Bitsea, a company helping customers to analyse, assess, and optimize Software Development processes, has joined the OpenChain Partner program. This marks another significant expansion of the OpenChain ecosystem into the German software industry, and provides another milestone in our preparation to support our growth as a formal International Standard in Q4.

“Bitsea is delighted to join the OpenChain Partner program,” says Dr. Andreas Kotulla. “We have a long history of supporting excellent in open source and we look forward to helping our customers and adjacent companies understand and apply the OpenChain standard for quality open source compliance programs.”

“A key pillar of the OpenChain community is support,” says Shane Coughlan, OpenChain General Manager. “A great deal of this support is provided by our local and global work groups, consisting largely of user companies. However, there is a substantial proportion of this support provided by partners, and they provide a vital role in ensuring the sustainability of our industry standard. Bitsea will help bolster our support network and their deep experience will benefit everyone seeking to build out a quality open source compliance program.”

The recording of our regular bi-weekly Specification Work Team is now available. This time we talked about framing the objectives for future OpenChain updates. It will be a long time before we release a future version of the OpenChain Specification after our ISO launch this year, but we want to ensure that people from all over the world can connect and send in suggestions over time.

You can join the Specification Mailing List to follow all the activity

• https://lists.openchainproject.org/g/specification

はじめに

OpenChain Japan WG Advent Calendar 2019 Day18を担当する @K-Hama です．OSSマネジメントプロセスの研究とOSS管理に利用するツールの研究開発が主な仕事ですが，最近はOSS関係のコミュニティ活動も行っています．本日はFossologyプロジェクト¹が進めている新しい検索エンジン「Atarashi²」を調べて分かったことを簡単にまとめ,インストール方法までを紹介しようと思います．

Fossology とは

最初に簡単にFossologyとは何かを紹介します．Fossologyはソフトウェアを構成するソースコードを分析し，中に含まれているOSSライセンス，コピーライト，ECCなどの情報を検出，リストアップするツールです．Fossologyは The Linux Foundationの傘下プロジェクト主体で開発されていて，Fossology自体もOSSライセンスで利用許諾されているので誰でも自由に無料で利用可能となっています．基本的な使い方や情報は日本語のハンズオン資料がOpenChain Japan³（日本語）, FossologyのGithub⁴で(日本語，英語，ベトナム語)公開されているのでそちらを参考にしてください(日本語の内容はどちらも同じ)．また，誰でも無料で参加できるFossologyのイベントが OpenChain Japan WG Tooling Sub-WG 主催で2019年12月20日に東京で開催されます⁵．（このイベントにはFossologyの主開発者のMichael C. Jaeger さんも来ます）．Fossologyに関して他に以下のドキュメントが参考になります．

・Fossologyインストール方法
・Fossologyインストール方法 日本語
・FOSSology – Install from Sourceのススメ
・@y-ashiduka さんがOpenChain Japan WG Advent Calendar 2019 Day 10に投稿された
　Yocto環境にmeta-spdxscannerを適用し、SPDX出力環境を構築する（fossdriver利用編）

Atarashi の調査にあたって

FossologyにはNomos, Monkなどのライセンス検索エージェントが存在しています．これらに加えてテキストマイニングをしてライセンス検知を行おうとしているのものが、Atarashi²とのことです．AtarashiはFossologyの１検索エンジンとして開発されているようですが，現時点ではFossologyの本家にPull Request⁶が行われているもののマージされておらず，FossologyをインストールすればそのまますぐにAtarashiを使えるわけではないみたいです[2019年12月時点]. そこで，本記事ではAtarashiが何を目指して開発されているのか調査し，その上で分かったことをここにまとめようと思います．Atarshiに実装されている細かい検索アルゴリズムについては今回は名前を出すに留めます. ソースコードはGitHub⁷で公開されていますので誰でも確認できます．また，Google Summer of Code Projectの一つのプロジェクトとしてもAtarashiは進められていたたようです．他にAtarashiに関する資料がとしては以下のものが公開されています．・ FOSSology: Two New Approaches For License Scanning from Shane Coughlan

Atarshiの目的

fossology-two-new-approaches-for-license-scanningによると，Atarashi はテキスト統計および情報検索をもとにしたnon-rule based scannerです．

ファイルの展開をした後に，
1. SPDX identifiers を見つける
2. SPDX headers　を見つける
3. 見つけたものを適用
4. 類似度をもとにランキング作成
5. 出力表示

