August 19-21 - Co-Located Events
August 21-23 - Conference
Hilton San Diego Bayfront - San Diego, CA
More information for Open Source Summit + Embedded Linux Conference North America 2019

Automating Compliance
Wednesday, August 21


FOSSology: News and Advances from the Project - Michael C. Jaeger, Siemens AG*
FOSSology is a collaboration project of the Linux Foundation covering license compliance tasks: It is a Web server system for users and a toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and Web user interface provides you with a compliance workflow.

The session presents and explains a number of new components in the area of scanning and license compliance automation: First, a couple of new scan techniques have been implemented for achieving more precision when scanning for licenses, reducing manual correction effort. Second, FOSSology was extended with a REST API, allowing other systems to interoperate with FOSSology using software, shell scripts, shell commands or any other form of execution that produces REST requests. Now, scanning and SPDX document generation can be performed entirely by REST requests.


Michael C. Jaeger

Project Lead, Siemens AG
Michael C. Jaeger is one of the maintainers for Linux Foundation's FOSSology and Eclipse SW360 projects, both available on Github and both in the area of OSS handling w.r.t. license compliance and component management. At Siemens Corporate Technology in Munich, Germany, Michael works...

Wednesday August 21, 2019 11:30am - 12:05pm
  • Session Slides Included Yes


Welcome Back to Dependency Hell - OSS Compliance in the Age of Software Reuse - Nisha Kumar, VMware*
This talk is about meeting Open Source Software Compliance in our current state of Software Development. It is also a reckoning on our current state of Software Development with regards to Software Reuse, in other words, Dependency Management. The first step in meeting OSS legal obligations is to know what software your product or project is dependent on. This is an exponentially hard problem now when a single module can contain hundreds of dependencies and each development ecosystem has its own principles and tooling around tracking them. Wrapping each microservice in its own runtime environment (containers) has not solved this problem, but rather distributed it across an oftentimes unreliable and unsafe network.

This talk doesn't provide a magic solution to a problem decades in the making, but it tries to raise awareness of the problem and lists some requirements to consider while the industry ponders on how to untangle itself.

Nisha Kumar

Open Source Engineer, VMware
Nisha Kumar is an Open Source Engineer at VMware’s Open Source Technology Center. She is one of the maintainers of Tern, a container image inspection tool for OSS license compliance. She has spoken at several events including All Things Open, SCaLE, and a previous KubeCon.

Wednesday August 21, 2019 2:25pm - 3:00pm
  • Session Slides Included Yes


Open Source License Variations in Linux and Android: Comprehensive Examples and Insights - Peter Shin & David A. Barrett, Canvass Labs*
To comply with open source licenses, users must include proper license text in their software. Unfortunately, many times they include poorly-worded texts instead. To help solve this problem, Microsoft is leading an effort to clearly define license statements at clearlydefined.io.

In order to facilitate this effort, the Canvass Labs team analyzed the entire corpus of license text in Linux and Android and grouped each license according to a license type defined by The Software Package Data Exchange (SPDX). Then, they cataloged how each instance appearing in the Linux and Android repository varied from the standard license template.

They found that the license variations formed groups sharing similar structure for each underlying license template. They also found that sentence-level granularity leads to intuitive grouping.

David A. Barrett

Sr. Director, Canvass Labs
David A. Barrett is a Senior Director at Canvass Labs currently working on applying academic research to improving software infrastructure. After earning his Ph.D., he has been teaching and applying results from computer-science research to engineer solutions for large-scale software...

Peter Shin

CEO, Canvass Labs Inc.
Peter Shin is the Founder and CEO of Canvass Labs Inc. He envisions building a robust and secure Open Source Software community. He has spent 17 years working on Open Source Software at the San Diego Supercomputer Center, UC San Diego, and at Qualcomm conducting research in both artificial...

Wednesday August 21, 2019 3:15pm - 3:50pm
  • Session Slides Included Yes


Workshop: Hands On FOSSology, SW360 and SPDX - Michael C. Jaeger, FOSSology.org / Siemens AG*
FOSSology and SW360 are both software projects in the area of OSS license compliance. FOSSology can run license, copyright and export control scans and has a Web user interface providing a compliance workflow. SW360 allows organizations to maintain a component inventory – the software bill-of-material (S-BOM). SW360 generates license compliance documentation for all involved (OSS) components of a product. It enables other use cases in the area of vulnerability management or export control. SPDX is a specification for exchanging license compliance (and more) information about software deliveries.

This tutorial performs a walkthrough on how to implement license compliance. From a Java build, dependency information is sent to an SW360 server. In SW360, sending source code to FOSSology triggers license scanning resulting in SPDX documents. Then, SW360 generates license compliance documentation. The tutorial will provide an example case based on a Java software project.


