Piloting SPDX in Samsung : Case Studies and Experiences

Similar documents
Adopting SPDX in Embedded Space: Why and How?

SPDX SOFTWARE PACKAGE DATA EXCHANGE

Introduction to SPDX. Kate Stewart 5 November 2015

SPDX with Yocto Project

Explaining & Accessing the SPDX License List

OpenChain Specification Version 1.2 pc6 (DRAFT) [With Edit Markups Turned Off]

Developers Care About the License Using SPDX to Describe License Information. Jilayne Lovejoy 6 October 2015

OpenChain Specification Version 1.3 (DRAFT)

FOSSology - New Features for License Compliance in HD

An Unexpected Journey. Implementing License Matching using the SPDX License List

OpenChain Conformance 2016-H1 Specification

This slide is relevant to providing either a single three hour training session or explaining how a series of shorter sessions focused on per chapter

FOSSology SPDX in HD Speaker:

Michel Ruffin Software coordination manager

Linux and Open Source in Samsung

VMware AirWatch Product Provisioning and Staging for Windows Rugged Guide Using Product Provisioning for managing Windows Rugged devices.

FOSSology Project Information

Dandified way to package management in Yocto Project

Configure FileNet Image Services to Work with P8 Content Manager

Utilizing the Blockchain to Manage Open Source Across the Supply Chain

A 3-STEP APPROACH FOR FDA UNIQUE DEVICE IDENTIFIER (UDI) COMPLIANCE

OpenChain Conformance 2016-H1 Conformance Check

FOSS Training Reference Slides for the OpenChain Specification 1.1

SPDX and the Yocto Project Embedded Linux Conference Europe Edinburgh International Conference Centre Oct 25, 2013

CURRICULUM. Core FOSS Compliance Version 1 Designed for Version 1 of the OpenChain Specification

Moblin v2 SDK. Open Source Technology Center Presented by Bob Spencer

SECTION 10 EXCHANGE PROTOCOL

This tutorial is designed for all Java enthusiasts who want to learn document type detection and content extraction using Apache Tika.

Better Translation Technology. XTM Connect Microsoft Team Foundation Server

COMPUTER FLOOD STANDARDS

Sonatype CLM Enforcement Points - Nexus. Sonatype CLM Enforcement Points - Nexus

Let your customers login to your store after pre-approval

CURRICULUM. FOSS Training Reference Deck, Version 2 FINAL DRAFT Designed for the OpenChain Specification 1.0

JetBrains TeamCity Comparison

DevSuite Admin Guide. Date:

User Guide For LabCollector Workflow Manager

CIM Certification Program. Deborah May The Open Group

CLOSE ENCOUNTERS OF THE UPSTREAM RESOURCE

Red Hat Process Automation Manager 7.0 Migrating from Red Hat JBoss BPM Suite 6.4 to Red Hat Process Automation Manager 7.0

Ansible Tower Quick Setup Guide

Exactly User Guide. Contact information. GitHub repository. Download pages for application. Version

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator)

Handel-CodePipeline Documentation

Distributing JavaFX Applications with Java WebStart and Artifactory

Tanium Comply User Guide. Version 1.7.3

Data Governance for the Connected Enterprise

contribution-guide.org Release

Modern Requirements4TFS 2018 Update 1 Release Notes

A Smart Way to Manage OSS Compliance with Yocto+SPDX

MOVE BEYOND GPO FOR NEXT-LEVEL PRIVILEGE MANAGEMENT

NGFW Security Management Center

Verint EFM 15.2 FP1 Release Overview

An Introduction to Eclipse: Quick Guide. Part 1: Getting Started with Eclipse Part 2: Working with Eclipse Useful Online Guides

Oracle HCM Cloud Common Release 12. What s New

SAP HANA tailored data center integration Frequently Asked Questions

=> 1 million SPDX. Large-scale license transparency using open data, open standards and F/OSS

IBM Tivoli Directory Server

FASTtag Release Notes

Caliber Visual Studio.NET Integration Visual Studio Integration

Microsoft Windows SharePoint Services

Device Management Implementation Guide for IoT Solutions

Introduction to TIZEN Ecosystem

User Stories : Digital Archiving of UNHCR EDRMS Content. Prepared for UNHCR Open Preservation Foundation, May 2017 Version 0.5

