Trust Goal: Secure and Appropriate Usage of Open Source Software


Scope

 
This Goal is about the secure and responsible use of OSS. It covers in particular compliance and dependency management policies. It is about aiming for the state of the art in implementing the right processes.

Resources

Feel free to contribute for the benefit of all. Check out how to contribute.

Title

Description

Link

Best Practices for Code ReviewsA bit commercial at the end but an interesting take on what code review is about.Web page
What is Code Review?A didactic read on code review found on Red Hat's Open Practice Library.Web page
Getting Started with FLOSS Governance and Compliance in CompaniesAn article by Dirk Riehle about FLOSS governance and compliance in companies.PDF
ScancodeScanCode detects licenses, copyrights, package manifests & dependencies, and more, by scanning the actual code base. It provides mechanisms to check for policy compliance.Web site
REUSE SoftwareStandardised best practices for labelling copyright and licensing in one's own code.
Provides helpful resources and tools to achieve and maintain compliance.
Web page
[FR] MOOC on Free (libre) culture[French Only]
This is a 6 part course on the free culture, introduction to Copyrights, Intellectual Property, open source licensing 
Web page
Six open source security myths debunked - and eight real challenges to consider, ZDNetSecurity and open source, a hot topic addressed without passion - this article brings reasoned and humble answers.Web page
Recommended Open Source Compliance Practices for the EnterpriseA book by Ibrahim Haddad, from the Linux Foundation, about open-source compliance practices for the enterprise.PDF
OWASP Dependency checkOWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.Web page
OSS Review ToolkitA suite of tools to assist with reviewing Open Source Software dependencies. Web page
OpenChain CertificationThe certification questionnaire from the OpenChain project to assess one's compliance.Web site
FossaFast, portable, and reliable dependency analysis for any codebase. Web page
Free and Open Source Software License Compliance: Tools for Software Composition AnalysisBy Philippe Ombredanne, nexB Inc., a nice post on understanding what open source code is included in your software and creating the so-called bill of materials before you can actually deliver it.Web page
OpenChainThe standard behind a supply chain where open source is delivered with trusted and consistent compliance information.Web site
FOSS Governance CollectionAn amazing collection of governance documents put together by Vick Brasseur: bylaws, code of conducts, IPR policies etc.Web page
The FOSSology ProjectAn up-to-date introduction to FOSSology and FOSS compliance by the Linux FoundationPDF

You must be logged in to contribute 

Suggested content

The legal basis for Open Source

  • What is copyright
  • What is IP
  • What are patents
  • IP in the US vs. IP in Europe vs. IP
  • IP - standards - FRAND (in a nutshell)
  • Example of an Open Source "generic" license text
  • Open Source license infrigement ; what risks
  • Case studies from <company>

OSS License stewardship

  • The Free Software Foundation (FSF)
  • The Open Source Initiative (OSI)
  • The Open Source Definition (OSD) : https://opensource.org/osd
  • Others ? CERN, EU, Inria,  etc.

License categories

  • Strong Reciprocity Obligation (e.g. GPL, Affero) With this license, adaptations and derivative works must keep the term of the license as it is.  This license is commonly called “strong copyleft” and known as causing a “viral effect” that is despite the pejorative sense, not mandatorily negative depending the business objectives. This will be described later in this document.
    • copyleft : GNU GPL, Affero 
    • Why might these licenses be interesting to use ? ("true sharing", avoid "hidden" re-use, promote shared commons ...)
  • Standard Reciprocity Obligation (e.g. LGPL, MPL, EPL) The distribution terms of the license must be maintained. However, if the source code is combined with another source code to create a new work, the standard reciprocity obligation does not apply to the combined work.
    • Semi-copyleft : GNU LGPL, MPL, EPL
  • No reciprocity Obligation (e.g. BSD, MIT) These licenses are also known as permissive licenses. These licenses have no distribution terms. A proprietary software can use or integrate a software with permissive license without any obligation. Why might these licenses be interesting to use ? (more business "friendly" …)

Compliance

  • What and where in the organisation Where does compliance come in the SDLC, Process description and process stakeholders, 
    • How does <company> do compliance (up front, continuous, just before delivery ...),
  • Good practices when publishing and distributing source code Source file headers, License text, REUSE.software help
  • Special cases / info LGPL on mobile devices, Android

Compliance Tools & Processes

  • Process
    • How to contribute to external projects
    • How to publish a project under a OSS licence ?
    • How to distribute a project (binaries and/or source code) ?
  • Where to get help (OSS Tooling Group, OpenChain ...) 
  • Fossology Why, Introduction, Understanding what it does and it's limitations, Example of results
    • Practical exercises Simple program/application, Complex program/application, Mobile phone application
  • Other tools SW360, Open Source Review Toolkit, Scancode Toolkit, Black Duck, Flexera FlexCode Insight, etc.

Engineering considerations

  • Dynamic linked libraries vs. static linked libraries
  • Software architecture and design, implications on licensing Front End, Back End, Mobile apps, Embeded software, Standalone Software
  • Technical interlinking between pieces of software, and the implication on licensing heritage (contamination) eg static or dynamic linking, network communications, etc.
  • Architectural implications
  • Network access
  • Designing for collaboration
  • Respects general programming guidelines imposed by the OSS projects.

Software reuse considerations

  • Languages and central component repositories
  • CI/CD tool chains and deoendency management tools
  • Challenges of software reuse Vulnerability monitoring, Compliance verification, Regression testing