[00:00.000 --> 00:14.000]  So, hi everyone. So we're about to present you the Ermin project. So for those who are
[00:14.000 --> 00:20.000]  here on Friday, I can't talk close to the microphone.
[00:20.000 --> 00:37.000]  So it's the same project that we mentioned on Friday and hopefully the presentation will be easier to understand.
[00:37.000 --> 00:40.000]  Also because I'm with Nicolas Toussaint.
[00:40.000 --> 00:54.000]  So I'm with Nicolas Toussaint from Orange. We'll introduce you to the general idea of the project.
[00:54.000 --> 00:56.000]  Thank you.
[00:56.000 --> 00:58.000]  Okay, speaking loud.
[00:58.000 --> 01:06.000]  So what's Ermin, so a mine, apart from a really nice animal, which does take an age in French.
[01:06.000 --> 01:17.000]  So it's quite a young project, been existing for a year now, initiated by InnoCube and joined by five other large French companies.
[01:17.000 --> 01:22.000]  We're trying, so we're like an open project, we're trying to do things properly.
[01:22.000 --> 01:29.000]  We haven't joined an organization yet, Foundation, but that's planned.
[01:29.000 --> 01:38.000]  We have three committees, that's important. Legal committee because you'll see later it's all around legal suspects,
[01:38.000 --> 01:42.000]  made by jurists, mostly for jurists.
[01:42.000 --> 01:48.000]  And then, well, you know, we try to use, we do use AFERO, ODBL, and so on and so forth.
[01:48.000 --> 01:52.000]  Can you move to the next?
[01:52.000 --> 02:02.000]  Right, so we're building something new, and well, we think so, and we do rely on existing well-established tooling.
[02:02.000 --> 02:09.000]  All of those have been hearing about it all day. Let's move to the next one, probably know these ones.
[02:09.000 --> 02:18.000]  Right, so the nice part, what it's all about, so the idea is to really implement your open source policy.
[02:18.000 --> 02:23.000]  So we take, on one hand, all the license texts from the open source licenses.
[02:23.000 --> 02:32.000]  We break them down into obligations, so do you have to disclose the source code, mention the authors, and so on and so forth.
[02:32.000 --> 02:41.000]  On the other hand, we take S-bombs from the project, and we enrich it with legal and technical context.
[02:41.000 --> 02:49.000]  In the middle, that's where the magic happens. We kind of apply your open source policy,
[02:49.000 --> 02:55.000]  and out of this, we get, on one hand, we get a validation or not.
[02:55.000 --> 02:58.000]  Is it okay to use that license in that context?
[02:58.000 --> 03:03.000]  And on the other hand, you get a nice list of obligations you really have to follow,
[03:03.000 --> 03:07.000]  because you have plenty of obligations and plenty of context.
[03:07.000 --> 03:12.000]  Sometimes you have to follow them, sometimes not, depends on the context.
[03:12.000 --> 03:18.000]  So that's the big picture, and that's next to Kenny.
[03:18.000 --> 03:30.000]  So before talking about S-bombs itself, you have to have a kind of preparatory phase, so that's license analysis.
[03:30.000 --> 03:37.000]  The tool was mainly designed for IP lawyers, but we are not familiar with open source licenses.
[03:37.000 --> 03:49.000]  So what we wanted to do, it's to be able for them to save time while still being confident in the decisions that were made.
[03:49.000 --> 03:59.000]  So also, it was important, it's a shared tool, but of course, every company has its own open source policy,
[03:59.000 --> 04:03.000]  so it had to be flexible enough.
[04:03.000 --> 04:17.000]  So the first aspect is kind of a pedagogical framework that will allow lawyers to systematically and consistently analyze open source licenses,
[04:17.000 --> 04:26.000]  and that will also mean that if it's analyzed systematically, we can handle the decision programmatically to a certain extent.
[04:26.000 --> 04:35.000]  And as I was saying, the idea is also to share interpretations, because if you have a broader consensus about interpretations,
[04:35.000 --> 04:43.000]  then that will increase legal predictability and reduce legal risks.
