<style type="text/css">
.reveal section img {
border: none;
box-shadow: none;
}
.reveal section span {
color: black;
font-size: 12px;
}
</style>
<span style="font-size:30%">
CC0-1.0 Universal Public Domain Dedication is [here ](https://creativecommons.org/publicdomain/zero/1.0/).
How to move:
**ESC** -> enter/exit the slide overview
**Right/left arrow** -> Main
**Down/up arrow** -> Branch for each chapter
**S key** -> Show speaker's notes
</span>
<aside class="notes" data-markdown>
Welcome to the OpenChain Curriculum Slides. These slides can be used to help train internal teams about FOSS compliance issues and to conform with the OpenChain Specification.
You can deliver these slides as one half-day training session or you can deliver each chapter as a separate module. Please note that each chapter has “Check Your Understanding” slides with questions and answers in the slide notes. These can be used as the basis for in-house tests for FOSS compliance.
</aside>
---
<aside class="notes" data-markdown>
This slide helps explain what the OpenChain Curriculum and these slides are for.
</aside>
---
<aside class="notes" data-markdown>
This slide is relevant to providing either a single three hour training session or explaining how a series of shorter sessions focused on “per chapter” training will work.
</aside>
---
<span style="font-size:40%">
(Link above is [here](https://www.linux.com/publications/generic-foss-policy).)
</span>
<aside class="notes" data-markdown>
This slide is intended to help a company identify where their internal FOSS policy is located in the company documentation.
</aside>
---
<aside class="notes" data-markdown>
This chapter is focused on the “big picture” of Intellectual Property. This chapter is probably most useful for managers or developers who might not fully understand the fundamentals of copyright, patent and trademark law.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This overview is not intended to cover all aspects of Intellectual Property. It is intended to provide context for the “big picture” and to establish that today we are only discussing copyright and patents, the areas most relevant to FOSS compliance.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains the “big picture” of copyright in software.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide clarifies the most important parts of copyright law to software.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains patent concepts relevant to software.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains what is a “license.” This is different to a contract under US law. This slides explains the boundaries of what can be in a license.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
Copyright protects original works of authorship. It's different than patent in that copyright protects the expression of an idea, whereas patent protects the underlying idea itself. Examples of works of authorship include photographs, songs, and computer code.
Most important copyright concepts for software are: right to reproduce, right to make creative works (or right to modify), and right to distribute.
Software can be subject to a patent. Patent protects method of operation, such as computer program. However, patent protects functionality, and not abstract ideas.
Patent holder can exclude others from practicing the patent, regardless of whether the others have independently created the product.
If you have independently developed your own software, then you may not need a copyright license if you can show the independent development and you had no access to the copyrighted work in question. This is difficult if the copyrighted work is popular such that it'd be reasonable to assume that you had access. If your software reads on a patent, then you will need a patent license regardless of whether you've independently developed the software. An example of this would be FFMpeg, which is a free software project that provides the codecs for encoding and decoding videos. However, you would still need a patent license to encode and decode a certain format.
</aside>
---
<aside class="notes" data-markdown>
This chapter is useful for lawyers, managers or developers who may not be familiar with FOSS licenses.
</aside>
----
<span style="font-size:40%">
(Link above is [here](http://www.opensource.org/licenses/
).)
