Upload
allen-miles
View
223
Download
0
Tags:
Embed Size (px)
Citation preview
Let me introduce myself
Intellitrace
Test Automation with CodedUI
Chief Technical Officer
http://nl.linkedin.com/in/marcelv
@marcelv
http://fluentbytes.com
80% is based on components + your code + glue code => new productComponents dominantly are now open source
Build on the shoulders of giants by using free software components in your products
How software is build
Look at average ASP.NET websiteASP.NET itselfEntity frameworkJQueryAngularBootstrap…
201320122011200920082007 2010
2B1B500M 4B 6B 8B 13B
Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.
Microsoft embraces open source in many areas nowDid you know Azure provides many different flavors of Linux distributions?Did you know Microsoft open sourced important parts of their development platform?
ASP.NETSignalRRoslyn compilers
The new Microsoft
Openness
Community
Rapid innovation
The .NET Foundation
.NET API for Hadoop WebClient
.NET Compiler Platform ("Roslyn").NET Map Reduce API for Hadoop
.NET Micro Framework
ASP.NET MVCASP.NET Web API
ASP.NET Web Pages
ASP.NET SignalR
Composition (MEF2)
Entity Framework
Linq to Hive
MEF (Managed Extensibility Framework)
OWIN Authentication Middleware
Rx (Reactive Extensions)
Web Protection Library
Windows Azure .NET SDK
Windows Phone Toolkit
WnsRecipe
Mimekit Xamarin.Auth
Xamarin.Mobile
Couchbase for .NET
Miguel de Icaza (Xamarin)
Laurent Bugnion (IdentityMine)
Niels Hartvig (Umbraco)
Anthony van der Hoorn (Glimpse)Paul Betts (GitHub)
Nigel Sampson (Compiled Experience)Join the conversation with the
community http://www.dotnetfoundation.org
Mailkit
System.Drawing
In the Microsoft eco system we are just getting startedHow do you come up with best practices already?
Look at the eco systems that have been using OSS for a long timeE.g. Java ecosystem
My personal experience as Technology manager, CTO in terms of risk awareness
Experiences based on consulting engagements where I worked in heterogeneous environment
Best practices in OSS for the enterprise
Developers want freedom to use open source software
It is highly encouraged by modern development tools like Visual StudioNuGet, NPM (node), Bower, Maven, etc.
How can I empower my developers, without bringing my company at risk?I see my .NET developer use open source now, how can I cope with this and still keep them happy?
Challenge to the enterprise
Open source softwareWhat are the implications in the enterprise?
What is open source?Publish open source software
What are common business models?When can I publish Oss?What do I need to accept contributions?
Consuming open source softwareWhat are the Licenses implications?Are there known Vulnerabilities?How well are these sources maintained?How can we keep that in control?
What is open source anyway?
“Computer software with its source code made available under a license in which the copyright holder provides the rights to study, change and distribute the software to anyone and for any purpose”
St. Laurent, Andrew M. (2008). Understanding Open Source and Free Software Licensing. O'Reilly Media. p. 4. ISBN 9780596553951
Discriminate against persons or
groups
Discriminate against fields of
endeavour
Be specific to a product
Restrict other software
According to the Open Source Definition, the license must not:
http://opensource.org/osd
ATTRIBUTION
BSDMIT
Apache
DOWNSTREAM
MPLEPL
MS-RL
COPYLEFT
GPLLGPLAGPL
Permissive
Restrictive
License spectrum
Distribution triggers obligationsAnd in some cases using on a network also trigger obligations (AGPL)
Obligations are:• Disclosing the source code of your product;• Making your product available under that copyleft license; and• Licensing your patents that read on the software.
Once your product is available under a copyleft license any recipient can use it and distribute it without charge.
Copyleft License implications
In general, using modified Copy left sources do not need to be published when used in cloud solutionCloud service is in general not considered distribution, but use of the software
So does not trigger copy left obligations
Except for following licenses:AGPLEuropean Union Public LicenseCommon Public License
Copyleft and Cloud
OSS Contribution Funnel• Be able to understand what it does• Can easily pick it up and use• Download• Fork / Follow / FavoriteUse
• Log bugs• Answer questions• Write blog posts• Fix / add documentation• Fix typos
Contribute Time
• Actually contribute code patches that fix bugs / improve test cases
• Contribute entirely new features• Translate• Maintain platforms
Contribute Code
• Become a core committer (get write access)• Accept / validate code contributions• Nurture new people• Stick around• Influence the direction of the project
Own
What do you need when you want to publish open source software?
