& Do You Know The Ingredients | Using The Rasa Framework OF Your Software? For Creating Chatbots ees ONC EF YGROUP rican WORK WITH THE RIGHT OrientDB: A Flexible And Scalable Multi-Model NoSQL DBMS Using BigchainDB: A Database With Blockchain Characteristics Popular Open Source Databases: An Overview MariaDB And MySQL: Which One Should You Use? Business As A Platform How Open Source Is Helping To Enable Innovation To Build Smart Cities www. .com DO OPEN SOURCE. All you need to do is develop expertise in an Open Source stack, and then build a team around it! And, Open Source For You can be your friend and a guide through this journey. - tm Visit: htips:isubscribe etyindia.com ss TO/READ OUR EZINE EDITION. visit: ntps:lezinetfymag.com é cat 4 < Locking for marketing solitons to engage wih outing edge techies? — Contact us at growmybiz@elyin OR call us at +91-9811155335, Does Your Antivirus Solution Provide SMe Meera ts TOP 10 things that your Antivirus solution should provide to tackle today’s threat... Ransomware File Protection ATP. Advance Threat Protection Deter a nse Application Blocking eee Leaming, Exploit Prevention RL Blocking Disk and Boo! Respond Investigate Remove Record Protection Lomi (Root Cause Analysis) ValeeoC Sun eRe NC Caa MOM Bl UOMR TIA CuK 0 Contact: Santosh on 9971696319 or Email at santosh gupta@itsipl.com Ss LT. Solutions India Private Limited + Mumbai ‘SSOPHOS 2920 GEST NEXTGEN PARTNER | Deln NCR 1D-88/5, Okhia Indust Area, Okhla Phase |, New Dehi-110020 + Jaipur ‘SOPHOS 2019 BEST NEXTGEN PARTNER | Delhy NCR ‘nrc Comeew ph Q1-47695000 «Em: ales@ tsipLcom -wwwitsp.cam + Chandigarh ‘SOPHOS 2018 BEST S! PARTNER | Dei CONTENTS eecesecsies soe sirn FORU &ME 41 Typeset: Taking the rudgery Out of Formating Academic Papers FOCUS 53 Top 10 Open Source Databases How Open Source is Helping Do You Know the Ingredients 58 epuar OpenSource Databases: to Big Smart Cities of Your Software? 
\n Overview 60 Using BigchainDB: A Database with Blockchain Characteristics DEVELoPeRs_______|_ Building Reusable Modules 72 Managing Secrets via Amber 74 Simplify Invoicing by Creating a Template with Python l COLUMNS —__ Dr Sanjeev Kumar 84 CodeSport ‘Shrivastava 600 an Nationa Coornat, ADMIN: STEM 86 Malboxes: Malware Analysis Made Easy 92 Docker: The Platform for New Business as a Platform to Generation Virtualisation in the industry trying to build new Enable Innovation innovative products 95 First Animal/Bird Language Translator Enabling you to Tak 07 FossBytes with Nature 4 | DECEMBER 2021 | OPENSOURCE FOR YOU | www OpenSourceFor com = GROUP Wanna Support —— Open Source For You? — Subscribe to the Magazine— so that we can Keep promoting Open Source. (ZA ES Eva eae asi we 5 ~\ Pay for = AAW 6 Issues A oxo” we Get 12! We": (Buy One Get One Free!) ree ee eee eres a eee ~~~ Wann nnn EE — ~~: ORDER FORM ~~~~~-~~--~---~---~ Satta Pay Pay { Pe Please CS Cd Tick (v) ey (Buy 24 tsa Free!) 3 Your Choice 1440 2880 SEE To subscribe online, visit — https://tinyurl.com/ySkuv4la cous Mating Aas, its photocopy to FV Enterprises Put td, 07/1 Ci few Det 110020 | Ph: 019-€059600 Shoo CONTENTS roua,suscurnoNs ABvNG sung um uannngn cae MariaDB and MySQL: Which One fe 8 Should You Use? axis Ensen ewss0 stun ttn sverseuens tame tect trench tae foepiom Ent eane| Ethene pase Installing and OrientDB: A Flexible and Using MariaDB on Scalable Multi-Model tendpiitndnteti ontn Ubuntu NoSQL DBMS ‘pittance se Sietretesetonretarensconr ‘tse eae ‘mantissa Miennderiatcoates Transforming Data Using the Rasa Framework for withR Creating Chatbots 6 | DECEMBER 2021 | OPEN SOURCEFOR YOU | vaw-OpenSourcefatUcam FOSSBYTES Microsoft launches open Airbnb open sources serverless public key source real-time collaboration _ ‘amework ott i 7 ‘Airbnb has announced open tool called ‘Loop source Ot, a serverless pul infrastructure (PK1) framework developed in-house. 
Ottr handles end- tend certificate rotations without the use of an agent. Its primary design aims to be a scalable and configurable serverles framework on AWS, with litle operational overhead ‘or reliance on enrolment protocols. Our ean be extended to handle end-to-end certificate rotations for any hosts (e.g., network infrastructure, Linux, Windows) ‘capable of managing their own X.509 certificates from a remote session (ea. API, SSH, SSM Agent) While there are a numberof agent-based solutions to automate certificate rotations for Linux key Microsoft has launched its own version of Google Wave~ Microsoft Loop, anew and Windows distributions, the Office collaboration app. process to broker certificates for According to TechCrunch, Loop is a new app — and concept — that takes network infrastructure commonly the Fluid framework, which provides developers with flexible components to mix involves either manual intervention and match in order to create real-time editing-based applications, to create a new from engineering teams or use experience for users to collaborate on documents ‘of enrolment protocols such as Inmany ways, that was also the promise of Google Wave — real-time collaboration Certificate Management Protocol plusa developer framework and protocol to bring Wave everywhere, the report sai. (CMP), Simple Certificate Enrolment Google Wave was a doomed real-time messaging and collaboration platform Protocol (SCEP), or Enrolment over Google launched in 2009 and prematurely shuttered in 2010. Secure Transport (EST), all of which There are three elements to Loop — Loop components, which are ‘atomic have security issues. units of productivity’ like lists, tables, notes and tasks; Loop pages — “flexible ‘canvases where you can organise your components and pull in other useful elements like files, links, or data to help teams think, connect, and collaborate;" and Loop ‘workspaces. 
These are shared spaces where you can catch up on what everybody is working on and track the progress towards shared goals, (One thing Wave never had that is apparently a core feature of Loop is that the latter tracks your cursor position in real-time, the report said Linux Foundation enhances security to its LFX Community Platform ‘The Linux Foundation, the non-profit organisation enabling mass innovation through open source, has enhanced its free LEX security offering so that open tr was built to abstract away a source projects can secure their code and reduce non-inclusive language. numberof challenges associated with ‘The LFX platform hosts community tools for security, fundraising, community certificate provisioning while also ‘growth, project health, mentorship and more. I supports projects and empowers providing additional benefits around ‘open source teams to write better, more secure code, drive engagement and grow sustainable ecosystems. ‘operations and security wovs.OpenSaurceFrU.com | OPEN SOUR FORVOU | DECEMBER 2021 | 7 =f FOSSBYTES Eclipse Foundation invites tech leaders for collaboration on software- defined vehicles ‘The Eclipse Foundation, along with ‘multiple industry leaders including Bosch, Microsoft and others, has announced an open invitation for technology leaders to help define a new ‘working group focused specifically on the software-defined vehicle. ‘The ultimate goal will be the creation of a vendor-agnostic, open source ecosystem with a vivid, contributing community focused on building the foundation for a new era in automotive software development. This announcement serves as a “call toaction” forall interested partes to Join this initiative and help shape the future of mobility. ‘Today, next-generation vehicle developers are turning to software- based solutions for their new designs. The foundation believes this will lead to an open source revolution that results in software-defined vehicles. 
‘These vehicles will enable vehicle manufacturers as well as automotive suppliers to put software atthe very centre of vehicle development, with hardware considerations to follow. “We're very excited to develop this new effort here at the Eclipse Foundation. Although we have extensive roots withthe automotive community, a project ofthis scope and scale has never been attempted before,” said Mike Milinkovich, executive director of the Eclipse Foundation. “This initiative enables participants to get in at the ‘ground Jevel’ and ensure they each have an equal voice in this project.” ‘To support the transformation to software-defined vehicles, major players from the technology industry as well asthe automotive industry are being encouraged to collaboratively develop an open source in-vehicle application runtime stack, cloud-based vehicle operations, as well as highly integrated development toolchains. 8 | DECEMBER 2021 | OPEN SOURCE FOR YOU ‘The LEX Security module now includes automatic scanning for secrets-in- code and non-inclusive language, adding to its existing comprehensive automated ‘vulnerability detection capabilities. Software security firm BluBracket has contributed this functionality to open source software projects under LFX as part of its mission of making software safer and more secure. This functionality builds on contributions from Snyk, making LFX a leading vulnerability detection platform for the open source community. LEX Security now includes vulnerabilities detection, code secrets and non-exclusive Tangioge LEX tacks LILF bow many kxown vulneblts have been found in open source project, identifies if those vulnerabilities have ‘been fixed in code commits, and then reports on the number of fixes per project, through an intuitive dashboard. 
It detects secrets-in-code such as passwords, credentials, keys and access tokens, both pre-and post-commit, It also detects non-inclusive language used in project code, which isa barrier in creating a welcoming and inclusive community. Microsoft's Power Fx is now open source Microsoft's low-code programming language Power Fx has now been open sourced under an MIT licence on GitHub repository. The tech giant has open sourced the documentation of the language with plans to open source the actual source code by 2021 end. Microsoft officially announced its Power Fx, an open source formula language for low code that’s based on Microsoft Excel, in March. This language is said to allow customers of the Power Platform to build and customise application logic. Using formulas that are already familiar to hundreds of millions of users, Power Fx allows a broad range of people to bring skills they a already know to low at code solutions. It becomes a common AG ground for business users and professional developers alike to express logic and solve problems. Power Fx is said to have the tools a professional expects, {including the ability to directly edit apps in text editors like Visual Studio Code and use source control. This enables developers to go faster and find common ‘ground with millions of makers. Power Fx doesn't just share the same syntax and functions as Excel, i also behaves in a familiar way. Like Excel, formulas are declarative and recalculate instantly just as a spreadsheet does. Makers have the advantage of telling the app ‘what they want it todo without having to describe the how ar when—Power Fx does that for you, freeing developers from the tedious task of keeping variables and data tables up to date manually. |_wrwn-OpenSourceforU.com FOSSBYTES ‘The project welcomes contributions in agreement to Microsoft's Contributor License Agreement (CLA). 
NASA and ESA release open source tool for analysing Google Research introduces JAX library Earth science data for computer vision research NASA and ESA (European Space With new architectures like vision transformers (iTS) taking up day-t0- Agency) have publicly released day applications, there is a clear demand for software and machine learning an open source science tool for infrastructure to support analysing Earth science data in the easy and extensible ‘loud ~ the Multi-Mission Algorithm neural network and Analysis Platform (MAAP). architecture research in MAAP enables scientists to the field of visio. collaboratively develop algorithms Researchers and code as well as analyse and from Google Brain have visualise lage data sets acquired introduced SCENIC, an from sources including satelite pen source instruments, the International Space JAX library with a Station, and airborne and ground focus on transformer ‘campaigns, The large data and high- based models for computer vision research, It has been successfully used to develop _ performance computing required for classification, segmentation, and detection models for images, videos, and other MAAP, along with a shared code ‘modalities, including multi-modal setups. repository and catalogue, are stored ‘The SCENIC toolkit aims to facilitate rapid experimentation, prototyping, and and managed in the cloud. MAP research of new vision architectures and models. It offers optimised implementations capabilities are supported and shared of state-of-the-art research models spanning a wide range of modalities. between NASA and ESA. This open source library offers a unified, all-in-one codebase for modelling MAAP is said to provide access needs and implementations like ViT, DETR, MLP Mixer, ResNet and U-Net. to NASA and ESA Earth science SCENIC is developed in JAX and uses Flax as the neural network library. 
JAX ‘data’ and is a model for open source isa simple-to-use library that allows automatic differentiation of native Python science collaboration and analysis. and NumPy functions. t can support multi-host and multi-device training on It's the host platform for the first accelerators such as GPUs and TPUs, making it perfect for large scale machine globally harmonised assessment of learning research. aboveground carbon — information that is vital for managing global DIA integrates its Oracle infrastructure with the NEAR Protocol climate change. the development of effort. It is fully operational and The NEAR to tackle a broader range of Earth developed by the NEAR Foundation, using a proof-of-stake consensus mechanism. of a global effort to determine the surface, aiming to solve the scalability issue that ledgers like Ethereum are showing Intergovernmental Panel on Climate vs. OpenSaurceFtU co (OPEN SOURCE FOR YOU | DECEMBER 2021 | 9 =f FOSSBYTES YADRO joins the Open Invention Network community Open Invention Network (OIN), the ‘organisation formed to safeguard ‘open source software (OSS) and the patent non-agaression community, announced that YADRO has joined as a community member. According to IDC, YADRO provides enterprise storage and high-performance servers in Russia and Eastern Europe. “High-performance enterprise computing and storage is enabled by Linux and other key open source software projects. The shared innovation generated by the open source community has enabled previously unimaginable scalability ‘and stability. OSS is essential to modem on-premises, hybrid ‘and cloud-based environments,” said Keith Bergelt, CEO of Open Invention Network. “Open source platforms enable the rapid deployment of advanced computing, storage ‘and communications solutions. We recognise the value in shared Innovation, a fundamental characteristic of open source “communities,” said Anna Egorova, chief delivery officer at YADRO. 
OIN’s community practices Patent non-aggression in core Linux and adjacent open source technologies by cross-licensing Linux System patents to one ‘another on a royalty-free basis. Patents owned by Open Invention Network are similarly licensed royalty-free to any organisation that agrees not to assert its patents against the Linux System. ‘announced the integrations of its data provision with many of these new networks, including chains like Moonriver, Arbitrum, Celo, Shiden and many others. Yugabyte raises US$ 188 million to expand into new markets ‘Yugabyte has raised USS 188 million in oversubscribed Series C funding led by Sapphire Ventures in support with Alkeon Capital, Mertech Capital, Wells Fargo Strategic Capital, and others. = ‘The new funding comes seven SEARS CU EReRE "months after the company raised USS 48 tetera million in a Series B-1 round that puts the company's valuation at more than USS 1.3 billion ‘Yugabyte’s open source database provides both the Apache Cassandra and PostgreSQL databases with API compatibility. “This additional funding will enable us to further grow Yugabyte’s field and engineering teams and fuel the company’s ongoing expansion into new markets around the world” wrote Bill Cook, CEO of Yugabyte in the company blog “We built YugabyteDB to address the growing unmet need for a cloud native transactional RDBMS for modem applications.” ‘YugabyteDB is an open source distributed SQL database that can run anywhere cloud native applications are deployed, across private, publi, hybrid, and multi cloud environments DTC's open source repository is now available on GitHub Digital Twin Consortium (DTC) said its open source collaboration initiative is ‘now available to the public on GitHub. An open source collaboration community accelerates the adoption of digital twin-enabling technologies and solutions Consortium members and non-members can collaborate on open source projects, code, and collateral and become part of : the DTC ecosystem. 
0 “As a consortium, our collective goal d igital SAYA AIM 1s to progress dial twin technology Soren fot ofthe lab and into the marketplace Digital twins can be difficult to apply across the entire life cycle, where efficiency is often stifled by data silos and a lack of interoperability, Integration with legacy environments can also be challenging,” said Dan Isaacs, CTO, Digital ‘Twin Consortium. To contribute tothe open source collaboration community, candidates have to complete a project application, which the DTC Technical Advisory Committee reviews. If approved, contributors upload their project or related content to the DTC Open Source Collaboration GitHub site Eclipse Foundation launches the Oniro project ‘The Eclipse Foundation has launched the Oniro project and working group to create an independent implementation of the operating system OpenHarmony. ‘The OpenHarmony operating system is based on a HarmonyOS created by Huawei, It supports multiple kemels and uses the Linux kernel ifa device has a large memory. Huawei, along with Linaro, Seco, Array, NOITechPark and Synesthesia, has been contributing to @ continuous integration/continuous delivery (CUCD) platform that is part of the larger Oniro project. “Oniro is open source done right,” said Mike Milinkovich, executive director of the Eclipse Foundation, “It represents a unigue opportunity to develop and host a next- 10 | DECEMBER 2021 | OPEN SOURCE FOR YOU | www OpenSourceFer com ‘generation operating system to support the future of mobile, IoT, machine economy, ‘edge and many other markets.” ‘With the creation of the Oniro project, the Eclipse Foundation aims to strengthen the global technology ecosystem, while bringing a vendor- neutral, open source OS to the global market. 
Discourse fixes critical vulnerability in its forum software Developers of Discourse, a popular open source forum software, have patched a critical security flaw that could result Jinan attack on remote code execution (RCE) in vulnerable systems. ‘The critical bug (CVE-2021-41163), CRITICAL which affects Discourse versions 2.7.8 and earlier, is found to have been triggered through a malicious Amazon SSNS subscription payload. The root cause was identified from a validation bug in the upstream aws-sdk-sns gem, Discourse’s AWS notification webhook handle. This lack of validation in subscribe_url values makes it vulnerable to RCE, through malicious requests Huawei donates its open source OS ‘openEuler’ Huawei announced at the Operating System Industry Summit 2021 that i wil be joining all partners in the community to formally donate its open source operating system ‘openBuler’ to the Open tom Foundation. Euler isan open source operating system for digital infrastructure that ean be deployed in servers, cloud computing, edge computing, embedded and other devices in various forms. Its applications cover IT, CT (communication technology) and OT (operational technology). The openE.uler program was intially announced in 2019, with the new openEuler OS launched back in September this year. “Huawei will donate the complete OpenEuler open source operating system code, brand trademarks, community infrastructure, and other related assets to the OpenAtom Open Source Foundation o build more strong digital infrastructure,” said Wang Tao, executive director of Huawel fl and director ofthe ICT infrastructure eet business management committee. 
be stall al Currently, the OpenEuler community oa, has around 10,000 developers, around a i hundred special intrest groups, and 300 partner companies This operating system combines the power of processors, machines, basi software, aplication software, industry customers, and other partners in the entre industry chain, Deng Taihua, Huawe’s vice president and president of the computing product line, said thatthe company will continue to invest in and promote the development of openEuler in five aspects. This includes technological innovation, ecological construction, commercial promotion, open source construction, and talent development Alibaba open sources four RISC-V cores Alibaba has introduced a range of RISC-V processors with the Xuantie family, ranging from the E902 microcontroller class core to the C910 core for servers in data centres, This also includes the Xvantie C906 core found in the Aliwinner D1 single-core RISC-V processor FOSSBYTES al ‘SETL open sources its PORTL framework Enterprise blockchain firm SETL is ‘open sourcing its cove framework PORTL, in an effort to speed up adoption of blockchain and DET solutions. PORTL is said to provide a robust, permissioned toolset for financial institutions to ‘build applications that interoperate between existing infrastrictures and a range of enterprise ledger technologies including Corda, Besu, Fabric, DAML and SETL's ‘own high-performance ledger. ‘The adoption of DLT in financial services has been slow in spite ofthe remendous potential the technology has to offer. Many of the reasons lead back to a lack of understanding of secure deployment procedures for banks, where the high levels of IT security that banks expect stands in contrast to the innovation-frst approach taken by some blockchain frameworks. Philippe Morel, SETL CEO said, “The potential of DLT solutions is still significantly underexploited. 
With our open source and fully interoperable PORTL framework, we hope (0 contribute to a wider adoption of DLT-based solutions.” SETL provides institutions with tools they need to take DLT and blockchain into production, To ease Integration with existing systems, SETL has adopted Kafka, the open source, high volume event engine as its main backbone for inter-process ‘communication “Our use of high capacity and batile-hardened components such as Kafka and Camunda is in line with the technology journey financial institutions are taking, PORTL bridges the gap berween ledger innovation and business integration allowing the tue benefits of DLT to make the jump from POC to live operation,” Morel added. wiv OpenSoureforlcom | OPEN SQURCEFOR YOU | DECEMBER 2021 | 11 =f FOSSBYTES ‘While RISC- is an open standard and there’s a fair share of open source Anaconda partners with RISC-V cores available, many commercial cores are closed source. Zhang Microsoft to accelerate Jianfeng, president of Alibaba Cloud Intelligence, announced at the 2021 Apsara open source adoption Conference that'T-Head had open sourced four RISC-V-based Xuantie series Anaconda, Ine. has announced a processor cores, namely, Xuantie E902, E906, C906, and C910, as well as related collaboration with Microsoft to enable software and tools customers to confidently access ‘The RTL for the four cores has been released on T-Head Semiconductor's ‘Anaconda’s curated library of open GitHub account under the Apache 2.0 license. Each repository has its own source packages within Microsoft instruction and code. Alibaba also highlighted software support for its RISC-V Cloud hosted products and services, cores with AliOS, RT-Thread, FreeRTOS, Linux, and Android. It claims to have including Azure services like Azure _ shipped over 2. billion Xuantie cores so far. 
machine learning, as well as GitHub services such as GitHub Codespaces Apiiro’s open source software toolkit to combat and GitHub Actions, without the dependency confusion attacks requirement of a separate license. Apiiro, the application risk management provider, has announced the release of the “We are committed to making it Dependency Combobulator, a modular and extensible open source toolkit to detect, easy to use Anaconda everywhere, and prevent dependency confusion atacks and that includes inside Microsoft's “The Dependency Combobulator allows organisations o safeguard against this cloud,” said Peter Wang, CEO and co- founder of Anaconda. “By combining ‘Anacondla’s package dependency manager and curated open source repository with Microsoft’s cloud products, data scientists and ‘developers can use tools they know ‘and trust withthe peace of mind that they do not have to worry about newly uncovered type of risk, which has been on the rise this year as a key vector in supply chain attacks targeting dependencies within software packages. ‘The company said this new solution is a critical element in the approach to securing the software development lifecycle to prevent both direct and supply chain attacks. additional licensing.” Dependency confusion compromises the open source software (OSS) ‘According to the company, ecosystem by tricking end users, developers and automation systems into organisations that capitalise on installing a malicious dependency instead of the correct one they intended to the innovation from thousands of install, compromising their software. 
makers and Apiito's Dependency Combobulator enables a flexible approach to analyse contributors in and automate release workflows that can be evaluated against different sources the open source _such as GitHub packages and can be extended to consider additional registries community have such as JFrog Artifactory, The Dependency Combobulator, aimed to be used by a competitive the AppSec practitioner, is a Python based toolkit that supports both the npm and advantage and are maven package management schemes out-of-the-box, and enables easy extension able to accelerate into other package management systems. It provides improved extensibility that projects that would typically take helps organisations to quickly adapt to new types of dependency attacks. ‘years. This collaboration expands the ‘The Dependency Combobulator is pluggable and can be baked into an availability of key open source data enterprise's application security program and release cycle in an automated way. science tools across platforms and Itcan be plugged into several interaction junctions within an enterprise software sets enterprises up for greater success development lifecycle, providing actionable insights to fit multiple use cases. by making it simpler for users to focus on end results. Intel open sources ControlFlag to automatically Anaconda said it has committed detect errors in code to provide Microsoft with a standard Intel Labs’ Machine Programming Research (MPR) team, working to improve SBOM, using software package data _software developer productivity and quality, has announced the open source exchange (SPDX) specifications, availablity of ControlFlag. 
Designed late last year, ControlFlagis a sef-supervised which will allow Microsoft to verify idiosyncratic pattern detection system, which learns typical patterns that occur the components, licensing, and {nthe control structures of high-level programming languages, such as CiC++, provenance of open source packages _by mining these patterns from open source repositories (on GitHub and other ‘and libraries inthe Anaconda ‘version control systems). It then applies learned pattems to detect anomalous repository. patterns in the user's code, 12 | DECEMBER 2021 | OPEN SOURCE FOR YOU | www OpenSourceFer com ‘The ControlFlag’s pattern anomaly detection system can be used for various problems such as typographical error detection, and lagging a missing NULL check, to name a few Ic follows two main phases: (1) pattern mining phase, and (2) scanning for anomalous patterns phase. The pattern mining phase isa “training phase” that mines typical pattems in the user-provided GitHub repositories and then builds a decision- tree from the mined pattern. The scanning phase, on the other hand, applies the ‘mined patterns to flag anomalous expressions in the user-specified target repositories Intel said that since its introduction, ControlFlag has been tested on production- level software and widely used open source software systems. For example, last year, ControlFlag identified a code anomaly in Client URL (cURL), a computer software project transferring data using various network protocols over one billion times a day. The anomaly was reported to the CURL team; it agreed with ControlFlag’s findings and subsequently patched its code. 
‘While ControlFlag cannot yet automatically mitigate the effects it finds, i offers users suggestions for potential corrections LOphtCrack password auditing tool is now open source LophiCrack, the Windows system password auditing tol, has been released as an open source utility Christien Rioux (DilDog), one of the original authors of LOphtCrack, had announced plans to release an open source version of the tool in early August on Titer. First released in 1997, LophtCrack can be used to test password strength and recover lost Windows passwords via dictionary, brute-force, and other types of attacks Ie was developed originally by Peter Zatko, LOpth then merged with @stake, which was acquired by Symantec in 2004, It was owned by Symantec berween 2004 and 2008, ‘when it was acquired from the cybersecurity firm by Zatko and other original authors. By that time, Symantec had stopped selling the too}, according to sources. In July 1, 2021, the company said LOphiCrack software was no longer owned by Terahash, LLC. Ithad been repossessed by the previous owners, formerly known as LOpht Holdings, LLC. LOphiCrack is no longer being sold. The current owners have no plans to sell licences or support subscriptions for the LophtCrack software. However on October 17, they officially announced the open source availability of LOphCrack version 7.2.0. The open sourced project is looking for both maintainers and contributors. Sentry’s FOSS Fund 155 to financially support open source community Sentry, an open source company, announced ithas donated USS 154,999.89 t0 108 individuals under its FOSS Fund 155, The company has invested in the open source community by donating SaaS credits to open source projects, sponsor conferences and meetups, and contribute patches to upstream projects. 
‘Sentry said the inspiration came from it raising US$ 10,000 from the FOSS Fund Adopters launched by Indeed, “When Sentry received the investment, it committed to increasing its own financial giving tothe open source community.” According to the company, the specific amount was carefully calculated. The tech companies receive approximately US$ 2,000 of value per engineer on staf ‘Sentry employs 75 engineers, and the fund comes up to USS 150,000 as target budget. The rest is to meet membership fee thresholds and currency conversions. FOSSBYTES al Microsoft reverses -NET change after open source community outcry “Tech giant Microsoft backed off from the decision to remove a key feature from its upcoming NET 6 release, after a serious public outery from the open source community Microsoft had reportedly disappointed the NET open source ‘community by removing a key pat of Hot Reload in the upcoming release of NET 6, a feature that allows developers ‘to modify source code while an app is running and immediately see the results, The Verge reported, itis a feature many had been looking forward to using in Visual Studio Code and across multiple platforms until Microsoft made a controversial last- minute decision to lock to Visual Studio 2022, which is a paid product that’s limited to Windows. Microsoft has now reversed the change following a backlash, and anger inside the company from many of Microsoft's own employees. Alay “We made a mistake in executing ‘on our decision and took longer than expected to respond back to the community,” said Scott Hunter, director ‘of programme management for .NET. Microsoft has now approved the ‘community’s pull request to re-enable this feature and it will be available in the final version of the NET 6 SDK. “We have taken steps to address the issue that some of our OSS community members have experienced,” said a Microsoft spokesperson in a statement to The Verge. 
"Hot Reload capability will be in the general availability build of the .NET 6 SDK," the spokesperson added.

www.OpenSourceForU.com | OPEN SOURCE FOR YOU | DECEMBER 2021 | 13

IBM launches Open Source Cloud Guide for developers

IBM has released the Open Source Cloud Guide, which highlights various use cases that are important in hybrid cloud environments. It features the important open source projects in these areas, and discusses how various clouds are using open source in their offerings. "As both the cloud and open source landscapes evolve, we saw a need for a guide to highlight important aspects of hybrid cloud and multi-cloud development—and their corresponding open source services," IBM said.

According to an O'Reilly survey that IBM commissioned in 2020, developers who want to build cloud applications should work on honing their open source skills instead of only focusing on developing skills for a proprietary cloud. Because every major cloud platform uses open source software in its infrastructure, developing skills related to open technology makes developers more desirable to potential employers and helps them compete in hybrid environments. Todd Moore, vice president, open tech, and Chris Ferris, CTO, open tech, from IBM noted that the survey highlighted that the most desired open source skills are around Linux (containers), artificial intelligence and machine learning, and data storage. "This got us thinking: How do those skills translate exactly to developing for hybrid cloud environments, inclusive of the major cloud providers?
What open source technologies are most used? The purpose of the Open Source Cloud Guide is to answer those questions," reads the IBM developer blog. Developers can discover more and contribute to the guide on GitHub.

The Sentry fund is grouped in three: foundation memberships (52 per cent), long-tail projects through GitHub Sponsors and Open Collective (36 per cent), and internships for new contributors through Outreachy (13 per cent). "All tech companies stand on the shoulders of community-supported open source giants, and Sentry is no exception. With this fund we prioritised support for our dependencies in order to strengthen our supply chain. But, more than that—Sentry itself was a volunteer-run project for many years. Yes, we took a commercial route, but we respect the many projects that have chosen a different path. Maintainers should be able to determine their own future, and financially supporting our community-managed dependencies makes that a bit more feasible for them," wrote Chad Whitacre, senior software engineer at Sentry, in a blog post. The company has audited its product architecture and generated a list of seven major community-led open source projects: Python, Django, Rust, JavaScript, PostgreSQL, Apache and Linux. "These projects are all backed by formal non-profit foundations; we added an eighth foundation, the Open Source Initiative, to represent the open source community as a whole. We decided to allocate half of our budget (52 per cent) to these eight foundations," said Whitacre.
CloudQuery raises US$ 3.5M in funding

CloudQuery, a startup giving developers visibility into their cloud infrastructure assets and configuration, has announced that it has closed a US$ 3.5 million seed funding round led by Boldstart Ventures, with participation from Work-Bench, Mango Capital and Haystack. As cloud infrastructure providers and service catalogues have grown, the burden on developer workflow has been ever more custom scripts, hacking and hassle for developers to get the insights they need over their sprawling cloud infrastructure. Each cloud provider has its own proprietary tooling for infrastructure visibility — AWS Identity and Access Management (IAM), Azure Cloud Discovery, Google Cloud Asset — each with its own learning curve, and each siloed within that single cloud provider's environment.

"With cloud infrastructure, developers too often find themselves blind about what their assets are and what they are managing," said Yevgeny Pats, co-founder and CEO at CloudQuery. "They only get spotlights on small parts of their infrastructure, and spend a lot of cycles writing manual scripts for specific APIs, doing transformations, and managing code. The vision for CloudQuery is 'dev-first' visibility into infrastructure. That means continuous extract, transform, load (ETL) of your cloud infrastructure assets into a relational database, a simplified SQL query model that lets you ask all the questions you need to know for your use cases, and a vibrant community of contributors that lets you tap into pre-supported cloud providers and queries, so you don't have to build everything from scratch yourself."

CloudQuery integrates with the cloud service providers, including AWS, Azure and Google Cloud. It fetches read-only data and normalises that data (via ETL) into a relational database. By exposing cloud infrastructure data as SQL-queryable, CloudQuery does not require mastering new DSLs.
And the project boasts more than 100 pre-written queries for all the cloud providers that it supports, so developers enjoy a running start for all the common queries they have of their cloud assets — but CloudQuery makes it easy to build custom queries too.

For more news, visit www.opensourceforu.com

InSight

The government of India introduced the National Smart Cities Mission in 2015 to develop smart cities pan-India, making them citizen friendly and sustainable. To begin with, it included 100 cities in this mission, with the deadline for completion of the projects set between 2019 and 2023. But how can smart cities leverage open source technologies, and deploy 5G and IoT to accelerate innovation and reach the ambitious targets set under this mission? A panel discussion on the subject 'Deploying "5G, IoT and Edge Computing" technologies for SmartCity and Business Verticals using Open Source Platforms' among industry leaders at a Samsung IEEE event offered some answers.

The prime objectives of creating smart city environments are: optimised decision-making, building infrastructure, and the use of cyber and physical resources to address the challenges in urban areas. However, the large-scale deployment of cyber-physical-social systems using open source has its own set of challenges, which require smarter sensing and computing methods, as well as advanced networking and communication technologies, to provide better services.

Open source for next-gen networks

Gone are the days when 5G, IoT and edge computing were just buzzwords. In today's business verticals, these are quite the reality. Open source is shaping large areas of technology. In telecommunications, for example, it is not just a way to foster collaborative research and innovation, but an opportunity to make real change in the telco ecosystem.
Open source projects are creating technology that will drive the evolution of the next-generation mobile networks, which is vital as industries move towards the 5G era. "It is interesting to know that 80 per cent of telecom data is non-differentiated and can be used as open source. Instead of just consuming it, we can use the best it offers," says Dr Aloknath De, CTO, Samsung India.

The concept of collaborative development on networks and new technologies is not new in telecom. "Samsung uses the Tizen platform to build digital appliances, and JerryScript from JavaScript is intended to run on a very constrained kind of environment. It also supports IoT and Open Connectivity Foundation," says Dr De. Moreover, when it comes to 5G communication, he considers the Open Radio Access Network Software Community (O-RAN SC) and the Open Network Automation Platform (ONAP) to be two big elements. Akraino is also an important element that supports high availability of cloud services, spanning a variety of use cases for artificial intelligence.

Fundamental shift in architecture

Industries are today focusing on product consumption, software architecture, modularity of software network functions, application services, and use of open source, all of which indicates a major shift in architecture. Subodh Gajare, lead architect (5G and IoT security), Cisco R&D, feels that nowhere between 2G and 4G did we witness such major architectural shifts.

(Photo captions: Dr Aloknath De, CTO, Samsung India; Gnanapriya Chidambaranathan, AVP and senior principal architect, Infosys; Subodh Gajare, lead architect (5G and IoT security), Cisco R&D)
"When we look at 5G in a silo compared to the three previous generations of mobility, we see a fundamental shift in architecture in the way network components are looked at, and the security element has been blown apart." He adds, "We are witnessing three major architectural shifts, and this is the place where 7 trillion devices, 7 trillion people and all these economies of scale will be met. And that's why it's both a huge competitive advantage and a huge secondary challenge as well."

Innovation in the open network ecosystem

Gnanapriya Chidambaranathan, AVP and senior principal architect, Infosys, says that we are looking towards how open networking is bringing in innovation, embracing cloud nativeness as well as dynamic orchestration and automation of network slices, bringing closed loop assurance and exposing open APIs for ecosystem integration. For instance, all of us are connected remotely and enterprise workloads are moving from the data centres to the edge. Similarly, when we talk about the industry verticals, whether it is manufacturing or Industry 4.0, a lot of low latency analytics and insights are required. And from a consumer perspective, users can watch high definition video, live streaming and other immersive experiences. "There are a variety of possibilities that exist today. Open source brings in that openness and helps in driving innovation and cost efficiency," she says.

RANs enable physical access to devices and were mostly developed as complete proprietary solutions. This means that it was difficult for innovations to happen at the same pace as the rest of the market.
"We are looking at the Linux Foundation solution set, O-RAN ecosystems, OpenStack and Kubernetes solutions. There is also the Open Networking Foundation (ONF), where there is a set of open source platforms that exist. We are also looking at how DLT can be leveraged for smart contracts, as the business models and monetisation are also important," Gnanapriya states.

Creating a revolution

Linux and Android are a part of our life already. According to experts, they are playing a key role in the next phase of revolutionising the data centre market. For instance, a lot of infrastructure for hyperscalers like Google and Facebook runs on open source.
"We may not be aware that there are companies selling commercial networking products using open source to the data centre and cloud market. The next phase of the data centre evolution is the orchestration with OpenStack and Kubernetes," says Abhijit Chaudhary, founder and CEO, Niral Networks. Acknowledging the pivotal role of 5G, IoT, edge and telecom, Chaudhary says there are multiple initiatives for open source disaggregation happening in 5G for RAN, core and transport. "There have been a few smaller commercial 5G deployments using open source, but I think 5-6 years down the line, there will be a huge momentum towards open source based commercialisation in the telecom and private cellular networks for industrial IoT use cases," he adds.

Disaggregating components

When 5G came into existence, the thought process of disaggregating the components had already begun. With the arrival of open RAN and the disaggregated components talking to each other on open interfaces, the possibility opened up for a lot of telecom applications in the RAN and transport domains to become smaller components that could be handled in isolation.

(Photo captions: Abhijit Chaudhary, founder and CEO, Niral Networks; Manish Gangey, SVP and head, R&D, Airtel; Dr Inder S. Gopal, CEO, Indian Urban Data Exchange)

"These are components that you can innovate upon and bring a lot of value into before you put them together to create a larger solution. So, from the service provider perspective, these are great developments," says Manish Gangey, SVP and head, R&D, Airtel. He points out that one of the big problems in India is that we have a low ARPU (average revenue per user) in comparison to any other place.
"So the way we need to build our own infrastructure has to be thought about differently for any company to be profitable." Open source fits beautifully in an association like this by reducing the overall cost of ownership, accelerating innovation and bringing many more players into the market. "I look at open source as a great enabler for the Indian ecosystem to develop," says Gangey.

Transforming industries

Dr Inder S. Gopal, CEO, Indian Urban Data Exchange, says there is evidence that open source can transform an industry. "If we look at data centre networking at the time of SDN and NFV, it was dominated by proprietary solutions. If we now look at the data centre and the boxes that are deployed in it, 80 per cent are white box solutions running, for the most part, open source software. The open source commercialisation has been driven by the availability of open white box hardware alternatives and mature open source offerings, and that has really transformed the data centre," he explains. He expects to see a similar kind of transformation in the telco space as well, though it might take a little bit longer. "I think telcos always move a little bit more slowly than other sectors, but it definitely will happen and there is evidence that it can happen," Dr Gopal says.

Driving factor: Cost-effectiveness or competitiveness?

O-RAN based deployments are becoming increasingly popular. For an operator, cost-effectiveness may be of prime importance, but there is also competition because of the low ARPU; hence, the infrastructure cost has to be matched in line with that. The question is: are the cost reductions or the vendor lock-ins driving the popularity of open source? The fact is, reducing infrastructure costs will also bring in more competitors. Disaggregation is happening; OEM layers are getting middleware and many more things. So if we split the monolithic architecture, systems integrators are needed to play the role, leading to a lot more challenges.
"But the driving factor in open source is the cost of the solution and the diverse supply chain. They are pretty interrelated. I use open source and it will be cheaper, because there is nobody to charge me the royalty or the fees. We are not saying that the source is going to come cheap. We are not saying by any means it is free or it is not free. Open source is not free — it is a very common term that we can clarify all the time," explains Gangey.

Open source is the method of getting in more players and fostering innovation. Once you have the vendor lock-in, whatever the requirement, you are dependent on a set of engineers who are catering to 15 different sets of customers across the world with 15 different requirements. Gangey says, "If my solution doesn't get priority in my partner's ecosystem, I am really stuck and will not be able to service my customer. So fundamentally, when you disaggregate, you unlock and remove this lock-in, opening up for more innovation. You deploy the features faster and are able to monetise." Cost can be brought down in one way or the other — in the form of efficiency in deployment, with optics or by way of capital expenditures. "It is not as simple as it sounds, but it is evident that whenever you open up things, it basically brings down the overall total cost of ownership (TCO)," he adds.

Gajare says, "The intelligent programmable infra and the architectural building blocks with open source, ONAP, policy, design, creation, dashboarding, external APIs, orchestration, networking, NS, and infra monitoring — all of this is now a bundled offering." While he points out innumerable use cases of ONAP that can design, create, orchestrate and automate everything in 5G, he also tells telco operators to be aware that code repositories are no longer locked in. It's not just about 10,000 people contributing, but about how the whole wheel aligns to the common cause of the use case. "I think I can see that balance.
A lot of vendors and telcos are working with Telstra, COX, Orange, Charter, Bell, AT&T, for example, and have evolved from lab ONAP networks to ONAP reference architectures. And that epochal shift is a very good science," adds Gajare.

Specifics on leveraging 5G from core to edge

Various workloads have a variety of use cases, and there is sometimes a doubt about how end-to-end service orchestration can happen. These could be wireless networks or CNF/VNF combinations. Going into the specifics of slice orchestration, it can be the core or access. Even in the case of access, there has to be some thought on how RAN automation is going to happen and how to support the real-time or non-real-time scenarios. "When we talk about the services being offered, there are other digital players too, apart from the telco specific services. So there should be an idea about how I am going to do the end-to-end telco-cloud orchestration. Bringing in orchestrations and adding edge factors into them will still need a lot of thinking on how orchestration happens from the edge layer and when moving towards the CPE side," explains Gnanapriya. Based on the kind of requirements, different kinds of flavours can be easily addressed in an automated dynamic orchestration through these platforms. It gives enormous facilities and capabilities where these solutions can be leveraged. In the Indian context, bringing all these concepts together plays a vital role, not just for operational efficiencies but also from a cost perspective.

Smart cities stay smart with open source

The smart city concept is gaining momentum, with all products coming under a digital shadow. It involves a functional and structural improvement of existing cities by capitalising on information and communications technology to increase the city's sustainable growth, while ensuring enhanced quality of life for its citizens.
Dr Gopal points to one of the open source platforms, India Urban Data Exchange, that is being deployed across the country for sharing data. If the solutions that smart cities are deploying are looked at, there is a layer of software, a middleware layer, which for the most part is non-differentiated. It allows you to find data and provide access to controls, he explains. "Companies work together to create a common open source platform. This has a significant role in the smart cities space. Everyone understands, and can deploy and support, but one has to focus on creating value on top," says Dr Gopal.

Bridge gaps with an organisational construct

India has a pretty ambitious initiative of building 100 smart cities, and this project has been going on for about six years. However, it has not moved quickly and the results have not been as dramatic as expected initially. "It's because a lot of data — records, videos, etc — are being collected in these smart cities, but they sit right at the silos or closed proprietary platforms without any well-architected interfaces," says Dr Gopal. It is very difficult for someone who has an innovative idea to get access to this data or even understand what data is available. Just suppose you want to build some kind of emergency response system within a city and would like to take data from the police and fire departments, as well as hospital services. Right now, that is not possible in these cities, as these departments are working on completely different systems that have no correlation. Common application programming interfaces (APIs) help in bridging this gap, creating a platform that connects the systems together and brings the available data into a common format.

Dr Gopal explains, "This is a prime example where open source can play a role. I believe that anything that is being created for the public using public funds should be open source.
It should be done as a collaborative project where multiple parties can work together. We have tried to create a model that is open source and have also created the organisational construct. So, different parties can contribute code and create the governance model for an open source project. This takes a lot of effort and, very often, it is really difficult to maintain and manage because there are always going to be conflicts."

Collaborate in the middle layer: He adds, "What we have done is disaggregate the deployment of the smart city system. Previously, a city would go to a vendor and the latter would build a vertically integrated system, but we now realise that this is not the way forward. We have to split these systems into horizontal layers." At the bottom, there are the sensors from different vendors. These can be mixed and matched, as cities now have the ability to be vendor-agnostic. Sensors can be purchased, let's say, from Samsung and then something can be bought from Philips, and the companies can compete against each other at that level. The idea really is innovation below at the data collection level and then innovation at the application level. "Create applications and services on top. Collaborate in the middle to maximise the availability and involve more players," Dr Gopal adds.

Bringing cross-industry solutions together: The smart city construct is similar all across the globe, and the focus is on how cross-industry solutions can be brought together and automated. "For example, how can we support factories of the future and bring in these technologies together, helping in the automation, in the right kind of connectivity, and in bringing insights so that the operations efficiency can be improved," Gnanapriya opines. Then there are the surveillance, safety and security solutions.
As an example, in the oil and gas industries, there seem to be a lot of opportunities for these solutions, but there are challenges in accessing or processing them in real-time. "It is important to think about how to bring all the partner ecosystems together in an operations platform that can help in taking solutions forward," she adds.

Work towards forming a global registry: Gajare says, "We have a few open source smart city platforms (for Pune, Jaipur and Navi Mumbai), and we are also trying to do something for the digital freight corridor operation now. But we need a registry for digital public goods, a place where all this data can be exchanged at par with the right security levels and context." "Having a global registry for smart cities, or even just for the 6000 odd cities in India, would be nice, and that is sorely missing as one of the key agenda items."

Improve edge computing capabilities: There are two types of edge — user edge and service provider edge. And the user edge may be either microcontroller based or gateway systems. There is a focus on creating network infrastructure that may be a private network, especially to enable edge computing. Experts warn that you may be forced to enhance edge computing in future solutions. Chaudhary says, "Smart factories and rural connectivity need a private network in a lot of cases. We are trying to build an open network operating system that needs three components — the radio, transport and the core. We can create a concrete edge upfront core network for 5G using open source. It's all about collaboration, about more competitors coming and collaborating."

Open source drives standards: Dr Gopal reiterates the relationship between standards and open source: "The way standards get developed is by creating open source reference implementations. There is a kind of cycle between formal standards and implementations.
And in many ways, open source drives those standards." A task force in the Bureau of Indian Standards is looking at the feasibility of 5G and open source for 5G, as well as multiple segments, such as the access and applications space, to check on the maturity of open source. "But the objective really is to take it forward and go from a paper study to actually do a set of reference implementations in each of these areas," says Dr Gopal.

Developing the culture of contributions: India is known for its software programming, but when it comes to open source, the country is still in its infancy. Gajare feels the time has come for creating something similar for the whole 5G ecosystem, where everyone who is a student, academician or research scholar can contribute. India has the mental muscle and now it's just a matter of working with the necessary frameworks that align to solve something tangible. "We have huge talent in India. Getting associated with any open source project of interest will help. Students can start with bug fixes, and then contribute to features. There are a variety of opportunities available at any layer," says Gnanapriya. Experts believe that we must develop the culture of contributions rather than looking at reaping immediate benefits. "I think we need to really grow our thought process and nurture this culture, also by busting a lot of myths around it. If you are contributing something to open source, it is not your intellectual property. Let's build this culture of contributions," Gangey concludes.

Panellists:
+ Dr Aloknath De, CTO, Samsung India (moderator)
+ Dr Inder S. Gopal, CEO, Indian Urban Data Exchange
+ Manish Gangey, SVP and head, R&D, Airtel
+ Abhijit Chaudhary, founder and CEO, Niral Networks
+ Gnanapriya Chidambaranathan, AVP and senior principal architect, Infosys
+ Subodh Gajare, lead architect (5G and IoT security), Cisco R&D

By: Abbinaya Kuzhanthaivel
The author works as an assistant editor at EFY.
Just like food, the software solutions you consume are also made up of different ingredients. These include third-party software (supplied by vendors outside your organisation) along with other open source software components and libraries that collectively form the ingredients of the software application. Organisations must adopt a compliance strategy to avoid the risks associated with releasing a product that does not comply with the underlying licences.

Lack of awareness about open source software compliance and software security risks can result in various compliance related issues. Before it is consumed by an end user, the product team and stakeholders should understand their software's composition. Unless you are aware of the potential risks your software may have, you cannot remediate that risk. To understand the risk associated with open source software, it is essential to know how it enters your supply chain.

What is open source software and how does it enter your supply chain?

Open source software is computer software that is released under a licence in which the copyright holder grants users the right to use, study, modify, and distribute the software and its source code to anyone and for any purpose. Modern applications such as mobiles, the cloud and IoT connected devices may comprise up to 90 per cent open source, according to a report by Forrester. Open source components are malleable in nature because one can copy, redistribute, and even make changes to the software, for any purpose.
This makes it favourable for the developing team to incorporate this software into its code.

Figure 1: Various entry points of open source components into the supply chain (package sources such as GitHub, GitLab, Python, npm, NuGet and Maven; internally developed, reused, third-party and legacy code)

Another important aspect with regard to open source compliance risks is the software dependencies. Dependencies are components and libraries that are required for the application to run, and are pulled into the application at build time. These are categorised into two types — direct dependencies and transitive dependencies. Direct dependencies are the libraries your code directly calls and utilises. Transitive dependencies are the libraries or other software that the direct dependencies depend on. These dependencies have their own governing licence, which could be different from the parent open source library. It is important to track the dependencies in your software because you are still obligated to comply with the terms of the licence, whether the dependency is direct or transitive.

Open source licence risks and compliance

Each open source software library is governed by an open source licence. These licences can be categorised into different risk levels: permissive, weak copyleft, strong copyleft, and source available, which in turn have obligations, attributions and varying severity of risks associated with them. Figure 2 shows the different licence types and their associated obligations. Open source software licences obligate the developer or organisation developing software to comply with the terms of the licence.
Some of the obligations include keeping the licence information and copyright notices intact, providing attribution notices that identify the copyright holder, identifying modifications made to the software, etc, and in some cases making the source code of the overall application available to users of the application. Non-compliance with the licence obligations can impact the business in many ways.
+ Licence infringement consequences: Development teams could lose the right to use the component or library, which could result in a product recall, fixing or a code patch.
+ Loss of intellectual property (IP): Open source licence compliance can result in a requirement to release the source code of your IP to users of the application.
+ Reputation loss: Press articles and media coverage can jeopardise a company's reputation.
+ Cost consequences: Remediation processes like removing or replacing an open source component can often be expensive and time-consuming.

The reality of licence violations

Non-compliance with open source software in the past has given rise to many disputes, which have made quite an impact on an organisation's reputation and client base
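As an added example (not from the article or any named tool), the following Python script walks a constructed dependency graph the way a software composition check would: it separates direct from transitive dependencies, maps each component's licence to the four risk categories above, and ranks what needs attention, including a strong copyleft codec pulled in only through a permissive direct dependency and a component with no licence metadata. All package names, licence assignments and obligation summaries are assumptions made for the example.

```python
"""Added example (not from the article): resolve an application's direct and
transitive dependencies and classify each component's licence by the four
risk categories the article names.  Every package name, licence assignment
and obligation summary below is constructed for illustration only."""
from collections import deque

# Licence identifier -> risk category (assumed mapping for the example; real
# classification must follow your organisation's legal policy).
LICENCE_CATEGORY = {
    "MIT": "permissive",
    "Apache-2.0": "permissive",
    "BSD-3-Clause": "permissive",
    "LGPL-2.1": "weak copyleft",
    "MPL-2.0": "weak copyleft",
    "GPL-3.0": "strong copyleft",
    "AGPL-3.0": "strong copyleft",
    "SSPL-1.0": "source-available",
}

# Illustrative one-line obligation summaries per category (not legal advice).
OBLIGATIONS = {
    "permissive": "keep licence text and copyright notices; give attribution",
    "weak copyleft": "as permissive, plus publish changes made to the component",
    "strong copyleft": "as permissive, plus source of the combined application "
                       "may have to be offered to its users",
    "source-available": "not an OSI-approved licence; check usage restrictions",
    "unknown": "no licence metadata; block release until the licence is known",
}

# Ranking used to order findings (higher means more attention needed).
SEVERITY = {"permissive": 0, "weak copyleft": 1, "strong copyleft": 2,
            "source-available": 3, "unknown": 4}

# Constructed component catalogue: name -> (licence, direct dependencies).
# It deliberately contains a GPL codec reached only through a permissive
# direct dependency, a component with no licence metadata, and a cycle.
CATALOGUE = {
    "webapp":          ("Proprietary",  ["http-framework", "db-driver", "image-tools"]),
    "http-framework":  ("MIT",          ["template-engine", "log-utils"]),
    "template-engine": ("BSD-3-Clause", ["log-utils"]),
    "log-utils":       ("Apache-2.0",   []),
    "db-driver":       ("LGPL-2.1",     ["net-core"]),
    "net-core":        ("MPL-2.0",      ["http-framework"]),   # cycle back
    "image-tools":     ("Apache-2.0",   ["codec-x", "metrics-agent"]),
    "codec-x":         ("GPL-3.0",      []),
    "metrics-agent":   (None,           []),                   # licence unknown
}


def classify(licence):
    """Map a licence identifier to a risk category; anything unmapped is unknown."""
    return LICENCE_CATEGORY.get(licence, "unknown")


def resolve(root, catalogue=CATALOGUE):
    """Breadth-first walk from `root`.  Returns {name: info}, where info holds
    the licence, its category, the depth (1 = direct, >1 = transitive) and the
    component through which it was first reached.  BFS guarantees the
    shallowest path wins, and the `found` check makes cycles harmless."""
    found = {}
    queue = deque((dep, 1, root) for dep in catalogue[root][1])
    while queue:
        name, depth, via = queue.popleft()
        if name in found or name == root:
            continue
        licence, children = catalogue.get(name, (None, []))
        found[name] = {"licence": licence, "category": classify(licence),
                       "depth": depth, "via": via}
        queue.extend((child, depth + 1, name) for child in children)
    return found


def findings(root, catalogue=CATALOGUE):
    """Components that need more than attribution, most severe first."""
    rows = []
    for name, info in resolve(root, catalogue).items():
        if info["category"] == "permissive":
            continue
        rows.append({
            "component": name,
            "licence": info["licence"],
            "category": info["category"],
            "kind": "direct" if info["depth"] == 1 else "transitive",
            "via": info["via"],
            "obligation": OBLIGATIONS[info["category"]],
        })
    rows.sort(key=lambda r: (-SEVERITY[r["category"]], r["component"]))
    return rows


if __name__ == "__main__":
    for row in findings("webapp"):
        print(f"{row['component']:<14} {str(row['licence']):<10} "
              f"{row['category']:<17} {row['kind']} via {row['via']}")
        print(f"    obligation: {row['obligation']}")
```

The permissive components still carry notice and attribution obligations; the report only ranks those where the obligations go further, and the unknown-licence component is ranked highest because nothing can be asserted about it at all.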