[04:43.000 --> 04:49.000]  So when we do license analysis, it's basically break down in three parts.
[04:49.000 --> 05:00.000]  The fourth part is just the global characteristics of the licenses, like about the copy left level, the types of rights granted,
[05:00.000 --> 05:03.000]  like if you have patent grants, stuff like that.
[05:03.000 --> 05:09.000]  I mean, technical things like the choice of law of venue, et cetera.
[05:09.000 --> 05:13.000]  And the more important is your policy status.
[05:13.000 --> 05:19.000]  I mean, if you always allow it, if you never allow it, or if you allow it depending on context,
[05:19.000 --> 05:28.000]  then if you allow it depending on context, well, you'll have to specify which context it's allowed in.
[05:28.000 --> 05:39.000]  And if your context is based on simple enough facts, you will be able to automate that.
[05:39.000 --> 05:43.000]  So, for instance, I mean, you can have two subcategories of context.
[05:43.000 --> 05:45.000]  You will have a technical context.
[05:45.000 --> 05:49.000]  I mean, typically, I mean, how and if it has been modified or not.
[05:49.000 --> 05:52.000]  If it's as a type of linking it has with your code base.
[05:52.000 --> 05:57.000]  And but also you can associate it to a category of your products,
[05:57.000 --> 06:01.000]  which means that a product for which the IP will be treated differently.
[06:01.000 --> 06:07.000]  I mean, typically, I mean, in many cases, you won't accept to have a GPL V2.
[06:07.000 --> 06:10.000]  But if you do embedded Linux, I mean, of course, you will accept it.
[06:10.000 --> 06:15.000]  So that will not depend of the technical nature of the third party components or it's linking to your code base.
[06:15.000 --> 06:21.000]  It really, really depends on the business expectations that you are doing on the final projects.
[06:21.000 --> 06:25.000]  And so we can partly automate that.
[06:25.000 --> 06:31.000]  And the third party, it's the breaking down of each license in obligation.
[06:31.000 --> 06:36.000]  And each regulation will be triggered at two levels.
[06:36.000 --> 06:39.000]  The first one is if it has been modified or not.
[06:39.000 --> 06:43.000]  Because in many cases, I mean, you have many obligations that you don't care about
[06:43.000 --> 06:49.000]  just because you're just redistributing unmodified third party components.
[06:49.000 --> 06:54.000]  And the second one is the type of exploitation, which means do you distribute it?
[06:54.000 --> 07:00.000]  I mean, a source has been binary or do you provide network interaction extra?
[07:00.000 --> 07:06.000]  And also, I mean, when you break down different licenses, you will realize that, I mean,
[07:06.000 --> 07:08.000]  very often you have very similar obligations.
[07:08.000 --> 07:11.000]  I mean, they're not straight in the same way.
[07:11.000 --> 07:13.000]  But you can decide, and that's the choice of the lawyer,
[07:13.000 --> 07:18.000]  that actually the equivalent in the way, I mean, they have to be respected.
[07:18.000 --> 07:23.000]  And so you can relate that to a generic obligation and then you will only care about a generic obligation.
[07:23.000 --> 07:32.000]  And you will only care about a specific obligation when they are not related to a generic obligation.
[07:32.000 --> 07:35.000]  And that's about it.
[07:35.000 --> 07:40.000]  And so now that you have your policy ready, you can be ready to handle S-bombs.
[07:40.000 --> 07:42.000]  And I will pass you the microphone.
[07:42.000 --> 07:44.000]  Thank you.
[07:44.000 --> 07:49.000]  OK, so that was the right-hand parts, the licensing obligation.
[07:49.000 --> 07:51.000]  Now we're looking at the left-hand parts.
[07:51.000 --> 07:54.000]  How do you handle the S-bombs?
[07:54.000 --> 07:59.000]  So today, we mostly work with the evaluated report from ORT.
[07:59.000 --> 08:02.000]  You've heard about this morning and all the time.
