Presentation from nexB Inc. by Dennis Clark, Product Manager, and Pierre Lapointe, Customer Care Manager.
Attendees discovered how to manage open source (and third-party) software license requirements in their products with AboutCode, nexB's open source project available on GitHub.
The presentation included:
- How to document provenance (origin and license) and other important information about software components inside a codebase,
- How to automate OSS Attribution Notice generation.
More information on http://www.aboutcode.org/.
How to Manage Open Source Requirements with AboutCode
1. How to Manage Open Source Requirements with AboutCode
2. Agenda
• About nexB
• Attribution Generation with AboutCode
• Q&A
3. About nexB
• Our business is software component management with a focus on managing license compliance risks
• Offering
o DejaCode™ - SaaS or on-premises
o Open Source audit services
o Open Source scanning (ScanCode) and attribution generation tools (AboutCode)
• We are
o Software provenance analysis experts
o Active open source developers & Linux Foundation member
o Co-founders of SPDX project - http://spdx.org/
4. AboutCode and DejaCode
nexB offers two OSS Compliance solutions:
• AboutCode for engineering/product teams
o Basic system that can be adapted for any technology platform or language
o Can be integrated into build systems
o Open source license – Apache 2.0
• DejaCode for the enterprise
o Enterprise application designed for use by legal, engineering and business staff across all products and technologies
o Import data from any engineering-level system and from external sources (system of record for product releases)
o Subscription for SaaS (or on-premises)
5. AboutCode
• nexB created the AboutCode tools to automate OSS compliance
o Based on ABOUT specification v1.0
o An ABOUT file documents the origin and license for each component, usually at the library or directory level
o An ABOUT file = text file with file extension “.ABOUT”
o Applicable to any programming language and software development environment
o Extensible for build system integration for advanced automation
o Currently offered as command line tools
• Written in Python and licensed under Apache 2.0
• Code and specification available at https://github.com/dejacode/about-code-tool
6. AboutCode Compliance Lifecycle
7. ABOUT File Example
A text file in tag / value format:
httpd-2.4.3.tar.gz.about
name: Apache HTTP Server
home_url: http://httpd.apache.org
download_url: http://apache.belnet.be//httpd/httpd2.4.3.tar.gz
version: 2.4.3
date: 2012-08-21
license: apache-2.0
license_file: httpd-2.4.3.tar.gz/LICENSE
copyright: Copyright 2012 The Apache Software Foundation.
notice_file: httpd-2.4.3.tar.gz/NOTICE
8. AboutCode tools
• Create ABOUT files inside a codebase from a Software BOM or Inventory file (spreadsheet or other)
• Create a Software BOM or Inventory file (spreadsheet or other) from ABOUT files in the codebase
• Generate an Attribution Notices file
o Text file organized by copyright/license notice and component
o Default text or HTML format
• Generate a Source Code Redistribution package list
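The ABOUT tag/value format from the previous slide and the attribution notice generation listed above, as an added example that is not AboutCode's own code: a minimal parser that reads one key: value pair per line (the multi-line values of the full ABOUT spec are not handled), checks that name and license are present, and builds a plain-text notice grouped by license key and then by component. The sample ABOUT files, the zlib component and the in-memory lookup of referenced files are constructed; the httpd LICENSE file is deliberately left out to show how a dangling license_file reference is reported instead of silently dropped.

```python
from collections import defaultdict

# Constructed inputs: the slide's httpd ABOUT file, an invented second component,
# and the referenced notice file held in memory (LICENSE deliberately absent).
ABOUT_FILES = {
    "httpd-2.4.3.tar.gz.about": (
        "name: Apache HTTP Server\nhome_url: http://httpd.apache.org\n"
        "version: 2.4.3\nlicense: apache-2.0\nlicense_file: httpd-2.4.3.tar.gz/LICENSE\n"
        "copyright: Copyright 2012 The Apache Software Foundation.\n"
        "notice_file: httpd-2.4.3.tar.gz/NOTICE\n"),
    "zlib-1.2.8.about": (
        "name: zlib\nversion: 1.2.8\nlicense: zlib\n"
        "copyright: Copyright (C) 1995-2013 Jean-loup Gailly and Mark Adler\n"),
}
REFERENCED_FILES = {
    "httpd-2.4.3.tar.gz/NOTICE": "This product includes software developed at the ASF.",
}

def parse_about(text):
    """Parse one 'key: value' per line; skip blank and '#' lines; check required keys."""
    fields = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")  # first colon only, so URLs survive
            if not sep:
                raise ValueError("malformed ABOUT line: %r" % line)
            fields[key.strip().lower()] = value.strip()
    missing = [k for k in ("name", "license") if k not in fields]  # assumed minimum
    if missing:
        raise ValueError("missing required ABOUT fields: " + ", ".join(missing))
    return fields

def generate_notice(about_files, referenced_files):
    """Return attribution text grouped by license key, then by component."""
    by_license = defaultdict(list)
    for path in sorted(about_files):
        about = parse_about(about_files[path])
        by_license[about["license"]].append(about)
    out = []
    for lic in sorted(by_license):
        out.append("== License: %s ==" % lic)
        for a in by_license[lic]:
            out.append("%s %s" % (a["name"], a.get("version", "")))
            out.append(a.get("copyright", "(no copyright statement)"))
            for key in ("notice_file", "license_file"):  # embed referenced text;
                if key in a:  # a dangling reference is flagged, not silently dropped
                    out.append(referenced_files.get(a[key], "MISSING: " + a[key]))
        out.append("")
    return "\n".join(out)
```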
9. AboutCode Demonstration
• Example based on e2fsprogs project
o Package included in most Linux distributions
o Set of utilities under different licenses
• Software Inventory file to create ABOUT files
• ABOUT files as created
• Generated Attribution Notice
10. Questions
11. Contacts
nexB Inc.
http://www.nexb.com/
http://www.dejacode.com/
http://www.aboutcode.org/
Pierre Lapointe
plapointe@nexB.com
+1 415 287 7643