2019-08-14 OSR WG Meeting Notes

Table of Contents

8/14/2019 10AM EST

Attendees

NameOrganizationGithub ID
Aaron WilliamsonFINOS
Rob Underwood (Deactivated)FINOS
Tosha EllisonFINOS
Aitana MyohlFINOS
Mirko BoehmEndocode
Andrew AitkenWipro
Gilles GravierWipro
Rich HeironimusFreddie Mac
Gaurav ParakhWipro
Simon HoltJP Morgan
Reza AlaviWipro
CR

John ScottIon Channel

Agenda

TimeItemWhoNotes from the Meeting
5 minConvene & roll call
40 minContinuous Compliance - An Introduction to QuartermasterMirko Boehm (Endocode)

Abstract

Free and open source license compliance is a thorny topic - it is at the same time a rigid obligation to vendors, an important hygiene factor in communities, and dauntingly complex to achieve and constantly maintain. Ensuring license compliance requires adequate business processes as defined in OpenChain, a common license data exchange format provided by SPDX, and tools to automate license compliance requirements integrated into the engineering workflow - Quartermaster. The presentation demonstrates how Quartermaster can be used to automatically create up-to-date and correct compliance documentation. It explains the concept and philosophy behind the toolchain, the history of the project and how Quartermaster develops bridges between free and open source developers, legal practitioners and open source program offices.

Notes from talk

  • Quartermaster runs in your build environment, typically in CI/CD environment, to collect license information about packages during build process.
  • We built Quartermaster because there was a hole in the compliance ecosystem -- no industry standard for open source compliance toolchains.
  • Who it's for: ideally, communities will use Quartermaster to provide compliance manifests with their code; vendors can use it to create documentation and manifests when producing software and distributing it; distributions, like Linux.
  • Project is led by Endocode, a German company bringing open source into traditional industries. Currently funded by a grant from the European Commission. 
  • Quartermaster also pulls in security information. Project has 3-year roadmap starting in 2019.
  • How it works: during construction, collects info on config, metadata, build graph, and history. During analysis, collects info on contributors, copyright, licenses, implements policies and metrics, and produces knowledge. During reporting, generates bill of materials, CI feedback, alerts, and a license catalog. Runs every time you build a project: every commit can change dependencies, what goes into the build, configuration, etc.
  • Software QTRMSTR uses: cmake, config files, make, git, scancode, cregit, custom policy code, ClearlyDefined, HTML, SPDX, Slack, and GitHub badges.
  • Architecture: master process, toolchain specific build system instrumentation, gRPC/protobuf module APIs, no file formats, modular command toolchain, integration API in master, runs on Linux, OSX, and Windows on the client side -- master runs in container. Allows integration of proprietary tools into the toolchain. 
  • The data model is licensed under the Open Data License, toolchain under GPLv3, modules are separate processes communicating with the master, paradigm: toolchian is FOSS, as are core modules. Proprietary integrations are possible.
  • Current milestone: validation. Suppliers can hand over compliance documentation, and customer can run validator against the package to ensure the manifest contains information about all components in the package. Result is a delivery receipt going back to the supplier.
5 minAny other business & adjournment



Decisions Made

N/A

Action Items

  •  


Need help? Email help@finos.org we'll get back to you.

Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.