[08:02.000 --> 08:06.000]  We're working on working with SPDX as well.
[08:06.000 --> 08:10.000]  There's a lot of work to be done in this area.
[08:10.000 --> 08:17.000]  And we will have to go to and support CyclingDX in the future as well.
[08:17.000 --> 08:21.000]  Right, so when you take this S-bomb, you have plenty of information,
[08:21.000 --> 08:26.000]  but you don't have all the information we need on the context.
[08:26.000 --> 08:29.000]  Two types of information we want to add.
[08:29.000 --> 08:32.000]  We want to add the technical details.
[08:32.000 --> 08:36.000]  So sometimes you can get it inside the SPDX report.
[08:36.000 --> 08:40.000]  But I guess there's more automation we can do in this field.
[08:40.000 --> 08:46.000]  But we definitely need to add manually some extra information like the technical linking,
[08:46.000 --> 08:50.000]  how your component is linked to your application.
[08:50.000 --> 08:56.000]  The type of exploitation is what do you actually do with your components?
[08:56.000 --> 08:59.000]  Are you going to distribute it on the Internet?
[08:59.000 --> 09:05.000]  Are you going to distribute that to your end user and so on and so forth?
[09:05.000 --> 09:07.000]  Is that a SAS?
[09:07.000 --> 09:11.000]  You need to also specify if you have modified the source codes.
[09:11.000 --> 09:18.000]  That makes a big difference on how you're going to trigger the license, what you're going to have to do.
[09:18.000 --> 09:24.000]  And we also added recently some funding information.
[09:24.000 --> 09:30.000]  Where does the money come from for a given component, a given project?
[09:30.000 --> 09:36.000]  So the scope can be really handy to automate all the kind of things.
[09:36.000 --> 09:41.000]  There's that development dependency, that build dependency and so on and so forth.
[09:41.000 --> 09:46.000]  There's plenty of things we can do to automate further.
[09:46.000 --> 09:49.000]  But yeah, next please.
[09:49.000 --> 09:55.000]  Right, so there's quite a lot of work to validate the SBOMs.
[09:55.000 --> 09:57.000]  And this is what you see.
[09:57.000 --> 10:04.000]  It's really from a legal, jurist point of view, maybe more than a technical one.
[10:04.000 --> 10:09.000]  So when you get your SBOM in, well, obviously you need a valid XPX expression.
[10:09.000 --> 10:12.000]  If you don't have the XPX expression, you don't know what you're talking about.
[10:12.000 --> 10:15.000]  So you need to know what license you have.
[10:15.000 --> 10:24.000]  Well, number two is a very specific case where when you want to have, give choice to the user.
[10:24.000 --> 10:27.000]  You say it's either GPL or MIT.
[10:27.000 --> 10:32.000]  Quite often the developers tend to write it's this one and this one.
[10:32.000 --> 10:35.000]  But what they really mean is this one or this one.
[10:35.000 --> 10:43.000]  So we added a specific step to fix this particular problem.
[10:43.000 --> 10:48.000]  Type of exploitation we mentioned this earlier.
[10:48.000 --> 10:52.000]  You have also to choose, when you have this choice MIT or GPL,
[10:52.000 --> 10:57.000]  at some point you have to decide which one you're going to select.
[10:57.000 --> 11:01.000]  And all those licenses have to be reviewed by legal persons.
[11:01.000 --> 11:05.000]  They have to be what Kemi explained earlier.
[11:05.000 --> 11:09.000]  If that has not been done, then you have to go back to your jurist and say,
[11:09.000 --> 11:11.000]  please analyze this license.
[11:11.000 --> 11:19.000]  And there's plenty of things that we did to automate this because it can be a lot of work.
[11:19.000 --> 11:21.000]  We're not going into details now.
[11:21.000 --> 11:27.000]  But in particular, we're working on exporting the curation methods to odds.
[11:27.000 --> 11:33.000]  So you don't have to redo this in the future.
[11:33.000 --> 11:40.000]  Okay, so actually the interest of the tool is to combine the two aspects.
