Carlo Piana

Presenting the toolchain that we have created for Eclipse Oniro, we believe the single largest compliance effort by many metrics ever attempted for Yocto projects, featuring besides than the usual suspects (Fossology, Scancode, SPDX, BANG, Gitlab CI) some specifically developed tools, including a dashboard, aliens4friends, a graph database to map dependencies and license incompatibilities, a license resolver and way more.

Yocto has (as a recent addition) its own facilities to create a SBOM. We worked on some complements that need to be added to consume it for all bells and whistles of a full OpenChain conformant software composition analysis. We have created a way to preserve this information throughout the entire process of creating a build and can demonstrate how it is possible to uniquely identify each and every file that goes into the final image, resolve each binary file license from a large mix of diversely licensed source files, find the dependencies, find potential incompatibilities and reuse this information by sharing it publicly. This for a project whose base of data and number of vetted licenses,files and packages is very large (one would say "huge"). Therefore, what we regard as an unprecedented amount of automation had to be put to work.

Compliance with copyright can be a nightmare, especially if the project faces it late in development. Everybody is now figuring out how to use tools and how this could help. We have been tasked with doing it for an entire operating system, something that would take months/man if not years. If you start late, you will finish late. But the gold standard is today to integrate compliance in CI/CD. We present our solutions and those that we have considered or are considering.

Globaleaks is an AGPLv3+ SaaS application for anonymous whistleblowing, developed by the Hermes Center. After receiving a prototype, the Italian Anticorruption authority (ANAC) re-published a version under EUPL, modifying attribution & copyright statement, removing reasonable notice from GUI, and failing to fully comply with source code obligations. The controversy was brought to Court and eventually settled, restoring the correct license, and patching the other issues. Several lessons learned.

Globaleaks is an AGPLv3+ SaaS application for anonymous whistleblowing, developed by the Hermes center for transparency and digital human rights. After receiving a prototype, the Italian Anticorruption authority (ANAC) re-published a modified version (developed via a public tender) under EUPL, modifying attribution & copyright statement, removing reasonable notice from GUI, and failing to fully comply with the obligation to convey the corresponding source code. After several attempts for an off-court solution, the question was finally settled by the parties, restoring the correct license, and the other issues. There are several lessons to be learned by this controversy. License compatibility and the other free software obligations (including conveying the corresponding source code) are not to be taken lightly, and require a good degree of knowledge and expertise, especially when they are related to an application which has been implemented by several Public administrations

Speakers: Carlo Piana - Lawyer with 25+ years experience in IT, former GC for FSFE and member of the Council of its Legal Network, serves as member of IP&OS advisory of UNTIL (United Nations). President of euroITcounsel, editor of Jolts (formerly Ifosslr).

Fabio Pietrosanti - Naif (Project leader) - Fabio Pietrosanti has been part of the hacking digital underground with the nickname “naif” since 1995, while he’s been a professional working in digital security since 1998. President and co-founder of the Hermes Center for Transparency and Digital Human Rights, he is active in many projects to create and spread the use of digital tools in support of freedom of expression and transparency. Member of Transparency International Italy, owner of Tor’s anonymity nodes, Tor2web anonymous publishing nodes, he is among the founders of the anonymous whistleblowing GlobaLeaks project, nowadays used by investigative journalists, citizen activists and the public administration for anti-corruption purposes. He is an expert in technological innovation in the field of whistleblowing, transparency, communication encryption and digital anonymity. As a veteran of the hacking and free software environment, he has participated to many community projects such as Sikurezza.org, s0ftpj, Winston Smith Project, Metro Olografix, among others. Professionally, he has worked as network security manager, senior security advisor, entrepreneur and CTO of a startup in mobile voice encryption technologies.

Giovanni Battista Gallus - Lawyer, ISO27001 Lead Auditor, freesoftware advocate, Former President of @CircoloGT, Nexa Fellow. ITLaw, privacy, security & drones.

Copyright, Criminal, Data Protection/Privacy and IT law are his main areas of expertise. In the last years, he is devoting a significant part of his practice to the legal aspects of UAVs (drones) After a cum laude degree in Law in Italy, he moves to Great Britain for the Master of Laws in Maritime Law e Information Technology Law at the University College London - UCL. Afterwhile, he earns a PhD. In 2009 he obtains the European Certificate on Cybercrime and Electronic Evidence (ECCE). He is ISO 27001:2013 Certified Lead Auditor (Information Security Management System). Member of the Bar of Cagliari since 1996, admitted to the Supreme Court since 2009, Data Protection Officer, he is a fellow of the Department "Informatica Giuridica" at the Università Statale of Milan where he teaches in the Post-Graduate Course in Digital Forensics and cybercrime. He also teaches at the Master for Data Protection Officers, organized by the Politecnico of Milan. Fellow of the Nexa Center on Internet and Society and of the Hermes Center for Transparency and Digital Human Rights. Author of several publications on the above mentioned areas and speaker at the main national and international congresses, he sides his legal profession an intense teaching activity, mainly in the field of copyright, Free/Open Source Software, data protection, IT security, digital forensics and drones.

Alberto Pianon - IT Lawyer with 10+ years experience in open source licensing and compliance, LL.M. in Law & Economics, member of the Legal Network of the FSFE.

OpenHarmony is a new operating system stewarded by Huawei's Open Source Technology Center, with Array as advisor. Having prioritized compliance, governance and transparency, OpenChain was the natural backdrop for it. Rather than embracing open source only to exploit it, having transparency and compliance as a last minute afterthought, OSTC has made them central pillars from the very beginning. We seek the opportunity to present you how the goal of OpenChain conformance helped.

Born as an internal project, since its conception OpenHarmony's future has been to live in an independent, respected foundation that will receive all the tool for keeping it a truly community-driven operating system. The tools that Will be donated do include a compliance toolchain with source code scanning, compliance policy documents and roles, a Bill of Material for the initial release and many other artifacts to make it sure compliance is not a one-off exercise, but an ongoing commitment for the entire life of the project. Full conformance with Openchain is projected in a short-term future and it is surely a motivation to start with the right steps and making the right choice off the very beginning of the project.

Drafting legal texts, especially when it comes to contracts, is often similar to writing code: modularity and reusability, version and branch control, collaborative editing and issue management are needs shared between developers and lawyers — even if the latter may not always realize it :).

In the end lawyers and developers face similar tasks, but lawyers can’t really leverage cooperative tools like git.

Having some software development background we wondered if we could use the same paradigms to produce legal documents, and to create a toolchain which should be easy to use for everybody. Git, Markdown, Pandoc, Mustache, Make (and some hand-made filters and scripts) did the trick. And we have a nifty presentation toolchain too! All with reveal-md and little else.

We can now produce documents and presentations using little else than a text editor and pretty much standard FOSS tools, roughly in the same way as software is written. And we think that this toolchain may be useful also to produce and manage business documentation, academic publications, and so on.