Michael C. Jaeger

Project Lead, Siemens AG
Michael C. Jaeger is one of the maintainers for Linux Foundation's FOSSology and Eclipse SW360 projects, both available on Github and both in the area of OSS handling w.r.t. license compliance and component management. At Siemens Corporate Technology in Munich, Germany, Michael works...

Wednesday August 21, 2019 3:15pm - 5:45pm
Indigo D
  • Session Slides Included Yes


Getting a Good Night's Sleep After a Fresh Kubernetes Deployment - Paweł Wieczorek, Samsung R&D Institute Poland*
With a constantly increasing number of security threats, no Kubernetes cluster should stay vulnerable. How easy is it to make sure yours follows all of the best practices? Having an automated assessment tool would be the most convenient. During this talk Paweł will present such a utility, developed for ONAP project purposes. He will share it with the community in order to make sure the attack surface stays as minimal as possible.

Pawel Wieczorek

Software Development Engineer, Samsung R&D Institute Poland
Paweł Wieczorek has worked at Samsung R&D Institute Poland since 2014. Starting as an access control developer, Paweł contributed to the security framework of the Tizen operating system. At that time, he introduced testing automation practices to Tizen and still actively develops automated...

Wednesday August 21, 2019 4:20pm - 4:55pm
  • Session Slides Included Yes


PacBot: Enabling Cloud Agility with Automated Compliance and Remediation - Nicholas Criss & Steve Hull, T-Mobile*
For T-Mobile, the purpose of public cloud is to accelerate time-to-value for customers, unlocking developer agility while protecting the business from critical security and compliance issues. This is a challenge given agility and compliance are typically at odds with one another, especially in the highly dynamic environment of cloud.

Nicholas & Steve will present PacBot, a system developed by their team since 2016 and open-sourced in the Fall of 2018. It auto-discovers assets in the cloud and applies software rules (policy-as-code) to continually check compliance. In addition to a rules engine, it includes a big data lake and a strong visualization capability to provide real insight into compliance.

Most importantly, PacBot includes the ability to "auto fix" critical issues, both in batch and real-time reaction to events.

Nicholas & Steve will demo PacBot and discuss its evolution over three years and the critical process of getting stakeholder buy-in for auto-remediation.

Steve Hull

Sr. Director, Digital Customer Experience, T-Mobile
Nicholas Criss

Sr. Manager, Cloud Center of Excellence, T-Mobile
Nicholas is Sr. Manager for Platform Services & Security with T-Mobile's Cloud Center of Excellence. He also leads the OSS Working Group. His team has open-sourced projects for serverless (Jazz), blockchain (NEXT Identity), secrets management (T-Vault) and automated compliance (P...

Wednesday August 21, 2019 5:10pm - 5:45pm
  • Session Slides Included Yes
Thursday, August 22


Customizing Open Source Software Metrics with Augur - Sean P. Goggins, University of Missouri & Matt Germonprez, University of Nebraska
Augur is a metrics prototyping tool that serves the CHAOSS Community. Its core features are aimed at storytelling through metrics. In this workshop session participants will learn to install and configure Augur for their own use, with different cases being available for community managers with less than 50 repositories and organizations with thousands of repositories to keep track of. In this lab/workshop you will:

1. Gather metrics for a few dozen open source repositories of your choosing
2. Compare your repositories with similar repositories drawn from the Augur library
3. Download graphics for storytelling
4. Download copies of your data for assessment and validation
5. Explore using the Augur Metrics API to systematically get project metrics to analyze using your own preferred tools.

This lab/workshop is designed to be hands-on and engaging, so participants leave the session with new tools to explore CHAOSS metrics. Emerging Risk and Value metrics will be featured.


Sean Goggins

Associate Professor, University of Missouri
Sean is an open source software researcher and a founding member of the Linux Foundation's working group on community health analytics for open source software CHAOSS, co-lead of the CHAOSS metrics software working group and leader of the open source metrics tool AUGUR which can...

Matt Germonprez

Professor, University of Nebraska at Omaha
Matt Germonprez is the Mutual of Omaha Professor of Information Systems in the College of Information Science & Technology at the University of Nebraska at Omaha. He uses qualitative field-studies to research corporate engagement with open communities and the dynamics of design in...