[11:40.000 --> 11:44.000]  And when you combine the two aspects,
[11:44.000 --> 11:53.000]  you end up with a list of obligations that you actually have to follow for your release.
[11:53.000 --> 12:03.000]  And so the idea is that it will really get rid of everything that is not actually needed.
[12:03.000 --> 12:10.000]  And also we have introduced the idea of a core set of obligation is that you don't necessarily,
[12:10.000 --> 12:16.000]  I mean it's not always efficient to stick to the bare minimum of obligations.
[12:16.000 --> 12:21.000]  Typically you have licenses like BSD0 or unlicensed.
[12:21.000 --> 12:25.000]  And they don't ask you to put a license in the documentation.
[12:25.000 --> 12:29.000]  But I mean it's more efficient to have the same process for every license and also for,
[12:29.000 --> 12:31.000]  I mean you have many reasons to do so.
[12:31.000 --> 12:37.000]  So also it allows you to classify obligations as part of something normal.
[12:37.000 --> 12:43.000]  I mean you know that you won't have any extra efforts or any special attention to put into your release
[12:43.000 --> 12:46.000]  because it's in your core set of generic obligations.
[12:46.000 --> 12:52.000]  And so that gives you free time to actually consider what is specific and more important.
[12:52.000 --> 13:00.000]  And also another thing that you get is that it gives you a global visibility.
[13:00.000 --> 13:04.000]  And one of the different sort of components you have in your project,
[13:04.000 --> 13:08.000]  so it's relatively, for instance, if you have logged for J, you can search for log for J
[13:08.000 --> 13:13.000]  and it will give you the different product and release which are involved.
[13:13.000 --> 13:23.000]  And also more importantly for us, you can know which of the third party components you are most relying on
[13:23.000 --> 13:27.000]  and also it gives you a direct link to funding them.
[13:27.000 --> 13:35.000]  But it's because it's quite important to actually care about funding and the third party components you rely on.
[13:35.000 --> 13:39.000]  And that's about it.
[13:39.000 --> 13:42.000]  Thank you.
[13:42.000 --> 13:44.000]  So where are we now?
[13:44.000 --> 13:48.000]  The project is ongoing obviously.
[13:48.000 --> 13:51.000]  We don't really have a 1.0 version yet.
[13:51.000 --> 13:53.000]  It's on the way.
[13:53.000 --> 13:56.000]  It's not really used in production yet.
[13:56.000 --> 13:58.000]  Maybe you do actually in a cube?
[13:58.000 --> 14:02.000]  Yeah, but we are not the typical users.
[14:02.000 --> 14:04.000]  Yeah, yeah, yeah.
[14:04.000 --> 14:07.000]  But we shall have one soon.
[14:07.000 --> 14:12.000]  If you have any questions, you can call on GitLab.com.
[14:12.000 --> 14:17.000]  And we do, so we are talking about this breaking down of the licenses into obligations.
[14:17.000 --> 14:19.000]  That's a lot of work.
[14:19.000 --> 14:23.000]  And some of it is already available on GitLab as well.
[14:23.000 --> 14:28.000]  So you can have a look at this.
[14:28.000 --> 14:33.000]  And yeah, if you want to come, we speak back English, but we're friendly.
[14:33.000 --> 14:36.000]  You want to add something?
[14:36.000 --> 14:39.000]  Because we have some time.
[14:39.000 --> 14:41.000]  Yeah, yeah, yeah.
[14:41.000 --> 14:43.000]  I think.
[14:43.000 --> 14:51.000]  Just to say on this particular side of the legal obligations,
[14:51.000 --> 14:57.000]  the idea is to also share with the project a set of licenses,
[14:57.000 --> 15:02.000]  a set of interpretations that can be shared by everyone.
[15:02.000 --> 15:06.000]  How are you going to deal with the fact that Cyclone DX only has one license field
[15:06.000 --> 15:10.000]  and does it not differentiate between conclusions and what's detected?
[15:10.000 --> 15:14.000]  Yeah, so just to repeat, how are we going to...