といったプロセスで進んでいくようです．SPDX identifiers / SPDX headers についてはSPDXのページ⁸に詳細が書いていますので是非参考にして下さい．

なお　OpenChainJapanのSPDXに関する取り組みは　@Yoshiyuki_Ito　さんが「製品開発サプライチェーンでのライセンス情報授受の仕組みに関わる、「組織間のライセンス情報授受」サブグループの活動ご紹介」で紹介してくれています．　

また，1. SPDX identifiers を見つける の部分に関してはすでにFossologyで ojo Agentとして実装されており，利用可能です．使い方は簡単で検索オプション指定時に[ojo]を選択するだけです．

結果は以下みたいな感じになります．

Atarashiの構成

公式ドキュメントによるとAtarashiの中にもいくつかの検索エージェントが含まれており，それを指定し利用する仕組みになっています．名前はそれぞれ利用しているワード検索の手法に由来してます．

• DLD agent
  • レーベンシュタイン距離を求めて類似度検索
    • Damerau–Levenshtein distance
  • https://github.com/fossology/atarashi/blob/master/atarashi/agents/dameruLevenDist.py
• wordFrequencySimilarity agent
  • https://github.com/fossology/atarashi/blob/master/atarashi/agents/wordFrequencySimilarity.py
• tfidf agent
  • （Term Frequency、単語の出現頻度）&　idf（英: Inverse Document Frequency、逆文書頻度)
    • Term Frequency(TF)、
    • Inverse Document Frequency(IDF)
  • https://github.com/fossology/atarashi/blob/master/atarashi/agents/tfidf.py
• Ngram agent
  • https://github.com/fossology/atarashi/blob/master/atarashi/agents/cosineSimNgram.py

前準備

以下をインストール

• Python >= v3.5
• pip3

インストール

今回はインストール方法まで紹介しようと思います．(以下 commit id 387e144)

はじめに　requirement.txt を利用してパッケージを導入すればいいのですが、numpyだけは別途入れる必要があります。

$ git clone  https://github.com/fossology/atarashi.git
$ cd atarashi
$ pip3 install numpy
$ pip3 install -r requirements.txt
$ pip3 install .

以上でインストールは完了です．

下記のようにヘルプコマンドを押して

$ atarashi -h

以下のように出てきたらインストールは成功

インストールのあとどのように利用するか，利用した結果などを今後紹介できたらいいと思います．

さいごに

FOSSologyのを含めOSSライセンスの検索エンジンに関しては，いろいろなニュース出てきてて，今とても熱い分野だと言えそうです．(例： Digging for license information with FOSSology ). 今後OpenChain Japan WG Tooling Sub-WGでは企業の枠を超えてFossologyやAtarashiの利用方法調査や機能の実装も協力して進めていきたいと思います．興味があればメーリスに登録することをお勧めします．　https://lists.openchainproject.org/g/japan-sg-tooling

なお、OpenChain Japan WG Tooling Sub-WGの活動については @ystk-k さんの記事を参考にしてみてください。
https://qiita.com/ystk-k/items/1ec2b416cc05b98597a9

追記(2020/01/06)

Fosoology/Atarashiのレポートが公開されてたようなので共有しておきます．
https://github.com/fossology/atarashi/files/4016573/Atarashi-Report.pdf

公開場所: https://github.com/fossology/atarashi/pull/60

明日は

@yuichi-kusakabe さんがOpenChainとAGLに関係する記事を書いてくれます．Automotive Grade Linuxに興味がある方は是非一読しましょう．

---

1. https://www.fossology.org/ ↩
2. https://fossology.github.io/atarashi/ ↩
3. https://github.com/OpenChain-Project/Reference-Material
4. https://github.com/fossology/FOSSologySlides ↩
5. https://lists.openchainproject.org/g/japan-sg-tooling/message/15 ↩
6. https://github.com/fossology/fossology/pull/1408 ↩
7. https://github.com/fossology/atarashi/ ↩
8. https://spdx.org/ids ↩

We are taking a look at how GitLab addresses compliance for this webinar. Mo Khan, Senior Backend Engineer, will explain the approach offered to users and explain why it works. One of the most interesting things we can explore is how it all works with CI/CD.

We will allow plenty of time for questions and comments, so this is a perfect webinar to start engaging with the OpenChain community.