</span>
<aside class="notes" data-markdown>
This slide provides the “big picture” about what FOSS licenses do. It also explains a resource where you can find out more about some FOSS licenses.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains ”permissive” FOSS licenses, the most basic type of FOSS license, which usually have minimal requirements. The most basic requirement is to include a copyright notice. Permissive licenses do not require source code to be made available to downstream recipients. The code owner is providing the source code under the FOSS license, but is not requiring that you provide the source code to others.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains reciprocity and Copyleft, a more complex type of FOSS license that have additional requirements above permissive licenses. They require distribution of the original work and derivative works under the same terms as the original work.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains proprietary or closed source licenses. These licenses often have very different requirements and rules compared to FOSS licenses.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
There are other types of license used. Sometimes these are confused with FOSS but their requirements are actually different. Freeware or Shareware licensing should not be regarded as the same or compatible with FOSS licensing.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
There are other types of license used. Sometimes these are confused with FOSS but their requirements are actually different. Freeware or Shareware licensing should not be regarded as the same or compatible with FOSS licensing.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains public domain, a type of release that means the work is released without any restrictions whatsoever by the authors. In the US public domain software can be included in FOSS code, but it should be noted that not all legal jurisdictions recognize the existence or permit the release of authorship under public domain. Germany is one example.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains license compatibility, the way of understanding what licenses can be used together. Some FOSS licenses are compatible with each other. Some are incompatible. This is an important consideration when choosing code and choosing licenses.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains notices, the text comments in files that explain authorship and licensing, and which are often regarded as the most important way of knowing what license applies to a file.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slides explains multi-licensing. This is the situation where more than set of license terms can apply to a piece of software.**Conjunctive** = Multiple licenses apply
GPL-2.0 project also includes code under BSD-3-Clause
In this situation you have to comply with both sets of license terms
**Disjunctive** = Choice of one open source license or another
Mozilla tri-license
Jetty
Ruby
Disjunctive licensing may be something important to explore more deeply when creating a FOSS policy.
Under disjunctive licensing you have a choice of licensing, i.e. GPL and a more permissive license option, you may choose which license you are going to distribute under depending on license compatibility, license requirements.
Sometimes a project has a disjunctive licensing situation, but only one license is included in your code – so perhaps the person you got the code from already made this choice. If they choose the license you weren’t going to use, now you might have to consider if you should figure out who the original © holder is and get the code directly from them
**Example: **
MPL 1.1/GPL 2.0/LGPL 2.1 - -
“The contents of this file are subject to the Mozilla Public License Version - 1.1 (the "License"); you may not use this file except in compliance with - the License.
. . .
Alternatively, the contents of this file may be used under the terms of - either the GNU General Public License Version 2 or later (the "GPL"), or - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - in which case the provisions of the GPL or the LGPL are applicable instead - of those above.
If you wish to allow use of your version of this file only - under the terms of either the GPL or the LGPL, and not to allow others to - use your version of this file under the terms of the MPL, indicate your - decision by deleting the provisions above and replace them with the notice - and other provisions required by the LGPL or the GPL. If you do not delete - the provisions above, a recipient may use your version of this file under - the terms of any one of the MPL, the GPL or the LGPL. “
**“dual”** = confusing term that may be used for any of these situations, but usually refers to business model of OSS license or commercial license choice
For more on dual-licensing as a business model: http://oss-watch.ac.uk/resources/duallicence2
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
FOSS licenses are Free and FOSS Software licenses generally make source code available under terms that allow for modification and redistribution.
Typical obligations of a permissive FOSS license are that the copyright notice and warranty disclaimer are included with the software. Very often, the license would expressly prohibits users from using the author's name without permission.
Examples of permissive FOSS licenses include MIT, BSD, and Apache.
License reciprocity means that the derivative work of the copyrighted work must be made available under the same license. Other names being used include "hereditary", "copyleft", "share-alike", and pejoratively"viral."
Examples of copyleft-style licenses include GPL and LGPL.
Copyleft-style licenses often have source availability obligations, which require you to provide accompanying source code when you distribute a binary version of a program or library. The source code should be of the same version and content that corresponds to the binary version you distribute.
Freeware and Shareware are not FOSS.The reason is that even though freeware and shareware are available without cost, they don't allow the users to make modifications to the software.In fact, many of the freeware and shareware contain similar license restrictions common in proprietary software.
Multi-license refers to the practice where software is made available under multiple licenses. For example, an open source software can be dual-licensed under MIT and GPLv2. In that case, you are free to choose the license that suits your need.
FOSS Notices may include information about the identity of the copyright holders and the license governing the software. FOSS Notices may provide notice about modifications. Some licenses require that FOSS Notices be retained or reproduced for attribution purposes.
</aside>
---
<aside class="notes" data-markdown>
This chapter covers the big picture of FOSS compliance. It explains how compliance works from first principles.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains that FOSS compliance is really a two-part goal. The first is to know your obligations and have a process to support this knowledge. The second is to satisfy the obligations.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide expands on what compliance obligations must be satisfied in typical FOSS licenses.
