Best Practices for Using Open Source Software in the Enterprise

Marcel de Vries

DEV-B209

Let me introduce myself

Intellitrace

Test Automation with CodedUI

Chief Technical Officer

http://nl.linkedin.com/in/marcelv

@marcelv

http://fluentbytes.com

80% is based on components + your code + glue code => new productComponents dominantly are now open source

Build on the shoulders of giants by using free software components in your products

How software is build

DemoAwareness is key

Marcel de Vries

Look at average ASP.NET websiteASP.NET itselfEntity frameworkJQueryAngularBootstrap…

201320122011200920082007 2010

2B1B500M 4B 6B 8B 13B

Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.

Microsoft embraces open source in many areas nowDid you know Azure provides many different flavors of Linux distributions?Did you know Microsoft open sourced important parts of their development platform?

ASP.NETSignalRRoslyn compilers

The new Microsoft

Openness

Community

Rapid innovation

The .NET Foundation

.NET API for Hadoop WebClient

.NET Compiler Platform ("Roslyn").NET Map Reduce API for Hadoop

.NET Micro Framework

ASP.NET MVCASP.NET Web API

ASP.NET Web Pages

ASP.NET SignalR

Composition (MEF2)

Entity Framework

Linq to Hive

MEF (Managed Extensibility Framework)

OWIN Authentication Middleware

Rx (Reactive Extensions)

Web Protection Library

Windows Azure .NET SDK

Windows Phone Toolkit

WnsRecipe

Mimekit Xamarin.Auth

Xamarin.Mobile

Couchbase for .NET

Miguel de Icaza (Xamarin)

Laurent Bugnion (IdentityMine)

Niels Hartvig (Umbraco)

Anthony van der Hoorn (Glimpse)Paul Betts (GitHub)

Nigel Sampson (Compiled Experience)Join the conversation with the

community http://www.dotnetfoundation.org

Mailkit

System.Drawing

In the Microsoft eco system we are just getting startedHow do you come up with best practices already?

Look at the eco systems that have been using OSS for a long timeE.g. Java ecosystem

My personal experience as Technology manager, CTO in terms of risk awareness

Experiences based on consulting engagements where I worked in heterogeneous environment

Best practices in OSS for the enterprise

Developers want freedom to use open source software

It is highly encouraged by modern development tools like Visual StudioNuGet, NPM (node), Bower, Maven, etc.

How can I empower my developers, without bringing my company at risk?I see my .NET developer use open source now, how can I cope with this and still keep them happy?

Challenge to the enterprise

Open source softwareWhat are the implications in the enterprise?

What is open source?Publish open source software

What are common business models?When can I publish Oss?What do I need to accept contributions?

Consuming open source softwareWhat are the Licenses implications?Are there known Vulnerabilities?How well are these sources maintained?How can we keep that in control?

What is open source anyway?

“Computer software with its source code made available under a license in which the copyright holder provides the rights to study, change and distribute the software to anyone and for any purpose”

St. Laurent, Andrew M. (2008). Understanding Open Source and Free Software Licensing. O'Reilly Media. p. 4. ISBN 9780596553951

Discriminate against persons or

groups

Discriminate against fields of

endeavour

Be specific to a product

Restrict other software

According to the Open Source Definition, the license must not:

http://opensource.org/osd

ATTRIBUTION

BSDMIT

Apache

DOWNSTREAM

MPLEPL

MS-RL

COPYLEFT

GPLLGPLAGPL

Permissive

Restrictive

License spectrum

Distribution triggers obligationsAnd in some cases using on a network also trigger obligations (AGPL)

Obligations are:• Disclosing the source code of your product;• Making your product available under that copyleft license; and• Licensing your patents that read on the software.

Once your product is available under a copyleft license any recipient can use it and distribute it without charge.

Copyleft License implications

In general, using modified Copy left sources do not need to be published when used in cloud solutionCloud service is in general not considered distribution, but use of the software

So does not trigger copy left obligations

Except for following licenses:AGPLEuropean Union Public LicenseCommon Public License

Copyleft and Cloud

Contributing to open source

OSS Contribution Funnel• Be able to understand what it does• Can easily pick it up and use• Download• Fork / Follow / FavoriteUse

• Log bugs• Answer questions• Write blog posts• Fix / add documentation• Fix typos

Contribute Time

• Actually contribute code patches that fix bugs / improve test cases

• Contribute entirely new features• Translate• Maintain platforms

Contribute Code

• Become a core committer (get write access)• Accept / validate code contributions• Nurture new people• Stick around• Influence the direction of the project

Own

What do you need when you want to publish open source software?