Get an overview of the GitLab approach

• https://docs.gitlab.com/ee/user/compliance/license_compliance/

Learn more about Mo

• https://www.linkedin.com/in/xlgmokha/

Take Part in the Webinar

Join Our Zoom Meeting

* https://zoom.us/j/9990120120

Password

* 123456

One Tap Telephone (no screensharing)

* +358 9 4245 1488,,9990120120# Finland
* +33 7 5678 4048,,9990120120# France
* +49 69 7104 9922,,9990120120# Germany
* +852 5808 6088,,9990120120# Hong Kong
* +39 069 480 6488,,9990120120# Italy
* +353 6 163 9031,,9990120120# Ireland
* +81 524 564 439,,9990120120# Japan
* +82 2 6105 4111,,9990120120# Korea
* +34 917 873 431,,9990120120# Spain
* +46 850 539 728,,9990120120# Sweden
* +41 43 210 71 08,,9990120120# Switzerland
* +44 330 088 5830,,9990120120# UK
* +16699006833,,9990120120# US (San Jose)
* +12532158782,,9990120120# US

Find your local number: https://zoom.us/u/abeUqy3kYQ
Not all countries have available numbers.

After dialing the local number enter 9990120120#

Check out all our previous webinars

• https://www.openchainproject.org/webinars-interviews

The latest OpenChain Newsletter is out. Learn about some of the highlights from June in our new 60 second reading format.

• https://www.openchainproject.org/openchain-newsletter-issue-38

Check Out All Our Previous Newsletters

• https://www.openchainproject.org/news/newsletter

The OpenChain Project UK Work Group is being launched on the 23rd of July at 14:00 BST via a virtual event.

This meeting is free and is open to anyone in the UK or elsewhere interested in why companies like Arm, Scania, Hitachi Data Systems, and Microsoft are embracing the OpenChain industry standard.

Learn More and Book Your Place

https://www.eventbrite.co.uk/e/openchain-uk-work-group-inaugural-meeting-tickets-111130698912

The OpenChain Project welcomes BMW CarIT GmbH as our 20th Platinum Member. BMW CarIT GmbH joins the governing board of the project ahead of our expected completion of the ISO process in September 2020. Their knowledge, support and expertise is expected to be an invaluable component of the next steps in adoption of the industry standard for open source compliance.

“BMW CarIT GmbH provides tremendous knowledge in the automotive space both in Europe and globally,” says Shane Coughlan, OpenChain General Manager. “Working alongside existing board members such as Toyota, Bosch and Panasonic, BMW CarIT GmbH is poised to help ensure that the automotive supply chain adopts the standard for open source compliance in a smooth, effective manner. We look forward to working with suppliers throughout the world on our continued mission of education, support and collaboration in effective open source governance.”

Learn More About BMW CarIT

• https://www.bmw-carit.de/en.html

Today Siemens Healthineers announces an OpenChain Conformant compliance program, joining a widening community of organizations from all industrial sectors. Siemens Healthineers is the first company specialized in medical technology to announce conformance.

“We have been collaborating with the team from Siemens Healthineers for a while and found have found their insights and contributions useful to the community as a whole,” says Shane Coughlan, OpenChain General Manager. “The conformance announcement today marks another milestone with the formal expansion of our industry standard into the medical sector. One thing that has become clear in the last two years of standard deployment is that all sectors, and companies of all sizes, face the same fundamental challenges with respect to open source compliance. By working together diligently we have isolated an effective real world solution. I am looking forward to assisting more companies in the health ecosystem with their engagement and adoption of the key requirements of a quality open source compliance program.”

“We find the insights shared across the OpenChain community to be very useful and look forward to continuing our active participation in this project and the associated community,” says Dr. Frances Paulisch, Head of Software Initiative at Siemens Healthineers.

Learn More About Siemens Healthineers

• https://www.siemens-healthineers.com/

The OpenChain Project had an exceptionally busy first half of 2020. From conformance to membership announcements, from reference material releases to taking the final steps in our ISO submission, the project and its community has pushed forward the state of the art in compliance.

You Can Expect Big News in Q3

First, a recap. OpenChain 2.0 is our current industry standard. It was reformatted for ISO submission in Q1 via something called the ISO/IEC JTC1 PAS transposition process. This reformatted but functionally identical document was termed OpenChain 2.1 and constituted our ISO/IEC JTC1 PAS submission in Q2. The goal is simple: our mature de facto industry standard (OpenChain 2.0) is going through a process to become a formal International Standard. There are two positive implications:

1. Everyone conformant with OpenChain 2.0 will also be conformant to the International Standard and;
2. People new to our field can easily engage and adopt our standard.