The scope of source code availability is determined by the FOSS license. Some licenses may require source code availability for only the FOSS software. Others may require all the software described in the slide.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains when FOSS obligations are “triggered.” FOSS licenses are copyright licenses and the basic compliance trigger is when you distribute code to another legal entity.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains that modifying code can impose obligations under FOSS licenses. It explains a little bit about derivative works.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains how FOSS compliance programs work in “broad strokes” (a basic overview).
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains more about how FOSS compliance practices can work in an organization.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide describes some of the benefits that compliance brings to an organization beyond the fact of fulfilling the legal obligations of the license.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
FOSS compliance means following the licensing terms of FOSS licenses. It involves understanding the licenses, having processes to support the license terms, and having processes to address any oversights or errors.
The two main goals of a FOSS compliance program are **know your obligations** and to **satisfy your obligations**.��The important business practices of a FOSS compliance program include:
Identification of the origin and license of FOSS software
Tracking FOSS software within the development process
Performing FOSS review and identifying license obligations
Fulfillment of license obligations when product ships
Oversight for FOSS Compliance Program, creation of policy, and compliance decisions
Training
A FOSS compliance program provides various benefits such as an increased understanding of how FOSS impacts your organization, an increased understanding of the costs and risks associated with FOSS, better relations with the FOSS community and increased knowledge of available FOSS solutions.
</aside>
---
<aside class="notes" data-markdown>
This chapter describes some fundamental concepts in understanding FOSS usage
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide is about how the use of FOSS components is a consideration for your compliance. Different use cases will have different legal effects. The next few slides explain these concepts in more detail.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slides outlines what incorporation means when using FOSS.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slides outlines what linking means when using FOSS.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slides outlines what modification means when using FOSS.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slides outlines what translation means when using FOSS.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slides explains that development tools may do some of these actions “behind the scene”, and this is an area that companies should be aware of.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide explains some of the concepts behind distribution. Because FOSS licenses usually apply during distribution, this is a key point to consider in a compliance program.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
Incorporation is when you copy portions of a FOSS component into your software product.
Linking is when you link or join a FOSS component with your software product.
Modification is when you make changes to a FOSS component.
Translation is when you transform the code from one state to another.
When thinking about distribution of Open Source you should consider to things:
Who receives the software?
* Customer/Partner
* Community project
What is the format for delivery?
* Source code delivery
* Binary delivery
* Pre-loaded onto hardware
</aside>
---
<aside class="notes" data-markdown>
This chapter describes a “FOSS Review” process in which FOSS usage is analyzed and the relevant obligations are determined
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The FOSS Review is a basic building block of a FOSS Compliance Program.
A FOSS Review can be the meeting point for engineering, business and legal teams, and can require planning and organization to successfully conduct on a large scale.
* Engineering or developer teams may participate in gathering relevant information
* Legal teams analyze and determine license obligations and provide guidance
* Business and engineering teams may receive and implement guidance
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The first step is to identify the proper parties to initiate a FOSS Review
Important questions to ask include:
* Who are the decision makers about FOSS usage (managers, architects, individual engineers, etc.)?
* How can they raise questions about FOSS usage?
* Is there a regular point in your development process where FOSS Reviews can begin?
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
It should be noted that this list of information looks quite large. However, the amount of information required depends on the size of your company and what you intend to do with the FOSS code. Large entities tend to require more information than small entities.
There are a couple additional issues in the case of external vendors. First, you may need to follow up with the vendor if FOSS issues arise in the future, and having a reliable point of contact is important. You may also need to meet FOSS license obligations for FOSS delivered from the vendor. Ensure you have the notices and source code as needed to meet these obligations.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The FOSS Review team may consist of an interdisciplinary team
The legal team, which may include in-house or outside attorneys, reviews and evaluates the FOSS usage for license obligations
The legal team may be supported by others, including:
Scanning and tooling teams that identify and track FOSS usage. These teams may provide support using code scanning or forensics tools to identify FOSS components in a codebase. The teams may also organize and track information gathered regarding FOSS usage to assist with later compliance processes.
