Improving Open Source Compliance Processes With OpenChain

About

In this episode, I chatted with Shane Coughlan, who leads the OpenChain project. OpenChain is an initiative run by The Linux Foundation. Listen to this podcast to learn how your company can improve its open source compliance processes. Some of the topics that we discuss include:

– Patent families and the Open Invention Network, which is the world’s largest patent licensing community

– The benefits of using OpenChain as a process standard for open source software compliance

– And how OpenChain helped companies like Wind River and Toyota improve their bottom line.

Transcript

Henry: Hey everybody, welcome back to the 20th episode of Open Source for Business, brought to you by OpenTeams. My name is Henry Badgery, and in this episode I chatted with Shane Coughlan, who leads the OpenChain project. OpenChain is an initiative run by the Linux Foundation. The conversation that I had with Shane will be really useful to anyone who wants to know how to improve their open source software compliance processes using OpenChain. Some of the topics that we discuss include patent families and the Open Invention Network, which is the world’s largest patent licensing community; the benefits of using OpenChain as a process standard for open source software compliance; and finally, how OpenChain helped companies like Wind River and Toyota improve their bottom line. Whether you are a user, developer, manager, or you’re just curious about the industry, OpenTeams is the place to find the information, news, training and support that you need to thrive with open source software. Now that the introductions are out of the way, let’s kick off this episode.

[Music]
Henry: Shane, thanks so much for joining me on the podcast.

Shane: It’s my absolute pleasure, and I see I’ve been in a position of following a great roster of speakers before me. I hope to do it justice.

Henry: I’m sure you will do it justice. We haven’t actually had someone who’s been working in your field, so I’m really excited about what we’re going to discuss today. You’re currently the General Manager of OpenChain, which is an initiative run by the Linux Foundation, and prior to joining OpenChain you were the Global Director of Licensing at the Open Invention Network. Now, I’ve heard of this before because we had Amanda Brock on the podcast.

Shane: Yeah, so you definitely know Amanda. I’ve known her since she actually started in open source, so I think we’re going back about 13 years now.

Henry: Okay, were you at Canonical?

Shane: No, no, I was organizing a legal network for in-house and outside counsel in Europe, and she was a relatively early participant. Well, I mean, in the end there’s about 300 people in the world involved in open source governance around legal matters. We all know each other.

Henry: Everyone knows everyone. I find that’s kind of the case for most of the disciplines in open source. But the Open Invention Network, for those listening, is the largest patent licensing community in the world for open source software. Now I’m curious to learn a bit about the work that you did at this organization.

Shane: Right, so Open Invention Network started back in the mid-2000s, and the basic concept was to address concerns about how large corporations and small corporations that own patents would act on core open source technology like the Linux kernel. The solution was to have companies agree to non-aggression over these technologies. It wasn’t about giving away patents, but it was about saying, in this space we’re not going to leverage our patents in an aggressive manner. When I joined OIN in late 2009 there were 59 companies in the cross-license agreement, and by the time I finished in late 2015 we had scaled to almost 2,000. Now it’s well over 3,000, so it just keeps on growing. Indeed, it’s a simple enough proposition: there’s no reason at all to be aggressive around core open source, and there’s a lot of reasons to collaborate in that space and not to hinder it in any way.

Henry: And so by creating this non-aggression zone for companies to innovate, the Open Invention Network must bring confidence to those that are part of the network. But I can definitely imagine that before the network was established, companies would have wasted a lot of time and money on remediation and other processes. So can you walk us through what that process looked like for companies before the group of people came together and said, okay, we’re actually not going to use patents against each other?

