    Titans and Trolls Enter the Open-Source Arena

    Open-source software has become a prominent part of the software industry, due in part to its applications in mobile devices, online social networks, and cloud computing. As a result, the open-source community is an increasingly attractive litigation target for patent trolls and titans. While in the past the open-source community focused primarily on ensuring license compliance, it now must reach beyond open-source licensing agreements and vigilantly employ multiple current or as yet untested defensive maneuvers to withstand the threats of patent lawsuits.

    Assisting Software Developers With License Compliance

    Open source licensing determines how open source systems are reused, distributed, and modified from a legal perspective. While it facilitates rapid development, the legal language of these licenses can make them difficult for developers to understand. Because of misunderstandings, systems can incorporate licensed code in a way that violates the terms of the license. Such incompatibilities between licenses can result in the inability to reuse a particular library without either relicensing the system or redesigning its architecture. Prior efforts have predominantly focused on license identification or on understanding the underlying phenomena without reasoning about compatibility on a broad scale. The work in this dissertation first investigates the rationale of developers and identifies the areas that developers struggle with regarding free/open source software licensing. First, we investigate the diffusion of licenses and the prevalence of license changes in a large-scale empirical study of 16,221 Java systems. We observed a clear lack of traceability and a lack of standardized licensing that led to difficulties and confusion for developers trying to reuse source code. We further investigated the difficulty by surveying the developers of the systems with license changes to understand why they first adopted a license and then changed licenses. Additionally, we performed an analysis of issue trackers and legal mailing lists to extract licensing bugs. From these works, we identified key areas in which developers struggled and needed support. While developers need support to identify license incompatibilities and to understand both the cause and the implications of the incompatibilities, we observed that state-of-the-art license identification tools did not identify license exceptions. Since these exceptions directly modify the license terms (either the permissions granted by the license or the restrictions imposed by the license), we proposed an approach to complement current license identification techniques in order to classify license exceptions. The approach relies on supervised machine learners to classify the licensing text and identify the particular license exception, or the lack of a license exception. Subsequently, we built an infrastructure to assist developers with evaluating license compliance warnings for their system. The infrastructure evaluates compliance across the dependency tree of a system to ensure it is compliant with all of the licenses of the dependencies. When an incompatibility is present, it notes the specific library or libraries and the conflicting license(s) so that the developers can investigate these compliance warnings, which would otherwise prevent distribution of their software. We conduct a study on 121,094 open source projects spanning 6 programming languages, and we demonstrate that the infrastructure is able to identify license incompatibilities between these projects and their dependencies.

    LICENSE COMPLIANCE ISSUES IN FREE AND OPEN SOURCE SOFTWARE

    Today, free and open source software (FOSS) is widely used by organizations and individuals and viewed as a new approach to developing software. New software can be developed by integrating FOSS components or incorporating source code fragments, thus adding value in terms of functionality and quality. The use of FOSS components in developing new software requires developers to comply with the terms of the licenses associated with those components. The issues related to this compliance scenario are of paramount importance, because the license of a FOSS component can impact the whole information system or computer application being developed. License compliance in FOSS is a significant issue today, and organizations using FOSS are predominantly focusing on this issue. Non-compliance with licenses in FOSS systems leads to loss of reputation and high litigation costs for organizations. An automated approach is preferred for verifying the license compliance of FOSS being developed. Towards an automated approach, in this paper we argue for FOSS licenses in a machine-interpretable form and for managing license compliance within the FOSS development process.

    Risk Mitigation in Corporate Participation with Open Source Communities: Protection and Compliance in an Open Source Supply Chain

    Open source communities exist in large part through increasing participation from for-profit corporations. The balance between the seemingly conflicting ideals of open source communities and corporations creates a number of complex challenges for both. In this paper, we focus on corporate risk mitigation and the mandates on corporate participation in open source communities in light of open source license requirements. In response to these challenges, we aim to understand risk mitigation options within the dialectic of corporate participation with open source communities. Rather than emphasizing risk mitigation as an ad hoc and emergent process focused on bottom lines and shareholder interests, our interest is in formalized instruments and project management processes that can help corporations mitigate the risks associated with participation in open source communities through shared IT projects. Accordingly, we identify two key risk domains that corporations must attend to: property protection and compliance. In addition, we discuss risk mitigation sourcing, arguing that tools and processes for mitigating open source project risk do not stem solely from a corporation or solely from an open source community. Instead, they originate from the interface between the two and can be paired in a complementary fashion in an overall project management process of risk mitigation. This work has been funded through the National Science Foundation VOSS-IOS Grant: 112264.

    Efficient Prior Publication Identification for Open Source Code

    Free/Open Source Software (FOSS) enables large-scale reuse of preexisting software components. The main drawback is increased complexity in software supply chain management. A common approach to tame such complexity is automated open source compliance, which consists in automating the verification of adherence to various open source management best practices about license obligation fulfillment, vulnerability tracking, software composition analysis, and nearby concerns. We consider the problem of auditing a source code base to determine which of its parts have been published before, which is an important building block of automated open source compliance toolchains. Indeed, if source code allegedly developed in house is recognized as having been previously published elsewhere, alerts should be raised to investigate where it comes from and whether this entails that additional obligations shall be fulfilled before product shipment. We propose an efficient approach for prior publication identification that relies on a knowledge base of known source code artifacts linked together in a global Merkle directed acyclic graph and a dedicated discovery protocol. We introduce swh-scanner, a source code scanner that realizes the proposed approach in practice using Software Heritage, the largest public archive of source code artifacts, as its knowledge base. We validate the proposed approach experimentally, showing its efficiency in both abstract (number of queries) and concrete terms (wall-clock time), performing benchmarks on 16,845 real-world public code bases of various sizes, from small to very large.

