ORT: Automate compliance using Open Source & InnerSource
03-14, 15:10–15:40 (Europe/Berlin), Stage 2

Setting up or maintaining a FOSS compliance process is not simple, as most organizations use a wide variety of programming languages, build tools and delivery methods. Ideally, you want to automate most of the compliance work, but as most Open Source Program Offices (OSPOs) have found out, there are often significant gaps between what most tools offer and what you would like to have. Given this, several OSPOs have been collaborating to build the OSS Review Toolkit (ORT).

In this session Thomas demonstrates how one can use ORT to safely use, integrate, modify and redistribute third-party software, including FOSS, in your software project(s). He will show a FOSS review from start to finish, i.e. from scanning a repository for packages, licenses and vulnerabilities to fixing the issues found and generating attribution documents, source bundles and SBOMs (CycloneDX/SPDX).

By the end of this session you should be able to replicate an ORT-based compliance process within your organization, including automating your FOSS policy using Policy as Code, and save process/review time by using an InnerSource-based review process and re-using FOSS clearance artifacts from the community.

See also: Slides (2.7 MB)

Thomas Steenbergen is the Head of Open Source Program Office at EPAM Systems (www.epam.com).
He is a steering committee member and one of the co-founders/organizers of the European Chapter of the TODO Group, and co-founder of the OpenChain Automation Work Group, both industry working groups where companies collaborate to address shared open source challenges. He has also been an active contributor to the SPDX ISO specification for over 5 years, helping it better match what developers find in code and incorporating security (leading the Defects WG). As a core contributor to the OSS Review Toolkit, he enables highly automated open source policy checks in CI/CD by providing easy, open-source and scalable tooling and by sharing results in open standard (SBOM) formats. He is a frequent speaker and panelist at various global open source conferences and is always happy to start a conversation around anything open source. Thomas has held a variety of technical lead roles over the past 15 years across the Netherlands, the United Kingdom and Germany.

Surya is a Marketing and Program Management professional who has supported marketing of ORT over the years. She has worked in India, Finland and Germany for companies like IBM, Nokia, HelloFresh and HERE Technologies. She is always happy to talk about Open Source program management and how to market Open Source projects.