Shane: Well, I think we must distinguish between different jurisdictions. For instance, in the U.S. you have a situation where there’s essentially two things that can happen with patent infringement: one is unintentional infringement and the other is intentional. Intentional leads to triple damages; it’s a very serious thing, and naturally no company wanted to do that. So the area which was gray really is unintentional infringement. What if company X happened to have a core operating system patent, and by using Linux you infringe that? This is a hypothetical, it’s never actually happened, but it was on the table, and every company addressed that in an individual manner, thinking about what’s our personal threat profile, what’s our patent portfolio that could push back, and so on. OIN gave a simple recipe, just saying, okay, here’s how we fix the ecosystem. So it lifted the entire burden of “oh, I have to solve for this” and it became “ah, this is how we do this as a community, and the dollar price for me is zero.” The area in which I’m pledging non-aggression is not where I planned to essentially monetize my patents, and it was a no-brainer, you could say. But it did take a few years before everyone coalesced around that, because it’s a relatively new thing to have a massive cross-licensed community not based on revenue but rather based on saying, okay, I’m not doing revenue here. And of course it’s not altruistic; it’s based on the fact that open source is far more valuable as it is than it would be if it was hindered by people not being able to engage.

Henry: One thing that we discussed off air that really intrigued me was the idea of patent families. So what are patent families?
Shane: So a patent family is essentially where you have one or two very strong patents. Let’s say you invented something completely new, and then around those you hang adjacent innovations, and those adjacent patents might not be super interesting per se, but they help fill out the area. I’m going to give you an example which is an oversimplified version, but you might have a patent on the wheel, and that’s a great patent, but around that you start to have additional patents like a brake pad for the wheel or the axle bolts for the wheel. These individual patents aren’t super exciting, but they’re relevant, and if you have all of that family together you have a pretty strong innovation lock on that wheel approach. So that’s how you build a patent family: you find something really strong, or a couple of patents, and you build out from there. In the modern world companies would often not just build the patent families but occasionally package them and sell them onwards, and a patent family is a really easy thing to digest, because instead of looking at 30 individual patents you’re looking at three patents plus all their best friends.

Henry: Okay, and so how does that compare to license families?

Shane: So the license families are different in that they might be covering completely different technologies. The license families are simply a way of saying, this is how I’m granting around the copyrighted software. So while patent families are very much about saying here are interrelated temporary monopolies on technology, license families are where you’re saying, this is my general approach to licensing software, and inside this general approach I have some options with more or less restrictions for users. So it’s a different mental model, though of course fundamentally, when you pull back, what you’re looking at is intellectual capital, whether it’s an invention in a patent or the hard mathematical work of software, and ways that you can leverage that either for gain or control or indeed granting to everyone, depending on your preference. So patent families, it’s about building out specific innovation locks; license families, it’s about having an approach to granting rights and then, inside that approach, having closely related licenses that give you nuanced options. This is really fun stuff for parties.

Henry: I’m sure it is, and I’m sure you could get in a very, very long conversation at parties about how all of this works. I’d now like to shift gears and focus on the work that you’re currently doing at OpenChain. So for those listening, OpenChain has essentially created a process standard for open source software compliance that’s amazingly being compacted down into a seven-page document. After looking through the website, it’s clear that it helps to define what quality open source looks like, and in short it’s a process approach that removes uncertainty and potential confusion that companies face around license compliance. So on to my question now: what kind of complexities has this helped reduce in the supply chain, and why is it important that companies and suppliers adopt OpenChain’s ISO standard?

