenge of dealing with on-shore/off-shore dev teams, contractors and FLOSS.
  • Dev is generally made of internal code, 3rd party FLOSS & commercial and Outsourced dev.
  • Addressing licensing issues asap is key to reduce costs. So needs to be done at the software factory level.
  • Also management of updates and security is key as well (especially 3rd party components).
  • Dev team and lawyers should talk to each other. You have to provide the right tools for dev teams.
  • Antelink is part of OW2 SQUAT (SW Quality Assurance and Trustworthiness).
  • Part of the Linux Foundation Open Compliance program working on SPDX.
  • Provides a large FLOSS DB (~1M projects, yes 1.000.000, twice as much as BlackDuck !!). Around the database, they developed a tool suite: Antepedia Notifier, Search and Reporter.
    • Antepedia Notifier plugged around VCS to detect introduction of FLOSS components and act accordingly
    • Antepedia Reporter does on-demand analysis and produces reports
    • Antepedia Search allows you to upload components and check their content.

Antelink is clearly to be followed closely, with regards to their ability to store the largest base of code and provide information out of it.

Good Governance drives Innovation by Andrew Aitken, Olliance Group (Blackduck) (http://www.blackducksoftware.com)

  • BlackDuck has 75% of the market.
  • FLOSS is ubiquitous (85% of enterprises uses it) => management complex.
  • Took Mobile market as an example of growth. Impact of Android (taking the lead in less than 2 years) also on competitors. Complexity of building a complete Smartphone.
  • It’s not easy to manage FLOSS. Need policy (succinct, flexible), process and automation (management with spreadsheet doesn’t work anymore).
  • Process is: Acquire, Approve, Catalog, Validate and Monitor.
  • FLOSS ecosystem is too abundant, spread across multiple repos (own ecosystem), thousands of projects (own governance), however more demand for FLOSS developers time than what is available.
  • Transparency, collaboration, meritocracy and OSI licensing are the keys for communities to innovate.
  • Example of innovation:
    • Danish government with its portal.
    • AOL is revamping itself fully based on FLOSS.
    • US Veterans health system open sourced (5 BUSD allocated to it, they pay 0,5 BUSD just for support)
    • New areas: Open Source Ecology, Open Prosthetics, Oilgae (algae eating oil), Open Cola, Tropical Disease

Even if Andrew (who is leading the Open Source Think Tank) has lots of connections in the FLOSS ecosystem, and generally interesting talks, this time I didn’t find the presentation very interesting. Too generic, not entering into any level of detail, probably too BlackDuck oriented (the original speaker planned was Tim Yeates) and not speaking enough about FLOSS projects. A disappointment.

FLOSS licensing in the supply chain by Didier Patry, HP (http://opensource.hp.com)

As an introduction, Didier introduced himself as leading a worldwide team of 12 persons working in Legal at HP around FLOSS. Didier then covered the following topics:

  • At HP compliance is not an option, it’s mandatory. Working with the HP open Source Review Board (OSRB).
  • IP infringement (Contract break) can be in some countries a criminal offense.
  • We could break HP’s reputation if we are not compliant with FLOSS license.
  • We’re seeing new license models coming up, creating compatibility issues.
  • This is also impacting all the digital information world (data, knowledge, …)
  • All that will keep lawyers busy (good for him of course :-).
  • HP puts requirements on suppliers around FLOSS compliance (our telco provider e.g.) which may not completely control the production chain.
  • Risk is not too much with our employees (trained), but with acquisitions (Autonomy e.g. atm) and procurement and the supply chain (thus the requirements on suppliers). Hard to scan fully. So need other way to manage the situation. So HP created a risk rate and identified high risk activities. Didier gave some concrete examples:
  • Usage risks:
    • Internal use is low risk
    • OEM-in/out is high risk
    • Reselling high revenue/volume product is high risk
    • Redistribution via channel partners is medium risk (depends on partner education)
    • Incorporation of critical FLOSS elements into flagship product is high risk
    • Company with single product (WebOS e.g. for Palm) is critical for them so non-compliance is high risk
    • Distribution with no-access to elements afterwards (e.g. to Army/NATO) is high risk
  • Licenses non compliance risk:
    • BSD/MIT and Apache are low risk
    • GPLv2 and 3 is higher risk
    • MPL is also higher risk
    • New FLOSS license are more risky
    • Items without licenses are very risky
  • Suppliers compliance:
    • SW from FLOSS project is low risk
    • SW from entity with strong FLOSS culture is low risk
    • SW from entity with strong corporate partnership is low risk
    • SW from entity with new or weak culture is high risk
    • SW from entity with start-up is high risk
  • From that, Didier creates a 3-axis matrix to evaluate the global risk. Example: huge difference between internal use of a BSD component vs high-volume SW with a mix of licenses.
  • Risk mitigation. Legal protection is:

    • Representation (termination of the contract): good but does not address reputational risk
    • Warranties (damages): better but insufficient to compensate for reputational risk
    • Commitments: best proactive measures:
      e.g. list of FLOSS components in each package. Or, easier, fully identify FLOSS components and licenses. Or, easier still, create a critical (black) list of licenses for you, or ask for scanning (FOSSology – probably not easy, problem of confidentiality), or ask for an external scan report or SPDX certification in the future.
    • Creating local agreements with partners around Governance.

In my opinion (not neutral of course as I’m another HP employee), it was the most interesting talk of the morning. I never had met with Didier before, just had him on the phone, and I was very impressed by his clear and didactic presentation, with the large set of examples he was giving live, and even if I’m aware of it, by the quality of the FLOSS Governance model in place at HP. Definitely worth sharing, and I’m convinced lots of entities could benefit from our views more.

It was then time to take a lunch box and start the set of afternoon sessions !

Meeting during LinuxCon in Prague or OWF in Paris

2011/09/05

I’m happy to have been informed that my proposal of presentation around FOSSology for LinuxCon 2011 in Prague has been accepted (too bad the others on MondoRescue or Project-Builder.org weren’t. Hopefully a next time).

However, for Project-Builder.org you can attend the presentation during the upcoming Open World Forum in Paris and discuss with me about everything Open Source and Linux and HP !

So some way to meet across Europe soon with you :-)

Second day at Solutions Linux 2011

2011/05/12

I attended in the morning the round table on Governance led by Alexandre Zapolsky (Linagora)

3 companies were represented:

Alterway (created in 2006) – 10 MEUR – 120 people (Represented by Véronique Torner)
Activities: Consulting – Hosting – Training
Governance for large enterprise (Open CIO Summit)

Smile (created in 1991) – 33 MEUR – 10 years on FLOSS – 540 people (Represented by Patrice Bertrand)
Activities: FLOSS integration, Web site/Intranet development,
Leading the FLOSS Working Group at Syntec Numérique.

Linagora (created in 2000) – 13 MEUR – 130 people (Represented by Michel Marie Maudet)
Activities: SW Editor (OBM) – OSSA – Consulting

Véronique said that 3 years ago in the CIO Summit, CIOs thought they had no Open Source.
This year, they have representatives from Safran, Ministère de la Justice, PriceMinistère, Nature et Découverte, La Poste, Auchan. Hidden before at infra level. Now seen at CIO level. So will to control and govern.

Patrice said 3 years ago that Gartner revealed the presence of FLOSS in the enterprise.
Contacts were performed with Carrefour, Véolia, EDF. Enterprises do not see how to do Contributions.
The purchasing department is one of the entities interested in the governance aspects. CIOs want to rationalize.

Michel-Marie mentioned that Linagora worked with Carrefour, Air France, Renault on these topics.
CIOs have to mitigate risks wrt Oracle, Microsoft, SAP, IBM (MISO) which represent 80% of their budgets and thus they have a policy of diversification and of cost reduction.

Véronique mentioned that the recent crisis revealed Open Source and allowed to dialog with CEOs on the topic. FLOSS was considered as an entry level/low cost solution before. It’s now considered for its true qualities, creating value in the enterprise.

Patrice reported that studies put quality before price, even if price remains in the scope.
Price reduction is coming from the packaged offers proposed by the various actors. Cost reduction is achieved through economies of scale (when deploying hundreds, thousands of SW).

Véronique underlined that in the infrastructure space, FLOSS has been key for deployment. On some other areas (apps like CMS), the cost difference may be less important. Sharepoint may be at 0EUR inside a large enterprise, so what is the benefit of a Drupal there? This has to be worked in other ways. Some customers said that Red Hat is sometimes more expensive than a proprietary solution.

