Open-Source License Compliance in Software Supply Chains

Riehle, Dirk; Harutyunyan, Nikolay

doi:10.1007/978-981-13-7099-1_5

Cited by 8 publications

(4 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Section: Applications Of Reproducible Buildsmentioning

confidence: 99%

“…The challenges of managing third-party intellectual property (TPIP) in the software bill of materials (SBoM) (Riehle & Harutyunyan, 2019) and the SBoM of containers such as Docker (Hemel, 2020;Courtès, 2020), including licence compliance, can also be addressed by using R-Bs. Riehle and Harutyunyan (2019) outline the challenges of managing open source licence compliance in the SBoM where there is a mixture of proprietary and open source licensed components in a single product. A further problem is that there can be many versions of source code publicly available in multiple repositories and that there is therefore a broader concern of provenance in the long-term maintenance of software (Rousseau et al, 2020).…”

Section: Applications Of Reproducible Buildsmentioning

confidence: 99%

“…A challenge identified is that not all source code files distributed form part of the compiled software deliverable, thus the detection of licence compliance requires a detailed understanding of the build process used (van der Burg et al, 2014). Technologies such as SPDX (SPDX Workgroup, 2021) can be used in metadata to specify the licence or licences used by each dependency in the SBoM and the Open Source Tooling Group (OSTG) and Automated Compliance Tooling (ACT) (ACT, 2020) are developing solutions that use a combination of R-Bs and SPDX to automate licence compliance checks -licence clearance (Riehle & Harutyunyan, 2019) -in continuous integration (CI) through correspondence between the source code audited for licence compliance and the binaries created and integrated during the build process (Geyer-Blaumeiser, 2019). Furthermore, the use of R-Bs can contribute to securing CI pipelines by providing assurance that only audited SBoM components are integrated into the distributed software (Jacomet, 2020).…”

Section: Applications Of Reproducible Buildsmentioning

confidence: 99%

See 2 more Smart Citations

On business adoption and use of reproducible builds for open and closed source software

et al. 2022

View full text Add to dashboard Cite

Reproducible builds (R-Bs) are software engineering practices that reliably create bit-for-bit identical binary executable files from specified source code. R-Bs are applied in some open source software (OSS) projects and distributions to allow verification that the distributed binary has been built from the released source code. The use of R-Bs has been advocated in software maintenance and R-Bs are applied in the development of some OSS security applications. Nonetheless, industry application of R-Bs appears limited, and we seek to understand whether awareness is low or if significant technical and business reasons prevent wider adoption. Through interviews with software practitioners and business managers, this study explores the utility of applying R-Bs in businesses in the primary and secondary software sectors and the business and technical reasons supporting their adoption. We find businesses use R-Bs in the safety-critical and security domains, and R-Bs are valuable for traceability and support collaborative software development. We also found that R-Bs are valued as engineering processes and are seen as a badge of software quality, but without a tangible value proposition. There are good engineering reasons to use R-Bs in industrial software development, and the principle of establishing correspondence between source code and binary offers opportunities for the development of further applications.

show abstract

Section: Applications Of Reproducible Buildsmentioning

confidence: 99%

Section: Applications Of Reproducible Buildsmentioning

confidence: 99%

Section: Applications Of Reproducible Buildsmentioning

confidence: 99%

See 1 more Smart Citation

On business adoption and use of reproducible builds for open and closed source software

et al. 2022

View full text Add to dashboard Cite

show abstract

“…While open source software and open source development have been extensively researched [8,25], the topic of corporate open source governance, in particular, has been studied to a lesser extent. To address this industry-relevant topic, in our previous work, we studied different aspects of FLOSS governance in companies, such as the potential legal risks of open source use in products [35], and industry requirements for governance tools [23].…”

Section: Introductionmentioning

confidence: 99%

Getting Started with Corporate Open Source Governance: A Case Study Evaluation of Industry Best Practices

Harutyunyan

Riehle

2021

Proceedings of the Annual Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

Open source software usage in companies is on the rise, often resulting in lower development costs, higher quality, and quick availability of code. However, using open source software in products comes with legal, business, and technical risks. Experienced companies prevent and address these risks through corporate open source governance. In our previous work, we studied how top-tier companies got started with corporate open source governance. We proposed a set of industry best practices on the topic, using the practical format of interconnected contextproblem-solution patterns. In this study, we put the proposed state-of-the-art practices to the test by evaluating their real-life application in a case study at a Germany-based multibillion-dollar corporation with products in four distinct industries and more than 17000 employees worldwide. In the course of two and a half years, we conducted 35 semi-structured employee interviews and workshops in five divisions of the company to assess the initial situation of open source governance, the process of getting started with governance following our recommendations, and the outcomes. In this paper, we report the results of this longitudinal case study by presenting the artifacts created while getting started with open source governance, as well as the transferability evaluation of the proposed best practices, both individually and collectively.

show abstract

Managing Your Open Source Supply Chain-Why and How?

Harutyunyan

2020

Computer

View full text Add to dashboard Cite

Open-Source License Compliance in Software Supply Chains

Cited by 8 publications

References 8 publications

On business adoption and use of reproducible builds for open and closed source software

On business adoption and use of reproducible builds for open and closed source software

Getting Started with Corporate Open Source Governance: A Case Study Evaluation of Industry Best Practices

Managing Your Open Source Supply Chain-Why and How?

Contact Info

Product

Resources

About