Other specialists or representatives that may be impacted by FOSS-related issues, such as commercial licensing, compliance or business planning teams.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The FOSS Review team should have the expertise to properly assess the FOSS usage. This may require support from engineering teams to educate legal and business teams about the proposed FOSS usage. For example, code scanning may be used to locate undisclosed FOSS usage.
Once the proposed FOSS usage has been fully assessed, the legal team will then have the necessary information on which to make its judgments.
</aside>
----
<!-- .slide: data-transition="convex" -->
<span style="font-size:40%">
(Link above is [here](https://www.fossology.org ).)
</span>
<aside class="notes" data-markdown>
This slide explains the big picture of what Open Source code scanning tools are, how they work, and where a new user can start to gather knowledge about the subject.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The FOSS Review process should be flexible enough to allow the interested parties to collaborate. Sometimes a FOSS usage scenario may not be clear to the FOSS review team. The engineering team will need the ability to provide further input. Likewise, the engineering team may need assistance in implementing guidance from the FOSS review team.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The FOSS Review process should have oversight (for example, an Executive Review Committee in this diagram). The oversight committee may make important policy decisions or resolve disagreements between parties in the review process.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
To gather and analyze information regarding FOSS usage and to produce appropriate guidance.
Initiate a FOSS review process. The method for initiating this process may vary by company, but should be open to those who are involved in using FOSS in development.
Initiate a FOSS review process or contact the FOSS review team. The process should be flexible enough so that FOSS users in your organization have access to guidance.
The package name, version, download URL, license, description and intended use in your product is a good starting point. The precisely level of detail you will need depends on your organization and intended use case.
The copyright notices, attribution and source code normally helps to identify who is licensing the FOSS software.
Development team's point of contact in case you need to follow up with future FOSS issues. You may also want to obtain copyright and attribution notices, and source code for vendor modifications if these are needed to satisfy license obligations for FOSS licenses governing the third party software.
Check information for completeness, consistency and accuracy. This process may be assisted by support teams, including teams that run code scanning tools to scan for undisclosed FOSS usage.
</aside>
---
<aside class="notes" data-markdown>
This chapter contains an example of a detailed end to end compliance management process.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide describes the definition of compliance management and its end goals.
Note that this section provides a detailed example of what may take place in a large enterprise. Smaller companies may wish to approach the process in a more streamlined way.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide describes what a Small to Medium Enterprise (SME)might need to do to build and deploy an effective compliance program.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide is an overview of the steps that a larger enterprise might use for their process.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The first step in our example process is to identify FOSS usage.
This step may have been initiated by one of the events listed in “prerequisites.” For example, a development team may have initiated a request (or initiated a FOSS Review). The step may also begin if the review team discovers or is notified that FOSS is being used in a software release or in third party software used by the company, and that a proper review needs to take place.
In this example, the FOSS review team may identify FOSS usage through review requests from engineers, from performing scans of internally-developed and third-party software, or reviewing code checked into development branches. The review team will then create a record of the review, then move to the next step (“Audit”).
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The next step is auditing source code identified in the previous step.
In our example, the company may conduct research into the identified FOSS component (e.g., review declared licenses, research origins of the FOSS component). The company may also scan the source code to verify the origin and composition of the code.
The review team may then produce an audit report with its conclusions regarding the origin and licensing of the source code.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
Once an audit report is produced that confirms the origin and licensing of source code, the review team should flag and review any issues under the company FOSS policy. For example, the earlier steps may have identified a FOSS component that contains other FOSS code under an incompatible license. The review team should provide appropriate feedback to the engineering team to resolve the issues.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide contains a template that may be used to illustrate FOSS usage and its relationship with company software. For example, how are FOSS and company components linked together? Templates such as these may be created by engineering teams to help educate the FOSS review team about planned FOSS usage.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
In this step, the FOSS review team reviews the facts collected in the previous steps and identifies the company’s obligations under the FOSS licenses.