Michel-Marie asked what is the value here: lots of SW are deployed but 80% of its functions is unused. CIOs today consider more the value brought. In the management/monitoring area, the BMC/IBM offerings are like Christmas trees but stick less to customer needs. The right term is to be cost effective. Some customers say today that they have more problems finding competencies around commercial solutions than on FLOSS ones, because engineering schools have massively adopted FLOSS technos. It’s now the reverse of what it was still 5 years ago.

The La Poste Governance representative explained that the goal is to work on technical cost reduction (Nagios praised), but they realized rapidly that they should work on value analysis more precisely, and that the value is in the people (more agile), so cost is similar to proprietary solutions, but FLOSS gives far fewer problems in the long run (open formats, archiving constraints, …)

Alexandre then steered the discussion toward the Governance aspects themselves, and what policy to put in place.

Patrice said that FLOSS governance consists of writing in a document what the enterprise wants in terms of FLOSS adoption, derived in terms of support, HR, contributions, … Maturity is not there on his side in France.

Véronique has seen organizational models in place, with people dedicated to FLOSS governance (La Poste is precisely an example with a FLOSS IT central group + dedicated teams recommending solutions + a small legal aspect). In the Société Générale Bank, there is no split, it’s handled as commercial products. Safran has on its side a more formal legal approach on FLOSS.

Michel-Marie mentioned a methodology that has been developed to help CIOs. Around 10 weeks of assessment (e.g. 20 architects of Air France were met and interviewed) to summarize needs, what worked, what didn’t and which FLOSS solutions could be involved. Recommendations from other customers are shared and expected. The second step is to benchmark per vertical, size of company, usage models (simple user or OEM providers such as ALU). The third step is to build the governance (technology program, policy doc, solution reference architectures). Bouygues Telecom has positioned Oracle for critical DBs, and FLOSS ones (PostgreSQL) for non-critical ones. Then there is a need to measure FLOSS adoption over time. They recommend putting in place a FLOSS Center of Expertise (ALU has 150 persons for that).

Commercial SW vendors do the evangelization by meeting regularly with customers to present new versions, evolutions, … In the FLOSS area, enterprises need to put in place a specific team to monitor the FLOSS ecosystem, create reference architectures and also to support themselves (or not) and deal with it. Véronique said that CIOs hope to give the support to a single actor, and also fear the lack of a vendor behind the software.

Smile teamed up with OpenLogic to solve the support aspects for enterprises (L1–2.5 done by Smile and L3 by OpenLogic, which has committers in a large set of communities).
Patrice also mentioned the importance of the inventory with tools (such as Black Duck, FOSSology), and new models of FLOSS development (mutualized development with FLOSS such as GENIVI or OPEES).

Michel-Marie explained that they specify reference architectures with customers, creating a base of a large number of components, and work on the support as a single point of contact (note that HP and Linagora have partnered in France to use this model for customers). Re-insurance and contributing patches back to the communities/vendors is then handled by that actor in charge of support. Currently the OSSA offering from Linagora is used by 50 customers. Air France created a “Blue Hat” base.

Véronique has around 10 customers for support, and some other more specific contracts. Patrice mentioned 10 customers as well with a starting offering.
Véronique also stressed the industrialization of FLOSS, with their experience around PHP. Voyage-SNCF is one of the customers benefiting from their work in that area.

Patrice mentioned that this is an area (customers developing software) where governance on FLOSS is key. There are legal constraints, licenses and IP to respect, and training to be delivered all the way down to the developer.
Michel-Marie explained that there is a need to guide developers with Software Engineering frameworks, e.g. pointing to the right versions of libraries, forcing a ticket for evolution.
Véronique thought that there is a lack of knowledge of FLOSS usage in the enterprise. They lack “geeks” and legal background.

Guillaume Rousseau (Antelink) gave a testimony on what led INRIA to identify IP rights on their SW base (660000 bricks). What tooling should be put in place to manage hundreds of thousands of components? Patrice indicated that putting in place a central repository is a goal of the governance process, but it creates frustration at developer level by controlling them tightly (pre-dev control); the alternative is to run tools that check conformity to the rules a posteriori (afterwards), in a continuous build chain. Véronique mentioned that another approach is to integrate developers into the governance program, in order to gain adoption.