Our ISO/IEC JTC1 PAS submission (DIS 5230) will complete its voting period on the 22nd of September. Unless there is a request for a further FDIS ballot, our International Standard will be published within six weeks or less. In other words, OpenChain will have completed its transition from de facto industry standard into a formal international standard, expanding our audience of immediate interest from hundreds to thousands of companies. We will be the first formal standard from The Linux Foundation in 14 years (the last was Linux Standard Base / ISO/IEC 23360) and we are the first project to collaborate with Joint Development Foundation on transitioning a de facto standard from our field into an International Standard via the ISO/IEC JTC1 PAS transposition process.

A lot of our time and energy from now until then will be about putting everything in place to welcome new companies and new collaborators to our project. We want to ensure that people from sales, procurement and other areas impacted by the inclusion of ISO standards can quickly get up to speed. Our goal is to facilitate smooth adoption and to ensure everyone gets the benefit of great open source compliance programs.

The Outcome Will Be:

• An International Standard
• Improvements in our current reference material
• New reference material for sales/procurement/etc

Expectation 1

You can expect to always be able to access our International Standard on the OpenChain website. The OpenChain Specification 2.1 that will be hosted on our website will be “technically aligned” with the published ISO standard = they are the same. This is very similar to how the standard for Office Open XML File Formats is addressed with free access via ECMA-376 and formal ISO publication (gated access) via ISO/IEC 29500.https://www.ecma-international.org/publications/standards/Ecma-376.htm

Expectation 2

You can expect to always be able to self-certify to the OpenChain Specification 2.1 on the OpenChain website, along with all previous and future versions of our standard. By the same measure, you can always discover and collaborate with our official partners for legal support, services support and even full third-party certification precisely as before.

Expectation 3

You can expect all future work on the OpenChain ISO standard to remain right here, running under the same processes, our well-established and refined method of ensuring we have a concise, useful and pragmatic solution to the question of open source compliance.

Expectation 4

And you can expect stability. Our forthcoming ISO standard is the end result of years of contributions from hundreds of people. It has seen four iterations after originally going to market in October 2016 (OpenChain 1.0, 1.1, 1.2 and finally 2.0). Each iteration refined our work based on practical feedback from real world deployment. OpenChain 2.0 has been out since April 2019. It is rock solid, it is seeing adoption across every major geography and market. The status of OpenChain 2.0 and the functionally identical ISO formatted OpenChain 2.1 (DIS 5230) is simple: this International Standard, when it completes the ballot process, will be in market for many, many years to come. Adoption of OpenChain 2.0 and our forthcoming ISO standard is the adoption of a consistent standard that can be deployed with confidence in any supply chain.

And Of Course…

This does not mean we will put away our editing gloves. We want to capture experience and feedback from today and into the foreseeable future. As of last month we began bi-weekly calls to provide this forum. Oversimplifying things a little, we want to make sure that every viable idea and suggestion is captured and recorded on our GitHub for the Specification.

Get this guide and many more documents in the OpenChain Reference Library: https://github.com/OpenChain-Project/Reference-Material

This will allow us to draft future generations of the standard at an appropriate pace while also addressing and resolving many items via reference material. As always, the process will be clearly defined and clearly monitored, thanks in no small part to the exceptional work of Mark Gisi as the chair of the OpenChain Specification Work Team. Thanks Mark!

What else in 2H 2020? Conformance announcements. Membership announcements. Partner announcements. The usual. Each reflecting a new milestone in our continued progress. Most importantly our work teams, whether global and addressing spaces like automotive and reference tooling, or local and addressing geographies like China, Japan, Korea, Taiwan, India, Germany and (as of July) the UK, will remain the heart of everything we do. OpenChain is created by and run by user organizations to solve challenges for user organizations. This laser focus is at the heart of our success and it will remain so in the future.

On a final note, the OpenChain Project expects to be operating virtually until 2021. Our individual work groups in various geographies may hold physical meetings based on their discretion, but for the project as a whole our emphasis will be on ensuring our online communication and sharing is effective and consistent. We already put everything in place (bi-weekly webinars, bi-weekly space for spec discussions, our pre-existing mailing lists, free access to Zoom + UberConference), and we will continue to execute against this plan.

Regards

Shane Coughlan
General Manager, OpenChain
e: scoughlan@linuxfoundation.org       
p: +81 (0) 80 4035 8083                
w: www.linuxfoundation.org

Want to Talk More About This? Schedule a 1-2-1 Call

• https://calendly.com/openchainproject