[15:14.000 --> 15:16.000]  Yeah, yeah, I'm doing that.
[15:16.000 --> 15:20.000]  How do we handle the fact that Cyclone DX only has one license field?
[15:20.000 --> 15:22.000]  I have no idea. Do you?
[15:22.000 --> 15:26.000]  We have just started implementing it.
[15:26.000 --> 15:32.000]  Historically, we've always been working with SPDX and that's quite natural, but we realized that...
[15:32.000 --> 15:35.000]  Well, some tools...
[15:35.000 --> 15:37.000]  Just to assume it's included when you see something there?
[15:37.000 --> 15:41.000]  Yeah, I mean, we'll have to see how it goes.
[15:41.000 --> 15:45.000]  We have first started to submit some peers to their specifications
[15:45.000 --> 15:49.000]  because we had additional needs like support for scopes and stuff like that.
[15:49.000 --> 15:52.000]  So we know that they come from security.
[15:52.000 --> 15:54.000]  They don't come from licenses.
[15:54.000 --> 15:56.000]  They come from two different worlds.
[15:56.000 --> 15:59.000]  So I think that they'll have to evolve at some stage.
[15:59.000 --> 16:03.000]  But they seem very open to suggestions.
[16:03.000 --> 16:06.000]  But we're still implementing it.
[16:06.000 --> 16:09.000]  Yes, Thomas?
[16:09.000 --> 16:12.000]  How would you say her mind is different than Ford's?
[16:12.000 --> 16:15.000]  Because Ford also has a policy engine and Ford's have already stopped.
[16:15.000 --> 16:18.000]  So as you know it...
[16:18.000 --> 16:24.000]  I mean, basically it started as a front-end for Oort
[16:24.000 --> 16:27.000]  and because we wanted to have a graphical interface.
[16:27.000 --> 16:36.000]  So technically it's a Django app and we have an REST API based on Django REST.
[16:36.000 --> 16:41.000]  So we want to stay as close as Oort, including to the concept as possible.
[16:41.000 --> 16:44.000]  But it works a bit differently.
[16:44.000 --> 16:51.000]  And that's why when we make curations we wanted to make them exportable as Oort formats.
[16:51.000 --> 16:56.000]  And we also plan to be able to export your license policy and the Oort format.
[16:56.000 --> 16:59.000]  The idea is to be as compatible as possible.
[16:59.000 --> 17:03.000]  But just the fact also, the main difference is that it has a central database.
[17:03.000 --> 17:09.000]  I mean, just like when you used to use a W360 and it brings the same functionality.
[17:09.000 --> 17:14.000]  That's about that and we really want to stay as close to Oort
[17:14.000 --> 17:17.000]  and that's why we contribute to Oort when we can.
[17:17.000 --> 17:19.000]  Did I answer your question?
[17:19.000 --> 17:21.000]  Can I just ask?
[17:21.000 --> 17:23.000]  Sorry.
[17:23.000 --> 17:24.000]  Thank you.
[17:24.000 --> 17:29.000]  Yeah, there really is a lot of work around working on the licenses and sharing interpretations.
[17:29.000 --> 17:31.000]  So this is part...
[17:31.000 --> 17:34.000]  If you download her mind and you execute it,
[17:34.000 --> 17:39.000]  it comes with a set of decisions and interpretations that you can use
[17:39.000 --> 17:42.000]  that you should actually read and make your own.
[17:42.000 --> 17:45.000]  But I guess that's on top of Oort.
[17:45.000 --> 17:47.000]  Sorry.
[17:47.000 --> 17:51.000]  Yeah, so that's not actually a question but a quick comment on the cycle of the X-situation.
[17:51.000 --> 17:54.000]  So the licenses for your component is actually in the right.
[17:54.000 --> 17:57.000]  So it's possible for you to give multiple licenses there.
[17:57.000 --> 18:01.000]  What might get trickier is actually attributing which files in the source tree.
[18:01.000 --> 18:04.000]  It's not expressing that there are multiple licenses.