Index. Chaminda Chandrasekara 2017 C. Chandrasekara, Beginning Build and Release Management with TFS 2017 and VSTS, DOI /

Deploy Enhancements from Sandboxes

C exam IBM C IBM Digital Experience 8.5 Fundamentals

Upgrading to UrbanCode Deploy 7

Digital Forensics. Also known as. General definition: Computer forensics or network forensics

USER GUIDE. MADCAP FLARE 2018 r2. Eclipse Help

ISO/IEC INTERNATIONAL STANDARD. Information technology Software asset management Part 2: Software identification tag

Product Range 3SL. Cradle -7

Orchestrating the Continuous Delivery Process

CommandCenter Secure Gateway

Enovia to Aras. Marc Young, Managing Partner xlm Solutions

Getting started with Tabris.js Tutorial Ebook

Cisco Unified Presence 8.0

Red Hat Process Automation Manager 7.0 Planning a Red Hat Process Automation Manager installation

Introduction to Archivists Toolkit Version (update 5)

Upgrading the Cisco APIC-EM Deployment

Knative: Building serverless platforms on top of Kubernetes

The Yocto Project. Chris Young S/W Specialist SILICA Europe. Harmonising Software Development across multiple Embedded ARM SOC targets

SAP Roambi SAP Roambi Cloud SAP BusinessObjects Enterprise Plugin Guide

Welcome to Kmax Installing Kmax

ForeScout Extended Module for Tenable Vulnerability Management

Conformance Handbook for OpenChain Specification 1.1

Exactly User Guide. Contact information. GitHub repository. Download pages for application. Version

Bitte decken Sie die schraffierte Fläche mit einem Bild ab. Please cover the shaded area with a picture. (24,4 x 7,6 cm)

AD105 Introduction to Application Development for the IBM Workplace Managed Client

Power On Tizen with Web API Test Toolkit. Ling Yu, Jenny Cao

Introduction to application management

Veritas NetBackup OpsCenter Reporting Guide. Release 8.0

Tanium Discover User Guide. Version 2.x.x

ESET Remote Administrator 6. Version 6.0 Product Details

Documentation External Synchronization FirstSpirit

Elixir Repertoire supports any Java SE version 6.x Runtime Environment (JRE) or later compliant platforms such as the following:

Pass4test Certification IT garanti, The Easy Way!

Content Development Reference. Including resources for publishing content on the Help Server

Repository Management and Sonatype Nexus. Repository Management and Sonatype Nexus

1 Introduction Requirements Architecture Feature List... 4

Microsoft 365 powered device webinar series Microsoft 365 powered device Assessment Kit. Alan Maddison, Architect Amit Bhatia, Architect

Transcription:

Piloting SPDX in Samsung : Case Studies and Experiences 김영택 Young Taek Kim ytaek.kim@samsung.com Open Source Initiative. AA Lab. SE Team '13 SAMSUNG Electronics Co.

Table of Contents 1. SPDX Introduction 2. Piloting SPDX 1. Motivation in open source development process 1. Open source development process 2. Verification details and problem 3. Release detail and problem 2. Solutions with SPDX 1. Reducing the cost of verifying open source licenses 2. license notice web system 3. Future work 3. Feedback to SPDX 4. Q&A 2/31

Introduction to SPDX 3/31

Demands on roducing open source to enterprise side Need a standardized, adopted format for a S/W Bill of Materials Our suppliers aren t giving us complete licensing information for open source packages. I don t mind vetting our code, but I m sure this imported package has been analyzed a dozen times before. Every customer wants a bill of materials in a different form. software in software out Page Content Copyright 2010 by Linux Foundation 4/31

License Complexity when adopting OSS (1) Products have mixed code from many different sources Outsourced Code Development Commercial 3 rd - Party Code Internally Developed Code Code Open Source Software Obligations Your Application YOUR COMPANY TOOLS, PROCESSES Page Content Copyright 2010 by Linux Foundation 5/31

License Complexity when adopting OSS (2) An OSS Package can contain multiple OSS packages, multiple licenses. New code OSS Package OSS Package OSS Package License A License B License C License D License E One OSS Package = Many Licenses License info for OSS is not provided in a consistent, easy-touse format OSS Package License A License B License C License D License E Page Content Copyright 2010 by Linux Foundation 6/31