    Open Source Software Governance: A Case Study Evaluation of Supply Chain Management Best Practices

    Corporate open source governance aims to manage the increasing use of free/libre and open source software (FLOSS) in companies. To avoid the risks of ungoverned use, companies need to establish processes addressing license compliance, component approval, and supply chain management (SCM). We proposed a set of industry-inspired best practices for supply chain management organized into a handbook. To evaluate the handbook, we ran a one-year case study at a large enterprise software company, where we performed semi-structured interviews, workshops, and direct observations. We assessed the initial situation of open source governance, the implementation of the proposed SCM best practices, and the resulting impact. We report the results of this study by demonstrating and discussing the artifacts created while the case study company implemented the SCM-focused governance process. The evaluation case study enabled the real-life application and the improvement of the proposed best practices.

    DaMiRseq—an R/Bioconductor package for data mining of RNA-Seq data: normalization, feature selection and classification

    Summary: RNA-Seq is becoming the technique of choice for high-throughput transcriptome profiling, which, besides class comparison for differential expression, promises to be an effective and powerful tool for biomarker discovery. However, a systematic analysis of high-dimensional genomic data is a demanding task for such a purpose. DaMiRseq offers an organized, flexible and convenient framework to remove noise and bias, select the most informative features and perform accurate classification. Availability and implementation: DaMiRseq is developed for the R environment (R ≥ 3.4) and is released under the GPL (≥2) License. The package runs on Windows, Linux and Macintosh operating systems and is freely available to non-commercial users at the Bioconductor open-source, open-development software project repository (https://bioconductor.org/packages/DaMiRseq/). In compliance with Bioconductor standards, the authors ensure stable package maintenance through software and documentation updates. Supplementary information: Supplementary data are available at Bioinformatics online.

    REUSE Software: Making Copyright and Licensing Compliance Easier for Everyone

    Best practices for displaying data and metadata pertaining to software licensing and copyright are currently unharmonized. The multiple competing requirements for communicating the chosen license of a software project and its copyright holders increase the compliance burden on project maintainers, especially for smaller free and open source software (FOSS) projects. The "REUSE Software" initiative aims to remediate this situation by defining a set of easy-to-implement best practices for declaring copyright and licensing in an unambiguous, human- and machine-readable way, so that the information is preserved when a file is copied and reused by third parties. REUSE specifications facilitate management policies for digital commons, improving data and metadata communication for individuals, communities, governments, and businesses.

    The Cardiac Atlas Project--An Imaging Database for Computational Modeling and Statistical Atlases of the Heart

    MOTIVATION: Integrative mathematical and statistical models of cardiac anatomy and physiology can play a vital role in understanding cardiac disease phenotype and planning therapeutic strategies. However, the accuracy and predictive power of such models is dependent upon the breadth and depth of noninvasive imaging datasets. The Cardiac Atlas Project (CAP) has established a large-scale database of cardiac imaging examinations and associated clinical data in order to develop a shareable, web-accessible, structural and functional atlas of the normal and pathological heart for clinical, research and educational purposes. A goal of CAP is to facilitate collaborative statistical analysis of regional heart shape and wall motion and to characterize cardiac function among and within population groups. RESULTS: Three main open-source software components were developed: (i) a database with web interface; (ii) a modeling client for 3D + time visualization and parametric description of shape and motion; and (iii) open data formats for semantic characterization of models and annotations. The database was implemented using a three-tier architecture utilizing MySQL, JBoss and Dcm4chee, in compliance with the DICOM standard to provide compatibility with existing clinical networks and devices. Parts of Dcm4chee were extended to access image-specific attributes as search parameters. To date, approximately 3000 de-identified cardiac imaging examinations are available in the database. All software components developed by the CAP are open source and are freely available under the Mozilla Public License Version 1.1 (http://www.mozilla.org/MPL/MPL-1.1.txt).

    Presence of a pre-hospital enhanced care team reduces on scene time and improves triage compliance for stab trauma

    Background: A reduction in pre-hospital scene time for patients with penetrating trauma is associated with reduced mortality, when combined with appropriate hospital triage. This study investigated the relationship between the presence of pre-hospital enhanced care teams (ECT) (Critical Care Paramedics (CCPS) or Helicopter Emergency Medical Service (HEMS)) and the scene time and triage compliance of penetrating trauma patients in a UK ambulance service. The primary outcome was whether scene time reduces when an ECT is present. A secondary outcome was whether the presence of an ECT improved compliance with the trust's Major Trauma Decision Tree (MTDT). Methods: All suspected penetrating trauma incidents involving a patient's torso were identified from the Trust's computer-aided dispatch (CAD) system between 31st March 2017 and 1st April 2018. Only patients who sustained central penetrating trauma were included. Any incidents involving firearms were excluded due to the prolonged times that can be involved when waiting for specialist police units. Data relevant to scene time for each eligible incident were retrieved, along with the presence or absence of an ECT. The results were analysed to identify trends in the scene times and compliance with the MTDT. Results: One hundred seventy-one patients met the inclusion criteria, with 165 having complete data. The presence of an ECT improved the median on-scene time in central stabbing by 38% (29m50s vs. 19m0s, p = 0.03). Compliance with the trust's MTDT increased dramatically when an ECT was present (81% vs. 37%, odds ratio 7.59, 95% CI 3.70-15.37, p < 0.0001). Conclusions: The presence of an ECT at a central stabbing incident significantly improved the scene time and triage compliance with a MTDT. Ambulance services should consider routine activation of ECTs to such incidents, with subsequent service evaluation to monitor patient outcomes. Ambulance services should continue to strive to reduce scene times in the context of central penetrating trauma.