You need to know who worked on the softwareEach individual is a copyright holder!If you don’t know, you are at risk going forward, you need to chase them down
How about I publish software on my blog?You are still the copyright holder and need to set license terms for others to be able to use it!
Publishing open source
A Contributor License Agreement (CLA) defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source license. From Wikipedia, the free
encyclopedia
Open source is a proven viable business model
Company builds and contributes to the open source softwareCompany builds premium components they sellCompany provides premium services
e.g. SaaS versions of the product, or consulting services
Why would I publish my product as OSS?
Consuming open source softwareUse of components creates a
SOFTWARE SUPPLY CHAIN
DEVELOPMENT BUILD AND DEPLOY PRODUCTIONCOMPONENT SELECTION
Consuming open source softwareIf you’re not using secure
COMPONENTSyou’re not building secure
APPLICATIONS
DEVELOPMENT BUILD AND DEPLOY PRODUCTIONCOMPONENT SELECTION
You need to know what is used in your enterprise!
How can we empower developers in using open source but be risk aware?
They use artifact repositories to pull their packages from and push their packages to
Provides a single point where you can ask questions about the software
In the Microsoft ALM tools, we are used toUse Version control repositories for our sourcesUse network drop locations for our build productsUse the web to pull our packages
What can we learn from the Java space?
Consuming open source software
DEVELOPMENT BUILD AND PUBLISH PRODUCTIONCOMPONENT
SELECTION
Artifact repository
When you have a repo in place, you can….
Scan for licenses in useScan for known vulnerabilitiesScan for popularity
There are different flavors out thereAlternatives are archiva, Artifactory, NexusYou can look at a comparison at: http://docs.codehaus.org/display/MAVENUSER/Maven+Repository+Manager+Feature+Matrix
For my demos I am using Sonatype Nexus
The one I most commonly encountered in my engagements with customersSupports the Microsoft Eco system with NuGet!
Meet the artifact repository
Great but not all OSS comes from NuGet
How can you know what is in your enterprise, because just using a proxy does not cut it?
How to publish to repo after build
By publishing your product back to the artifact repository, you can now scan your software on use of OSS
Consuming open source software
DEVELOPMENT BUILD AND PUBLISH PRODUCTIONCOMPONENT
SELECTION
Artifact repositoryArtifact repository
We need a way to scan my repository and answer my important questions
What licenses did we take a dependency on?What known vulnerabilities are there in components I took a dependency on?How popular are the components I am using?
Artifact repositories can help youEmpower your developers to build on shoulders of giantsAnalyze what is in useGive insights in your exposure to known vulnerabilities in OSS components
There are things you need to figure out yourself
What OSS do we pick for certain parts of the systemHow do you select the right component with an abundance of choice?How do you engage with communities?How to manage contributions to OSS?
Part of the puzzle
Integrating license and vulnerability scans as part of your continuous delivery pipelineDefining policies for what you allow
Component Lifecycle Management toolingCan plug into your build system or your delivery pipelines
People and PerceptionDeveloper biasDeveloper satisfactionNot looking at the other side of the fence
What we not covered
There is more to open source than sourcesUnderstand licensingUnderstanding the OSS ecosystemOSS usage impacts your businessSet up a strategy to know what you are usingArtifact repository can help you solve parts of the puzzle
Open source itself, enterprise features are paid add-ons.
Summary
TechEd Mobile app for session evaluations is currently offline
SUBMIT YOUR TECHED EVALUATIONSFill out an evaluation via
CommNet Station/PC: Schedule Builder
LogIn: europe.msteched.com/catalog
We value your feedback!
Connect with peers: DevOps meet up on Thurs (30th) 14:30–15:30 @ IT Community Experts in the Resource Zone (Expo Hall 7)
DevOps sessions @ TEE http://aka.ms/techeddevops
Resources for Devshttp://aka.ms/teched-eu
Resources for IT Opshttp://aka.ms/devopstl
Join the DevOps Insiders Group [email protected]
DevOps Resources
http://www.visualstudio.com
http://blogs.msdn.com/b/developer-tools/
http://msdn.microsoft.com/vstudio
DEV Track Resources
visualstudio
@visualstudio
visualstudio
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
Developer Network
http://developer.microsoft.com
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.