Posts Tagged ‘SPDX’

FLOSS governance news

2012/08/31

While at LinuxCon in San Diego, the SPDX working group of the Linux Foundation announced version 1.1 of its specification. Quite an achievement, and probably the start of its real adoption by Open Source projects … provided enough tools support it and help projects in their identification tasks. I hope lots of large FLOSS consumers (HP included) will start contributing SPDX descriptions to upstream projects, helping them adopt it, as it brings value on both sides.

And one way to help will probably be the support of this 1.1 SPDX spec by FOSSology in the future. For now, the news around the tool is that a public instance is available, hosted by the University of Nebraska. This is good news for Open Source projects, which will be able to assess their licenses easily with it, without the hassle of installing and maintaining their own ! Hopefully, more forges (as OW2 has done) will also provide that service to the projects they’re incubating.

Just be aware that the code you upload to that instance will be available for everybody to see, so do not post non-FLOSS code there if you want it to remain secret ! If you’re developing closed source software, then install your own FOSSology instance instead !

Time to finish my FOSSology presentation update for tomorrow’s talk !

Second day at Solutions Linux 2011

2011/05/12

In the morning I attended the round table on Governance led by Alexandre Zapolsky (Linagora).

3 companies were represented:

Alterway (created in 2006) – 10 MEUR – 120 people (Represented by Véronique Torner)
Activities: Consulting – Hosting – Training
Governance for large enterprise (Open CIO Summit)

Smile (created in 1991) – 33 MEUR – 10 years on FLOSS – 540 people (Represented by Patrice Bertrand)
Activities: FLOSS integration, Web site/Intranet development,
Leading the FLOSS Working Group at Syntec Numérique.

Linagora (created in 2000) – 13 MEUR – 130 people (Represented by Michel Marie Maudet)
Activities: SW Editor (OBM) – OSSA – Consulting

Véronique said that 3 years ago in the CIO Summit, CIOs thought they had no Open Source.
This year, they have representatives from Safran, Ministère de la Justice, PriceMinistère, Nature et Découverte, La Poste, Auchan. Hidden before at infra level. Now seen at CIO level. So will to control and govern.

Patrice said 3 years ago that Gartner revealed the presence of FLOSS in the enterprise.
Contacts were performed with Carrefour, Véolia, EDF. Enterprises do not see how to do Contributions.
The purchasing department is one of the entities interested in the governance aspects. CIOs want to rationalize.

Michel-Marie mentioned that Linagora worked with Carrefour, Air France, Renault on these topics.
CIOs have to mitigate risks wrt Oracle, Microsoft, SAP, IBM (MISO), which represent 80% of their budgets, and thus they have a policy of diversification and of cost reduction.

Véronique mentioned that the recent crisis revealed Open Source and allowed to dialog with CEOs on the topic. FLOSS was considered as an entry level/low cost solution before. It’s now considered for its true qualities, creating value in the enterprise.

Patrice reported that studies put quality before price, even if price remains in the scope.
Price reduction is coming from the packaged offers proposed by the various actors. Cost reduction comes from economies of scale (when deploying hundreds, thousands of SW).

Véronique underlined that in the infrastructure space, FLOSS has been key for deployment. In some other areas (apps like CMS), the cost difference may be less important. Sharepoint may be at 0 EUR inside a large enterprise, so what is the benefit of a Drupal there? This has to be worked on in other ways. Some customers said that Red Hat is sometimes more expensive than a proprietary solution.

Michel-Marie asked what the value is here: lots of SW is deployed, but 80% of its functions are unused. CIOs today consider more the value brought. In the management/monitoring area, the BMC/IBM offerings are like Christmas trees but stick less to customer needs. The right term is to be cost effective. Some customers say today that they have more problems finding competencies around commercial solutions than around FLOSS ones, because engineering schools have massively adopted FLOSS technos. It’s now the reverse of what it still was 5 years ago.

The La Poste Governance representative clarified that the goal is to work on technical cost reduction (Nagios praised), but they realized rapidly that they should work on value analysis more precisely, and that the value is in the people (more agile), so cost is similar to proprietary solutions, but FLOSS gives far fewer problems in the long run (open formats, archiving constraints, …).