[18:04.000 --> 18:06.000]  It's not expressing that there are multiple licenses.
[18:06.000 --> 18:07.000]  Yeah.
[18:07.000 --> 18:09.000]  And they don't connect to other relationships.
[18:09.000 --> 18:11.000]  Those things are missing right now.
[18:11.000 --> 18:15.000]  What I was just asking, is there anything missing in SPDX
[18:15.000 --> 18:19.000]  that we should be adding into the 3.0 that you need?
[18:19.000 --> 18:20.000]  Actually, maybe.
[18:20.000 --> 18:22.000]  I think it is, but for instance,
[18:22.000 --> 18:26.000]  I mean we mainly rely on the evaluating model of Oort,
[18:26.000 --> 18:30.000]  which is kind of semi-official.
[18:30.000 --> 18:33.000]  I'm not sure it's really publicly documented.
[18:33.000 --> 18:35.000]  The evaluating model.
[18:35.000 --> 18:36.000]  It's public.
[18:36.000 --> 18:37.000]  Okay.
[18:37.000 --> 18:39.000]  Yeah, I mean the code is public, of course.
[18:39.000 --> 18:41.000]  But I mean, that's really, I mean,
[18:41.000 --> 18:43.000]  and the kind of information we like,
[18:43.000 --> 18:45.000]  I mean, it's like we have scopes.
[18:45.000 --> 18:49.000]  I mean, and we have it in also sub-projects.
[18:49.000 --> 18:51.000]  Because when you scan, for instance,
[18:51.000 --> 18:56.000]  you can have your composer.json and your package.json in the same project.
[18:56.000 --> 18:58.000]  So it's easy to say, okay,
[18:58.000 --> 19:00.000]  so these are my dependencies for my back-end.
[19:00.000 --> 19:03.000]  These are the execution dependencies.
[19:03.000 --> 19:04.000]  And it comes naturally.
[19:04.000 --> 19:08.000]  I mean, I think it could be implemented in SPDX,
[19:08.000 --> 19:11.000]  but I don't think it's present in a, okay.
[19:11.000 --> 19:13.000]  So because initially, I mean,
[19:13.000 --> 19:15.000]  we wanted to stick as much as possible.
[19:15.000 --> 19:19.000]  So we say, okay, we will interface with Oort through SPDX.
[19:19.000 --> 19:22.000]  But it was, I mean, it was not really convenient.
[19:22.000 --> 19:23.000]  Yeah, sorry.
[19:23.000 --> 19:24.000]  May I ask one question there?
[19:24.000 --> 19:29.000]  Because this is really important.
[19:29.000 --> 19:30.000]  Okay.
[19:30.000 --> 19:33.000]  You're focusing on copyright balances.
[19:33.000 --> 19:35.000]  Do we have other legal obligations?
[19:35.000 --> 19:38.000]  Because copyrights, like 100% of the other legal obligations,
[19:38.000 --> 19:40.000]  we need to use the word for your customer.
[19:40.000 --> 19:42.000]  Sorry, could you speak up, please?
[19:42.000 --> 19:44.000]  Is it only open source obligations?
[19:44.000 --> 19:46.000]  We have other legal obligations,
[19:46.000 --> 19:48.000]  like privacy, security,
[19:48.000 --> 19:51.000]  we need to deliver information to your customer.
[19:51.000 --> 19:54.000]  So currently, we are focused on legal things
[19:54.000 --> 19:57.000]  and mostly related to IP.
[19:57.000 --> 20:00.000]  We tend to also include export control,
[20:00.000 --> 20:02.000]  because that's quite easy.
[20:02.000 --> 20:05.000]  Regarding security, it's a whole different subject.
[20:05.000 --> 20:07.000]  And actually, I mean, in the first prototype,
[20:07.000 --> 20:10.000]  we had a link with a vulnerable code.
[20:10.000 --> 20:13.000]  So it can be not, but it's not that trivial.
[20:13.000 --> 20:16.000]  And currently, I mean, all of the partners
[20:16.000 --> 20:19.000]  are treating the security aspect with their own tools.
