Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Auditing Gem Licences

Leif Eriksen
October 31, 2013
Technology
0
36

Auditing Gem Licences

Talk given to Ruby Australia on how CGU audit the private Gem server to extract licence details, to ensure compliance and manage IP risk

Leif Eriksen

October 31, 2013
Tweet

Other Decks in Technology

See All in Technology
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
740
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
150
クラウドサインにおけるプロダクトマネージャーの役割と開発プロセス / 20240410_cloudsign-PdM
bengo4com
1
690
[PlatformCon 24] Platform Orchestrators: The Missing Middle of Internal Developer Platforms?
danielbryantuk
1
180
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
62
18k
オブザーバビリティの Primary Signals
onk
PRO
0
550
エンタープライズ環境下での Active Directory の運用 TIPS
tamaiyutaro
1
1.6k
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
5
330
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
100
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
14
35k
反実仮想機械学習とは何か
usaito
PRO
7
2.5k
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
630

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
321
20k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.3k
Design by the Numbers
sachag
274
18k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Building Applications with DynamoDB
mza
88
5.6k
Making Projects Easy
brettharned
108
5.5k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
2k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
GitHub's CSS Performance
jonrohan
1023
450k

Transcript

  1. What’s the risk ? Auditing licence variants in Gem repositories

    Thursday, 31 October 13

  2. Licence Audit a large collection of tools authored in Java

    .Net Ruby Other propriety and FOSS languages and toolsets Thursday, 31 October 13

  3. Ruby Gem Server GemInABox Project/Product .lock files held in VCS

    CI server uploads new gems to GIAB Selection/Review process in play Thursday, 31 October 13

  4. .lock VCS CI RubyGems.org delta Audit GIAB store fetch fetch

    fetch report commit Thursday, 31 October 13

  5. Gem file Metadata Easier if use rubygems-update (gem update --system)

    Extract gem metadata (a version of the .gemspec) Licence strings stored in two places license licences Thursday, 31 October 13

  6. Audit Process Scan .lock files Download Gem versions Crack open

    and pull strings Report ??? Compliant !! Thursday, 31 October 13

  7. Findings small-ish footprint - 258 gem files (fetched in <

    10s !!) most with <3 versions 14 unique licence strings 7 licences MIT, GPL (v2), LGPL, BSD (2,3,4 clause), Artistic, Apache, Ruby - and combinations of these (Ruby,MIT) No commercial licences Thursday, 31 October 13

  8. Are you at risk ? IANAL Thursday, 31 October 13

  9. The Code Have requested Corporate to Open Source this as

    a repo on GitHub The wheels are grinding away...will update list if it goes ahead Thursday, 31 October 13

  10. Questions ? Thursday, 31 October 13