I first wrote about this topic on my Sybase blog in September 2008. As part of Sybase’s integration with SAP, and the shutdown of the Sybase blog server, that previous post is no longer available, yet the topic remains important for all development organizations. Since our integration with SAP, many aspects of this process for the SQL Anywhere team have changed. As a result, I am revisiting this topic, with some of the previous content, along with many additions and revisions.
One of my tasks as Senior Director of Engineering is to keep a handle on all the 3rd party and open source components we bundle or include in the SAP SQL Anywhere product.
I am sure that our engineering team is not unique in the software industry in looking for ways to speed up development by seeking to include certain 3rd party code to perform specific functions. This code may be object code provided by an operating system vendor such as Microsoft for tasks such as debugging, or it may be open source code providing functionality such as parsing of XML documents. While the bundling of 3rd party code can improve productivity, there are some caveats that development organizations should be very careful to consider prior to bundling the code.
When one of your developers grabs a piece of code from some internet site and integrates it, you, and not the original developer, typically assume all liability for the functionality and supportability of the code. You have to ensure that the code is performing only the functionality you intend, and that you understand it well enough to support the code in the future. Here on the SQL Anywhere team, our rule is that developers may NOT simply grab code and integrate it.
Here are the two key items we ensure are covered prior to its integration with SQL Anywhere:
Both of these items are of equal importance for most organizations. In our organization, they are handled together, so any obvious problems are identified as soon as possible.
Technical Review
The development manager must be involved in all evaluations of the technical aspects of the code, including a review of the code’s functionality to ensure that it is only performing the tasks required, and nothing unexpected. The development team must also run the code through one of the static source code analysis tools we use to understand any security flaws that may be present. As well, the development manager must be able to provide an opinion on the long-term supportability of the code.
Legal Review
Usually, I will work with the development manager to perform a preliminary license review even prior to technical review. If I think the license will probably be acceptable, then we proceed with the rest of the process.
As a company, when we review the license, we are looking for several different things:
Approval Process
We have a structured approval process that must be followed.
Post-Approval
After the bundling of a third party component is approved, there are still three key considerations for our team:
Legal Notification to Customers
Many of our customers have a keen interest in understanding what 3rd party components we include, and under what license. This is especially important to our OEM partners who distribute SQL Anywhere with their own products. As well, many of the 3rd party licenses contain a clause indicating that we MUST inform our customers about their license with respect to that component. To satisfy this requirement, our current in-market versions of SQL Anywhere all include a “Free Download Component / Third Party Terms and Conditions” document. In SQL Anywhere versions 11, 12 and 16, the file is installed (by default) to the ThirdPartyLegal directory.
Tracking of Third Party and Open Source Components
To ease the identification of 3rd party components in SQL Anywhere, the information is maintained in at least two different places:
Prior to each release, we have further due diligence phases. First, the development managers review their projects to ensure that all developers have followed the process: that third party components are all listed on our wiki, are checked into our source control system, and that approval has been obtained from SAP legal. Finally, we undergo a complete source code scan using a specialized product designed to find any open source code. If these all check out, then we are ready to ship.
Conclusion
While the use of open source can certainly be beneficial, the benefits have to be measured against the risks and the compliance costs. As you can see, we take the use of third party and open source code very seriously. I would recommend that you take it seriously too.