EOLE 2014 : Open Source Legal & software supply chain

Friday, October 31, 2014 - 09:00 to 19:00

This 7th edition of EOLE combines two Open World Forum's sessions: "Legal and licensing aspects of open source" – co-organized by Martin Michlmayr (Hewlett-Packard) and Philippe Laurent (MVVP) – and "Open Source & software supply chain" – co-organized by Claus-Peter Wiedemann (BearingPoint GmbH) and Benjamin Jean (inno³).

Legal and licensing aspects of open source

Open source allows you to take back control. Open source licenses give you a lot of freedoms and powers, although they also come with some obligations. This track considers various legal and licensing aspects of open source, both from a community and a corporate perspective. The track is a great opportunity for you to discuss legal and licensing aspects of open source with lawyers, decision makers, open source developers and other people who are interested in legal aspects of open source. Come and discuss how open source licenses have helped you take back control and what legal issues you've encountered when adopting or contributing to open source.

Open Source & software supply chain

Industries at large are rapidly embracing Free & Open Source Software (FOSS) as a strategic instrument to accelerate innovation and reduce development cycles. However, many FOSS users are not aware of the risks associated with deploying FOSS in their products. Even if FOSS is not deliberately used by a product's developers, it can still enter the product unintentionally or via external suppliers. As a result, companies have a duty to understand that uncoordinated deployment of FOSS in products carries significant legal risks.

Today, FOSS is present at virtually all stages of the supply chain. Its participants already invest considerable effort into determining and fulfilling the license obligations required to make their deliveries license compliant. To make this process efficient, companies usually take for granted the license compliance information provided by their suppliers without verifying its completeness or correctness. But the belief in this widespread, good-faith approach was recently destroyed by a German court of law. The court determined that doing so is negligent and made it very clear: not only is every supply chain participant fully responsible for the compliance of all parts of their deliveries, but they are also required to verify the data provided by their own suppliers, even though this requires additional time and expenditure.

While the established processes have to change, the duplication of the FOSS management efforts at every single stage of the supply chain is not a viable solution.

This workshop will demonstrate why today’s FOSS supply chain management practices are often inefficient and ineffective, leaving participants exposed to high risks that accumulate at each stage of the supply chain.

We will then proceed to demonstrate how SPDX, combined with the standardization and automation of FOSS management activities, can be leveraged to build a network of trusted suppliers. The license compliance information is jointly managed by the network, which not only makes it reliable but also ensures that it travels through the supply chain together with the code. This approach can greatly reduce the FOSS management effort for all network participants.