This step may be closely linked with the previous step (Resolving Audit Issues). In the previous step we removed FOSS usage that did not conform to company policy. In this step, we evaluate and identify the license obligations for FOSS usage that is retained.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
In the approval step of our example process, the review team communicates whether it approves of the FOSS usage in question, along with any associated conditions or obligations. The approval should also include important details such as version numbers of FOSS components and the approved usage scenario.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
Approval information from the previous step should be tracked or registered so that anyone releasing the software can understand and comply with the relevant license obligations.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
If required by a FOSS license, appropriate notices should be prepared (often in a text file that accompanies the release). Notices may include attribution notices, modification notices, or offers for source code. For some licenses, you may also need to include a full copy of the license text.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
In this slide of our example process, the company verifies that it has met its FOSS license obligations before release. In cases where source code must be made available, the company verifies that the source code matches the binary files being distributed. The company also verifies that notices are properly produced and included in distribution packages as needed.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
In cases where source code must be made available, the company provides the accompanying source code through the mechanisms permitted under the FOSS license. This may mean providing the source code along with the software distribution, making it available through a written offer, or posting a source code archive on a website.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
In this step, the company verifies that its distribution complies with its FOSS license obligations. This step could be a function of an entity providing oversight for the overall FOSS review process.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
For our example process, the steps include:
* Identification - Identify and track FOSS usage. This may take place through engineer requests, third party disclosures, or code scanning.
* Auditing source code - Review identified FOSS components for license and origin information.
* Resolving issues - Remove FOSS usage that is incompatible with FOSS policies.
* Performing reviews - Assess and determine obligations for FOSS usage.
* Approvals - Communicate approval conditions and license obligations.
* Registration/approval tracking – Track approval conditions and license obligations for later compliance steps.
* Notices - Prepare notices as required by FOSS licenses.
* Pre-distribution verifications – Review distributions for compliance before release.
* Accompanying Source Code Distribution – Make source code available as needed.
* Verification – Provide oversight for compliance process.
Architecture reviews examine the relationships between FOSS components and company software. For example, how are FOSS and company components linked together?
</aside>
---
<aside class="notes" data-markdown>
This chapter describes some common pitfalls in FOSS compliance processes, and discusses approaches to avoiding these pitfalls
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
In this chapter, we will describe some common pitfalls to avoid in the FOSS compliance process.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
In this step, the company verifies that its distribution complies with its FOSS license obligations. This step could be a function of an entity providing oversight for the overall FOSS review process.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The first pitfall described in this slide arises where copyleft-style licensed FOSS is inadvertently mixed with proprietary code.
This may be discovered through auditing source code for license notices or using code scanning tools.
Preventative measures include training of engineering staff, and building regular audits or scans into the development process.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The first pitfall in this slide arises where copyleft-style licensed FOSS is inadvertently linked to proprietary code.
This type of failure may be detected using dependency tracking tools or reviews of architecture.
Preventative measures include training of engineering staff, and building architectural reviews into the development process.
The second pitfall arises where proprietary code is included in copyleft-style licensed FOSS. For example, an engineering team making modifications to a FOSS component may include proprietary code in the modifications.
This type of failure may be discovered through auditing source code introduced into the FOSS component.
Preventative measures include training of engineering staff and building regular audits into the development process.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The first pitfall in this slide arises where a company has an obligation to provide accompanying source code, but fails to do so.
The second pitfall arises where a company provides accompanying source code, but fails to provide the correct version that matches the distributed binary version.
The third pitfall arises where a company modifies a FOSS component, but fails to publish the modified version of the source code. The company instead publishes the source code for the original version of the FOSS component.
In each case, the failures may be prevented by properly applying steps in the compliance process. For example, source code for released binaries should be captured and stored along with the binary version. Verifications prior to release should check to ensure the proper source code is provided with the binary release.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The pitfall in this slide arises where a company modifies a FOSS component, then fails to mark its modifications when required by the FOSS license. This pitfall may be prevented through implementing processes for marking code or within verification steps.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
The pitfalls in this slide arise from a failure to integrate the FOSS compliance process with the engineering team. In these cases, the engineering team does not raise FOSS usage to the review process, or does not receive the training on how to handle FOSS usage.
