Open Compliance Summit

This talk will present best practices for corporations receiving code contributions from third parties. These best practices consist of three components: employing an Apache-type Contributor License Agreement (CLA), implementing a procedure for accepting CLA signatures, and implementing a procedure for accepting code submitted under the agreement.

I will discuss the specific laws and risks attendant to each part of the CLA signing and code acceptance process.

Most license scanners are rule-based: Defined occurrences of text patterns let software identify a particular licensing in open source software. This approach is straight forward and easy to understand.

But there are two major drawbacks: first a license expert is required to define such rules. Secondly, since many licenses share common text portions imprecise license classifications occur.

In the FOSSology project, recently two new approaches
have been implemented: One approach is called Atarashi and uses information retrieval statistics about license texts and attempts to identify licensing statements based on computed statistics. The other approach named Rigel uses machine learning to understand licensing in source code, based on previously made clearing decisions.

This presentation covers the challenges of license recognition and explains how different approaches cover them.

Hitachi develops and provides enterprise systems with a large amount of Open Source Software, and the number of OSS used at Hitachi is increasing year by year. It is getting hard that developers recognize the whole stacks of OSS they use, because today’s OSS requires numerous other OSS under the hood and those dependencies are downloaded automatically on demand by tools like package managers. That makes it difficult to perform comprehensive license clearance promptly.
Daisuke established a system to solve this problem. The system is a kind of proxy server, which saves all files flowing through this proxy and detect what OSS and licenses each file includes. It enables developers to know what OSS they actually obtain and what licenses are included as they download. In this talk, Daisuke will present how the system works, how its improvement is, and future work.