Michel-Marie mentioned they have a much smaller base (300) that they are monitoring, but consider they have the ones really used by their customers. Only a small part of customers embed FLOSS in their products and need finer control. Others are users of bricks, more well-known and less risky.

Question from the audience on how to open source internally developed SW. Recommendations from Patrice are that there is a need to be pro-active on the topic (case of EDF). Véronique had requests from ISVs, more on a marketing aspect. They can help around the development aspects, quality aspects, licensing aspects.

Then some talks were given:

Open Source Cartouche by Philippe-Arnaud Haranger (Atos Origin – Team Pascal Pujo)

Study made around an aerospace customer.
9 years of devs, and strong willingness to use FLOSS components.
Study showed incompatible licenses. Copy/paste of code in 2000+ bricks.
Quote: “My God! What has been done?”

Licensing wasn’t a priority (they already didn’t document)
Code contamination is done on purpose, because they need it, and is due to local teams, outsourcing, and external application maintenance.
Consequences: licenses not respected, proprietary code tainted (IP loss)
Open Source was favoured, but in reality they created risks.

Solutions: strong governance (creates too many constraints in general) or tooling (cost, but efficient) or manual audit (cost, complex, impact) or take the risk (costs and impact) or open source the SW (conformity is required anyway, and the impact is irreversible).
The earlier it’s done the less it costs.

The solution is Open Source Cartouche (what is around the Pharaoh) – derived from QSOS.
Identify licenses and the recursivity of the components integrated.
It’s a structural approach beforehand, instead of a scan afterwards (even if this is also required).
Put more trust in FLOSS, avoid contamination and protect community works.
The presenter asked about the possibility of using this formalism in FOSSology.

Some Remarks on my side:
I asked the question: what is the position vs SPDX? I think they are probably in competition, and that they forgot to consider it before launching something on their side. What is important is to have a standard adopted. The answer was that there is a fear of Black Duck that may create problems for communities. Their standard proposal is simpler than SPDX so more pragmatic, and thus probably easier to adopt by FLOSS projects. And the team is open to making the required adaptations. However, it won’t work as a franco-French stuff!! I think we need an SPDX lite if we aim at being adopted by FLOSS projects, as the current status of the project is only understandable by lawyers. I’ll try to generate some discussions around that on the SPDX ML.

Thinking about all this, I think it would be valuable as well to launch a new initiative to create the CERT/CVE base of license violations, working on the same model (disclosure after the problem is solved).

Governance deployment return of experience by Guillaume Degroisse (Consulting Lead Linagora)

Goal today: being independent from MISO.
Quality and interoperability are considered before price.
Problems of adoption: using standards of the market. Lack of well-performing FLOSS solutions in some specific areas.

Bouygues has 150 of its own people developing using Agile methods with lots of FLOSS components (not outsourced, and located in France).
CIOs have to consider organisation, competence management, purchasing, legal and provider aspects. All these topics are part of the FLOSS governance plan the CIO has to put in place.
Guillaume also detailed what was covered during the round table around Linagora’s approach (Assessment, OSSA, CoE).

FOSSology by … Bruno Cornec (HP)
25′ around the reasons for its creation/open sourcing, its features, and a focus on the upcoming 1.4.0

Return of experience on mutualization by David Duquenne (OpenWide Technology)

Enterprises have to deal with apps modernization.
Presentation focused on value creation at apps dev.

From innovation to industrialization: technology assessment, R&D, architecture and integration, methods and tools for industrialization. These lead to a framework definition.
The goal is to share that Java framework (Improve Foundations) across enterprises (having an Open Source base and community driven, with specificities integrated as components in this framework).
He insisted on the lack of Java competencies. They deliver some Cobol to Java trainings, especially in-house.

Alliance Informatique has developed 100+ apps using Improve Foundation.
RSI wanted to merge different IT systems.
Renault looked to homogenize hundreds of projects (international). More interested in contributing. Renault will help Open Wide to develop the framework at international level.
Atos Origin is also using it for 3000 screen migrations.

Gains: integration of non-Java devs, and mobility of resources is key.