Shane: We’ve been doing open source now for about 30 years in the corporate space, and for a lot of that time, in a similar manner to patents, people were doing their own thing and they were solving for how to address license compliance on their own. Many companies did an excellent job in this, but there’s an issue when you look at the supply chain. To get any product to market you’re looking at 20, 30, 40 companies in a chain going from basic silicon through to injection molding through to the final product, or if it’s a cloud product you’re looking at people building the stack from, you know, the core technology of the server all the way to the web app that you’re using. The issue became not how well can my company be compliant; it became how well can the supply chain manage compliance. The problem with being bespoke and solving it on your own is that every company is doing something a little bit different, and therefore a little bit incompatible with each other. So they might mean different things when they say “oh, we scanned internally,” or they might mean different things when they say “oh, I checked the software coming in.” To give you an example, not that long ago in Taiwan one of the companies was using over 20 spreadsheets to address the different requests from their customers, and you can imagine that if it’s the same product but 20 different slices on how you have to talk to your customers about it, the stakes crawl in. So what we had to do was essentially look at a couple of decades of mistakes and isolate when they happened, and as it turns out they happen in the same places all the time. Once we’d done that, we simply said, okay, these are the failure points, have a process here, and if every company follows that, you know exactly where someone should have a process. If something goes sideways, let’s say you find a piece of code that’s not correctly licensed, you can quickly start asking everyone, did you scan this piece of code at inbound? And all of them will have the same answer, yes, we scanned it inbound, or eventually one will be like, oops, and quickly you can fix it. This is very different from the past, where you had to root through the supply chain and go through different questions and answers. So it used to take three to six months to remediate errors; with something like OpenChain you’re looking at days, possibly less, because everyone’s moving in the same direction. So OpenChain is license compliance, but it’s not the dry matter of “oh, we must follow the license text.” Of course that’s the consequence, but it’s really about supply chain efficiency, so we get things done a lot more quickly, a lot more accurately, and that saves us so much resources in going back and forth. And of course it prevents any product stoppage. Naturally, if you isolate an issue with something like licensing, with intellectual property, you don’t want to go to market with that, and that slows you down, and that’s critical in many industries. If you slow a car down you’re looking at serious costs; if you slow a cell phone to market you’re looking at the potential you’ve killed its market position. So it’s an incredibly important area, and it’s one that, while not neglected, we hadn’t found a consolidated approach to. In 2016 we launched this standard and it very quickly gained a lot of traction. In 2020 it graduated as an ISO standard instead of just being a de facto standard, and it continues to accelerate. The reason, of course, is that it’s rather good, and it’s rather good because so many hundreds of companies got together and said here’s where things go wrong, and tried to make sure that instead of a ridiculously long checklist we caught the essence of it. Once we caught the essence of it, companies were free to implement in the specific way they needed to.

Henry: I could definitely imagine that being very useful in the supply chain because of the cascading effect: if one person makes a mistake and isn’t either quick to notify or to be able to see that it happened, and then on the other end actually fix it, it would just be an absolute mess. So it seems like a really interesting way of, like you said, saving resources, both in time and money spent on fixing those mistakes, but also making it a lot faster to go to market and making sure there’s no upsets along the way.

Shane: Yes, and when it comes to something like consumer electronics, you’re looking at approximately one to three months of primary sales and then it’s a long tail, but that’s not really profitable. So if you delay one month to market you’ve really damaged your bottom line.

Henry: So definitely, companies listening, if you’re not a part of this and you’ve got anything to do with the supply chain, but also, which we’ll discuss later, there are other use cases, and you’ve mentioned them before in this conversation, I think definitely check it out on their website. But based on my understanding from looking at the website, OpenChain standardizes a process of collecting different artifacts about compliance at different inflection points for a company, and off air we talked about the three inflection points being inbound, inside and outbound. So can you explain this process a bit for those listening?

Shane: Of course.
The very basic thing is that when you’ve got software coming into a company, you want to know what software it is, what version it is, and what license it’s under. If you isolate those three things as your developer team gets hold of it, customizes it, or simply integrates it, they won’t make mistakes like putting software together that might functionally work but in license terms is incompatible. That’s a really important thing to get right. Internally, of course, then you want to make sure that your team is educated enough to understand what the licenses are, for example, and that as they work they can monitor stuff. The last thing you want is your team to identify incoming software but then turn it into a binary and give it to another team internally, and that other team has no idea what it is. That stuff really happens, especially in multinationals. So, internal training and also tracking. And then finally, on outbound, it’s the sanity check, and it’s basically making sure that the inbound and internal matches what the outbound scan says. Quite frequently in the supply chain, in company internal, something happens inside completely unintentionally. In fact, I’ve never encountered a company purposefully violating a license. Something happens internally: someone took a chunk of code out of something and then forgot, you know, the license. These unintentional errors happen internally and you’ve got to catch them and get them out. So it’s a very simple concept, I mean there’s no quantum physics involved here, but it describes where we know things go sideways. And, you know, once you introduce it in the company, we found that the engineering teams, the project managers, don’t really have a burden in doing it. In fact it’s less burden than someone at outbound saying “oh, you screwed up,” and if you don’t have internal processes you really have to go manual.

