Interviewee: Gao Kun, openEuler Compliance SIG

Since its source code was opened on December 31, 2019, openEuler has gradually become the most dynamic open source community in China through open governance and by attracting a large number of partners. As a global open source community for server operating systems, openEuler has been committed since its release to promoting a prosperous and growing hardware and software application ecosystem. The Compliance SIG focuses on research in compliance-related fields and delivers its results to the community in the form of standards, processes, tools and other deliverables, supporting open source compliance management and promoting the healthy development of the community by improving its compliance software engineering capabilities.

Recently, the editorial department of this site was very honored to invite Gao Kun, the founder of openEuler Compliance SIG, to discuss the establishment of openEuler and the development and practice of open source compliance.

"Building the Roots and Casting the Soul": Building the Ecological Base for a Domestic Digital Infrastructure Operating System

As we all know, the server operating system market has long been "monopolized" by foreign manufacturers. Looking back at the development history of operating system software in China, we find that almost all of our IT operating system bases used American software, especially RedHat.

Fortunately, under the general trend of scientific and technological innovation, Chinese innovators have finally been given the opportunity to overtake on the bend. Gao Kun, an expert in open source software, has a deep understanding of this.

"The emergence of openEuler has made domestic developers realize that they no longer need to follow the technical facilities of that American software, but can go to the upstream community to explore innovation by themselves."

In Gao Kun's view, compliance work used to be completed in the community by American companies and then used directly by domestic companies. Now that domestic enterprises are taking this road themselves, a great deal of that work has to be done by themselves, and this is why openEuler established the Compliance SIG.

The most critical factor that truly makes openEuler "stand out", and that allows Gao Kun to build his capabilities here, is the complexity of the project. Gao Kun said that the openEuler community has gathered thousands of upstream components, with complex usage, build and dependency relationships among them.

openEuler received many responses after it was open sourced, especially from downstream partners who are not very aware of compliance. Actively welcoming them to join brings more vitality to the development of the community and also raises the partners' compliance awareness, which is why the OSCAR conference set up a special session on industrial risk governance. With compliance and security awareness, everyone shares a consistent and clear goal for common development.

And this is why, even though many other projects have also set up compliance as a SIG's main business, the industry still chooses openEuler, and it is also why Gao Kun and his partners insist on openEuler.

Gao Kun said that the entire openEuler organization is currently open and transparent: all regular meeting processes, meeting minutes and operations on the code hosting platform are completely open and traceable. At the same time, the community encourages bilingual communication in both Chinese and English. Although most participants are domestic partners and individual developers, it is believed that openEuler will grow into an internationally known community in the future, so more overseas partners are welcome to join.

The Compliance SIG group was established in January 2021, and several meetups have been held in less than a year: for example, in March, May, July and August of last year, offline meetups were held in Shanghai, Beijing, Shenzhen, Changsha and elsewhere. Every working meeting of the SIG group is attended by Dalian University of Technology, Anshi Technology, Kirin, Tongxin, Kirin Principal, Runhe, Puhua, Huawei, the Chinese Academy of Sciences and other organizations, with nearly 20 industry players at each regular meeting. At the same time, Huawei is conducting in-depth research and cooperation with organizations such as Dalian Institute of Technology Software, co-building tools and services with companies such as Anshi Technology, and gradually building up compliance capabilities.

Gao Kun said that the last OSCAR conference was a good opportunity: we saw CAICT take the lead, with Huawei, ByteDance and Baidu as well as suppliers and law firms participating. The steady development of the open source compliance ecosystem contributes to the openEuler community's practice in building China into a "science and technology power".

Tool creation: spreading Chinese classical culture and building a compliance tool chain

As software becomes larger and more complex, the software supply chain also becomes larger and more complex. The failure of any member of a large, complex software supply chain to comply with license obligations or to provide appropriate license information will have significant implications for vendors who are obligated to comply with licenses.

To address these issues, the Compliance SIG is committed to building a complete end-to-end open source compliance tool chain, planning and releasing a series of compliance tools, and providing developers with a series of compliance inspection services. At present, services such as "Zhang Fei" for project license text scanning, "Zhou Yu" for SPDX-standard comparison of license information, "Hua Tuo" for code lineage analysis and audit, and "Zhuge Liang" for compliance risk are provided through tools, and the regulatory information portal "Diaochan" hosts these services. The service tools are named after figures from the Three Kingdoms period, which at the same time spreads Chinese classical culture.

Joining OpenChain: Helping Ecological Co-innovation and Development

Not long ago, the news that Huawei had joined the OpenChain project as a platinum member attracted industry attention. In this regard, Gao Kun also specifically answered the questions of concern to this site.

According to Gao Kun, the OpenChain project is an interpretation of open source licenses, including a complete system of rules and processes for enterprises to follow. As we all know, a license is a legal clause, but it can be standardized. This is one of the things the openEuler Compliance SIG does: helping more enterprises understand open source compliance and consciously comply with licenses.

A few years ago, the OpenChain project worked with 20 companies around the world to formulate the "OpenChain ISO 5230" international standard. Huawei became a new platinum member of the organization because it had already studied the organization's standards. Today, Huawei's role is more to drive the entire upstream and downstream supply chain and grow the whole domestic open source ecosystem. Gao Kun said he was glad that OSPO leaders of at least 5 well-known companies had contacted him to ask how to join the organization, and he believed that a large number of Chinese companies would soon join to practice compliance across the entire supply chain.

The above is Huawei's original intention in joining the OpenChain project. Gao Kun also expects that domestic enterprises and enterprises from all over the world will agree on this standard and jointly innovate and develop under the premise of unified standards.

Joining hands with CAICT: developing trusted open source to empower ecosystem governance

At the same time, Huawei is also cooperating with CAICT on open source risk and open source governance. Gao Kun said that he has cooperated with CAICT on research related to trusted open source since as early as 2020; at the beginning, no one in the industry community mentioned the word "trusted". The so-called "trustworthiness of the open source community" means that, to achieve security and compliance, all actions of the open source community must be open and transparent.

These are the core characteristics of what Huawei believes makes a trusted open source community. Based on these characteristics, and on insights from a large number of excellent projects (such as Fedora, Ubuntu, TF, etc.), it was found that excellent communities display diversity and inclusiveness in their governance and operations. Based on the refinement of these features, CAICT released the "Trusted Open Source Framework White Paper" standards on May 26 last year.

In addition, Huawei and CAICT have also collaborated on white papers related to security governance and the open source ecosystem, focusing on in-depth cooperation on 4 to 5 new industry standards and white papers, which are mainly released in cooperation with CAICT's Cloud Institute. openEuler participated in completing the white paper on operating system content.

In the open source risk management sub-forum of the recent 2021 Open Source Industry Conference, Gao Kun, as an open source expert, was also deeply involved in the open source risk management session, empowering the healthy development of the domestic open source ecosystem.

Over the past year, Huawei has gradually built up compliance service capabilities in the open source community. At the same time, we expect more open source enthusiasts to join the construction of compliance tools and regulations in the future, complete the compliance tool chain and management system, and establish a complete compliance technology ecosystem that provides solid support for the healthy development of domestic open source.
