Marcel de Vries discusses best practices for using open source software in enterprises. He notes that 80% of software is based on open source components and that awareness is key. He demonstrates how to use an artifact repository like Nexus to publish components after builds, scan for licenses and vulnerabilities, and gain insights. While repositories help with transparency and analysis, additional tools and processes are needed for component selection, community engagement, and contribution management to fully address open source usage in enterprises.

1. Marcel de Vries
CTO Xpirit
Best Practices for Using
Open Source Software in
the Enterprise

2. About me: Marcel de Vries
mdevries@xpirit.com
@marcelv
http://fluentbytes.comXpirit
Also regional director

3. How software is built
• 80% is based on components + your
code + glue code => new product
• Components dominantly are now
open source
• Build on the shoulders of giants by
using free software components in
your products

4. DEMO
Awareness is key!

5. Look at average ASP.NET website
• ASP.NET itself
• Entity framework
• JQuery
• Angular
• Bootstrap
• …
201320122011200920082007 2010
2B1B500M 4B 6B 8B 13B
Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.

6. The new Microsoft
• Microsoft embraces open source in many areas
now
• Did you know Azure provides many different
flavors of Linux distributions?
• Did you know Microsoft open sourced important
parts of their development platform?
– ASP.NET MSBuild
– SignalR .NET Core (CLR & FW)
– Roslyn compilers WCF

7. The .NET Foundation
.NET API for Hadoop WebClient
.NET Compiler Platform ("Roslyn")
.NET Map Reduce API for Hadoop
.NET Micro Framework
ASP.NET MVC
ASP.NET Web API
ASP.NET Web Pages
ASP.NET SignalR
Composition (MEF2)
Entity Framework
Linq to Hive
MEF (Managed Extensibility Framework)
OWIN Authentication Middleware
Rx (Reactive Extensions)
Web Protection Library
Windows Azure .NET SDK
Windows Phone Toolkit
WnsRecipe
Mimekit Xamarin.Auth
Xamarin.Mobile
Couchbase for .NET
Miguel de Icaza (Xamarin)
Laurent Bugnion (IdentityMine)
Niels Hartvig (Umbraco)
Anthony van der Hoorn (Glimpse)
Paul Betts (GitHub)
Nigel Sampson (Compiled Experience)
http://www.dotnetfoundation.org
Mailkit
System.Drawing

8. Best practices in OSS for the enterprise
• In the Microsoft eco system we are just getting started
• How do you come up with best practices already?
– Look at the eco systems that have been using OSS for a long
time
• E.g. Java ecosystem
– My personal experience as Technology manager, CTO in
terms of risk awareness
• Experiences based on consulting engagements where I worked in
heterogeneous environment

9. Challenge to the enterprise
• Developers want freedom to use open source software
– It is highly encouraged by modern development tools like Visual
Studio
– NuGet, NPM (node), Bower, Maven, etc.
• How can I empower my developers, without bringing my
company at risk?
• I see my .NET developer use open source now, how can I
cope with this and still keep them happy?

10. Open source software
• What are the implications in the enterprise?
What is open source?
Publish open source software
What are common business models?
When can I publish Oss?
What do I need to accept contributions?
Consuming open source software
What are the Licenses implications?
Are there known Vulnerabilities?
How well are these sources maintained?
How can we keep that in control?

11. What is open source anyway?
“Computer software with its source code
made available under a license in which the
copyright holder provides the rights to study,
change and distribute the software to anyone
and for any purpose”
St. Laurent, Andrew M. (2008). Understanding Open Source
and Free Software Licensing. O'Reilly Media. p. 4.
ISBN 9780596553951

12. According to the Open Source
Definition, the license must not:
• Discriminate against persons or groups
• Discriminate against fields of endeavour
• Be specific to a product
• Restrict other software
http://opensource.org/osd
What is a license?

13. COPYLEFT
GPL
LGPL
AGPL
Permissive
Restrictive
License spectrum

14. Copyleft License implications
• Distribution triggers obligations
– And in some cases using on a network also trigger obligations
(AGPL)
• Obligations are:
• Disclosing the source code of your product;
• Making your product available under that copyleft license;
• Licensing your patents that read on the software.
• Once your product is available under a
copyleft license any recipient can
use it and distribute it without charge.

