October 31 - November 1 - Co-Located Events
October 28-30 - Conference
Lyon Convention Centre - Lyon, France
More information for Open Source Summit + Embedded Linux Conference Europe 2019

Compliance Automation & Tooling
Monday, October 28


FOSSology: News and Advances from the Project - Michael C. Jaeger, Siemens AG & Maximilian Huber, TNG Consulting GmbH
FOSSology is a collaboration project of the Linux Foundation covering license compliance tasks. It is both a toolkit and a Web server system: as a toolkit, you can run license, copyright and export control scans from the command line; as a system, a database and a Web user interface provide you with a compliance workflow.

The session presents and explains a number of new components in the area of scanning and license compliance automation. First, a couple of new scan techniques have been implemented to achieve more precision when scanning for licenses, reducing the manual correction effort. Second, FOSSology was extended with a REST API, allowing other systems to interoperate with FOSSology from software, shell scripts, shell commands or any other form of execution that produces REST requests. Scanning and SPDX document generation can now be performed entirely through REST requests.

Maximilian Huber

Senior Consultant, TNG Technology Consulting GmbH
He is part of the Linux Foundation project FOSSology, as a committer and as a member of the Steering Committee. He is also involved in SW360, which is currently an Eclipse incubator project. He previously gave FOSSology-related talks at the Linux Foundation Collaboration Summit 2016...
Michael C. Jaeger

Project Lead, FOSSology.org
Michael C. Jaeger is one of the maintainers of the Linux Foundation's FOSSology and Eclipse SW360 projects, both available on GitHub and both in the area of OSS handling with respect to license compliance and component management. At Siemens Corporate Technology in Munich, Germany, Michael...

Monday October 28, 2019 11:30 - 12:05
Rhone 1
  • Session Slides Included Yes


Export Control of Open Source - Jonas Öberg, Scania CV AB & Karan Marjara, Fujitsu Network Communications
Open source occasionally gets tangled up in geopolitics, such as prohibitions on exporting technology. Many open source projects have suitable models for disclosing an Export Control Classification Number (ECCN). Many projects also routinely disclose source code to the U.S. Bureau of Industry and Security (BIS). But many projects do not know the influence this can have, how to classify their software, or what the different export control mechanisms and classifications are.

In this talk, Karan Marjara (Fujitsu) and Jonas Öberg (Scania) will present the current state of export control and their work in both companies to classify open source components accurately. They will give examples of the kind of questions developers need to answer in order to classify an open source component. They will also invite attendees to a working group that looks at how this information can be included in source code repositories in a computer-readable form, and how businesses can work together to support this.

Jonas Öberg

Open Source Officer, Scania CV AB
Jonas Öberg is the Open Source Officer for Scania CV AB, putting open source in support of his childhood dream of making buses, trucks, marine engines and other things that go wroom-wroom. For 20 years, he has worked to develop the ecosystem of open source software, focusing on automation...
Karan Marjara

Open Source Process Lead, Fujitsu Network Communications
At Fujitsu Network Communications (FNC), Karan acts as a liaison between Engineering, Legal, Security, and Export teams. He manages the day to day activities of the Open Source Governance process, defining/redefining the end-to-end OSS Usage, Awareness and Release Process. He leads a...

Monday October 28, 2019 12:20 - 12:55
Rhone 1
  • Session Slides Included Yes


Moving Compliance to the Left (Open Source Compliance and Product Planning) - Scott Finkel, Qualcomm Technologies
Open Source compliance can be time consuming and risky if left until late in your product cycle. We will discuss how we have been “moving our compliance to the left” into product planning, engaging with our product and program management teams and aligning our data with the product definition.

Our goal is to define and review third party software, product distribution models and architecture up front and provide compliance guidance early. Tight integration into the product definition and composition systems will mean we can provide indicators to program management and drive any enforcement directly through our distribution systems.

We’ll give an overview of the organizational aspects and history of how we came to view this model, a demonstration of how we have integrated this capability and our ideas for how this approach leverages and integrates into the broader OS compliance ecosystem.

Scott Finkel

Software Engineer, Senior Staff, Qualcomm Technologies Inc.
Scott is a Senior Software Engineer on the Open Source Technologies team at Qualcomm Technologies Inc. (QTI), a subsidiary of Qualcomm, Inc., where he helps grow and improve software compliance processes and tools. Scott has been designing & building enterprise software at Qualcomm...

Monday October 28, 2019 14:25 - 15:00
Rhone 1
  • Session Slides Included Yes


Compliance Puzzle, Building an OSS Compliance Toolchain with Open Source Technologies - Sebastian Schuberth, Bosch Software Innovations GmbH
Open Source Compliance affects most development projects within an organization. Many of the activities are tedious work or require special knowledge, neither of which is popular with development teams. But help is at hand: activities can be automated in a way that keeps effort out of projects and enables back offices to efficiently process the special-knowledge activities such as license evaluation. These toolchains typically identify transitive third-party dependencies in codebases, enrich the found dependencies with known compliance metadata, trigger back office tasks, run company policy checks on the acquired data, and produce the reports and legal notices defined as process outputs. The open source world contains lots of bits and pieces for these activities, but the art is to plug them together into a working, industry-scale toolchain. In this talk we present our approach at Bosch and its connection to the activities of communities like the Tooling Landscape Group, the TODO Group and OpenChain.

Sebastian Schuberth

Senior Expert Open Source Services, Bosch Software Innovations GmbH
Sebastian is a long-term Open Source user, contributor and maintainer, who engages in bringing together community and corporate aspects of Open Source Software. Lately, he got interested in automating OSS Compliance and founded the OSS Review Toolkit (ORT) project, for which he still...

Monday October 28, 2019 15:15 - 15:50
Rhone 1
  • Session Slides Included Yes


REUSE: Make Licensing Easy for Everyone - Max Mehl, Free Software Foundation Europe
Why is it so hard to detect the licensing and copyright information of source code? Because it is a tedious and often confusing task for developers to provide this information.

The REUSE project changes that! With three simple steps, we make adding and reading licensing and copyright information easy for both humans and machines. This way, reusing Free and Open Source Software which complies with the REUSE best practices becomes simple for other developers, compliance officers, and lawyers. REUSE nicely integrates into numerous development processes and other license compliance tools.

In this presentation, Max Mehl will walk through the REUSE principles, discuss opportunities for projects and enterprises, and give an update on the latest developments of the REUSE project.
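
REUSE makes licensing machine-readable by asking for two things in every project: the license texts live under LICENSES/ named after their SPDX identifier, and every file carries SPDX-FileCopyrightText and SPDX-License-Identifier comment tags (or a sidecar file.ext.license for files such as images that cannot hold comments). The checker below is an added example written for this page, not the REUSE project's own reuse tool; it verifies exactly those two properties over a constructed sample tree. It assumes tags appear within the first 4 KiB of a file and does not handle the .reuse/dep5 bulk-declaration file that the specification also allows.

```python
"""Lint a source tree for REUSE-style machine-readable licensing.  Added
example, not the official reuse tool: checks per-file SPDX tags and the
LICENSES/ directory on a constructed sample project."""
import os
import re
import tempfile

COPYRIGHT_TAG = re.compile(r"SPDX-FileCopyrightText:\s*(.+)")
LICENSE_TAG = re.compile(r"SPDX-License-Identifier:\s*(.+)")
OPERATORS = {"AND", "OR", "WITH"}
HEADER_BYTES = 4096      # assumption: tags live near the top of the file


def _strip_comment_closer(value):
    """Drop trailing comment terminators such as '*/' or '-->' from a tag value."""
    return re.sub(r"\s*(\*/|-->|\*\))\s*$", "", value).strip()


def parse_header(text):
    """Return (copyright statements, license expressions) found in a file header."""
    copyrights = [_strip_comment_closer(m) for m in COPYRIGHT_TAG.findall(text)]
    licenses = [_strip_comment_closer(m) for m in LICENSE_TAG.findall(text)]
    return copyrights, licenses


def license_ids(expression):
    """Identifiers referenced by an SPDX expression; exceptions after WITH count too,
    since REUSE expects their text under LICENSES/ as well."""
    tokens = expression.replace("(", " ").replace(")", " ").split()
    return {t for t in tokens if t not in OPERATORS}


def lint(root):
    """Return a sorted list of problems; an empty list means the tree is compliant."""
    problems, referenced = [], set()
    licenses_dir = os.path.join(root, "LICENSES")
    available = set()
    if os.path.isdir(licenses_dir):
        available = {f[:-4] for f in os.listdir(licenses_dir) if f.endswith(".txt")}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "LICENSES")]
        for name in filenames:
            if name.endswith(".license"):
                continue          # sidecars are read together with the file they describe
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Files that cannot carry comments (binaries, images) use a sidecar.
            source = path + ".license" if os.path.exists(path + ".license") else path
            with open(source, "rb") as fh:
                head = fh.read(HEADER_BYTES).decode("utf-8", "replace")
            copyrights, licenses = parse_header(head)
            if not copyrights:
                problems.append("%s: missing SPDX-FileCopyrightText" % rel)
            if not licenses:
                problems.append("%s: missing SPDX-License-Identifier" % rel)
            for expr in licenses:
                referenced |= license_ids(expr)
    for lic in sorted(referenced - available):
        problems.append("LICENSES/%s.txt: missing license text" % lic)
    for lic in sorted(available - referenced):
        problems.append("LICENSES/%s.txt: unused license text" % lic)
    return sorted(problems)


def build_sample_tree():
    """Create a constructed sample project in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="reuse-demo-")

    def write(rel, content, mode="w"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, mode) as fh:
            fh.write(content)

    write("LICENSES/MIT.txt", "MIT License text (placeholder)\n")
    write("LICENSES/GPL-3.0-or-later.txt", "GPL-3.0-or-later text (placeholder)\n")
    write("LICENSES/CC0-1.0.txt", "CC0-1.0 text (placeholder)\n")
    write("src/main.py", "# SPDX-FileCopyrightText: 2019 Example Org\n"
                         "# SPDX-License-Identifier: MIT OR GPL-3.0-or-later\n"
                         "print('hello')\n")
    write("src/util.c", "/* SPDX-FileCopyrightText: 2019 Example Org */\n"
                        "/* SPDX-License-Identifier: Apache-2.0 */\n"   # no LICENSES/Apache-2.0.txt
                        "int f(void) { return 1; }\n")
    write("docs/logo.png", b"\x89PNG\r\n\x1a\nconstructed-bytes", mode="wb")
    write("docs/logo.png.license", "SPDX-FileCopyrightText: 2019 Example Org\n"
                                   "SPDX-License-Identifier: CC0-1.0\n")
    write("README", "No header here at all.\n")                        # untagged file
    return root


if __name__ == "__main__":
    for problem in lint(build_sample_tree()):
        print(problem)
```

Run against a real checkout with lint("/path/to/repo"). The sample deliberately contains an untagged README and a file whose license text is absent from LICENSES/, the two defects that make downstream scanners fall back to guessing.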

Max Mehl

Programme Manager, Free Software Foundation Europe
Max Mehl is Programme Manager at the Free Software Foundation Europe (FSFE) and coordinates initiatives in the areas of license compliance, policy, and public awareness. But he is also frequently to be found in the virtual server room of the FSFE. He sees Free Software as an important...

Monday October 28, 2019 16:20 - 16:55
Rhone 1
  • Session Slides Included Yes


License Compliance Validation of Software Deliveries Using the Quartermaster Toolchain - Mirko Boehm, Endocode AG
Quartermaster (QMSTR) is an open source toolchain that generates license compliance documentation as part of a software build. A recently added feature of the toolchain is software delivery compliance validation. It enables vendors of software packages to ship them with automatically generated SPDX manifests that the recipients of those packages can validate automatically against the package content. The validation process verifies that the manifest matches the package content at the file level, that the package contains only the files listed in the manifest, and that the license and rights holder documentation in the manifest is complete. The presentation will introduce and demonstrate the validation feature in a simulated software delivery, give an overview of the current state and technical direction of the QMSTR project, and report on the status of the EU-funded FASTEN project, which develops further software ecosystem analysis tools and industry use cases.
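
The three checks the abstract describes (file-level match, no unlisted files, complete license and rights holder data) are what a recipient should run before accepting a delivery. The validator below is an added example for this page, not QMSTR's code; it parses the per-file sections of an SPDX 2.x tag-value manifest and compares them with a constructed package directory. It assumes single-line <text>...</text> values and, as a deliberate policy choice, requires a SHA256 checksum even though SPDX 2.x only mandates SHA1, which is no longer collision resistant and therefore a weak integrity anchor for a delivery.

```python
"""Validate a software delivery against its SPDX tag-value manifest.  Added
example, not Quartermaster's implementation: checks checksums, unlisted files
and completeness of licence/copyright data on a constructed package."""
import hashlib
import os
import re
import tempfile

INCOMPLETE = {"", "NOASSERTION", "NONE"}   # values that document nothing


def parse_spdx_files(manifest_text):
    """Per-file sections of an SPDX 2.x tag-value document as {path: {tag: value}}.
    Assumption: <text> values fit on one line."""
    files, current = {}, None
    for line in manifest_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "FileName":
            current = {}
            files[value[2:] if value.startswith("./") else value] = current
        elif current is not None:
            match = re.fullmatch(r"<text>(.*)</text>", value)
            if match:
                value = match.group(1)
            if tag == "FileChecksum":            # "FileChecksum: SHA256: <hex>"
                algo, _, hexdigest = value.partition(":")
                current.setdefault("checksums", {})[algo.strip().upper()] = hexdigest.strip().lower()
            else:
                current[tag] = value
    return files


def digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_delivery(package_dir, manifest_text, manifest_name="manifest.spdx"):
    """Return sorted findings; an empty list means the package matches its manifest."""
    declared = parse_spdx_files(manifest_text)
    on_disk = set()
    for dirpath, _, names in os.walk(package_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), package_dir).replace(os.sep, "/")
            if rel != manifest_name:             # the manifest itself is not part of the content
                on_disk.add(rel)
    findings = ["%s: present in package but not in manifest" % r for r in on_disk - set(declared)]
    findings += ["%s: listed in manifest but missing from package" % r for r in set(declared) - on_disk]
    for rel in on_disk & set(declared):
        entry, checks = declared[rel], declared[rel].get("checksums", {})
        if "SHA256" not in checks:               # policy: SHA1 alone is not an integrity guarantee
            findings.append("%s: no SHA256 checksum in manifest" % rel)
        elif digest(os.path.join(package_dir, rel), "sha256") != checks["SHA256"]:
            findings.append("%s: SHA256 mismatch (content differs from manifest)" % rel)
        if entry.get("LicenseConcluded", "") in INCOMPLETE:
            findings.append("%s: LicenseConcluded missing or NOASSERTION" % rel)
        if entry.get("FileCopyrightText", "") in INCOMPLETE:
            findings.append("%s: FileCopyrightText missing or NOASSERTION" % rel)
    return sorted(findings)


def build_sample_delivery():
    """Constructed package plus a manifest generated for it, then three defects
    are introduced that a recipient's validation must catch.  Returns (dir, manifest)."""
    root = tempfile.mkdtemp(prefix="qmstr-demo-")
    files = {"src/main.c": b"int main(void) { return 0; }\n",
             "src/util.c": b"int util(void) { return 1; }\n",
             "README": b"constructed sample delivery\n"}
    copyright = {"src/main.c": "Copyright 2019 Example Org",
                 "src/util.c": "NOASSERTION",            # defect: rights holder never documented
                 "README": "Copyright 2019 Example Org"}
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    lines = ["SPDXVersion: SPDX-2.1", "DataLicense: CC0-1.0", "PackageName: sample"]
    for i, rel in enumerate(files, 1):
        path, text = os.path.join(root, rel), copyright[rel]
        lines += ["", "FileName: ./" + rel, "SPDXID: SPDXRef-File-%d" % i,
                  "FileChecksum: SHA1: " + digest(path, "sha1"),
                  "FileChecksum: SHA256: " + digest(path, "sha256"),
                  "LicenseConcluded: MIT",
                  "FileCopyrightText: " + (text if text == "NOASSERTION" else "<text>%s</text>" % text)]
    manifest = "\n".join(lines) + "\n"
    with open(os.path.join(root, "src/main.c"), "ab") as fh:
        fh.write(b"// defect: content changed after the manifest was generated\n")
    with open(os.path.join(root, "src/extra.bin"), "wb") as fh:
        fh.write(b"\x00\x01\x02")                      # defect: file that was never scanned
    return root, manifest


if __name__ == "__main__":
    package, manifest = build_sample_delivery()
    for finding in validate_delivery(package, manifest) or ["delivery validates"]:
        print(finding)
```

For a real delivery, read the shipped .spdx file and call validate_delivery(unpacked_dir, manifest_text, manifest_name) with the manifest's own path so it is not reported as an unlisted file.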

Mirko Boehm

Director, Open Source Governance and Compliance, Endocode AG
Free and Open Source Software contributor. Founder, Endocode. Director, Linux System Definition, Open Invention Network. KDE contributor since 1997 (including several years on the KDE e.V. board). Visiting lecturer and researcher at the Technical University of Berlin. FSFE Team Germany...

Monday October 28, 2019 17:10 - 17:45
Rhone 1

Tuesday, October 29


Ensuring Interoperability of Large Open Source Projects, Kubernetes Conformance Certification - Srinivas Brahmaroutu & Nimesh Bhatia, IBM
When an open source project like Kubernetes becomes the de facto platform of choice for building cloud native applications, many vendors start hosting their own version of it. It is important to ensure that Kubernetes stays portable and interoperable across different vendors' environments. Software certification prevents vendor lock-in and helps the community grow through standards. Conformance certification programs should run in parallel to the normal technical and feature development cycles, with proper guidelines for how software release cycles are managed and how vendors can participate.

In this talk you will learn about the issues we had to deal with and the best practices that were developed to design the Kubernetes conformance program. The talk gives insight into the code and process that contributed to the success of the program and how it can be replicated for other open source initiatives.

Nimesh Bhatia

Director - Open Technology, IBM
Nimesh is Program Director in the Open Technology Group at IBM. He leads a team at IBM that contributes to many strategic open source projects such as Kubernetes, Docker, Cloud Foundry, Hyperledger and many more. He provides technical vision and guidance to build solid next-gen open software...
Srinivas Brahmaroutu

Sr. Software Engineer, IBM
Srinivas Brahmaroutu works as a Software Engineer at IBM Corp. He has many years of experience around IBM cloud offerings. He has worked on many strategic open source projects including Cloud Foundry, Docker and Mesos. Currently he works on Kubernetes contributing to test-infra and...

Tuesday October 29, 2019 11:30 - 12:05
Bellecour 3
  • Session Slides Included Yes

Wednesday, October 30


OSS Review Toolkit: Using FOSS Tools for FOSS Reviews in CI/CD World - Thomas Steenbergen, HERE Technologies
In an ideal world, a FOSS review is highly automated and done often and early, so that any FOSS issues, whether technical, licensing or security, can be caught and resolved as they appear. However, despite the many proprietary tools that exist, the OSS community has been without review tooling that is compatible with modern software development practices such as package managers, continuous integration and continuous delivery (CI/CD).

Without this review capability, FOSS projects often are released without clear metadata, resulting in reduced adoption and contribution numbers, rendering the projects less successful.

In this talk, we demonstrate the latest version of OSS Review Toolkit (ORT) which enables highly automated OSS reviews within CI/CD by combining FOSS dependency and scanning tools like ScanCode with ClearlyDefined, a platform to discover, curate and share FOSS component metadata.
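
Both this talk and the Bosch toolchain talk earlier in the track describe the same step: once dependencies are resolved and their licensing metadata is known, run company policy over the result and emit the legal notices. The block below is an added example written for this page, not ORT's evaluator or Bosch's tooling, and its policy table, verdict names and dependency inventory are constructed. It shows the part a naive string match gets wrong: SPDX expressions must be parsed, because "MIT OR GPL-2.0-only" lets you choose, "Apache-2.0 AND LGPL-2.1-or-later" binds you to both, an exception after WITH can change the verdict, and test-scope dependencies are never distributed so they fall under a different policy.

```python
"""Evaluate an inventory of transitive dependencies against a company licence
policy and produce the NOTICE text for what may ship.  Added example (not ORT
or Bosch tooling); the policy, inventory and verdict names are all constructed."""
import re

RANK = {"allow": 0, "review": 1, "deny": 2}          # higher rank = stricter verdict
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")
NOT_SHIPPED = {"test", "build"}                      # scopes whose dependencies never leave the company

# Constructed policy per distribution model; "*" is the default for licences not
# listed, and an explicit "X WITH Y" key lets an exception override its base licence.
POLICY = {
    "distributed": {"*": "review", "MIT": "allow", "BSD-3-Clause": "allow",
                    "Apache-2.0": "allow", "LGPL-2.1-or-later": "review",
                    "GPL-2.0-only": "deny", "GPL-3.0-or-later": "deny",
                    "GPL-3.0-or-later WITH GCC-exception-3.1": "allow"},
    "internal": {"*": "allow", "AGPL-3.0-only": "review"},
}


class ExpressionParser:
    # Recursive descent over SPDX licence expressions; precedence, tightest first,
    # is WITH, AND, OR.  Yields ("LIC", id), ("WITH", node, exc), ("AND"/"OR", l, r).
    def __init__(self, expression):
        self.toks, self.i = TOKEN.findall(expression), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing token %r" % self.peek())
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_with()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.parse_with())
        return node
    def parse_with(self):
        node = self.parse_atom()
        if self.peek() == "WITH":
            self.take()
            node = ("WITH", node, self.take())
        return node
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError("unexpected token %r" % tok)
        return ("LIC", tok)


def evaluate(node, policy):
    """Return (verdict, effective licence text).  OR lets us pick the most
    permissive alternative; AND binds us to every term, so the strictest wins."""
    kind = node[0]
    if kind == "LIC":
        return policy.get(node[1], policy["*"]), node[1]
    if kind == "WITH":
        combo = "%s WITH %s" % (node[1][1], node[2])
        if combo in policy:
            return policy[combo], combo
        return evaluate(node[1], policy)[0], combo   # exception not assessed: base licence rules
    left, right = evaluate(node[1], policy), evaluate(node[2], policy)
    if kind == "OR":
        return min(left, right, key=lambda v: RANK[v[0]])
    worst = max(left, right, key=lambda v: RANK[v[0]])
    return worst[0], "%s AND %s" % (left[1], right[1])


def evaluate_inventory(inventory, distribution="distributed"):
    """inventory: (name, version, declared SPDX expression, scope) tuples.
    Returns (name, version, effective licence, verdict) rows in the same order."""
    results = []
    for name, version, expression, scope in inventory:
        model = "internal" if scope in NOT_SHIPPED else distribution
        try:
            verdict, effective = evaluate(ExpressionParser(expression).parse(), POLICY[model])
        except ValueError as err:          # unparsable metadata is a finding, never a pass
            verdict, effective = "review", "INVALID (%s)" % err
        results.append((name, version, effective, verdict))
    return results


def notice_text(results):
    """NOTICE body listing the components that are not denied."""
    lines = ["This product includes third-party components:"]
    lines += ["  %s %s -- %s" % (n, v, lic) for n, v, lic, verdict in results if verdict != "deny"]
    return "\n".join(lines) + "\n"


INVENTORY = [   # constructed sample, shaped like a package manager's resolved dependency list
    ("lodash", "4.17.15", "MIT", "runtime"),
    ("dualpkg", "2.0", "MIT OR GPL-2.0-only", "runtime"),
    ("libfoo", "1.4", "(Apache-2.0 AND LGPL-2.1-or-later) OR GPL-2.0-only", "runtime"),
    ("readline", "8.0", "GPL-3.0-or-later", "runtime"),
    ("libgcc", "9.2", "GPL-3.0-or-later WITH GCC-exception-3.1", "runtime"),
    ("junit", "4.12", "EPL-1.0", "test"),
    ("mystery", "0.1", "MIT AND", "runtime"),
]

if __name__ == "__main__":
    rows = evaluate_inventory(INVENTORY)
    for name, version, effective, verdict in rows:
        print("%-9s %-8s %-7s %s" % (name, version, verdict, effective))
    print(notice_text(rows))
```

In a CI gate, fail the build on any "deny" row, open a back-office ticket for each "review" row, and publish the NOTICE text with the artifact; a scanner such as ScanCode or a curated source such as ClearlyDefined supplies the declared expressions the inventory needs.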

Thomas Steenbergen

Head of Open Source, HERE Technologies
Thomas Steenbergen is the Head of Open Source at HERE Technologies (www.here.com). HERE is the open location platform company, which enables people, enterprises and cities to harness the power of location. He has been an active contributor to the SPDX specification since 2015, helping...

Wednesday October 30, 2019 14:25 - 15:00
Tête d'Or 2
  • Session Slides Included Yes


Simple and Transparent Open Source Contribution Process via GitHub - Fabienne Haag & Michael Picht, SAP
The trend of collaborative and reusable software development using open source software has spread to many companies, including SAP. In the last few years, SAP has not only used open source software but has also been actively involved in initiating open source projects and contributing code. With this increased involvement, developers at SAP needed a simple and transparent process for contributing to the open source community. For this reason, the SAP Open Source Program Office (OSPO) worked on streamlining the existing outbound open source process, which required lots of manual steps. The improved contribution process enables developers to easily start a new open source project and contribute code while staying compliant and secure. The entire process workflow is executed via GitHub, a tool that is close to the developer community. Both developers and OSPO members benefit from transparency into the status of any given request while being able to manage open source projects.

Michael Picht

Chief Development Architect, SAP
Michael is part of the Open Source Program Office of SAP. At SAP, he has had several roles as a software architect, project manager, and product manager, with a focus on supply chain management, business processes and application integration. He helped to start and set up SAP's Open...
Fabienne Haag

Global Licensing Expert, SAP
Fabienne is working as Global Licensing Expert at SAP. She is responsible for compliance along with open source licensing requirements within SAP products. In addition, she is responsible for the open source outbound process and involved in the development and implementation of the...

Wednesday October 30, 2019 15:15 - 15:50
Tête d'Or 2
  • Session Slides Included Yes


Decentralizing OAuth2.0 for a Post-GDPR World - Mehdi Medjaoui, Progressive Identity
In the classic OAuth 2.0 flows, the authorization server and the resource server sit behind the same firewall, which gives the Identity Provider (Facebook, Amazon, Google and so on) full power and control over sharing capabilities.

Because of new regulations about data portability (GDPR in Europe and CCPA in California), every user can now request a full export of their data and store it anywhere, breaking the Identity Provider's monopoly and control. In that context, users can fully own a copy of their data and share it with whomever they want. To really decouple data from permissions, put users in control and make companies GDPR compliant, the OAuth 2.0 dance now needs to be turned into a stateless flow and the GDPR permission contract needs to be tokenized.

In this talk, Mehdi will explain how you can use open source technologies to automate GDPR requests so that your users can export third-party data into your system, and how to tokenize your GDPR contract using the ALIAS protocol (based on OAuth 2.0).

Mehdi Medjaoui

CEO, Progressive Identity
Mehdi is the founder and CEO of Progressive Identity, creator of the ALIAS protocol and author of the O'Reilly book "Continuous API Management". Part-time, Mehdi is a Horizon 2020 European Commission Expert on Open Data/Open APIs and teaches IT for business and entrepreneurship in the...

Wednesday October 30, 2019 16:15 - 16:50
Tête d'Or 2


Automating OSS Compliance with Fossology, SW360 and SPDX - Anupam Ghosh, Siemens Technology and Services Private Limited
FOSSology is a collaboration project of the Linux Foundation covering license compliance tasks. It is both a toolkit and a Web server system: as a toolkit, you can run license, copyright and export control scans from the command line; as a system, a database and a Web user interface provide you with a compliance workflow.

This session presents approaches recently introduced in FOSSology, such as the REST API interface and new scanning techniques that achieve more precision and reduce correction effort. These new features enable more automation. The presentation explains how users of FOSSology can use them to better review the licensing situation and to create a compliance report, including an SPDX document, over REST or in CI/CD.
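
This talk and the FOSSology talk on Monday both describe the same automation path: upload, scan, and SPDX generation entirely over the REST API. The client below is an added example written for this page, not code from the FOSSology project, and uses only the Python standard library. The endpoint paths, header names and job-spec keys follow the FOSSology REST API v1 as published in the project's OpenAPI document; verify them against the /api/v1 documentation of your own server version. The server URL, folder id and token are assumptions read from the environment. The token is a bearer credential with write scope, so in CI it belongs in the secret store, not in the pipeline definition, and the transport is injectable so the whole flow can be exercised offline against a fake server.

```python
"""Drive a FOSSology scan over its REST API (v1) from a script or CI job:
upload an archive, schedule the scanner agents, wait for the job, then fetch
an SPDX report.  Added example using only the standard library; the server
URL, folder id and token are assumptions read from the environment."""
import json
import os
import sys
import time
import urllib.error
import urllib.request

# Agents and deciders to schedule, using the job-spec keys of the REST API v1.
SCAN_SPEC = {
    "analysis": {"bucket": True, "copyright_email_author": True, "ecc": True,
                 "keyword": True, "mime": True, "monk": True, "nomos": True,
                 "ojo": True, "package": True},
    "decider": {"nomos_monk": True, "bulk_reused": True, "new_scanner": True,
                "ojo_decider": True},
}


def http_send(method, url, headers, body=None):
    """Transport: (status, headers, body bytes); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class FossologyClient:
    def __init__(self, base_url, token, send=http_send):
        self.base = base_url.rstrip("/")          # e.g. https://fossology.example/repo/api/v1
        self.auth = token if token.startswith("Bearer ") else "Bearer " + token
        self.send = send                          # injectable so the flow can be tested offline

    def _call(self, method, path, headers=None, body=None, expect=(200, 201)):
        hdrs = {"Authorization": self.auth}
        hdrs.update(headers or {})
        status, rhdrs, data = self.send(method, self.base + path, hdrs, body)
        if status not in expect:
            raise RuntimeError("%s %s -> HTTP %d: %r" % (method, path, status, data[:200]))
        return status, rhdrs, data

    def upload_bytes(self, folder_id, filename, content, description="CI scan"):
        """POST /uploads (multipart field 'fileInput'); the new upload id comes back in 'message'."""
        boundary = "----fossology-example-boundary"
        body = ("--%s\r\nContent-Disposition: form-data; name=\"fileInput\"; filename=\"%s\"\r\n"
                "Content-Type: application/octet-stream\r\n\r\n" % (boundary, filename)).encode()
        body += content + ("\r\n--%s--\r\n" % boundary).encode()
        headers = {"Content-Type": "multipart/form-data; boundary=" + boundary,
                   "folderId": str(folder_id), "uploadDescription": description,
                   "uploadType": "file"}
        return int(json.loads(self._call("POST", "/uploads", headers, body)[2])["message"])

    def upload_file(self, folder_id, path):
        with open(path, "rb") as fh:
            return self.upload_bytes(folder_id, os.path.basename(path), fh.read())

    def schedule_scan(self, folder_id, upload_id, spec=SCAN_SPEC):
        """POST /jobs with the agent selection; returns the job id."""
        headers = {"Content-Type": "application/json",
                   "folderId": str(folder_id), "uploadId": str(upload_id)}
        data = self._call("POST", "/jobs", headers, json.dumps(spec).encode())[2]
        return int(json.loads(data)["message"])

    def wait_for_job(self, job_id, poll_seconds=15, max_polls=240, sleep=time.sleep):
        """Poll GET /jobs/{id} until the status leaves Queued/Processing."""
        for _ in range(max_polls):
            status = json.loads(self._call("GET", "/jobs/%d" % job_id)[2])["status"]
            if status == "Completed":
                return status
            if status not in ("Queued", "Processing"):
                raise RuntimeError("job %d ended with status %s" % (job_id, status))
            sleep(poll_seconds)
        raise TimeoutError("job %d still running after %d polls" % (job_id, max_polls))

    def spdx_report(self, upload_id, fmt="spdx2tv", max_polls=60, sleep=time.sleep):
        """GET /report schedules generation and returns the report URL; GET /report/{id}
        answers 503 with Retry-After until the file is ready, then streams it."""
        data = self._call("GET", "/report?uploadId=%d&reportFormat=%s" % (upload_id, fmt))[2]
        report_id = int(json.loads(data)["message"].rstrip("/").rsplit("/", 1)[-1])
        for _ in range(max_polls):
            status, hdrs, body = self._call("GET", "/report/%d" % report_id, expect=(200, 503))
            if status == 200:
                return body
            sleep(int(hdrs.get("Retry-After", 10)))
        raise TimeoutError("report %d not ready after %d polls" % (report_id, max_polls))


if __name__ == "__main__":
    # Usage: FOSSOLOGY_URL=https://host/repo/api/v1 FOSSOLOGY_TOKEN=... FOSSOLOGY_FOLDER=1 \
    #        python fossology_scan.py sources.tar.gz > sources.spdx
    client = FossologyClient(os.environ["FOSSOLOGY_URL"], os.environ["FOSSOLOGY_TOKEN"])
    folder = int(os.environ.get("FOSSOLOGY_FOLDER", "1"))
    upload = client.upload_file(folder, sys.argv[1])
    client.wait_for_job(client.schedule_scan(folder, upload))
    sys.stdout.buffer.write(client.spdx_report(upload))
```

Other report formats accepted by the same endpoint are spdx2 (RDF), dep5, readmeoss and unifiedreport. Treat a job that ends in Failed as a pipeline failure rather than skipping the report, otherwise an unscanned upload silently passes the gate.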


Anupam Ghosh

Lead Research Engineer, Siemens Technology and Services Pvt Ltd
Anupam is working with Siemens, India. He is an open-source enthusiast, GSoC mentor, and developer and maintainer of the FOSSology community project on GitHub. He has around 13+ years of IT experience cutting across embedded systems, telecom, application/web development and Machine Learni...

Wednesday October 30, 2019 17:05 - 17:40
Tête d'Or 2