SPDX roduction (1) Software Package Data exchange - A standard format for communicating the components, licenses and copyrights associated with a software package. - Hosted at the Linux Foundation whose goal is to facilitate compliance with free/open source software licenses and the exchange of such information between companies. - 30 participants Open Source Organizations End-Users Integration & Services Device OEMs Applications OS Distributions Systems Semiconductor Vendors and others Page Content Copyright 2010 by Linux Foundation 7/31

SPDX roduction (2) SPDX as Software Bill of Materials Your code Software Bill of Materials (BOM) OSS Package OSS Package Outsourced SW 3 rd party SW Companies combine OSS with other software? Creating an accurate bill of materials Page Content Copyright 2010 by Linux Foundation 8/31

Benefit Benefits of standardizing - Allows easy exchange of license information between companies, reducing the burden of both suppliers and consumers - Avoids due diligence redundancy where the same source code package is analyzed multiple times by different receivers - Provides a unified method for exchanging license information Embedded & SW Supply Chains Save Time/Money Better Compliance Unified Method Avoid redundancy Open Source Developers Help Users Comply With Your Licenses Consumers of SW & OSS Understand Licensing of the Code You Use Easy Exchange Page Content Copyright 2010 by Linux Foundation 9/31

List of Standard Licenses License repository - List of most common licenses (100+) - Include common exceptions - Standardized license names - Exact text of licenses - Available on SPDX website URLs won t change - Short names adopted by OSI Support permanent URL https://spdx.org/licenses/ Page Content Copyright 2010 by Linux Foundation 10/31

SPDX Specification (1) Document Information Creation Information Package Information File Information Licensing Information Review Information SPDX Version and Licensing How and when created Package identification, copyright and licensing File by file identification, copyright and licensing Text of licenses that are not in SPDX standard list Log of 3 rd party reviews File is in RDF/XML or tag value form and can be converted to/from spreadsheets. Page Content Copyright 2010 by Linux Foundation 11/31

SPDX Specification (2) Document Information Creation Information Identification - Formal Name of Package (Full name given by originator and version information) - Unique ID (to unambiguously map a file to a package) - Package Download Location (download URL) Package Supplier and Originator Licensing for Package SPDX Version and Licensing - Declared License- License that has been asserted for the package - Concluded License- License that Creator concluded - List of file licenses How and when created Copyright Text Package Information File Information Licensing Information Review Information Package identification, copyright and licensing File by file identification, copyright and licensing Text of licenses that are not in SPDX standard list File Name File Type (source, binary, archive) File CheckSum Declared License Log of 3 rd party reviews Concluded License (license determined by SPDX file creator) License Text in File File is in RDF/XML or tag value form an dcan be converted to/from spreadsheets. Copyright Text Artifact of Project Name (from which project it came) Page Content Copyright 2010 by Linux Foundation 12/31

Tools and Version of SPDX Open Source Tools (hosted on SPDX Git Repo. http://spdx.org/tools) - SPDX Compare Utility - License RDFa Generator - RDF to HTML Pretty Prer - SPDX Viewer - Spreadsheet to RDF/Tag Value xlator - RDF/Tag Value to Spreadsheet xlator - License file generator (from Spreadsheet) - Spreadsheet template Versions - Current version: 1.1 - Working on version 2.0 13/31

Piloting SPDX - Motivation through open source development 14/31

Open source development process prf( Hello, SPDX! ); funca(); void prf( funca called ); prf( Hello, SPDX! ); funca(); void prf( funca called ); SPDX Piloting scope OSS DISCOVERY Development Verification Release for Obligation satisfaction Search proper OSS package Develop using OSS packages Verify with Verification Tool Source Code Disclosure Open source Package License checking Open source Package Check from * Hosting Site * License Notice file prf( Hello, SPDX! ); funca(); void prf( funca called ); #include main() <stdio.h> { prf( Hello, SPDX! ); funca(); prf( Hello, SPDX! ); prf( Hello, SPDX! ); funca(); void funca(); prf( funca called ); void void SPDX! ); prf( funca called ); prf( Hello, funca(); prf( funca called ); void prf( funca called ); #include main() <stdio.h> { prf( Hello, SPDX! ); funca(); prf( Hello, SPDX! ); funca(); prf( Hello, SPDX! ); funca(); void prf( funca called ); void void prf( funca called ); prf( funca called ); Verification Tool License Notice check out Identify(Audit) by Reviewer Open source Package #include main() <stdio.h> { prf( Hello, SPDX! ); funca(); prf( Hello, SPDX! ); funca(); prf( Hello, SPDX! ); funca(); void prf( funca called ); void void prf( funca called ); prf( funca called ); Notice Notice Notice 15/31

