We’ve all heard by now the quote from venture capitalist Marc Andreessen that “software is eating the world,” but during our webinar this week, Rogue Wave Software CTO Rod Cope stated that “open source has eaten the world,” and if you were in attendance, you probably agree.
This webinar, the first session in our new open source webinar series, was designed to help you understand how enterprises learn to stop worrying and love open source. Open source is at the core of your applications, and Rod walked through the three areas where you need to focus your energies: technical issues, security concerns, and licensing, addressing in each area how enterprises have moved from chaos to love.
During the webinar, we asked attendees a few poll questions to help us understand where they fall on the spectrum of confidence with regard to embracing open source.
Poll: What percentage of your code is free and open source software?
This time last year we held a webinar with a similar question, and only a small percentage of attendees were in the more than 75 percent category. This really shows the adoption curve of open source – either organizations are just getting started or they are deep into it.
Poll: How does your team know when an OSS package has a vulnerability?
It looks like security has really been elevated in people’s minds, and more time and effort are being put into monitoring vulnerability reports and databases.
Poll: For open source included in software that you’re releasing, are you compliant with all license obligations?
This was a surprising result – in a good way! It’s great to see we’re going in the right direction to ensure that OSS license obligations are being met. It’d be interesting to know from those “YES” folks whether this covers all open source in their organization or only the packages used in mission-critical applications.
Answering your questions
The session was very interactive, and we received some great questions which we promised to recap.
Has any open source software lasted from the 1980s until now?
[Rod Cope] Yes, in fact, I think one of the fascinating facts of open source is that it very rarely ever goes away because it doesn’t have to have commercial success. So once it is released it tends to stay out there; whether it has rampant success or not is really the question. If you look at early packages like Perl, it is still heavily used today and there are hundreds of thousands of Perl packages and millions of installations around the world. I think that’s a good example of one that started a long, long time ago that is still going strong. And there are lots of other examples.
Between technical, licensing, and security, how do we pick which area to focus on first?
[Rod Cope] If you’re not sure where to start with OSS management, I’d recommend an audit. An audit brings together licensing, security, and technical aspects of OSS into a single report that you can discuss with experts. A good report tells you not just what you have, but also how each package is licensed, what you need to do to comply with those licenses, whether there are significant known security issues, and how to get support for the key items you’re using. Most importantly, a high quality audit lets you talk to experts about the findings, ask questions, and truly understand what you need to do next.
What about community forums? Are they a good source for knowing about vulnerabilities?
[Rod Cope] Nearly every OSS community has a forum of some type where users can ask questions. Good communities respond quickly to questions with helpful advice and directions, but not all OSS packages have good communities around them. In fact, it’s often hit or miss when you’re looking for help because all participants are volunteers and have their own priorities. When it comes to security vulnerabilities, in particular, most high quality communities care deeply about resolving issues quickly. You may not always get a quick fix, or possibly any fix if you’re running an older version of a package that the community no longer supports, but you can usually learn about newly discovered vulnerabilities without much effort.
Can you go into more details about a licensing audit? What do I get?
[Rod Cope] An OSS audit report includes a list of packages found (sometimes called the “Bill of Materials” or “BOM”), a list of licenses associated with those packages, and the set of license obligations for those licenses. A higher-value audit report and follow-on discussion will also address compliance with those license obligations and basic guidance related to package usage (e.g., internal use only vs. distribution). Finally, value-add reports include information related to security vulnerabilities and commercial support options for the packages you rely on to run your business.
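The poll above asked how teams find out that an OSS package has a vulnerability, and Rod’s audit answer describes the bill of materials an audit produces. The following is an added example, not code from the webinar or from Rogue Wave Software, of the check that ties those two together: a script that takes a BOM of package names and versions and matches each entry against advisory records that list introduced/fixed version ranges. The BOM, the advisories, and the EX-2016-000x identifiers are constructed for illustration; nothing here queries a real database.

```python
"""Check a software bill of materials (BOM) against vulnerability advisories.

Added example: this is not code from the webinar or from Rogue Wave Software.
The BOM and the advisories are constructed for illustration; the package
names, versions and advisory identifiers (EX-2016-000x) are hypothetical.
The advisory shape (ordered "introduced"/"fixed" events per package) mirrors
the style of open advisory databases, but nothing here queries a real one.
"""
import re

# Constructed BOM: the package list an audit or dependency scan would produce.
BOM = [
    {"name": "libfoo", "version": "1.4.2"},
    {"name": "libfoo", "version": "2.0.0"},    # two copies bundled, as often happens
    {"name": "barutils", "version": "0.9.10"},
    {"name": "quxweb", "version": "3.1.0"},
]

# Constructed advisories with hypothetical IDs. Events are ordered: a version
# where the bug was introduced, then (if a fix exists) the version that fixed it.
ADVISORIES = [
    {"id": "EX-2016-0001", "package": "libfoo",
     "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.3"}],
     "summary": "buffer overflow in parser"},
    {"id": "EX-2016-0002", "package": "barutils",
     "events": [{"introduced": "0.9.0"}],          # no fixed release yet
     "summary": "path traversal during archive extraction"},
    {"id": "EX-2016-0003", "package": "quxweb",
     "events": [{"introduced": "2.0.0"}, {"fixed": "3.0.0"}],
     "summary": "cross-site scripting in template rendering"},
]


def parse_version(version):
    """Turn '1.4.2' or '1.4' into a comparable tuple of three ints.

    Caveat: a pre-release suffix is ignored, so '1.4.3-rc1' compares equal to
    '1.4.3' and would be reported as fixed even though it predates the fix.
    A real scanner must apply the ecosystem's own version ordering rules.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version, events):
    """True if `version` lies in a range [introduced, fixed) described by
    `events`; a trailing 'introduced' with no 'fixed' is an open-ended range."""
    v = parse_version(version)
    introduced = None
    for event in events:
        if "introduced" in event:
            introduced = parse_version(event["introduced"])
        elif "fixed" in event and introduced is not None:
            if introduced <= v < parse_version(event["fixed"]):
                return True
            introduced = None
    return introduced is not None and introduced <= v


def find_vulnerable(bom, advisories):
    """Match every BOM entry against every advisory for the same package.

    Returns a list of (package, version, advisory id, fixed-in version or None
    when no fix above the installed version is known), in BOM order.
    """
    findings = []
    for entry in bom:
        for adv in advisories:
            if adv["package"] != entry["name"]:
                continue
            if not is_affected(entry["version"], adv["events"]):
                continue
            installed = parse_version(entry["version"])
            fixed_in = next((e["fixed"] for e in adv["events"]
                             if "fixed" in e and parse_version(e["fixed"]) > installed),
                            None)
            findings.append((entry["name"], entry["version"], adv["id"], fixed_in))
    return findings


if __name__ == "__main__":
    for name, version, adv_id, fixed_in in find_vulnerable(BOM, ADVISORIES):
        action = "upgrade to %s" % fixed_in if fixed_in else "no fix published; mitigate or replace"
        print("%s %s: %s (%s)" % (name, version, adv_id, action))
```

Two points the script makes that a spreadsheet of package names does not: the same package can appear more than once in a BOM at different versions, and only one of them may be in the affected range; and an advisory with no “fixed” event is an open-ended range, so the report has to distinguish “upgrade available” from “no fix yet,” because the latter needs a mitigation decision rather than a version bump.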
Watch, re-watch, or share this on-demand version of the webinar – How enterprise learned to stop worrying and love open source.
Register and plan to attend our second webinar on June 29, where we will cover the true costs of open source. Director of product management and OSS expert Richard Sherrard examines examples of technical, security, and licensing hurdles that many organizations face so you can have a better understanding of what “free” actually means.
If you have more questions, leave us a comment. We’d love to hear your thoughts on open source.