Alexandre then steered the discussion toward the Governance aspects themselves, and what policy to put in place.

Patrice said that FLOSS governance consists of writing in a document what the enterprise wants in terms of FLOSS adoption, derived in terms of support, HR, contributions, … Maturity is not there on his side in France.

Véronique has seen organizational models in place, with people dedicated to FLOSS governance (La Poste is precisely an example, with a FLOSS IT central group + dedicated teams recommending solutions + a small legal aspect). In the Société Générale bank, there is no split; it’s handled like commercial products. Safran, for its part, has a more formal legal approach to FLOSS.

Michel-Marie mentioned a methodology that has been developed to help CIOs. Around 10 weeks of assessment (e.g. 20 architects of Air France were met and interviewed) to summarize needs, what worked, what didn’t and which FLOSS solutions could be involved. Recommendations from other customers are shared and expected. The second step is to benchmark per vertical, size of company, usage models (simple user or OEM providers such as ALU). The third step is to build the governance (technology program, policy doc, solution reference architectures). Bouygues Telecom has positioned Oracle for critical DBs, and FLOSS ones (PostgreSQL) for non-critical ones. Then there is a need to measure FLOSS adoption over time. They recommend putting in place a FLOSS Center of Expertise (ALU has 150 persons for that).

Commercial SW vendors do the evangelization by meeting regularly with customers to present new versions, evolutions, … In the FLOSS area, enterprises need to put in place a specific team to monitor the FLOSS ecosystem, create reference architectures and also to support themselves (or not) and deal with it. Véronique explained that CIOs hope to give the support to a single actor, and also fear the lack of an editor behind the Software.

Smile teamed up with OpenLogic to solve the support aspects for enterprises (L1-2,5 done by Smile and L3 by OpenLogic – having committers in a large set of communities).
Patrice also mentioned the importance of the inventory with tools (such as Black Duck, FOSSology), and new models of FLOSS development (mutualized development with FLOSS such as GENIVI or OPEES).

Michel-Marie specified that they define reference architectures with customers, creating a base of a large number of components, and work on the support as a single point of contact (note that HP and Linagora have partnered in France to use this model for customers). Re-insurance and patch reversion to the communities/editors is then handled by the actor in charge of support. Currently the OSSA offering from Linagora is used by 50 customers. Air France created a “Blue Hat” base.

Véronique has around 10 customers for support, and some other more specific contracts. Patrice mentioned 10 customers as well with a starting offering.
Véronique also insisted on industrialization of FLOSS, with their experience around PHP. Voyage-SNCF is one of the customers benefiting from their work in that area.

Patrice mentioned that this is an area (customer developing Software) where governance on FLOSS is key. There are legal constraints, licenses and IP to respect, training to be performed up to the developer.
Michel-Marie explained that there is a need to guide developers with Software Engineering frameworks, e.g. pointing to the right versions of libraries, forcing a ticket for evolution.
Véronique thought that there is a lack of knowledge of FLOSS usage in the enterprise. They miss “geeks” and legal background.

Guillaume Rousseau (Antelink) gave a testimony on what led INRIA to identify IP rights on their SW base (660000 bricks). What is the tooling to put in place to manage hundreds of thousands of components ? Patrice indicated that putting in place a central repository is a goal of the governance process, but it creates frustration at developer level by controlling them tightly (pre-dev control), or pass tools that control a posteriori (afterwards) the conformity to rules (in a continuous build chain). Véronique mentioned that another approach is to integrate developers into the governance program, in order to gain adoption.

Michel-Marie mentioned they have a much smaller base (300) that they are monitoring, but consider they have the ones really used by their customers. Only a small part of customers embed FLOSS in their products and need finer control. Others are users of bricks, better known and less risky.

Question from the audience on how to Open Source an internally developed SW. Recommendations from Patrice are that there is a need to be pro-active on the topic (case of EDF). Véronique had requests from ISVs, more on a marketing aspect. They can help around the development aspects, quality aspects, licensing aspects.