Thursday August 22, 2019 11:15am - 12:40pm


Tested for Business: An Open and Transparent Quality Kit - Shelley Lambert, IBM Canada*
With the proliferation of OpenJDK binaries for a business to choose from, one factor in determining the selection is quality. How do you know your choice is up to snuff? The AdoptOpenJDK Quality Kit is an open and transparent verification story for OpenJDK binaries. It is a robust and adaptable test kit that can be utilized by any OpenJDK implementor, and represents the quality bar required by large-scale customers in enterprise environments. We test multiple freely available JDK implementations at AdoptOpenJDK and continue to refine this suite of tests to give the community access to high-quality binaries.

Beyond a frank discussion starter on the criteria by which we measure quality, this talk summarizes the real quality requirements of enterprise customers and presents a compelling story for verifying and/or selecting your OpenJDK implementation.

Shelley Lambert

Runtime Technologies Test Lead, IBM
Shelley Lambert is the Test Lead for the IBM Runtime Technologies team. She and her team test open and freely available JDK implementations and have delivered the test strategy, test code base, and test frameworks into the Eclipse OMR, Eclipse OpenJ9 and AdoptOpenJDK projects. She...

Thursday August 22, 2019 2:10pm - 2:45pm
  • Session Slides Included Yes


OSS Review Toolkit: Using FOSS Tools for FOSS Reviews in CI/CD World - Thomas Steenbergen, HERE Technologies*
In an ideal world, a FOSS review is highly automated and done often and early so that any FOSS issues, whether technical, licensing or security, can be caught and resolved as they appear. However, despite many proprietary tools existing, the OSS community has been without review tooling that is compatible with modern SW development practices like using package managers, continuous integration and continuous delivery (CI/CD).

Without this review capability, FOSS projects often are released without clear metadata, resulting in reduced adoption and contribution numbers, rendering the projects less successful.

In this talk we demonstrate the latest version of OSS Review Toolkit (ORT) which enables highly automated OSS reviews within CI/CD by combining FOSS dependency and scanning tools like ScanCode with ClearlyDefined, a platform to discover, curate and share FOSS component metadata.

Thomas Steenbergen

Head of Open Source, HERE Technologies
Thomas Steenbergen is the Head of Open Source at HERE Technologies (www.here.com). HERE is the open location platform company, which enables people, enterprises and cities to harness the power of location. He has been an active contributor to the SPDX specification since 2015, helping...

Thursday August 22, 2019 3:00pm - 3:35pm
  • Session Slides Included Yes
Friday, August 23


Infrastructure and Compliance Testing with InSpec - Ben Bleything, Google
This workshop is an introduction to the open source InSpec framework. InSpec is commonly used for automated infrastructure and compliance testing. You’ll leave with the knowledge and experience necessary to start implementing test suites for your own infrastructure.

You'll learn the basics of InSpec and get hands-on experience writing controls. You'll explore the compliance and integration testing capabilities of InSpec. Finally, you'll get pointers to various resources you can use to continue learning on your own.

Ben Bleything

Developer Advocate, Google
Ben Bleything is a developer and sysadmin from Seattle, Washington. He's best known as one of the world's leading experts in the emerging field of Clown Computering. You may also know him from the Ruby community, where he maintains BenString: the only core class wrapper that's recommended...

Friday August 23, 2019 11:30am - 12:55pm


Moving Compliance to the Left (Open Source Compliance and Product Planning) - Craig Northway & Mark Matyas, Qualcomm Technologies Inc*
Open Source compliance can be time consuming and risky if left until late in your product cycle. We will discuss how we have been “moving our compliance to the left” into product planning, engaging with our product and program management teams and aligning our data with the product definition.

Our goal is to define and review third party software, product distribution models and architecture up front and provide compliance guidance early. Tight integration into the product definition and composition systems will mean we can provide indicators to program management and drive any enforcement directly through our distribution systems.

We’ll give an overview of the organizational aspects and history of how we came to view this model, a demonstration of how we have integrated this capability and our ideas for how this approach leverages and integrates into the broader OS compliance ecosystem.

Craig Northway

Director, Engineering, Qualcomm Technologies, Inc
Craig Northway is a Director of Engineering in Corporate Engineering at Qualcomm Technologies Inc. (QTI), a subsidiary of Qualcomm, Inc. Craig manages the Qualcomm Open Source Technology Group, a group formed to improve process, policy and tooling around Open Source software at Qualcomm...

Mark Matyas

Senior Staff Engineer/Manager, Qualcomm Technologies Inc
Mark Matyas is a Sr Software Engineer at Qualcomm Technologies Inc. (QTI), a subsidiary of Qualcomm, Inc. Mark is a lead engineer for the Qualcomm Open Source Technologies Group, where he builds and integrates tooling around Open Source software compliance at Qualcomm. Mark has been...

Friday August 23, 2019 2:25pm - 3:00pm
  • Session Slides Included Yes