EACG and OpenChain agree on partnership
Frankfurt, June, 8th 2018, EACG - the mother company of TrustSource - and the Linux Foundation agree on a partnership to co-operate in the OpenChain project.
EACG acts for several years now in the field of open source governance and compliance. Based on the experiences from some larger projects, EACG has developed TrustSource , the platform for automation of open source governance. "We are close to having all of the stuff automated. Even the legal part!", summaritzes Jan the efforts over the last few years.
"Our platform delivers the technical part: scanning, mapping, documentation and reports. But Governance is much more, that a tool may do. To really ensure compliant software delivery and distribution also processes and culture need to change. This is where OpenChain comes in. The many, well thought and carefully designed requirements will lead towards the required change, if managed carefully. We support that and provide all required features to ensure OpenChain compliance. "
EACG offer consulting services in the area of open source compliance and governance as well as the solution platform TrustSource. there are different editions available according to your needs. To check it out and test it here.
Release v1.5 available
We are happy to announce our latest Update v1.5.16. With this release we further strengthen our capabilities in managing vulnerabilities and extend our documentation competencies.
New Features
- PDF-your-Reports - It is now possible to download your reports as PDF. Timestamp and release number will always be included, so there is not chance for mixing up data.
- New Bill of Materials Report - With this release we have provided a BoM-report allowing you to request a visual representation of the Bill of Materials of any of your projects.
- New CVE-Impact Report - With this report you may select a CVE number and immediately see which components in what project are affected by this CVE. From the report you may jump directly to corresponding components and trigger further action.
Improvements
- Branding changed to TrustSource - from now on we have moved to the new branding schema. Not only the visuals (logo, etc.) changed, but also the URLs. The base URL is no longer https://ecs-app.eacg.de but it is https://app.trustsource.io. The old URLs will remain working, but we suggest to use the new ones.
- Preview changes in Bulk user upload - The bulk user upload for the corporate and enterprise accounts does have a preview now. So you may see which lines might cause unwanted impacts and dry-run your import before allowing it to take effect.
- Jira-Status-Report - Jira tickets are now presented in a nicer way according to status. Also it is possible to have project specific reports.
Why does a license matter?
“If someone is publishing his stuff on Github he must accept that it will be used by others!””
Unfortunately we still hear this critical misunderstanding often while finding open source components buried somewhere in source code; without any furtehr declaration of course. Let’s send a few words to discuss this in more detail.
In our western world protection of intellectual property is a high value. The believe that an inventor shall profit from his achievements has been accepted as the driving force of behind our wealth and developed status. That is why it has been protected by intellectual property laws. This insight counts some years already and meanwhile has been established and harmonized internationally through the Berner Convention.
Governing thought has been, that an inventor or creator of a work always will own all rights of usage, modification and all kinds of distribution. This is always valid for a certain period of time after the work has been created. Theperiod depends on the work.
An inventor or creator may transfer his rights to others. The typical form of this transfer is a license.
Without a license, all rights remain with the creator for his protection!
If no license exists, for the protection of the creator, all rights will be assumed as not transferred. Therefor each user of a component without license starts walking on ice. In general nothing might happen immediately. But who knows what will be in the future? Success might make jealous, motivations might change over time. Happy times for all of those, who own a license they may rely on!
But not only that there might be some contributors of open source software getting nasty. There is another relevant aspect of licenses. They also clarify the terms when the right to use is transferred. this will protect you from a usage without right.
In our hemisphere the usage of protected works without right is assumed a criminal act. This might not only cause immense financial damages due to call backs or branding impacts. But also a criminal investigation might be caused. In some countries this does not even require a plaintiff. This role will be taken by the prosecutor automatically triggered by a suitable evidence, irrelevant of the source (competition, former employee, original inventor).
To prevent all kinds of damage, it is highly recommended to ensure the availability of and conformity with a license!
To prevent damage, it is highly recommended to avoid using components without a license. But to achieve this, it is essential to know what has been used to build the software and what are the resulting obligations.
TrustSource has been developed to automate this task. Applying the automated scanning you may detect early which components are used and which licenses – or even no licenses – are related.
Our architects may help you to manage critical cases or identify alternative solutions. Do not wait, start right now in creating transparency!
TrustSource Version 1.4 released
We are proud to announce the release of v1.4!
It took some sweat, blood and a lot of testing, but now v 1.4 has been successfully released. There is a basket of new features available that will make your work much more efficient:
- the new inbox will collect all communication so you will not miss anything anymore.
- A vulnerability feed will alert you about latest changes or upcoming issues.
- CVSS-Scores and attack vector information allow a faster identification of critical issues
- Extended Obligations report - using the new obligation report it will be possible to jump directly to the associated component, so that you may work with it without switching between the two view. Also the report is now available from within the list views.
- Suitability checks - to further support SHIFT LEFT, we have created a feature which allows you to verify the suitability of not yet built in licenses and/or components. This allows developers to verify the consequences of using a product even before it will be added to the code base. The functionality also is available over the API.
- Private licenses - You are now able to create private license keys. So you may also manage your own licenses
Also we have added some improvements and Fixes. For example we were able to discover a matching problem in our vulnerability scanner.
Additional information can be found here.
June 19th, Compliance Breakfast @ Frankfurt a.M.
To achieve a fast Go-to-market for innovative products and services, the application of software, especially open source software is essential.
But, open source software is no free lunch!
What obligations are related to the use of open source software, what triggers the different obligations and what is resulting therefrom? What are athe risks and how to manage them? All this will be part of this informational event. You will receive an overview of the current legal situation as well as practical experiences of the introduction of Open Source Governnace.
0830-0900 Welcome coffee & tea
0900-0915 Introduction of speakers
0915-0945 Current legal situation and challenges (Heinzke)
0945-1000 Questions and discussion
1000-1045 Lessons learned from introducing Open Source Governance in a conglomerate (Thielscher)
1045-1100 Questions and discussion
Tickets can be booked here. To ensure a sound experience, the event is limited to 25 participants. Please note, the event will be in German.