Published byBrittany Shaw Modified over 8 years ago
Open Source Compliance Program
Vidhyalakshmi A, CDAC Chennai, Vidhiyalakshmia@cdac.in
Centre for Development of Advanced Computing Chennai, 03/1/12
Overview
- OSS policy / policy formation
- Adaptation of business processes
- Supply chain responsibilities
- Review and approval of OSS use
- Verification steps and process adherence audit
- OSS inventory and record keeping (OSS repository)
- Code distribution mechanism
- Staffing and training
- Organizing the compliance function
OSS Policy
- States the organization's position on the use of OSS in the business environment.
- An organizational policy enables the company to incorporate and use OSS in its products.
- The policy is signed by a senior executive and communicated to the entire workforce.
OSS Policy (contd.)
The policy addresses:
- Roles and responsibilities for compliance actions
- The review and approval process for use of OSS
- Guidelines for contributions to community projects
- Core processes
The management team endorses the policy.
Adaptation of Business Processes
- OSS compliance is fitted within the context of existing business processes.
- Existing business processes are modified to include OSS compliance activities.
- The supply chain's supplier selection procedures are tailored accordingly.
Adaptation of Business Processes (contd.)
- Process management ensures that OSS compliance activities start early in the product development cycle.
- Late-cycle verification steps are applied before external distribution occurs.
- Training in OSS compliance is provided.
Adaptation of Business Processes (contd.)
How and where are open source compliance activities injected into existing business processes?
- Product planning and product authorization
- Project planning and scheduling
- Architectural design review
- Documentation
- Verification
- Release readiness review
Treat compliance as one more type of project activity to be routinely planned and executed.
Supply Chain Responsibilities
- Companies update their supply chain procedures (the deal flow process).
- Third-party software providers disclose the FOSS they deliver and provide a statement of the FOSS license obligations.
- The company's supply chain personnel must ensure that those FOSS license obligations are met.
Supply Chain Responsibilities (contd.)
- The supplier informs the FOSS community.
- Agreements cover outsourced development of software.
- Supply chain personnel require delivery of all source code and confirm that license obligations are met.
Reviews
Two important reviews: the architecture review and the linkage analysis review.
The goal of the architecture review is to identify:
- Components that are FOSS (used "as is" or modified)
- Components that are proprietary
- Components that are third-party, licensed under a commercial license
- Component dependencies
- Communication protocols
- Dynamic versus static linking
Reviews (contd.)
- Components that live in kernel space versus user space
- Components that use shared header files
- Other FOSS components carrying a different FOSS license
The result of the architecture review is an analysis of the licensing obligations that may extend from the FOSS to the proprietary or third-party components.
The linkage analysis review finds potentially problematic code combinations at the static and dynamic link level. Its goal is to determine whether any FOSS obligations extend to proprietary or third-party software components.
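The linkage analysis described above, as an added example that is not part of the original slides: it joins what `ldd` reports for a binary (plus the archives the build links statically) with the OSS inventory and applies a policy table to each combination of link type and license family. The binary `acme_agent`, its `ldd` output, the static-link list, the `libmystery` component and the license values in the inventory are all constructed for the example, and the table in `assess()` is a hypothetical OSRB policy, not a legal determination.

```python
import re

# Constructed `ldd` output for a hypothetical proprietary binary, acme_agent.
LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd4a3f5000)
\tlibreadline.so.8 => /lib/x86_64-linux-gnu/libreadline.so.8 (0x00007f3e2c1a0000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3e2bd00000)
\tlibxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f3e2bb00000)
\tlibmystery.so.1 => /opt/acme/lib/libmystery.so.1 (0x00007f3e2ba00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3e2b800000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3e2c300000)
"""

# Archives linked statically into the binary, from a constructed build manifest.
STATIC_LIBS = ["libgmp.a", "libz.a"]

# OSS inventory: soname or archive -> (package, SPDX license). Values are given
# for illustration; in practice they come from the OSS repository and supplier
# disclosures. libmystery is deliberately absent: an undisclosed component.
INVENTORY = {
    "libreadline.so.8": ("readline", "GPL-3.0-or-later"),
    "libcrypto.so.3": ("openssl", "Apache-2.0"),
    "libxml2.so.2": ("libxml2", "MIT"),
    "libc.so.6": ("glibc", "LGPL-2.1-or-later"),
    "libgmp.a": ("gmp", "LGPL-3.0-or-later"),
    "libz.a": ("zlib", "Zlib"),
}

STRONG_COPYLEFT = ("GPL-", "AGPL-")
WEAK_COPYLEFT = ("LGPL-", "MPL-", "EPL-")


def license_family(spdx):
    """Coarse class the policy table keys on: strong/weak copyleft, permissive, unknown."""
    if spdx is None:
        return "unknown"
    if spdx.startswith(WEAK_COPYLEFT):
        return "weak_copyleft"
    if spdx.startswith(STRONG_COPYLEFT):
        return "strong_copyleft"
    return "permissive"


def parse_ldd(output):
    """Sonames of the shared objects a binary resolves, from `ldd` output.
    Lines without '=>' (the vDSO, the dynamic loader) are skipped; a library
    ldd reports as 'not found' is still returned so the review notices it."""
    sonames = []
    for line in output.splitlines():
        m = re.match(r"\s*(\S+)\s+=>", line)
        if m:
            sonames.append(m.group(1))
    return sonames


def assess(provider_license, link_type):
    """Hypothetical OSRB policy table for a proprietary consumer (an assumption
    for this example): what each provider license family and link type requires."""
    fam = license_family(provider_license)
    if fam == "unknown":
        return "review_undisclosed"      # not in inventory: disclosure gap
    if fam == "strong_copyleft":
        return "escalate_to_osrb"        # obligations may extend to the consumer
    if fam == "weak_copyleft":
        # static linking to an LGPL library brings relink / object-file obligations
        return "review_static_link" if link_type == "static" else "ok_with_obligations"
    return "ok_with_attribution"


def linkage_report(ldd_output, static_libs, inventory):
    """Join linkage facts with the inventory and apply the policy table to each row."""
    rows = []
    for soname in parse_ldd(ldd_output):
        pkg, lic = inventory.get(soname, (None, None))
        rows.append({"component": soname, "package": pkg, "license": lic,
                     "link": "dynamic", "finding": assess(lic, "dynamic")})
    for archive in static_libs:
        pkg, lic = inventory.get(archive, (None, None))
        rows.append({"component": archive, "package": pkg, "license": lic,
                     "link": "static", "finding": assess(lic, "static")})
    return rows


def open_findings(rows):
    """Rows the compliance ticket cannot be closed on without OSRB action."""
    return [r for r in rows if r["finding"].startswith(("review", "escalate"))]


if __name__ == "__main__":
    for r in linkage_report(LDD_OUTPUT, STATIC_LIBS, INVENTORY):
        print(f"{r['component']:<20} {r['link']:<8} {str(r['license']):<20} {r['finding']}")
```

Run against a real product, the `ldd` text comes from `ldd <binary>` and the static list from the linker map or build manifest; the three findings that need action here (GPL readline, undisclosed libmystery, statically linked LGPL gmp) are exactly the combinations the slide calls "potentially problematic".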
Review of Supplier FOSS Disclosures
A FOSS disclosure contains:
- A list of the FOSS packages used, including names, version numbers and URLs of the original download sites
- Applicable license(s), license version(s) and URLs for the license text
- The change log for any modifications
- Dependencies and linkages (if any) between each FOSS component and other FOSS or proprietary software components
The FOSS compliance team might perform the following review steps for each FOSS package in the disclosure:
- Visit the home page of the disclosed FOSS package to confirm the licensing information
- Download the FOSS software, unpack it and examine its contents
- Look for files such as README, COPYING, LICENSES, AUTHORS, etc.
Review of Supplier FOSS Disclosures (contd.)
- Examine the license text with the assistance of the company's legal department
- Examine GPL, LGPL or other copyleft-licensed software
- Engage the supplier in discussion
Due diligence regarding the supplier's FOSS compliance:
- How does the company know that its suppliers' disclosures are complete and accurate?
- Should the company rely on its suppliers' disclosures?
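The "download, unpack, look for README/COPYING/LICENSE/AUTHORS" steps of the disclosure review, as an added example that is not part of the original slides: it walks an unpacked package, collects the notice files, identifies the license from their text and writes one disclosure record in a fixed format (package, version, download URL, license files, licenses found, review status). The `libexample` package, its files and the download URL are constructed in a temporary directory for the example; the license fingerprints are a deliberately small heuristic (an assumption for the example; a production scanner matches full license texts against the SPDX list).

```python
import json
import os
import re
import tempfile

# File names the disclosure review step asks the reviewer to look for.
NOTICE_FILE_RE = re.compile(
    r"^(readme|copying|licen[cs]e|licenses|authors|notice|changelog)(\.[a-z0-9]+)?$",
    re.IGNORECASE,
)

# Heuristic fingerprints (assumed for this example, not a full license matcher).
# Order matters: the LGPL text also contains the words "GNU General Public License".
FINGERPRINTS = [
    (r"GNU LESSER GENERAL PUBLIC LICENSE", "LGPL"),
    (r"GNU AFFERO GENERAL PUBLIC LICENSE", "AGPL"),
    (r"GNU GENERAL PUBLIC LICENSE", "GPL"),
    (r"Apache License", "Apache"),
    (r"Permission is hereby granted, free of charge", "MIT"),
    (r"Redistribution and use in source and binary forms", "BSD"),
]
VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+)?)", re.IGNORECASE)
VERSIONED = {"GPL", "LGPL", "AGPL", "Apache"}


def identify_license(text):
    """Return an SPDX-style id such as 'LGPL-2.1' or 'MIT', or None if unrecognised."""
    for pattern, family in FINGERPRINTS:
        if re.search(pattern, text, re.IGNORECASE):
            m = VERSION_RE.search(text)
            if family in VERSIONED and m:
                return f"{family}-{m.group(1)}"
            return family
    return None


def find_notice_files(root):
    """Paths (relative to root) of README/COPYING/LICENSE/AUTHORS/NOTICE files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NOTICE_FILE_RE.match(name):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def build_disclosure(root, package, version, download_url):
    """One disclosure record in a fixed format, with the license taken from the
    package's own notice files rather than from the supplier's statement."""
    notice_files = find_notice_files(root)
    license_files = {}
    for rel in notice_files:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            lic = identify_license(fh.read())
        if lic:
            license_files[rel] = lic
    licenses_found = sorted(set(license_files.values()))
    if not licenses_found:
        status = "no_license_identified"     # back to the supplier / OSRB
    elif len(licenses_found) > 1:
        status = "multiple_licenses_review"  # dual licensing or bundled code
    else:
        status = "license_identified"
    return {
        "package": package, "version": version, "download_url": download_url,
        "notice_files": notice_files, "license_files": license_files,
        "licenses_found": licenses_found, "review_status": status,
        # Filled by the reviewer from the change log and the linkage analysis.
        "modified": None, "dependencies": [],
    }


# Heading of the LGPL 2.1 text, used as the COPYING file of the sample package.
LGPL_21_HEADER = """\
GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc.
"""


def make_sample_package():
    """Create a constructed, unpacked 'libexample' tree in a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="libexample-")
    os.makedirs(os.path.join(root, "src"))
    files = {
        "README": "libexample - constructed sample package. See COPYING for terms.\n",
        "COPYING": LGPL_21_HEADER,
        "AUTHORS": "Example Author <dev@example.invalid>\n",
        os.path.join("src", "example.c"): "/* constructed sample source */\nint f(void) { return 1; }\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    record = build_disclosure(make_sample_package(), "libexample", "1.2.3",
                              "https://example.invalid/libexample-1.2.3.tar.gz")
    print(json.dumps(record, indent=2))
```

The record is meant to be diffed against what the supplier declared: a status of `no_license_identified` or `multiple_licenses_review`, or a license that differs from the disclosure, is the cue to "engage the supplier in discussion" before the compliance ticket moves to approval.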
Review of Supplier Compliance
Review the code:
- The company can ask a supplier to provide the source code for its entire deliverable.
- The company can ask a supplier to scan its own code with an automated tool and provide a scan report of the identified FOSS and its licensing.
Review the supplier's compliance process:
- The company should assess the supplier's practices in a disciplined manner.
- The Open Compliance Self-Assessment Checklist is well suited to appraising compliance programs.
Approvals
As part of the approval step in the compliance process, there are two main recommended practices:
- Verify that all sub-tasks related to the compliance ticket have been completed and closed before approving the ticket.
- Record a summary of the discussions that led to the decision to approve or deny.
Verification Steps
Verification steps are taken by the OSS compliance team to confirm that OSS obligations have been properly met.
- The compliance team performs verification activities according to a defined procedure.
- The compliance team verifies that source code license obligations have been met by the time a product is considered ready for release.
- The compliance team verifies that copyright notices, license texts and any modification logs have been included accurately.
- The compliance team verifies that OSRB approval has been obtained for all OSS packages in the release.
- The compliance team verifies that obligation issues with third-party suppliers have been resolved.
Process Adherence Audit
- Process adherence audits are used to determine whether the organization follows its defined compliance process.
- Audits assess the extent to which execution of the compliance process produces the expected compliance results.
- An audit determines whether the organization maintains accurate records about the OSS content of its products and of the compliance activities it performs.
OSS Inventory and Recordkeeping
The organization needs to maintain accurate records of OSS content and OSS compliance activities.
- The organization tracks the progress of compliance activities for a product being readied for release.
- The organization tracks the progress of the OSS discovery process and of scans and audits of the product's code.
- The organization systematically tracks closure of OSS issues identified during the discovery process.
- The organization tracks the progress of the review and approval process for OSS cases.
- The organization tracks the progress of obligation satisfaction for a product being readied for release.
OSS Inventory and Recordkeeping (contd.)
- The organization maintains complete and accurate records about the OSS content in its products.
- A defined format is used to record information about the OSS included.
- The OSRB maintains accurate records about its reviews and review outcomes, including any limitations or conditions on approval that might necessitate a different outcome in another context.
- The organization uses past records of OSS review and approval as an aid when reviewing new OSS cases for approval.
OSS Inventory and Recordkeeping (contd.): records maintained
- Policy document
- Project management plan
- Estimation sheet
- Open source compliance practices in organizational business processes
- Process improvement log
- Process improvement track sheet
- Metric sheet
- FMEA
- Audit logs
- OSRB documents
- Source code scan report
- Reviews and approvals
Code Distribution Mechanism
- As part of the process of satisfying source code obligations, the company should place the complete source code and all FOSS packages into a software repository.
- Verification activities should confirm that the source code and all FOSS packages in the product have been approved by the OSRB.
- The company should also define a code distribution mechanism that satisfies the requirements of the particular FOSS licenses involved.
Staffing
Skilled individuals are made available to contribute to the compliance effort:
- To perform compliance functions.
- To prepare estimates of the total compliance effort and duration against the organization's compliance requirements.
- To track and record the compliance activities.
Training
Training addresses the communication needed to ensure that the entire company understands what must be done to achieve OSS compliance.
- The organization maintains a definition of who must take training.
- Training records are maintained: (i) training objectives are set; (ii) follow-up actions are taken to ensure planned training is completed.
- OSS training is integrated into the organization's training curriculum and made part of organizational and personal objectives.
- OSS training is provided as part of new hire orientation.
- Refresher training on OSS compliance is provided periodically.
Organizing the Compliance Function
Organizing the Compliance Function
There are two teams involved in achieving compliance: a core team and an extended team.
The core team:
- The Open Source Review Board (OSRB)
- Legal counsel
- The compliance officer
The OSRB is responsible for:
- Ensuring compliance with both third-party software and FOSS licensing obligations
- Facilitating effective usage of FOSS in commercial products within the company
- Ensuring that FOSS license obligations do not extend to proprietary software or third-party software
FOSS Compliance - Where to start...
OSRB Participants
Legal representative:
- Reviews and approves usage, modification and distribution of FOSS
- Provides legal guidance
- Contributes to creation of the FOSS training
- Contributes to creation and improvement of the compliance program
- Reviews and approves content of web portals in relation to compliance
- Reviews and approves the list of obligations to fulfil for each software component included in a product
- Signs off on product release from a compliance perspective
Members of the Extended Team
Open Source Executive Committee (OSEC):
- Sets the FOSS strategy
- Reviews and approves licensing of proprietary source code under a FOSS license
Documentation:
- Ensures the written offer to provide source code is included
- Ensures appropriate notices (copyrights and attributions) appear in the product documentation
Localization:
- Translation of FOSS licenses and notices; the industry practice is to keep FOSS license texts in their native (original) language
Members of the Extended Team (contd.)
Supply chain:
- Requires suppliers to disclose FOSS with a statement of the FOSS license obligations
IT support and maintenance:
- Runs the tools and automation infrastructure used by the compliance program
- Develops tools at the request of the OSRB
Corporate development:
- Company policies mandate that source code be evaluated from a compliance perspective
Thank You