FOSSA: Because Our Software Gigafactory Needs To Solve Open Source Licensing
Originally published on February 24, 2017
Modern developers no longer write large pieces of software completely from scratch. Of course they write code, but really they assemble applications from other code, components, and (micro)services. This isn't a new phenomenon; in fact, it has taken a couple of decades to play out. In my eleven years in venture I've been fortunate enough to be able to play this trend via investments in SpringSource, Groovy & Grails, Sonatype (Maven), Gradle, Lightbend (Akka), and Sysdig, among others.
These gradual but inevitable shifts towards assembling apps, combined with newer software development practices (agile, CI/CD, infrastructure as code), are having profound implications for how software is built and shipped.
Consider that the majority of code in most applications comes from third parties and/or depends on third-party code, most of which is open source. There are well over a hundred distinct open source licenses in use. At this scale of open source consumption, where the dozens of packages you use directly each pull in dozens more transitively, the complexity of managing licenses, and the risk of license violations, increases dramatically. Fundamentally, the modern software developer does not have a good handle on what they ship.
A manual approach to tracking open source licenses is no longer workable at this scale of usage. The proliferation of languages and the complexity of build systems make licenses impractical to track by hand, especially for non-technical people. Add in the trends toward agile development and CI/CD, and automation becomes a requirement: manual tools and processes for managing open source licenses are incompatible with the modern software development workflow.
Automated open source license management is not just a nice-to-have; it's dangerous not to have it. Open source permeates practically every code base, and not all open source licenses are created equal. Some are relatively permissive (BSD, MIT, Apache); others are copyleft (the GPL family) and attach obligations that can extend to the code you combine them with, up to and including a requirement to release your own source under the same license when you distribute the result.
That's why we recently made an investment in Kevin Wang and FOSSA, with participation from angels including Marc Benioff (Chairman/CEO, Salesforce), Jaan Tallinn (Co-Founder, Skype), Steve Chen (CTO/Co-Founder, YouTube), Amr Awadallah (CTO/Co-Founder, Cloudera) and Justin Mateen (CMO/Co-Founder, Tinder).
FOSSA helps companies manage risk, understand what is in their code, and intelligently assemble better code. FOSSA links into your code base (one-click integration with GitHub; easy to point it at other external sources) and runs a mock build on your code. From the resolved build, FOSSA determines which open source projects you are leveraging and which licenses you are beholden to, including the transitive dependencies your direct dependencies pull in. Companies can create bespoke license policies for their business and compliance requirements, and FOSSA will identify any license exposure that falls outside the policy. FOSSA integrates with project management and issue tracking systems, such as Jira, and fits into a company's existing software development workflow rather than forcing developers to spend time inside FOSSA's own tools.
Tools for auditing license compliance already exist, but these audits are usually protracted, labor-intensive engagements, typically performed by a services company such as Black Duck or Palamida. Such an engagement typically takes several months (and potentially more than a year) as consultants manually review the code base. The end product is a static spreadsheet listing the licenses found and where in the code base they sit, and it is out of date as soon as the next dependency update lands. FOSSA, by contrast, can scan a new code base within a few hours (far less, depending on the amount of code) and perform incremental scans in a matter of minutes. FOSSA uses a proprietary graph technology to map out the dependencies in your code base, so that a license conflict deep in the transitive tree can be traced back to the part of the code base that needs to be edited to resolve it.
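To make the two preceding paragraphs concrete, here is a toy version of that workflow written for this page as an added illustration. It is not FOSSA's code (the page describes FOSSA's graph technology as proprietary and gives no details of it) and it makes no claim about how FOSSA works internally. The dependency graph, the SPDX license identifiers and the allow/deny policy are all constructed sample data standing in for what a build tool and a package index would report. The example checks every package reachable from the application against the policy, surfaces packages with no license metadata rather than silently passing them, and attributes each finding to the direct dependency (or dependencies) that pulled it in, which is the thing a developer would actually swap out or vendor around. It also guards against dependency cycles, which real package graphs do contain.

```python
"""Toy license-policy scan over a resolved dependency graph (illustrative only)."""

# Constructed sample data: package -> packages it depends on. "app" is our own code.
DEPS = {
    "app": ["web-framework", "json-utils", "crypto-lib"],
    "web-framework": ["http-core", "template-engine"],
    "http-core": [],
    "template-engine": ["text-wrap"],
    "text-wrap": [],
    "json-utils": [],
    "crypto-lib": ["bignum"],
    "bignum": ["text-wrap"],
}

# Constructed sample data: SPDX identifiers as a package index might report them.
# None models a package that ships no license metadata at all.
LICENSES = {
    "web-framework": "MIT",
    "http-core": "Apache-2.0",
    "template-engine": "BSD-3-Clause",
    "text-wrap": "GPL-3.0-only",
    "json-utils": "MIT",
    "crypto-lib": "Apache-2.0",
    "bignum": None,
}

# A hypothetical company policy: anything not explicitly allowed needs review,
# anything explicitly denied is a blocking finding.
POLICY = {
    "allow": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "deny": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
}


def classify(license_id, policy=POLICY):
    """Map a license identifier to a policy verdict."""
    if license_id is None:
        return "unknown"          # missing metadata is a finding, not a pass
    if license_id in policy["deny"]:
        return "deny"
    if license_id in policy["allow"]:
        return "allow"
    return "review"               # a license the policy has not decided on yet


def reachable(graph, root):
    """Every package reachable from root, with a visited set so cycles terminate."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def paths_to(graph, root, target):
    """All simple (acyclic) paths from root to target, in depth-first order."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in graph.get(node, []):
            if child in path:     # cycle guard: never revisit a node on the current path
                continue
            walk(child, path + [child])

    walk(root, [root])
    return found


def scan(graph, licenses, root="app", policy=POLICY):
    """Return one finding per non-allowed package, attributed to the direct deps that pull it in."""
    findings = []
    for pkg in sorted(reachable(graph, root) - {root}):
        verdict = classify(licenses.get(pkg), policy)
        if verdict == "allow":
            continue
        paths = paths_to(graph, root, pkg)
        findings.append({
            "package": pkg,
            "license": licenses.get(pkg),
            "verdict": verdict,
            # path[1] is the direct dependency of root on each path to the offending package
            "introduced_by": sorted({p[1] for p in paths}),
            "paths": [" > ".join(p) for p in paths],
        })
    return findings


if __name__ == "__main__":
    for f in scan(DEPS, LICENSES):
        print(f"[{f['verdict']}] {f['package']} ({f['license']}) via {', '.join(f['introduced_by'])}")
        for p in f["paths"]:
            print("    " + p)
```

Run against the sample data, the scan reports two findings: `text-wrap` is GPL-3.0-only and is pulled in both through `web-framework` (via `template-engine`) and through `crypto-lib` (via `bignum`), so replacing only one of those direct dependencies would not clear the finding; and `bignum` carries no license metadata and is flagged for review rather than assumed clean. The attribution to direct dependencies is the part a spreadsheet audit does not give you, and the part you need to act on.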
We invested in FOSSA because it (i) doesn't slow down software development, (ii) replaces the traditional audit cycle with simple integration that scales up to big teams and down to small ones and plays well with code reviews, Slack notifications, and the rest of the modern development workflow, (iii) automates a great deal of existing work for the enterprise (reports, audits, attribution, communication, and more), and (iv) makes sophisticated analysis simple and available in real time.
But there's a lot more to do, and we should keep working on streamlining open source licensing. The role of the modern developer is now, more than ever, about using and gluing together open source modules and their dependency trees; those dependencies are the most consequential part of their code. Software companies need to know what they ship, and licenses are the core of what allows them to leverage open source at all. Throughout the software lifecycle, every software company needs to understand and manage the open source licenses it is beholden to.