Spent the rest of the day discussing with various people. Had in particular a long and very interesting discussion with Erwan Velu, who works at Zodiac, where they are developing a SIT (Seat Integrated Technology) all based on FLOSS (Linux/Debian, vlc, webkit, ELF, …) and have done an impressive job at making a nice looking, very responsive interface. I just hope that most companies I’m traveling with will adopt it soon! And good news: they’re hiring :-) So if you want to work in an interesting area, way to go!

And they’re not the only ones trying to recruit. I know that Wallix and Linagora at least are looking for good profiles. All good news for our sector, which indirectly shows the wealth of FLOSS!

First day at Solutions Linux 2011

2011/05/12

Summary of my first day at Solutions Linux 2011. I was in charge of co-leading the community track with Anne Nicolas. We hosted the following sessions, for which I took some notes:

Mageia
Mickael Scherer (Mageia) presented “a Fork of a distribution: Mageia derived from Mandriva”
(He made an interesting relationship between Forks and Catholicism vs Protestantism as an historical reference)
Reason for the fork => community vs enterprise
History of relationships:

  • 2000: cooker: R&D opened from Mandrake/Mandriva and idea of foundation considered
  • 2003/2004: resources sharing (compile cluster)
  • 2005: conspiracy@zarb.org sharing problems met.
  • 2006: Steering committee between employees and contributors.
  • 2007: Foundation mentioned at RMLLs – fondation@zarb.org
  • 2008: AUFML – Assoc of users.
  • 2009: Assembly to followup on
  • 2010: Mageia created to avoid Mandriva closure. Going further than a distro.

Mageia details:
More open governance – Association created + contributors (not creating a company as unfair wrt Mandriva) – Model based on a Council + Board. Renewed by 1/3
Mickael then mentioned some issues:

  • Pb1: Infrastructure: Not starting from nothing. Want to reuse and be at a high level from scratch.
    Code reuse is easy. Bug reuse is more complex (customized Bugzilla under Mandriva control).
    Hosting? Gandi, Lost Oasis, Dedibox helped a lot.
  • Pb2: Brand management: Audit of code to remove Mandriva – manual, underestimated.
  • Pb3: Comm: with the original project. Even if angry with some people, it’s better to avoid hostility. Split of identity (contributing to Mageia vs Mandriva) – A press contact is required for a distro
  • Pb4: Community. Feedback was important – 1100 mails just the first week! Managing the enthusiasm. => Split tasks – People want to change everything! Do a plan. Avoid the vaporware effect (as said by LWN, which will need to review that)
  • Pb5: Details management.

Logo: guidelines posted. Process to listen and need for transparency. Even if their proposal is not chosen, they know why and get explanations. No blind choice.

OPEES
Presentation made by Gael Blondelle. Works for Obeo (Obeo is Strategic member of Eclipse) – OPEES Project Lead

OPEES goal is Open Source for long life cycle projects.
It’s an Open Platform for the Engineering of Embedded systems

Ensure the long term availability of FLOSS tools for Critical systems (life impact, very high costs).
Example: A300 Airbus life cycle: 35 Years. Support = 78 years
(1972 project started -2007 production stopped) – Support till 2050
On board software development for very long life cycle products.

Ericsson: Base station for mobile – General life cycle of 30/40 years (electro-mechanical telephone exchanges created in 1920 and still used in 1980)

Whether FLOSS will bring success is not yet known. But what is known is that commercial SW failed (example: Verilog made Geode, then was bought by Telelogic, which was then bought and killed by IBM), not counting the changes of support contracts, costs, …

Decision by Airbus and Aerospace Valley in 2004: adopting FLOSS with Topcased (UML modelers and code generation). Used since 2008 to write code in the A350 (next generation).
In 2009 the main Topcased contributor was bought, and Topcased devs stopped there. But thanks to the FLOSS approach, other contributors were found to lead the project.

Problem: How to create a community ?