Verification process details - Identify Identify Effort - Confirm the original copyright & license of source codes. Verification tool can produce multiple matched result reviewer need to audit them. - The work is labor-ensive and time-consuming for reviewers. Source code Identify Effort prf( Hello, SPDX! ); funca(); void prf( funca called ); Matched Result GPL A Reviewer should audit matched result Verification Verification Result Result Document Document Verification Tool BSD It is GPL? BSD? originator tracing.. Multiple results are matched. (Each results can have different license obligation) Example) GPL source code needs to be released, and need to put up a GPL License notice BSD license notice needed but source code may not be released to public Reviewer s TODO Trace the originality of source code (web surfing using MD5 value of source file, visiting release site, or compare/analyzing various versions) Labor ensive, Time-consuming 16/31

Problems of identification Redundancy of identification. - Identification data cannot be shared with other company. - The Reviewer has to repeat identification effort. Inconsistency of identification result Redundancy Redundancy Source code prf( Hello, SPDX! ); funca(); void prf( funca called ); RESULT: MATCHED Code snippet Source code GPL A to B Source code prf( Hello, SPDX! ); funca(); void prf( funca called ); RESULT: MATCHED Code snippet Source code GPL B to C Source code prf( Hello, SPDX! ); funca(); void prf( funca called ); RESULT: MATCHED Code snippet Source code GPL Verification Tool BSD Verification Result Document Verification Tool BSD Verification Result Document Verification Tool BSD Verification Result Document prf( Hello, SPDX! ); funca(); void prf( funca called ); BSD GPL BSD Result can be changed via repeated identification 17/31

Release process details Source code disclosure License Notice - Included in pages of the manual - Included in the product itself. Source codes published on web site 1 Release (Obligation satisfaction) Source Code Disclosure Source code prf( Hello, #include SPDX! ); <stdio.h> funca(); prf( Hello, SPDX! ); funca(); void prf( Hello, SPDX! ); funca(); prf( funca called ); void prf( funca void called ); prf( funca called ); Upload Notice in manual Notice in product 2 License Notice Notice Notice 18/31

Problems of license notice Cost of pring manual pages. Cost of changing license info - Firmware upgrade or License Modification (by human error, etc ) - Re-pring license notice, new binary release Source codes published to product site 1 Release (Obligation satisfaction) Source Code Disclosure Source code prf( Hello, #include SPDX! ); <stdio.h> funca(); prf( Hello, SPDX! ); funca(); void prf( Hello, SPDX! ); funca(); prf( funca called ); void prf( funca void called ); prf( funca called ); Upload Notice in manual Notice in product 2 License Notice Notice Notice Cost of pring manual pages Cost of Binary Release when License modification occured 19/31

Piloting SPDX usage 20/31

Reducing the cost of verifying open source licenses Reducing re-verification cost - Auto Identify using SPDX format Source code RESULT: MATCHED Code snippet Source code prf( Hello, SPDX! ); funca(); void prf( funca called ); GPL SPDX format including Identification data AIRS Identify ONLY newly added or modified sources Verification Tool BSD Verification Result Document Verification Tool AUTO IDENTIFY AIRS Identify ONLY newly added or modified sources Verification Tool 21/31

AIRS(Auto Identify Using SPDX) Introduction(1) AIRS - Standalone program including Auto identify functionality - Interface for legacy system JAVA library type or CLI Main function - SPDX Export Function Export identification data as SPDX file format Use file comment field to include identification data - Auto Identify Function Identify exported identification data to new system [ content of exported SPDX file ] Identification data is written in SPDX File 22/31

