FossBazaar at Open World Forum (OWF), Paris, Oct-2009

Quick notes from today’s FOSSBazaar event at Open World Forum in Paris. Usual caveats on typos etc. apply, as I was writing these notes live.

Martin Michlmayr overviews FOSSBazaar

IMG_0069 (by mahemoff)

Procurement – people might like to avoid it, but it has a really important role to play. With open source, it’s easy to ignore procurement – why go through procurement when you can just download it! Great, that saved me several weeks of work, I can go home now :). But then you ship the code a few months later with GPL.

Make FOSS “business as usual” – how acquired, chosen, used, supported, updated, project tracked, licensed, mature.

FOSSBazaar to help people manage these issues. Good to have members outside of the US (Europe and maybe some now joining from Asia) as issues are different; this is the first FOSSBazaar meeting here.

FOSSBazaar for experienced users – working together to define standards and best practices

FOSSBazaar for inexperienced users – learning about open source issues, reducing the fear

Discuss, resolve, and document the “hard” issues related to adopting FOSS in the enterprise.

Question – why is HP spending money supporting the community? Martin explains HP has some experience dealing with compliance issues. Want to share experiences, e.g. we explained how we explored Palamida; other companies might do the same with Black Duck. It’s been a really good experience, talking to people who we might otherwise have not talked to.

Open Source Compliance – View of Validos. Martin von Willebrand (lawyer based in Finland).

IMG_0070 (by mahemoff)

Validos has a DB of 130+ packages validated.

“Shall we use this package or not?” Validos adds legal validation

Shows DB report showing licenses being used in a package.

Talking about typical guidelines, e.g. distributing the licenses with the code. Putting license on your website isn’t really redistributing it.

Showing how they prepared a document for republication. It’s big, it’s scary, and it’s very likely necessary for legal purposes. [Kind of sad that open source gets this complex – makes me feel like just releasing all my code as public domain; losing attribution would be a shame, but the real downside would be the risk of liability if there’s no warranty. It also makes me think that licenses should be embracing the web more, instead of forcing all this stuff to be repackaged – cut-and-pasting a URL would be a good start to what is a long path.]

Martin comments FOSSBazaar has been thinking about standardising some of this license declaration stuff; and there was a parallel effort recently which he’s hoping to work with.

IP Tracking Methodology at INRIA

IMG_0074 (by mahemoff)

On the forge: 1600 projects; 400 open source.

They have done various tracking; it would be good to compare methodologies and work together on tools.

Discussion session – Working on a Creative Commons contract to establish relationship with contractors, ensuring they use open source the right way.

TiddlyGuv Tool (the bit with me in it)

Steve Barnes motivated the tool from his perspective as a governance administrator. I then gave a demo and explanation.

IMG_0081 (by mahemoff)

Feedback:

  • Possible to get metadata, e.g. to get an XML feed? [Yes. Showed the bags/tiddlers model in the browser and how you can easily get a list as JSON or txt. Made the mistake of not demoing XML, which would have taken all of 5 seconds. Take off the pro-JSON blinkers next time!]

  • Can I see which packages (components) are using a particular license?

  • What does a software policy look like? Do we need them at all? [Steve explained we probably wouldn’t want to have a blanket policy like “don’t use GPL”, though others could; the tool lets you declare whatever policy you like.]

  • It should be more about training than official policies. [I explained TiddlyGuv is intended to be a tool for developers and governance authorities to work together, share information, leave comments, etc.; not a rigid policing-the-masses weapon.]

FOSSology

IMG_0089 (by mahemoff)

Disclaimer that you need more than just tools, and that you need other tools besides FOSSology too.

Looks at every single file in a package – fuzzy match against a library of >400 known licenses.

Walks through demo. Can try online.

Many new features – email notifications, new licenses, tutorial section, cleanups.

Plans – new license analyser (based on phrases); concept of license categorisation (e.g. “good license”/“commercial license”).

Question regarding the International Labour Organisation – what happens if a child developed code and contributed it? Do they have the legal authority to donate the code, etc.? Is there a child labour question? Martin notes international treaties as a similar issue – notes you’re not allowed to distribute code from one country to another; how do you accept contributions across that boundary? It’s a potential FUD issue people can use against open source in government.

Community Management and Project Governance: A checklist with an attitude – Charles-H. Schulz

IMG_0094 (by mahemoff)

Good “HowTo”/tutorial presentation of governance on a particular project.

Not just about making code available, but making it easy to find – e.g. when it’s on SourceForge but not linked easily from the project page.

You never manage your community, so “community management” doesn’t exist:

  • fair, transparent rules and governance
  • soft power
  • trust employees like you trust other contributors

TiddlyGuv-FOSSology Collaboration

I will round out the FOSSBazaar workshop series with some comments on collaboration between TiddlyGuv and FOSSology.

First, what’s FOSSology? Simply put, FOSSology in its current state is a code/license scanner. You upload content, like a RedHat ISO, and it recursively explodes it into individual files, also recognising by way of checksums when a file is duplicated (across all the RPMs in a RedHat distro, you will probably see some files appear thousands of times). It then walks through each unique file/archive and tries to determine its license. At the end, you get a report telling you, for example, that the ISO contains 2120 GPL 3 licensed packages, 175 MIT licensed packages, and so on.
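The scan just described (explode into files, skip duplicates by checksum, classify each unique file by license, tally the result) as a simplified Python model. This is an illustration added here, not FOSSology’s code; the three-entry phrase library and the constructed “pkg-a/pkg-b/pkg-c” sample tree are assumptions standing in for FOSSology’s >400-license library and a real ISO.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed mini-library of license signature phrases (FOSSology's real
# library has >400 entries; these are illustrative only).
LICENSE_PHRASES = {
    "GPL-3.0": ["GNU General Public License", "version 3"],
    "GPL-2.0": ["GNU General Public License", "version 2"],
    "MIT": ["Permission is hereby granted, free of charge"],
}


def normalise(text):
    """Fold whitespace and case so reflowed license text still matches."""
    return re.sub(r"\s+", " ", text).lower()


def detect_license(text):
    """Return the first license whose phrases all occur in text, else 'Unknown'."""
    norm = normalise(text)
    for name, phrases in LICENSE_PHRASES.items():
        if all(normalise(p) in norm for p in phrases):
            return name
    return "Unknown"


def scan_tree(root):
    """Walk root; classify each unique file once. Returns (Counter, duplicates)."""
    seen, duplicates, counts = set(), 0, Counter()
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            if digest in seen:
                duplicates += 1  # identical content already classified
                continue
            seen.add(digest)
            counts[detect_license(data.decode("utf-8", "replace"))] += 1
    return counts, duplicates


def build_sample_tree():
    """Write a constructed tree of three 'packages'; pkg-c copies a pkg-b file."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    gpl = "This program is free software under the GNU General\n Public License, version 3."
    mit = "Permission is hereby granted, free of charge, to any person."
    files = {
        "pkg-a/COPYING": gpl,
        "pkg-a/main.c": "/* " + gpl + " */\nint main(void) { return 0; }\n",
        "pkg-b/LICENSE": mit,
        "pkg-b/util.c": "/* " + mit + " */\nint util(void) { return 1; }\n",
        "pkg-c/util.c": "/* " + mit + " */\nint util(void) { return 1; }\n",
        "pkg-c/README": "No license statement here.\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree: per-license counts plus duplicates skipped."""
    counts, duplicates = scan_tree(build_sample_tree())
    return dict(counts), duplicates
```

Running `demo()` reports two GPL-3.0 files, two MIT files, one unclassified README, and one duplicate (the copied util.c) that was checksummed and skipped rather than scanned twice.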

The underlying philosophy is to automate the license discovery process. Let developers get on with their job pulling in what they need to, in accordance with their companies’ policies, and then use the tool to audit what’s there. This is in preference to requiring developers to manually declare all that info – and even if they did declare it, the tool provides a suitable audit mechanism to check against their report.

TiddlyGuv will eventually keep track of projects and as much as possible, we’d like to automate the process of tracking those projects’ components and licenses. Therefore, we’d like to call on FOSSology to capture this info. As a completely orthogonal side benefit, it would be a nice proof-of-concept if two open source projects, each primarily motivated by the needs of the developers’ own organisation, could talk to each other.

I was fortunate to meet Mark Donohoe from the FOSSology team at the workshop and discuss how we might get the tools talking to each other, along with my colleague Andrew Back. The first thing to say is we all want to just get some simple proof-of-concept integration happening. This is the agile process at work – a proof-of-concept would help us understand whether it’s worth proceeding and may inspire interest from others, as well as project sponsors (at least in the case of TiddlyGuv).

We see a proof-of-concept working like this. A TiddlyGuv user creates a new project; the server kicks off a FOSSology code scan and updates the TiddlyGuv project record with a link to the code scan report. It’s as simple as that; in the future, there might be an email notification when the code scan is complete, and other niceties, but for now, this simple story is enough. All of this would take place in the same network, by the way; both TiddlyGuv and FOSSology are tools intended to be run by a company inside its own estate (rather than in “the cloud”). If we implement this integration scenario, we will probably run TiddlyGuv and FOSSology on the same box. TiddlyGuv requires Python; FOSSology requires PHP and MySQL. Not the same, but both easily installable on a run-of-the-mill Linux server.

To get this proof-of-concept working, we each have some steps to take.

Osmosoft will need to introduce a project data model, using the TiddlyWeb data structure, and the UI to maintain it. This is the biggest step for us, because we haven’t really started that yet. We will then need to introduce a TiddlyWeb plugin that kicks off FOSSology when a new code repository is specified, and to store the resulting scan ID.

On FOSSology’s side, we need two things. First, FOSSology would need to allow “upload” of a URL rather than a physical file, i.e. you could just give it the URL of an archive or an SVN URL pointing to the project root within Subversion; FOSSology would then pull the content from there and treat it as if you had uploaded it. Second, FOSSology’s command line mode would need to return the scan ID. I believe this is generated at kick-off time, so it could be returned even though the report isn’t yet present. From the scan ID, TiddlyWeb can calculate the scan report URL, which it can store and display in the project’s TiddlyGuv page.

Since the project functionality hasn’t even begun yet, all this will take a while even to build a rudimentary proof-of-concept, but from last week’s meeting, both parties are keen to make it happen.

TiddlyGuv

I’ve just presented TiddlyGuv at the FOSSBazaar workshop, the event I wrote about yesterday. It’s a good time to introduce TiddlyGuv – I’ve mentioned it in some talks and tweeted about it on occasion, but this is its maiden appearance on Software As She’s Developed.

TiddlyGuv (that’s a code name we’ll use for a while) is a web app to support open source software governance. In promoting and supporting open source at Osmosoft, one of the activities is a governance process. This means establishing policies for open source usage and auditing projects against them. TiddlyGuv is the tool we’re developing to support this process – it will support community discussions, policy publication, project tracking, workflow, and alerts about potential problems.

A few things about TiddlyGuv:

  • TiddlyGuv is in progress, it’s not complete and still needs work around a clean installation package. (We’re currently re-working how all this is done with TiddlyWeb verticals; once that’s done, there will be a package so people can try it out.) In any event, the code in some form is online in Trac.
  • TiddlyGuv is a web app. No surprise there :).
  • TiddlyGuv motivated the comments plugin, which has now been used in various other projects, including the live TiddlyWeb documentation wiki.
  • TiddlyGuv is built on the TiddlyWiki-TiddlyWeb stack, like TiddlyDocs. We see a general trend of CMS apps emerging on this stack, which has been called TiddlyCMS. (TiddlyCMS is an architectural pattern.) The aim is that TiddlyCMS apps share a large suite of common components such as the comments plugin.
  • TiddlyGuv is open source. The license hasn’t been finalised, but will likely be BSD, same as TiddlyWiki. We hope other organisations use TiddlyGuv in their own organisations; TiddlyWiki and TiddlyWeb offer highly flexible architectures which lend themselves to adaptability.

Functionally, the first thing we’re aiming for is a tool with a document wiki, for general discussion about open source usage, and a license portal, showing a list of licenses and information about each one. The comments plugin ensures each document and each license can be commented on too. All of this is there today, albeit in an untested state. Later on, we will add info about projects and, further still, a workflow tool – for example, “Once the project form has been submitted, it must be reviewed by two named reviewers. They will each receive an email notification when a project is ready for review.” We would want the system to follow rules like that, and we would want to allow site administrators to maintain such rules. The TiddlyWiki model is to encapsulate rules like that inside tiddlers. I foresee some kind of JavaScript-powered Domain-Specific Language (DSL).

The FOSSBazaar slide pack:

The feedback from the workshop was positive; there’s interest in the project and there was also interest from one vendor of a commercial product about ways to introduce the wiki or commenting aspects into an existing product. A good example of this sort of thing is Amazon – the way it has a structured product page, which incorporates a forum and a wiki. It raises some interesting architectural issues about how a TiddlyWiki/TiddlyWeb app could be embedded onto a page as a widget-style component, with identity and permissioning handled too. I also had an extended discussion with Mark Donohoe about how TiddlyGuv could talk to FOSSology. Of which, more in the next post.

FOSSBazaar Workshop

I’ve been at the FOSSBazaar workshop in SF for the past couple of days – an afternoon session and a session this morning. It’s part of the Linux Summit, FOSSBazaar being a workgroup of the Linux Foundation (though it’s not Linux-specific). (It was news to me that Good Friday isn’t an official public holiday in the US.) FOSSBazaar is an industry consortium focusing on open source usage in the enterprise, in particular open source governance. I attended because I have been developing a tool at Osmosoft to support enterprise open source governance, codenamed TiddlyGuv. I’ll say more about TiddlyGuv in the next post, but here are some notes I recorded at the session.

The notes here are mainly from yesterday’s session – brainstorming about where FOSSBazaar should be heading and what activities to perform. Today’s session was several presentations, one being mine on TiddlyGuv. For the record, the talks were: Krugle, Osmosoft overview (from my colleague Andrew Back), TiddlyGuv (me), INRIA, QualiPSo, and FOSSology (another open source project in this space which we’ve talked to previously and will hopefully collaborate with in the future; more in a later post).

These are iPhone notes; spelling and grammar caution!

FossBazaar – Open source governance community – managing open source within an organisation – Share best practices …

Started in Jan 2008.

State of FOSSBazaar website: Blogs are healthy, forums need attention – would be good to have some discussion amongst ourselves. Whitepapers could be added to.

QualiPSo project overview: an organisation encouraging open source adoption, especially in Europe. Aiming to set up 6 competence centres – initially some funded by the European Commission and eventually privately or regionally funded.

Mention of EUPL – recent European license – some unusual features: translated into multiple languages and GPL-compatible.

Discussion about what kind of people are targeted by FOSSBazaar – important to think about developers, not just managers/lawyers/etc., because (a) they can often be an entry point into other parts of the organisation; (b) they often have policies forced on them, so regardless of their view, it’s good to target them too to support and promote open source usage, e.g. “should I be using GPL?”

Discussion about projects FOSSBazaar partners could collaborate on to add value and raise profile. The value compared to other organisations would be to offer expertise and experiences from the real world of organisations/companies. Most of the session involved brainstorming those projects. There was a pragmatic focus on packaging the info up neatly as handbooks, “top 10” lists etc., and thinking about SEO. The notes from this brainstorming session were written up during the meeting and I reproduce them below (thanks to Ragavan Srinivasan who wrote them up during the meeting and Martin Michlmayr for making them available).


Potential ideas:

  • Common patch contributor agreement – SFLC may be working on this. SFLC and LF are working on this
  • Authoritative source of license information: scan code; there are legal issues
  • Standardized way to communicate license to users (README? INSTALL.TXT? LICENSE.TXT? XML?) Document/Guidelines?
    • SFLC published a legal primer that could serve as a starting point. (Need link)
    • Maybe a “HOWTO” or cookbook could be added to primer
    • Get projects on board who will adopt the process
    • Potential projects to work with as pilot: Apache, Eclipse (may already be doing this?), KDE
    • Should this expand beyond just license text standardization to IPR policy standardization along the lines of what Eclipse seems to be doing?
    • Publish Wall of Fame with a badge.
  • Open source governance best practices guide book
    • Benefit if done by a neutral organization
    • Create editorial structure, then get content from each of the partners
    • e.g. creating an OSRB, what to include in a policy
    • FOSS Governance Fundamentals document is quite updated; this one could be more detail
    • Ask Andrew/Olliance for content
    • Create outline, then ask partners to contribute
  • General guide on the licenses, how to interpret them
    • Three books (Rosen, St. Laurent, Van Lindberg) – perhaps we should link to them on FB?
    • Icons to represent licenses ?
  • Survey data?
    • Governance focused (do we have an analyst company as a partner?)
    • Ask TonyW if there’s a student who could do this
    • Start by making a survey of LF members; but that won’t include end-users
    • Make it repeatable; do it every quarter or year
    • Look at trends
    • Ask multiple people in one company and compare what they say (production, developer, manager etc view); show gaps in knowledge
  • Top 10 list of considerations (vulnerabilities, distributing software that contains GPL, license/legal papers; etc.); make sure solutions are included, not just problems or risks
  • Interviews with companies that have mature FOSS governance processes – HP, others? QualiPSo member
  • Common problems with popular FOSS libraries (tomcat, gSOAP etc.)?
    • Work with the projects to get answers (Ask FB)?
    • e.g. Project may have no clear license, work with the developer and remove ambiguity.
    • Magnifying the fine print on some projects/licenses.
  • World’s funniest license interpretations by developers/businesses (funny in a scary way)
  • What to do when you are undergoing some major business changes? (Mergers/acquisitions, divesting part of your company, etc.)
  • FOSS licensing for Dummies?
  • Read this before you do anything else list?
    • SFLC primer?
    • Books from above?
  • FTF (Freedom Task Force) has a lot of documents that are in draft stage, but perhaps we could host them on FB?
  • Grab fossbazaar on identica/twitter before someone squats!
  • Content syndication – cio.com, etc.
  • Outreach to India, China, Eastern Europe, etc.?
  • L10N of content?
    • How do we get the community to help with this?
    • Hugely important.
  • Hosted version of FOSSology? Legal issue? Competing technology?
    • Concern: You may end up with a comment board, all prefixed with IANAL. Problems, but no fixes
    • Why could we not adopt a Coverity/security remediation style approach?
    • Would BD/Palamida/Others be interested in doing this as part of FB (give open source projects access to their Tools behind closed doors as a way for the projects to earn the badge) – will need to address confidentiality, record keeping. We also need more lawyers to donate time to SFLC.
  • A policy builder that OpenLogic has built?
  • Some kind of tooling on FB (like an iPhone app people want to share, just as an example)
  • Start with a small set of core FOSS projects, see if we can get them to standardize on how they represent licenses, give them badges and use them as examples to go after more FOSS projects. This allows us to fix the license ambiguity problem at the root instead of every downstream user having to resolve this.
  • Perhaps we can have projects publish testimonials, maybe start with new projects or projects that don’t have a lot of adoption yet.
  • What are some non-license/legal issues we want to work on?
    • Have a better reputation and build more credibility.
  • Case studies get another vote. Be generic so you don’t have to name names.
  • Boeing, Lockheed, BAE, BT, all have talked about their open source governance best practices in public. AFIS conference (DoD conf. on FOSS). We have presentations.
  • Forums: what are the strangest places you’ve found licenses in?
  • Forums: OSRB: to allow companies to have comparisons of OSRB

User categories:

  • My company won’t let me use FOSS – HELP!!!
  • My manager thinks we don’t use FOSS – how do I break the news?
  • What is this FOSS thing I keep hearing about?
  • I’ve been asked to create an OSRB/FOSS Center of Excellence for my company – what do I do?

Marketing:

  • Top 10 theme related to governance
  • SEO
  • Social networking
  • Reach out to journalists
  • Webinar series (lead generation)
  • Press releases
  • Get more in-bound links: e.g. syndicating content
  • Create more partnerships & get links: e.g. with QualiPSo
  • Newsletter
  • Twitter: e.g. most active forum topic this week

Next steps:

  • Add “best practices” on FOSSBazaar
  • Create outline for Governance best practices document
  • Define use scenarios (e.g. “new to open source”) and show content depending on what they need
  • Top 10 lists
  • Interviews