OpenChain in India – Update on Status

Posted December 5, 2019, in News

The OpenChain India Work Group had a great inaugural meeting hosted by MCA in Bangalore on the 7th of September. 25 people from 11 companies attended and shared experiences around open source compliance matters. This meeting marked the long-awaited expansion of OpenChain into one of the most significant IT markets in the world.

The second meeting will take place at Lyra Infosystems on the 21st of December 2019. Lyra has been OpenChain conformant for a while and is a pivotal user company supporting the eco-system in India.

Interested in helping shape the future of open source compliance in India? Jump right in!

Our dedicated India Work Group Mailing List

Detailed Overview and Minutes

Mishi Choudhary & Associates partnered with the OpenChain Project in conducting the OpenChain Project’s first India Work-Group meet-up at Hotel Royal Orchid, Bangalore on 7th September. The meet-up included professionals, open source enthusiasts, tech companies building or using products based on open source, and entities interested in learning more about open source compliance. Four OpenChain Conformant companies were represented, namely Infosys, Siemens, Lyra Infosystems and Cognizant. Various global service providers using open source in different forms were also present.

The meet-up was organised to initiate the core India Work-Group of the OpenChain Project, which was rolled out by the Linux Foundation to simplify compliance. The OpenChain Project builds trust in open source and makes compliance easy, predictable and effective. The OpenChain Specification and Conformance form an industry standard for open source compliance, optimized for internal and external supply chains of any type.

The meet-up was moderated by Prasanth Sugathan, Legal Director, and Gurbir Singh Sidhu, Associate Counsel at Mishi Choudhary & Associates. The session also included presentations by Shuvajit Mitra (Senior Manager – IP Commercialisation, Open Source & Trademarks Practices, Infosys) and Arun Azhakesan (Lead OSS License Compliance, Siemens Healthineers).

Introductory Remarks:

Shane Coughlan, General Manager, OpenChain
Shane joined through video-conference from Japan. He spoke about the OpenChain Project’s major community outreach achievements in the current month, which include the first work-group meet-ups in India and China and continuing activity in Taiwan. He also expected the conformance community to double this year. Further, he shared OpenChain activities in Japan, where the community comprises 68 companies and over 150 people; the OpenChain Project’s Automotive WG in Japan alone has over 100 people involved.
He mentioned deep connections between companies in China and those from India present at the first work-group meeting. To illustrate this, he referred to Xiaomi, which recently sold its 100 millionth smartphone in the Indian subcontinent.
He envisaged bringing together OpenChain Conformant companies like Infosys with companies that are not yet conformant, such as WIPRO. He also discussed plans for OpenChain’s readiness to become an ISO standard and the consequent support for this from user companies and developers.

Further, he assured the India WG of support from the international OpenChain community at every step.

Gurbir Singh Sidhu, Associate, Mishi Choudhary & Associates
To give insights into the anticipated privacy legislation, Gurbir gave a presentation on the Draft Personal Data Protection Bill, 2018 for the attendees. He gave a background on the emergence of privacy law and policy in India. This included the recommendations of the Justice (Retd.) AP Shah Committee on Privacy, 2011; the SC judgment in KS Puttaswamy & Anr v. UOI & Ors (Aug, 2017), which upheld privacy as a fundamental right; and finally the report released by the Justice (Retd.) BN Srikrishna Committee on Data Protection Framework, 2017.
Thereafter, the key provisions of the Draft Bill were shared. These included key terminology such as Personal Data, Sensitive Personal Data, Data Principal, Data Fiduciary and Data Processor. Then, the data protection obligations on data fiduciaries, such as purpose limitation, collection limitation, storage limitation, notice and consent requirements, and transparency and accountability measures (data audits, impact assessments, appointment of data protection officers), were presented. This was followed by the rights of data principals, such as the rights to confirmation and access, data portability, correction of information and the right to be forgotten. Thereupon, provisions on the transfer of personal data outside India were discussed, including data localization, mirror copy requirements, and conditions on data transfer such as contracts and intra-group schemes. Finally, provisions relating to exemptions, the Data Protection Authority of India, penalties, criminal offences and remedies under the Draft Bill were discussed.

Shuvajit Mitra (Senior Manager – IP Commercialisation, Open Source & Trademarks Practices, Infosys)

Shuvajit started his presentation on how Infosys has adopted the usage and deployment of OSS in its solutions, and how this has saved costs and resources while meeting customers’ expectations. Discussing challenges, he mentioned that in a diversified and large organization there could be misunderstandings about OS usage due to inadequate licensing experience, compliance complications and the related risk of IP infringement. The need for methodical compliance checks, license validation, established roles and accountability at the supervisory level was also discussed.

In order to address these challenges, the Infosys IP team engaged with the OpenChain Project to assess its compliance practices and identify gaps, so as to come into line with industry standard practices. For capacity development, Infosys organized trainings on OSS licensing, governance models and contribution processes.

Infosys carried out a Conformance Analysis, which included an assessment of its Open Source Policy and its IP check and certification process, establishing an accountability system, and meeting the key requirements of the OpenChain Specification to make its compliance program predictable, understandable and efficient. Discussing benefits, he mentioned that by being an OpenChain Conformant company, Infosys was able to demonstrate a transparent OSS compliance process in development and procurement. Being OpenChain Conformant would help Infosys build trust among its customers and stakeholders while showcasing its global standards.

Arun Azhakesan (Lead OSS License Compliance, Siemens Healthineers)

Arun represented the formal tooling work group of OpenChain and explained how some of these tools were later adopted by Linux. The idea behind the tooling group is to reduce resource cost and enhance output. Also, because OpenChain brings Conformance to the entire supply chain, these tools needed to be streamlined.

He started his presentation by discussing efforts led by OpenChain to develop tools that assist OS compliance and make it more predictable. Arun shared the entire Integrated Compliance Toolchain Instance, with specific compliance tools for each layer. Thereafter, he covered specific tools useful across the entire compliance chain.
The first is Fossology, which allows license, copyright and export control scans from the command line. It can generate an SPDX file, or a ReadMe with the copyright notices from the software. Its scanners include Monk, Nomos and Ninka. The next tool, Eclipse SW360, is an OSS project which allows cataloguing of software components, assessing security vulnerabilities and maintaining license obligations, among other things. It is licensed under EPL-2.0. Eclipse SW360 Antenna is another OSS tool, which automates the open source license compliance process: it collects compliance-related data, processes it and warns in case of compliance-related issues. Other tools suggested by Arun for the entire software supply chain included:

  1. OSS Review Toolkit: To download and scan the source code of the dependencies for license information and summarize the results.
  2. Software Heritage: To collect, preserve and share all software that is publicly available in source code form.
  3. BANG (Binary Analysis-NG): To find out the provenance of unpacked files and classify/label them, making them available for further analysis.
  4. SPDX: For communicating the components, licenses and copyrights associated with a software package.
  5. Open Source Automation Development Lab (OSADL): To promote and coordinate the development of open source software for the machine, machine tool, and automation industry.
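As an added illustration of the SPDX role in the list above (this is not code from the page, OpenChain or Fossology), the following Python check reads a small SPDX tag-value fragment of the kind Fossology can emit and lists packages whose license review or copyright notice is still missing. The package names and values are constructed for the example.

```python
# Constructed SPDX 2.x tag-value sample; not real scanner output.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
DocumentName: example-product-sbom

PackageName: libfoo
PackageVersion: 1.4.2
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright (c) 2018 Foo Authors</text>

PackageName: barutils
PackageVersion: 0.9
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
"""

def parse_packages(text):
    """Group tag-value lines into one dict per PackageName block."""
    packages, current = [], None
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif current is not None:
            # Strip the <text>...</text> wrapper SPDX uses for free-text values.
            if value.startswith("<text>") and value.endswith("</text>"):
                value = value[len("<text>"):-len("</text>")]
            current[tag] = value
    return packages

def compliance_gaps(packages):
    """Return (package, issue) pairs a reviewer must resolve before release."""
    gaps = []
    for pkg in packages:
        name = pkg["PackageName"]
        if pkg.get("PackageLicenseConcluded", "NOASSERTION") == "NOASSERTION":
            gaps.append((name, "license not concluded by review"))
        if pkg.get("PackageCopyrightText", "NOASSERTION") == "NOASSERTION":
            gaps.append((name, "copyright notice missing"))
    return gaps
```

Running compliance_gaps(parse_packages(SAMPLE_SPDX)) flags only barutils, whose declared GPL-2.0-only license has not yet been concluded by a reviewer and whose copyright text is absent.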

Informal Discussions

Attendees noted that lately more companies are developing projects as open source, including Google, FB, LinkedIn and Microsoft. There have also been instances over the past decade where companies using open source made downstream improvements and turned the products into proprietary ones. This led to changes in license regime by MongoDB and a few others. Further, the global movement towards streamlining compliance activities, led by the Linux Foundation, was discussed, the OpenChain Project being one of its products.
High-profile patent litigations were also mentioned, including Apple-Qualcomm and Apple-Samsung. Open Innovation Network’s work in resolving such disputes and in patent non-aggression, particularly for Linux-based products, was referred to.

Attendee companies discussed the challenges they face when contributing to the open source pool, specifically the degree to which they can allow their developers to contribute and which parts to retain after due diligence checks (against third-party patent infringement).

There were also suggestions to focus on smaller companies and start-ups in their transition towards open source. Secondly, awareness-raising, being a major part of the OpenChain Project, should also be leveraged.

Mr. Sugathan encouraged the sharing of tools and compliance practices between WG members, as most companies use the same components but in different domains. He stressed the utility of developing knowledge transfer between companies.

Queries ranged from basic questions such as an overview of OpenChain to the expectations from Indian companies and the implementation required. The core requirements of the OpenChain Specification were shown, including the standards to be met in terms of documentation, processes and accountability. OpenChain gives organizations the flexibility of self-certification; but being Conformant would require due diligence checks by third parties. Further, the benefits of OpenChain in keeping the software supply chain predictable and consistent were shared. This also helps companies identify gaps in their compliance process and correct them.

It was reiterated that these meet-ups would allow companies to share their best experiences, especially in addressing the challenges they faced in their compliance programs.