AIRS(Auto Identify Using SPDX) Introduction(2) Pros of Auto Identify - Identify when SHA1 checksum is identical whether absolute file path is not same. It can be identified even if the directory structure is changed, - Various options Select the most recent reviewed file in case multiple identical files exists. (or not) Overwrite existing identification data (or not) Identify only when absolute file path is the same.(or not) Use exported SPDX file s REPORT Data Identification Data File Checksum N Compare File Checksum Y Review all files same file exist? 1 Only one identical file exists AI Code Identify Data 1 Only one same file Y Only one identical file exists? 2 Multiple identical files, Have same identification data. AI N Multiple same file exists 2 identical identification data Y identical files have identical identification data? 3 (OPTION) Multiple identical files, Same file-name(absolute file path) AUTO IDENTIFY 3 same Y N Different data (OPTION) same file name(path)? N code.c AI t.cpp base. c code.c algo.c [ Auto identify flow chart ] [ Auto identify Rules] 23/31

AIRS(Auto Identify Using SPDX) Introduction(3) Running AIRS - Auto-identify target project with source project s SPDX file. [ before ] # Not identified yet Execute AIRS ex) # java jar airs.jar ai h http://127.0.0.1 u developer@samsung.com p passwd proxy-host 127.0.0.1 --proxy-port 8080 --project-id c_13_swc_developer_ai_demo_130826 --spdx-files source.rdf [ after ] All Auto-identified OSI: Open source Self Inspector (samsung in-house tool) 24/31

license notice web system Reduce license notice cost - Only QR Code/URL pred on the pages of the manual - No need to change binary or manual whenever license notice needs to be changed. Automate license notice by using standard form Automate by using SPDX(standard form) Provide QR Code/URL on product or the pages of the manual Department A Department B Department C AIRS AIRS AIRS SPDX Export Upload SPDX, insert product data http://opensource.samsung.com Product Binary Manual Pages CD + + + 25/31

license notice web system (2) [ License Notice on web site using SPDX ] Write product information Load Verification Result(SPDX) License Notice and QR Code(URL) created Admin page in opensource.samsung.com [ End User Scenario ] QR Code/URL included as part of the product documentation (in manual, on box, in device with written offer, etc.) End user visits specified Web site(osrc) using QR Code (or connect to URL directly) End user receives license info in the product including source code, license, and compliance contact Ex) QRCode on box 26/31

Future work (1) Build Auto-identify Database in Samsung - Collection of certified identification data. - Data contents Frequently used open source package for every products. Packages of main branch module in specific platform. Identification Data - RDF(SPDX) Format [ IT & mobile division ] Auto Identify AIRS Auto-identify DataBase [ Visual Display division ] [ Pring Solution division ] 27/31

Future work (2) Support various verification tool - Currently AIRS supports only Protex. - Designed to be compatible with various tools (abstract layer) Improve auto-identify function - Identify when code snippet is same even if the file checksum is different - More detail options. FOSS friendly - Using SPDX Parser(from SPDX-tools) - Planning contribution of AIRS User Interface Auto Identify API (CLI/ Function call) Derived from SPDX-tools SPDX Manager SPDXService SPDX Parser Other verification tool supportable Identify Abstract Layer IdentificationInfo AutoIdentifyService Protex Palamida Protecode Protex IdentificationInfo ProtexAutoIdentify Service Palamida IdentificationInfo PalamidaAuto IdentifyService Protecode IdentificationInfo ProtecodeAuto IdentifyService [ AIRS Architecture ] 28/31

Feedback to Standard 29/31

Feedback to SPDX Modification of Artifact of Project fields - Cardinality: Optional, One Optional, one or many - Specific derived-file information is necessary Currently, DOAP is used less detailed. Package Hierarchy - Deal with sub-packages (no specification) - Connectivity to other packages Patternize license comment - Provide license comment patterns for better-automation - ex) This file is derived from APACHE-COMMONS.jar <derivedfrom>apache-commons.jar</derivedfrom> Force common rule for file path - File path is important for comparing/auto-identifying. Path can be started from./, /, <package_file_name>/ - Common rule is necessary. Summary of Derived project information in package info - When details of derived project are needed, only file info section can give them, however this way can produce highly redundant data. 30/31

Q&A 31/31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback