Jeff Luszcz was the Founder and CTO of Palamida, one of the first open source discovery and vulnerability management tools. Since 2004, he has helped hundreds of software companies understand how to best use open source while complying with their license obligations and keeping on top of security issues. He has directed professional services teams responsible for open source compliance and security audits. His teams have performed reviews for some of the largest mergers and acquisitions in the technology industry. He consults with companies on the topics of compliance, remediation, and security. He shares his thoughts on the industry at zebracatzebra.com and is a frequent conference speaker. Throughout his career, he has been active in the Java, Macintosh, and open source software communities. He received his B.S. from the Cornell University School of Operations Research and Industrial Engineering.
Licenses, business models, and additional next-generation OSS compliance concerns: supply chain compliance, subcomponent licensing, and more
Introduction and agenda - 0:00
OSS license compliance (Jeff explains how OSS licenses work and lists different license obligations. What happens when you have license obligations you can’t follow? How distribution models affect OSS license obligations.) - 1:17
Compliance notices example: Chrome - 6:19
A history of open source licensing eras (Jeff takes us through the evolution of licensing, starting in the mid-80s. The explosion in the number of open source components used by an average project and the difficulties that brings. The shift towards a software supply chain: hundreds or thousands of suppliers you may have no contact with. How this results in compliance being pushed to upstream suppliers.) - 7:05
OSS compliance in mergers and acquisitions (OSS due diligence using a third-party expert has become more common when buying/selling a company. What is involved in it? What are the most common compliance issues?) - 12:30
Compliance through automated scanning (Humans can’t manage hundreds or thousands of components and their licensing, so software composition analysis (SCA) scan tools are becoming required. How to automate this at scale? How do SCA tools find third-party code?) - 15:15
OSS security: fixing vulnerabilities (Open source components age like milk, not like wine. There is always someone checking code to find ways to exploit bugs and break in. Attacks can be scripted and done at scale.) - 17:34
What looks like OSS but isn’t! - 19:07
OpenChain - a standard for OSS compliance - 22:07
Things learned along the way (Compliance is a personality-driven process. The same project could report 10 or 1000 libraries depending on the person leading compliance and the processes used. How analysis paralysis can creep in and how we can plan for it.) - 22:50
What is still very difficult for companies? (Companies still value new code over maintenance and compliance. Inner-package licensing is difficult to understand. Communication issues between different teams. Non-standard licenses and dead companies.) - 25:30
What’s on the horizon? (Automated compliance. Supply chain attacks and defense against them. An accurate bill of materials becoming a commercial contract item. New FOSS licenses in database space.) - 27:50