Title: FOSS Licensing and Security Compliance
Volunteers:
Intro:
The scale of open source software reused in products is ever increasing, and the US, EU, Indian,
and other governments have introduced cybersecurity compliance regulations that apply to
software suppliers. So, what does this mean for developers?
Any software maintainer, producer, developer, and contributor needs to know their
software dependencies, the risks associated with them, and how to manage software components efficiently.
This is most often done, and is now increasingly required by regulation, with SBOMs (Software Bills of Materials).
FOSS compliance, for both licensing and security, is simplified by generating SBOMs and by having
checkpoints in the compliance process.
Our goal is for open source developers, users, and contributors to exchange requirements, plans,
and collaboration opportunities around FOSS tools for software license and provenance detection,
vulnerability management, regulatory compliance (such as SEBI regulations and CERT-In guidelines),
code scanning, container and package dependency analysis, SBOM creation and consumption,
and license or vulnerability databases: basically, all the tools you need to figure out
which FOSS code you use, where it comes from, what its license is, how to comply with that
license, and whether it contains vulnerable code.
Proof of Feasibility:
We’ve had multiple well-received talks/sessions on similar topics at individual FOSSUnited
chapters and IndiaFOSS conferences, to name a few:
- OSPOs and Organisations BOF (IndiaFOSS 2024)
- Demystifying SBOMs: Lakshmi Teja (IndiaFOSS 2024)
- FOSSUnited Bangalore, March 2024:
  - ScanCode to Reuse Code Safely: Ayan
  - Open Source Projects: Legal Issues: Biju K. Nair
- There have been some proposals/discussions on this too:
At IndiaFOSS 2024, there was a Birds of a Feather (BoF) session on OSPOs and Organisations
which we attended, and there were lively and well-attended discussions there on all things
OSPOs, SBOMs and Security/License compliance. We had a participation of around 30 people,
and 1 hour wasn’t enough for all the interesting discussions we had there. We had to
relocate to a different area in the convention center to continue our discussions, since
there were other sessions after that.
We were also community partners at IndiaFOSS 2024, and hosted two booths for community
organisations that we are part of:
- OpenChain India WG
- AboutCode
We, the organisers, have also been part of the team that organised the full-day FOSDEM fringe event,
the FOSS license and security compliance tools workshop, and we have attended similar devrooms
that are organised every year at FOSDEM:
Number of volunteers requested for the devroom:
Proposal reviewers: 2
Logistics volunteers: 2
CFP:
Scope of talks:
- FOSS tooling and open data projects on licensing, vulnerabilities, community health metrics, compliance, software supply chain management
- FOSS compliance tooling users and common issues
- SBOMs (Software Bill of Materials): tools that produce or consume SBOMs
- Use of different types of SBOMs (Source, Build, Deployed, Runtime, etc.) in the software supply chain
- Indian policy landscape on SBOMs/Compliance
- Case studies and lessons from OSPOs (Open Source Program Offices)
- Case studies and lessons from Security/Compliance teams
- Software supply chain problems and security issues
- Best practices and open standards in software supply chain
- Developer advocacy and open source communities in compliance
- Vulnerability advisories, open data, reporting and reachability
- Open source licensing, copyrights, patents
Talks from open source communities on community-driven innovation and real-world applications will be preferred.
We welcome both technical talks and practical demos, with preferred durations of:
- 5 min (Lightning Talks)
- 20+5 min (Standard Sessions)
This proposal has been merged with another proposal, Navigating FOSS Compliance: Governance, Security, and Global Impact, proposed by @Lakshmiteja; the merged proposal is now here: FOSS Licensing and Security Compliance