Henry: Okay, and how is all of this tracked? Is it in Word documents? I know you said that’s done historically. Is it a case where you kind of turn the 15 pages of Word documents they would have for many different processes or areas within the company and you put it into one, or what kind of process do you use there? And then also you mentioned training. Does that involve going out and making sure that the different teams are aware of these processes, so that if one person in one engineering team actually does add an open source software library, how does that process work? Do they then need to tell or notify the other teams, or is it as simple as just adding that to the document or whatever process you suggest they use?

Shane: So nowadays virtually all companies are either automating or wish to automate these processes, so you’re looking at scanners doing this at inbound, or monitoring development, and catching outbound. I’d say we’re somewhere halfway between the transition of the manual world, which was Excel spreadsheets or custom databases, and having automated tooling. It’s volume as a problem: I mean, the Linux kernel alone is many millions of lines of code, and people are using thousands of packages, so doing it manually inherently introduces errors, and automation helps. Some people use service providers for automation and some people use open source tools. Quite frankly, it doesn’t really matter what you use as long as you’re scanning; everything out there is pretty good. So it’s really a budget issue: do you want to pay someone to take the responsibility of supporting and maintaining the tool, or do you want to save that money and maintain it yourself? What resources do you have? But some people are still using Excel spreadsheets to track their software bill of materials and stuff. For instance, in Japan there’s a bunch of companies doing that, and it’s fine as long as they make it nice and clear. Particularly nowadays we use something called a software bill of materials, and that uses standardized tagging, so whether you are using a tool that’s automated or you’re using a spreadsheet, the tags are fundamentally the same. So, you know, if you give them a spreadsheet they can then use their tool to read the spreadsheet and integrate it into their workflow, and if they come out the other side and someone needs a spreadsheet, they can dump that into a spreadsheet. So that’s really the link, and the line between manual and automated is blurring away. Yeah, spreadsheets are not optimal, that’s for sure, but, you know, it works for small companies. Quite frankly, for small companies it’s not a burden. If you’re moving 100 million lines of code an hour like a large multinational, a spreadsheet would kind of be pushing the limits of what you can do.

Henry: So it’s definitely a consideration these smaller companies need to have: yes, start with a spreadsheet, which is quite archaic but would work for a little bit, then get out of the dinosaur ages and move into something a bit more advanced. And so it seems like it’s quite different across companies based on size and also industry, and I can assume that a lot of those larger and medium-sized companies that have adopted open source with an idea of trying to make it work for them, knowing all of the software coming in and out, it sounds like largely that would be automated by a lot of these tools. What are some of the best tools out there for automating that process?

Shane: Well, right now there’s probably scanning tools which are light in open source, like ScanCode is one, another is FOSSology, and these are ways to quickly scan a corpus of code. Then there’s more integrated management tools that are scanning and tracking, such as ORT, Open Source Review Toolkit. And I think probably right now we’re looking at an even split across the industry: ScanCode, FOSSology and ORT. I think most people tend towards ScanCode for getting started; it’s the lightest to get started. For process integration a lot of people now in Europe are using ORT. FOSSology is something that goes from scanning into complexity, and quite a few companies have been using it for quite a few years. I think it’s probably the most mature solution out there, though not necessarily the most popular in all jurisdictions. But I mean, you’re looking at how long is a piece of string. Companies are so different that it’s hard to pick any winner out there; it’s really more of a portfolio of options. And on commercial tooling you have much the same thing. You’ve got companies like FOSSID, laser focused on scanning for compliance and a bit of security. Then you’ve got companies like Synopsys, who own Black Duck, who are doing the same thing but also integrating into all kinds of project metrics and so on. And then you’ve got companies like PwC that you don’t really hear about in the context of open source compliance, but they have incredibly sophisticated holistic process management for their customers. So again, it’s how long is a piece of string. What a bank wants is very different from what a router company wants, and the only thing I’d say is that most companies are margin constrained. I mean, a few companies like Google or Facebook print money and they can afford to do whatever they want, but if you look at a company in the middle of the supply chain putting together a router, their margin is one, two or three percent, right? So that helps determine what they choose as much as the effectiveness of the solution or the sophistication of it.