You need to know who worked on the softwareEach individual is a copyright holder!If you don’t know, you are at risk going forward, you need to chase them down

How about I publish software on my blog?You are still the copyright holder and need to set license terms for others to be able to use it!

Publishing open source

A Contributor License Agreement (CLA) defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source license. From Wikipedia, the free

encyclopedia

Open source is a proven viable business model

Company builds and contributes to the open source softwareCompany builds premium components they sellCompany provides premium services

e.g. SaaS versions of the product, or consulting services

Why would I publish my product as OSS?

Consuming open source

Consuming open source softwareUse of components creates a

SOFTWARE SUPPLY CHAIN

DEVELOPMENT BUILD AND DEPLOY PRODUCTIONCOMPONENT SELECTION

Consuming open source softwareIf you’re not using secure

COMPONENTSyou’re not building secure

APPLICATIONS

DEVELOPMENT BUILD AND DEPLOY PRODUCTIONCOMPONENT SELECTION

You need to know what is used in your enterprise!

How can we empower developers in using open source but be risk aware?

They use artifact repositories to pull their packages from and push their packages to

Provides a single point where you can ask questions about the software

In the Microsoft ALM tools, we are used toUse Version control repositories for our sourcesUse network drop locations for our build productsUse the web to pull our packages

What can we learn from the Java space?

Consuming open source software

DEVELOPMENT BUILD AND PUBLISH PRODUCTIONCOMPONENT

SELECTION

Artifact repository

When you have a repo in place, you can….

Scan for licenses in useScan for known vulnerabilitiesScan for popularity

There are different flavors out thereAlternatives are archiva, Artifactory, NexusYou can look at a comparison at: http://docs.codehaus.org/display/MAVENUSER/Maven+Repository+Manager+Feature+Matrix

For my demos I am using Sonatype Nexus

The one I most commonly encountered in my engagements with customersSupports the Microsoft Eco system with NuGet!

Meet the artifact repository

Show Nexus repo

Demo

Great but not all OSS comes from NuGet

How can you know what is in your enterprise, because just using a proxy does not cut it?

How to publish to repo after build

By publishing your product back to the artifact repository, you can now scan your software on use of OSS

Consuming open source software

DEVELOPMENT BUILD AND PUBLISH PRODUCTIONCOMPONENT

SELECTION

Artifact repositoryArtifact repository

Publish to artifact repository

Marcel de Vries

Great!Now I have an artifact repository, how does that solve my needs?

We need a way to scan my repository and answer my important questions

What licenses did we take a dependency on?What known vulnerabilities are there in components I took a dependency on?How popular are the components I am using?

Health reports

Marcel de Vries

Artifact repositories can help youEmpower your developers to build on shoulders of giantsAnalyze what is in useGive insights in your exposure to known vulnerabilities in OSS components

There are things you need to figure out yourself

What OSS do we pick for certain parts of the systemHow do you select the right component with an abundance of choice?How do you engage with communities?How to manage contributions to OSS?

Part of the puzzle

Integrating license and vulnerability scans as part of your continuous delivery pipelineDefining policies for what you allow

Component Lifecycle Management toolingCan plug into your build system or your delivery pipelines

People and PerceptionDeveloper biasDeveloper satisfactionNot looking at the other side of the fence

What we not covered

There is more to open source than sourcesUnderstand licensingUnderstanding the OSS ecosystemOSS usage impacts your businessSet up a strategy to know what you are usingArtifact repository can help you solve parts of the puzzle

Open source itself, enterprise features are paid add-ons.

Summary

TechEd Mobile app for session evaluations is currently offline

SUBMIT YOUR TECHED EVALUATIONSFill out an evaluation via

CommNet Station/PC: Schedule Builder

LogIn: europe.msteched.com/catalog

We value your feedback!

Connect with peers: DevOps meet up on Thurs (30th) 14:30–15:30 @ IT Community Experts in the Resource Zone (Expo Hall 7)

DevOps sessions @ TEE http://aka.ms/techeddevops

Resources for Devshttp://aka.ms/teched-eu

Resources for IT Opshttp://aka.ms/devopstl

Join the DevOps Insiders Group msdevops@microsoft.com

DevOps Resources

http://www.visualstudio.com

http://blogs.msdn.com/b/developer-tools/

http://msdn.microsoft.com/vstudio

DEV Track Resources

visualstudio

@visualstudio

visualstudio

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

Developer Network

http://developer.microsoft.com

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.