Floor Drees
My name is Floor, I’m based in the Netherlands. I'm a Staff Developer Advocate at Aiven, we manage your favorite open source data tools without exploiting the projects and their maintainers. Previously I worked in DevRel at Grafana Labs and Microsoft. I'm a Devopsdays Core member, and organize the Devopsdays Amsterdam and Eindhoven chapters.
I'm a Microsoft MVP for Developer Technologies, and I organize a bunch of meetups, including-but-not-limited-to contributing.today, DevRel Salon Amsterdam, and the Amsterdam Ruby Meetup. Oh, I am an art school graduate, who stumbled into tech face-first.
Session
We’re all moving fast and in order to do so we’re relying on a lot of dependencies to give us that commercial edge. In doing so we’re trusting the work of strangers on the internet, and also that of vendors who may change their mind on who can benefit from their software.
The 2022 OSSRA (Open Source Security and Risk) report, examines the results of more than 2,400 audits of commercial codebases, of which 97% contained open source. Four of the 17 industry sectors represented in the report—Computer Hardware and Semiconductors, Cybersecurity, Energy and Clean Tech, and IoT—contained open source in 100% of their audited codebases.
If you install Electron and have to add 87 packages — that means 87 license dependencies. Every single package is likely to have its own dependencies, and therefore, another license you need to comply with. As you can imagine license management can’t be done manually and when done incorrectly can create a technical debt.
License litigation may end up forcing you to release your code under the same license as the package dependency you used. Other potential problems include being sued for financial liability by the creator of the component, and/or losing reputation and getting negative press coverage.
Find out how to do a software composition analysis to create an SBOM (Software Bill of Materials), and how to monitor changes in your components’ licenses every time you deploy.