Henry: It’s funny you mentioned Synopsys, because we had Paul Chen, who’s a manager of open source compliance and enablement at Synopsys, as one of the early guests on the podcast, and I was stunned when I heard the amount of audits they do every year. I think it was something like 600 or more, and it definitely shows that that is quite a mature market. We have the technology today; I guess you could develop it internally, but it’s probably best to look externally, since we are such a mature market in that space. I was wondering if you could share an example of a company using the OpenChain standard and explain how it affected their bottom line.

Shane: I think one good example is Wind River,
which isn’t a company that most people have heard of. They basically work in the background on integration, and they’re involved in everything from helping people with consumer electronics through to space programs. So, you know, if you want to build a Mars rover you might talk with Wind River about how to get started. They’ve been using OpenChain since the beginning, and for them it was integral in two ways. One, it displayed a path forward for supply chain management, and remember, you know, Wind River is somewhere in the lower middle: they’re above silicon but below application level, right? And for them it meant a path to not dealing with 100 different requests from customers, and it also meant a path to just unequivocally stating that yes, we are using the standard for this, you know, there’s no question that we’re using the correct standard. So they’ve been deriving value since we launched in October 2016. They were the first company conformant, they’ve been conformant with every revision, and they use it extensively in their marketing and support materials. I think their benefit was they deal with a lot of customers, including the most demanding in the world in areas like aviation and defense and so on, so for them a portfolio of clear standards is the optimal solution. You don’t want something where you say “oh, we do this in the way that we invented and that’s great,” because, you know, your audience will typically look at you and be like, “and which standard does that follow?” So, you know, that’s... Another example is Toyota, which adopted OpenChain as an ISO standard on the day of release. So, you know, obviously they had a preview of the standard and were working on it for a while. For them it’s simple: they’re at the very end of the supply chain, and, you know, as car companies will often tell you, they’re not a manufacturer, they’re an integrator. They really don’t make anything; they put stuff together really effectively. For a company like that, with thousands of suppliers, it’s a statement of how they want their supply chain to align, and it’s all about efficiency and accuracy. I do remember one of the Toyota crew telling me that Toyota’s primary capital is trust, customer trust, and everything that increases that is valuable to them, and anything that challenges it is a core issue. So OpenChain isn’t about license compliance to Toyota per se; it’s about saying, in this new domain, in this domain of software, here is one of the ways you can trust us.

Henry: And of course, like, OpenChain can lead to... When researching for this podcast, I read that the OpenChain standard had also been applied in other domains, and you hinted at that at the beginning of the podcast. Some of the things that came to mind were security and venture capital. So can you talk a bit about the different ways that this standard has been applied outside of the supply chain?

