Industry requirements for FLOSS governance tools to facilitate the use of open source software in commercial products

“…The usage of only approved FLOSS components helps to avoid legal compliance risks introduced by unknown components. In our previous studies about industry requirements on FLOSS governance and compliance tools, we found that companies want to have an automated process of adding new FLOSS components and their metadata into a common architectural model [11], captured in the following requirement:…”

“…"The tool should allow automated adding of FLOSS components and their metadata into the repository using the product architecture model" -Requirement 5.b. [11] But in reality, users of FLOSS components often have to provide information about a component by hand. This manual step of collecting information is timeconsuming and can slow down the whole approval process.…”

“…We found a hierarchical list of requirements that indicated the following four key categories: Tracking and reuse of FLOSS components, License compliance of FLOSS components, Search and selection of FLOSS components, and Other requirements (security, education, etc.). We then extended our findings in a subsequent journal article [11] with a new round of qualitative data analysis using five additional interviews, which added the fifth category to the proposed theory focusing on the architecture model for software products.…”

“…For example, using unique SPDX license identifier instead of unstructured text to describe the declared license. Our previous studies cover the requirements for automation of the FLOSS compliance process, but those requirements are not fulfilled by tools to the extent which is required [10,11]. An elaborate representation of inter-dependency relationships should be an inherent part of the architectural model.…”

“…grounded theory, experiments) because of its suitability for the emerging and complex phenomena that can be best studied in their practical contexts [18]. Given the complexities of the corporate FLOSS use, governance, and compliance in general [9] and of the software dependency documentation issues in particular [11], we chose a case study company that actively uses open source components in products, while encountering issues in tracking and documenting this use as part of the complete product architecture.…”

Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study

“…The usage of only approved FLOSS components helps to avoid legal compliance risks introduced by unknown components. In our previous studies about industry requirements on FLOSS governance and compliance tools, we found that companies want to have an automated process of adding new FLOSS components and their metadata into a common architectural model [11], captured in the following requirement:…”

“…"The tool should allow automated adding of FLOSS components and their metadata into the repository using the product architecture model" -Requirement 5.b. [11] But in reality, users of FLOSS components often have to provide information about a component by hand. This manual step of collecting information is timeconsuming and can slow down the whole approval process.…”

“…We found a hierarchical list of requirements that indicated the following four key categories: Tracking and reuse of FLOSS components, License compliance of FLOSS components, Search and selection of FLOSS components, and Other requirements (security, education, etc.). We then extended our findings in a subsequent journal article [11] with a new round of qualitative data analysis using five additional interviews, which added the fifth category to the proposed theory focusing on the architecture model for software products.…”

“…For example, using unique SPDX license identifier instead of unstructured text to describe the declared license. Our previous studies cover the requirements for automation of the FLOSS compliance process, but those requirements are not fulfilled by tools to the extent which is required [10,11]. An elaborate representation of inter-dependency relationships should be an inherent part of the architectural model.…”

“…grounded theory, experiments) because of its suitability for the emerging and complex phenomena that can be best studied in their practical contexts [18]. Given the complexities of the corporate FLOSS use, governance, and compliance in general [9] and of the software dependency documentation issues in particular [11], we chose a case study company that actively uses open source components in products, while encountering issues in tracking and documenting this use as part of the complete product architecture.…”

Challenges of Tracking and Documenting Open Source Dependencies in Products: A Case Study

Considerations and challenges for the adoption of open source components in software-intensive businesses

How can FLOSS Support COBIT 2019? Coverage Analysis and a Conceptual Framework