Then some talks were given:

Open Source Cartouche by Philippe-Arnaud Haranger (Atos Origin – Team Pascal Pujo)

Study made around an aerospace customer.
9 years of devs, and strong willingness to use FLOSS components.
Study showed incompatible licenses. Copy/Paste of code in 2000+ bricks.
Quote: “My God ! What have been done ?”

Licensing wasn’t a priority (they already didn’t document)
Code contamination is made on purpose, because they need it, and is due to local teams, outsourcing, and external application maintenance.
Consequences: licenses not respected, proprietary code tainted (IP loss)
Open Source was favoured, but in reality they created risks.

Solutions: Strong governance (creates too many constraints in general) or Tooling (cost, but efficient) or Manual Audit (cost, complex, impact) or take risk (costs and impact) or open source the SW (anyway conformity required, but impact as irreversible).
The earlier it’s done the less it costs.

Solution is Open Source Cartouche (what is around the Pharaoh) – derived from QSOS.
Identify licenses and the recursivity of components integrated
It’s a structural approach beforehand, instead of a scan afterwards (even if this is also required)
Put more trust in the FLOSS, Avoid contamination and protect community works.
Presenter asked about the possibility of using this formalism in FOSSology.

Some Remarks on my side:
I asked the question: What is the position vs SPDX ? I think they are probably in competition, and that they forgot to consider it before launching something on their side. What is important is to have a standard adopted. The answer was that there is a fear of Blackduck, which may create problems for communities. Their standard proposal is simpler than SPDX so more pragmatic, and thus probably easier to adopt by FLOSS projects. And the team is open to making the required adaptations. However, it won’t work as a franco-french stuff !! I think we need an SPDX lite if we aim at being adopted by FLOSS projects, as the current status of the project is only understandable by lawyers. I’ll try to generate some discussions around that on the SPDX ML.

Thinking about all this, I think it would be valuable as well to launch a new initiative to create the CERT/CVE base of license violations, working on the same model (disclosure after the problem is solved).

Governance deployment return of experience by Guillaume Degroisse (Consulting Lead Linagora)

Goal Today: being independent from MISO.
Quality and Interoperability are considered before price.
Problems of adoption: Using standards of the market. Lack of performant FLOSS solution on some specific areas.

Bouygues has 150 own persons developing using Agile methods with lots of FLOSS components (not outsourced, and localized in France)
CIOs have to consider organisation, competence management, purchasing, legal and providers aspects. All these topics are part of the FLOSS governance plan he has to put in place.
Guillaume also detailed what was covered during the round table around Linagora’s approach (Assessment, OSSA, CoE)

FOSSology by … Bruno Cornec (HP)
25′ around the reasons of its creation/open sourcing, features and focus on upcoming 1.4.0

Return of experience on mutualization by David Duquenne (OpenWide Technology)

Enterprises have to deal with apps modernization.
Presentation focused on value creation at apps dev.

From innovation to industrialization: Technology assessment, R&D, Architecture and Integration, method and tools for industrialization. These lead to a framework definition.
The goal is to share that Java Framework (Improve Foundations) across enterprises (having an Open Source base and community driven, and specificities integrated as components in this framework).
He insisted on the lack of Java competencies. They deliver some Cobol to Java trainings, especially in-house.

Alliance Informatique has developed 100+ apps using Improve Foundation.
RSI wanted to merge different IT systems.
Renault looked at homogenizing hundreds of projects (International). More interested to contribute. Renault will help Open Wide to develop the framework at international level.
Atos Origin is also using it for 3000 screen migrations.

Gains: integration of non-java devs. and mobility of resources is key.

Spent the rest of the day discussing with various people. Had in particular a long and very interesting discussion with Erwan Velu, who works at Zodiac, where they are developing a SIT (Seat Integrated Technology) all based on FLOSS (Linux/Debian, vlc, webkit, ELF, …) and have done an impressive job at making a nice looking, very responsive interface. I just hope that most companies I’m traveling with will adopt it soon ! And good news: they’re hiring :-) So if you want to work in an interesting area, way to go !

And they’re not the only ones trying to recruit. I know that Wallix and Linagora at least are looking for good profiles. All good news for our sector, which shows indirectly the wealth of FLOSS !