Preventative measures include monitoring of engineering training, and also making the compliance process easily accessible to the engineering team.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide describes potential consequences of compliance process failures. In the first case, a code base may be used in development and releases without proper review. In the second case, FOSS usage may be known, but license obligations are not reviewed or determined. In the last case, the compliance process may face release deadline pressures and have limited time to perform its tasks.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
While avoiding the pitfalls described in this chapter may take resources and effort, prioritizing the FOSS compliance process is important. It can help you more effectively use FOSS in your development process, and also help maintain good working relationships within the FOSS community.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
Your FOSS compliance process is a building block to establishing good working relationships within the FOSS community.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
Pitfalls can occur under the following categories: IP failure, license compliance failure, and compliance process failure.
An example of IP failure would be commingling of proprietary code and open source code, which may result in making proprietary software available to general public despite company's preference.
An example of license compliance failure would be a failure to mark an open source software after modification or to properly list the open source software components in the software or to make the complete and corresponding source code available.
An example of compliance process failure would be a failure in the process related to audit, review, or approving the open source software. Auditors "waived" all the red-flagged items in a report, or that the review and approval process takes too long.
The benefits of prioritizing compliance are that you become more efficient in your use of FOSS, and that you build a better relationship with the open source community.
The benefits of maintaining a good community relationship are that you can better assess how you can comply with the FOSS license requirements, and you have a better two-way communication with regard to contribution and use of the FOSS.
</aside>
---
<aside class="notes" data-markdown>
(Nathan) I think this chapter could be useful if we can work out a "developer cheat sheet" or something similar. As it is now,this content seems to be more fully reproduced in other chapters and we are not adding much.
(shane) this chapter needs expansion, so this will be one of our key focuses in 2017
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slide outlines the key developer guidelines necessary for a high quality compliance approach.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
This slides explains how to anticipate compliance process requirements.
</aside>
should apply to all FOSS components entering your company.
</aside>
----
<!-- .slide: data-transition="convex" -->
<span style="font-size:40%">
(Link above is [here](https://training.linuxfoundation.org/linux-courses/open-source-compliance-courses/compliance-basics-for-developers
).)
</span>
<aside class="notes" data-markdown>
General guidelines developers can practices when working with FOSS:
- Select code from high quality FOSS communities
- Seek guidance
- Preserve existing licensing information
- Gather and retain FOSS project
information for your review process
Should you remove or alter FOSS license header information? No – existing license information should be preserved, additional header information can be added for modifications or additions to source code (note, some licenses require documenting changes) .
Important steps in a compliance process:
- Follow developer guidelines, especially for any FOSS code included in or linked to proprietary code
- Review and approve all FOSS early in the cycle
- Review architecture and avoid mixing components governed by incompatible licenses
- Verify OSS compliance for every product and every version prior to release
- Review OSS compliance for new versions of OSS
A new version of a previously reviewed FOSS component can create new compliance issues by:
- A change in the FOSS license for the new version of the FOSS component(e.g. ghostscript https://en.wikipedia.org/wiki/Ghostscript)
- New dependencies introduced with new versions which create additional FOSS obligations. These dependencies may be embedded in the FOSS distribution or they may be dependencies resolved at build time.
What risks should you address with in-bound software?
- License compliance for any disclosed FOSS embedded in the in-bound software
- The potential for creating license conflicts by integrating inbound software with other FOSS or proprietary software
- Undisclosed or unknown FOSS included in the in-bound software
</aside>
---
<aside class="notes" data-markdown>
(Nathan) I think this chapter could be useful if we can work out a "developer cheat sheet" or something similar. As it is now,this content seems to be more fully reproduced in other chapters and we are not adding much.
(shane) this chapter needs expansion, so this will be one of our key focuses in 2017.
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
---
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
P137
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
P138
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p139
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p140
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p141
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p142
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p143
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p144
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p145
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p146
</aside>
----
<!-- .slide: data-transition="convex" -->
<aside class="notes" data-markdown>
p147
</aside>
---
Thank you.
<aside class="notes" data-markdown>
</aside>
{"metaMigratedAt":"2023-06-14T18:56:03.102Z","metaMigratedFrom":"YAML","title":"The OpenChain Curriculum 1.2 ","breaks":true,"slideOptions":"{\"transition\":\"concave\",\"theme\":\"white\"}","contributors":"[{\"id\":\"c1b13d23-9285-4fa7-8c1c-baf59fc476ab\",\"add\":53520,\"del\":846}]"}