In a classical commercial world: 20% of requests from customers accepted, control in vendors’ hands.
Industrial users have specific constraints. So creating a FLOSS community made of individuals, companies, VARs and vendors should allow covering 80% of users’ needs in a generic fashion, with the remaining 20% implemented as specific devs.
OPEES is coming from a traditional industrial world, not even a SW world. But they come to the FLOSS approach based on the 4 freedoms of the GPL.
It also helps manage IP issues.
Open Code and Open Formats enable migration, interoperability, extensibility, and protect from vendors lock-in.
But FLOSS isn’t sufficient. There are needs for:

  • Community management
  • Ecosystem dev
  • Very Long Time support (10+ years) – Virtualization is a possibility
  • Need to have technology vendors oriented towards industrial users

OPEES’ mission is to ensure a cross-company user ecosystem (not one for Airbus, one for Thalès, …)
Governance close to that of Eclipse. In Eclipse, 1.5 years of maintenance. LTS support added (7/8 years).
What OPEES adds: maturity assessment, industry oriented governance, labels, certification process enablement, Very Long Time Support
OPEES: ITEA research center 35 EMEA members – AdaCore, Obeo, Airbus, Inria, E///, CNES, EADS Astrium, Linagora, Atos, Thalès, + Universities

Next steps:
Have a legal entity to sustain the effort after 2012 (end of ITEA project).
Grow the community (transportation – rail, cars, energy – nuclear, …) made of researchers and employees, not individuals

Coclico

Convergence of the FLOSS forges communities.
Re-dynamising SW forges (Minalogic and Systematic support)
Coordination by Bull + Orange Labs, Xerox, Inria.

Forge: collaborative platform for sw dev (born in 1999 with sf.net). Means both the service and the SW itself
Partners: Codendi (Xerox), FusionForge (ex GForge), Novaforge (Bull)

Problems to solve: identity management (SSO + roles), interoperability (with other forges – avoids data locking – not the first concern), traceability of specs, continuous integration, use of the Scrum method, work station integration (Eclipse plugin addition)
Specificities of the forges:

  • Codendi: Application Life cycle management (sf.net fork in 2001) GPLv2, 25000 users, 4000 projects, on http://www.codendi.org Fully opened 2 years ago => increased download numbers.
  • NovaForge: TM of BULL. Based on lots of FLOSS bricks (SVN, Mantis, PHPBB, Hudson, eXo Platform) AGPL. Focus on project data confidentiality (due to BULL work activities). Migration of OW2 ongoing. Bull business model is around services (internal tool open sourced)
  • FusionForge: Fork of sf.net named GForge. Lack of evolutions around GForge after some years. Some French admins created FusionForge in 2009. Integration of extensions. More EMEA contributions (Germany), mediawiki integration, increasing # of commits.

Community of Xchanges: PlanetForge.org (Wiki, ML, planet, µ-blogs)
Organisation of forgers meetings ;-)

Mainly convergence between Codendi and FusionForge (common plugins, project models). Problems syncing release cycles between company supported ones vs community based ones (evolution of projects vs customer needs).

OSLC-CM (Open Services for Life Cycle – Change Management): interoperability standard and ontology used for forges interoperability (coclico, trac, redmine)
OSLC + Eclipse/Mylyn for work station dev/forge integration
Exchanges with Qualipso and Helios. Contributions to ForgePlucker (based on E. Raymond rant originally, and now sustained by coclico) and Mailman.

Following these 3 presentations, I moderated a round table to cover the topic of this track: 2011, year of the forks. We had speakers of various natures: Rodrigue Le Gall from BonitaSoft and Julien Mathis from Merethis, who were representing Open Source projects having a strong relationship with their respective company, Charles Schulz representing the Open Document Foundation, and Jean-Marc Fontaine for the AFUP, the French association of PHP users, both of them representing direct communities.
We were able to cover various topics, from animation of communities, relationship of companies with the community around the underlying projects, reasons for forks, support from tools to maintain communities, brand management impact, to the latest LibreOffice vs OpenOffice news. I found it very lively and interesting in content, and I hope visitors enjoyed it as I did.

The rest of the day was spent discussing Mageia evolutions, and talking with various contacts whom I can meet only once per year during this event. In particular I had a long chat with Guillaume Rousseau from Antelink, which is the firm behind Antepedia, a database gathering more than 660 000 projects for reference (too bad mine are not in it :-)). Among other things we discussed governance and market needs, and I tried of course to convince him to open source his product in order to ease the integration in forges, and allow its easy adoption by large corporations, who are the natural consumers of such a product, in the line of FOSSology. Of course, this is always more difficult for a young and starting company, especially in a niche market, but some others have already shown it was possible.