15. Copyleft and Cloud
• In general, using modified Copy left sources do not need to
be published when used in cloud solution
• Cloud service is in general not considered distribution, but
use of the software
– So does not trigger copy left obligations
• Except for following licenses:
– AGPL
– European Union Public License
– Common Public License

16. CONTRIBUTING TO OPEN SOURCE

17. OSS Contribution Funnel
• Be able to understand what it does
• Can easily pick it up and use
• Download
• Fork / Follow / FavouriteUse
• Log bugs
• Answer questions
• Write blog posts
• Fix / add documentation
• Fix typos
Contribute Time
• Actually contribute code patches that fix bugs / improve test cases
• Contribute entirely new features
• Translate
• Maintain platforms
Contribute
Code
• Become a core committer (get write access)
• Accept / validate code contributions
• Nurture new people
• Stick around
• Influence the direction of the project
Own

18. Publishing open source
• What do you need when you want to publish open source
software?
• You need to know who worked on the software
– Each individual is a copyright holder!
– If you don’t know, you are at risk going forward, you need to chase
them down
• How about I publish software on my blog?
– You are still the copyright holder and need to set license terms for
others to be able to use it!

19. A Contributor License Agreement (CLA)
defines the terms under which
intellectual property has been
contributed to a company/project,
typically software under an open source
license.
From Wikipedia, the free
encyclopedia

20. Why would I publish my product as OSS?
• Open source is a proven viable business model
• Company builds and contributes to the open
source software
• Company builds premium components they sell
• Company provides premium services
– e.g. SaaS versions of the product, or consulting
services

21. CONSUMING OPEN SOURCE

22. Consuming open source software
Use of components creates a
SOFTWARE
SUPPLY CHAIN
DEVELOPMENT
BUILD AND
DEPLOY
PRODUCTION
COMPONENT
SELECTION

23. Licenses are one part of the story, but what
about…
HEARTBLEEDEverything was secure until, suddenly it wasn’t
Introduced December 2011 Discovered April 2014 Lot of instances fixed, but still not all!

24. Consuming open source software
If you’re not using secure
COMPONENTS
you’re not building secure
APPLICATIONS
DEVELOPMENT
BUILD AND
DEPLOY
PRODUCTION
COMPONENT
SELECTION

25. You need to know what is
used in your enterprise!
How can we empower developers in using open
source but be risk aware?

26. What can we learn from the Java space?
• They use artifact repositories to pull their packages from
and push their packages to
– Provides a single point where you can ask questions about the
software
• In the Microsoft ALM tools, we are used to
– Use Version control repositories for our sources
– Use network drop locations for our build products
– Use the web to pull our packages

27. Consuming open source software
DEVELOPMENT
BUILD AND
PUBLISH
PRODUCTION
COMPONENT
SELECTION

28. When you have a repo in
place, you can….
• Scan for licenses in use
• Scan for known
vulnerabilities
• Scan for popularity

29. Meet the artifact repository
• There are different flavors out there
– Alternatives are archiva, Artifactory, Nexus
– You can look at a comparison at:
http://docs.codehaus.org/display/MAVENUSER/Maven+Repository
+Manager+Feature+Matrix
• For my demos I am using Sonatype Nexus
– The one I most commonly encountered in my engagements with
customers
– Supports the Microsoft Eco system with NuGet!

30. DEMO
Show nexus PRO

31. Great but not all OSS
comes from NuGet
How can you know what is in your enterprise,
because just using a proxy does not cut it?

32. How to publish to repo
after build
By publishing your product back to the artifact
repository, you can now scan your software on use of
OSS

33. Consuming open source software
DEVELOPMENT
BUILD AND
PUBLISH PRODUCTION
COMPONENT
SELECTION

34. DEMO
Publish to artefact repo

35. Great!
Now I have an artifact
repository, how does that
solve my needs?

36. We need a way to scan my
repository and answer my
important questions

37. DEMO
Health reports

38. Part of the puzzle
• Artifact repositories can help you
– Empower your developers to build on shoulders of giants
– Analyze what is in use
• Source code or binaries
– Give insights in your exposure to known vulnerabilities in OSS components
• There are things you need to figure out yourself
– What OSS do we pick for certain parts of the system
– How do you select the right component with an abundance of choice?
– How do you engage with communities?
– How to manage contributions to OSS?

39. What we not covered
• Integrating license and vulnerability scans as part of your continuous
delivery pipeline
• Defining policies for what you allow
– Component Lifecycle Management tooling
– Can plug into your build system or your delivery pipelines
• People and Perception
– Developer bias
– Developer satisfaction
– Not looking at the other side of the fence

40. Summary
• There is more to open source than sources
• Understand licensing
• Understanding the OSS ecosystem
• OSS usage impacts your business
• Set up a strategy to know what you are using
• Artifact repository can help you solve parts of the
puzzle
– Make them part of your Continuous Delivery Pipeline

41. Questions?
• Xpirit Magazine in your TechDays bag with
cool articles on e.g:
– Hololens programming
– Azure Service Fabric
– Application Insights
http://fluentbytes.com
@marcelv
mdevries@Xpirit.com
Need help? Contact us