Shane: Yes, to some extent it’s been surprising,
the extent that OpenChain has been used in different domains, given that we’re a young standard. I mean, in the international market sense, five years is young, and we’re just out of ISO for five months, so it’s a case of “oh, this is a youthful standard.” But yeah, it was applied almost directly into new domains, and it continues to be. We just finished our project survey for Q1 2021 and we found that over 50 percent of organizations engaging with OpenChain were up to something else apart from conformance or internal compliance health checks. And, you know, you look at that metric and you’re like, that’s interesting, I wonder why, and then you look at the satisfaction metric and virtually everyone was saying “oh, we’re very satisfied,” and you think, gosh. But the reason is that OpenChain distilled identification and management of software at a very basic level, and particularly in a domain like security, what OpenChain accomplishes is pretty much exactly what you want and need for security: identification of the software and the version. You mightn’t care about the license from a security perspective, but you care a great deal about the first two, and, you know, on a core level there isn’t much else you’d want to do on security for identification of software. OpenChain covers all those core bases, so it just slots into your existing approach to security. It’s like, oh okay, here’s how we do the open source identification process management, and thus it is people are using it that way. Other domains as well: so venture capital and mergers and acquisitions. I think M&A came up first. We found that companies were leveraging OpenChain to ask acquisition targets, are you OpenChain conformant? And, you know, most of them would say no, and then they’d ask, do you have processes at the points where OpenChain requires? And most of them would say no, and at that point as an acquisition company you can start to find out what processes are they missing, and you can also do things like negotiate on pricing and so on. So it became a tool immediately in M&A. And, you know, I don’t want to say that it was a mercenary tool that everyone just wants to negotiate lower pricing; we’re talking about the whole thing. When you’re doing M&A you’ve got to vet companies, and the question is how do you vet. Using the industry standard makes the most sense. Same for venture capital. Again, you’re looking at a situation where you’re about to roll the dice on a new company, or you’re entering a young company, and probably your biggest question, apart from the quality of the team, is how chaotic is it in here. You can see how that played out in certain markets, like WeWork being one of the most fascinating train wrecks in recent IPO history. It is an extreme case, but it shows that a company that’s young and has been operating for years can still be utterly chaotic inside, and OpenChain helps close one of those chaos zones. Do you use open source? The answer is always yes, and if they say no you have a red flag, because of course they do, everyone does. And then, you know, do you follow process management on compliance? The last thing you want to ingest as a VC is bad intellectual property. So, you know, it fits. And we found it used in other domains as well, like people using OpenChain for export control. Again, similar to security, it just touches on the right domain points. So quite frankly, we are accidentally successful at a pace we didn’t expect, in a wider range of domains than we had foreseen. We had foreseen security, we had thought about export control, but we didn’t think we’d be leveraged by VCs as early as we are. But there you go, and of course we work hard to support all of these use cases, by first of all making everything public domain in terms of documentation, and second of all just letting people use our infrastructure for, you know, self-certification, assessment and so on. So you can just tell a company, or tell yourself, go and use the web app and see how many questions you can answer yes to. It’s nice and simple, and there’s little to no limitations; we don’t limit it to license compliance, and that’s good, because over half of the people are not using it for license compliance. And, you know, that’s accelerating. I think we’ve had defense companies and aviation companies turn up in increasing numbers. Naturally they’re looking at a whole range of things that they’re covering, so they’re using us in multiple domains.

Henry: Okay, and definitely everyone, anyone who’s listening, check out OpenChain’s website and see how you can apply this standard if you want to save time, minimize waste, and increase the speed at which you can solve some of these compliance problems. That sounds really like a great resource and also a community to be a part of. And also, yeah, whether you’re M&A, venture capital, export control, really anything, it seems like you’ve got a big range of companies now using it, so make sure you do check it out. Is there anything upcoming that people who are listening should be aware of?

Shane: Well, I think on the closing note with OpenChain, since it became an ISO standard, where it’s ISO 5230, we are now in a state of maturity where we’re not planning to change the standard for quite a while, but we are planning to build explicit guidance documents or extensions to help companies using us for M&A, for security, export control, VC and so on. So, you know, get involved with our community if you’re interested in those domains as much as compliance. Not only do we support you currently, but we’re building explicit documentation based on the experience of user companies just to make it easier. We work closely with things like the national standardization committees in countries like China, U.S., Germany, UK, and we work closely with international bodies like ISO, obviously, because we’re an ISO standard, and we also keep in communication with entities like OASIS and so on. So I’d say watch this space. What we’re doing now is extensions in terms of guidance documentation for OpenChain, and we’re working on integration with other standards. It’s like, how do we make sure there’s no gap between the various standards, there’s nothing to slip through as you go from, you know, your functional safety standard to your security standard to your OpenChain standard and so on. So it’s a case of watch this space as we iterate and refine guidance documentation to make it as quick and as effective as possible, no matter what the use case.

Henry: So Shane, thanks so much for joining us today. I definitely learned a lot myself, and I’m sure everyone listening learned a lot through this conversation. So thank you.

Shane: My pleasure. Thank you for having me.
Henry: And to everyone who’s listening, if you like what you’re listening to today then please leave a review on Apple Podcasts, or if you’re watching this on YouTube leave a comment and like this video letting us know what you think. It really does help out. Share it with a friend, get it out there, because we want to make open source thrive. That is our goal. So thanks very much everyone, thanks Shane, and until next time, thanks for [Music] you.