Track: Open Source & software supply chain
Theme: THINK
Room: Namur
On: Oct 31, 2014, from 13:30 to 15:35
Track leader(s): Claus Peter Wiedemann (Senior Manager, Bearing Point) / Benjamin Jean (CEO, Inno3)
Industries at large are rapidly embracing Free & Open Source Software (FOSS) as a strategic instrument to accelerate innovation and reduce development cycles. However, many FOSS users are not aware of the risks associated with deploying FOSS in their products. Even if FOSS is not deliberately used by a product's developers, it can still enter the product unintentionally or via external suppliers. As a result, companies have a duty to understand that uncoordinated deployment of FOSS in products carries significant legal risks.
Today, FOSS is present at virtually all stages of the supply chain. Its participants already invest considerable effort into determining and fulfilling the license obligations required to make their deliveries license compliant. To keep this process efficient, companies usually take for granted the license compliance information provided by their suppliers without verifying its completeness or correctness. But this widespread, good-faith approach was recently undermined by a German court of law. The court determined that relying on supplier data without verification is acting negligently and made it very clear: not only is every supply chain participant fully responsible for the compliance of all parts of their deliveries, but they are also required to verify the data provided by their own suppliers, even though this requires additional time and expenditure.
While the established processes have to change, the duplication of the FOSS management efforts at every single stage of the supply chain is not a viable solution.
This workshop will demonstrate why today’s FOSS supply chain management practices are often inefficient and ineffective, thus leaving participants with high risks that are accruing at each stage of the supply chain.
We will then proceed to demonstrate how SPDX, combined with the standardization and automation of FOSS Management activities, can be leveraged to build a network of trusted suppliers. The license compliance information is jointly managed by the network, which not only makes it reliable but also ensures it travels with the code through the supply chain. This approach can greatly reduce the FOSS Management effort for all network participants.
This workshop is co-organized by Claus-Peter Wiedemann (BearingPoint GmbH) and Benjamin Jean (inno³) and will bring together European and American experts from representative FOSS organizations.
Talks
13:30 - Open Source & software supply chain Introduction
Duration: 25 minutes
Speakers: Claus Peter Wiedemann (Senior Manager, Bearing Point)
13:55 - Engaging the open source gear, Impact on an automotive supplier
Duration: 25 minutes
Speakers: Bruno Grasset (Open Source Compliance Program Manager, Valeo)
14:30 - Open Source tools to manage software supply chain
Duration: 25 minutes
Speakers: Philippe Odence (Vice President and General Manager, Black Duck)
14:55 - Encompassing communities in the supply chain
Duration: 25 minutes
Speakers: Thierry Sayegh (director associate, inno3)
In today's competitive markets, decision makers are obliged to constantly look at reducing their expenditures without affecting production. Open Source solutions increasingly appear as a viable answer, but the ecosystem surrounding them breaks with the traditional supply chain model. We will look at how communities work, how to interact with them, and how this affects projects and organisations.