[20:19.000 --> 20:21.000]  So it's not a priority for us.
[20:21.000 --> 20:28.000]  But yeah, I mean, we would be happy to be able to handle it.
[20:28.000 --> 20:30.000]  So did I answer your question?
[20:30.000 --> 20:31.000]  Okay, thanks.
[20:31.000 --> 20:32.000]  Sorry.
[20:32.000 --> 20:35.000]  Well, the points we take,
[20:35.000 --> 20:37.000]  I mean, the orange, at least,
[20:37.000 --> 20:41.000]  is that her mind is one part of the whole thing.
[20:41.000 --> 20:43.000]  And we're going to work on interfacing it
[20:43.000 --> 20:46.000]  with some of the tools like dependency track
[20:46.000 --> 20:47.000]  and that kind of things.
[20:47.000 --> 20:49.000]  The point is being to have one source,
[20:49.000 --> 20:52.000]  one database of all the components that we use
[20:52.000 --> 20:54.000]  within the group,
[20:54.000 --> 21:00.000]  and so you can use it from different perspectives.
[21:00.000 --> 21:04.000]  How do you handle incompatible source licenses,
[21:04.000 --> 21:08.000]  like GPL on one side and ACTI on the other,
[21:08.000 --> 21:11.000]  if they combine?
[21:11.000 --> 21:12.000]  Good question.
[21:12.000 --> 21:14.000]  Okay, so the question was,
[21:14.000 --> 21:18.000]  how do we handle incompatible open source licenses?
[21:18.000 --> 21:20.000]  For the moment, we don't,
[21:20.000 --> 21:22.000]  but that was discussed on Friday,
[21:22.000 --> 21:24.000]  and it's not that trivial
[21:24.000 --> 21:26.000]  because you first have to understand
[21:26.000 --> 21:29.000]  the relationship between the two components,
[21:29.000 --> 21:31.000]  because currently what we handle
[21:31.000 --> 21:34.000]  is the relationship between a third-party component
[21:34.000 --> 21:36.000]  and your code base.
[21:36.000 --> 21:38.000]  But you can have incompatibility
[21:38.000 --> 21:42.000]  between two different third-party components,
[21:42.000 --> 21:45.000]  so you have to qualify the technical relationship
[21:45.000 --> 21:47.000]  between those two.
[21:47.000 --> 21:49.000]  And that's a bit tricky,
[21:49.000 --> 21:51.000]  but I think Friday we realize
[21:51.000 --> 21:53.000]  that many people want to work on the question
[21:53.000 --> 21:57.000]  and we really want to be part of this discussion.
[21:57.000 --> 22:00.000]  Yes, so let's...
[22:00.000 --> 22:02.000]  You can use ORT,
[22:02.000 --> 22:04.000]  and that's Osado support for license compatibility,
[22:04.000 --> 22:06.000]  so you can actually do the front-back already.
[22:06.000 --> 22:07.000]  Okay.
[22:07.000 --> 22:09.000]  You can transport from Burma into ORT,
[22:09.000 --> 22:13.000]  from Osado, Osado is a German open source foundation,
[22:13.000 --> 22:15.000]  and they published a license compatibility matrix,
[22:15.000 --> 22:17.000]  which has been included in ORT,
[22:17.000 --> 22:19.000]  and then it was activated.
[22:19.000 --> 22:21.000]  Is it perfect? No, but it is possible.
[22:21.000 --> 22:22.000]  Yeah.
[22:22.000 --> 22:24.000]  Osado has lawyers inside the area.
[22:24.000 --> 22:26.000]  They're working on the legal side,
[22:26.000 --> 22:28.000]  but you shouldn't be there.
[22:28.000 --> 22:30.000]  Well, we do have a few lawyers on board,
[22:30.000 --> 22:32.000]  so...
[22:33.000 --> 22:36.000]  And by the way, there's no competition.
[22:36.000 --> 22:39.000]  We had a very interesting discussion with Osado,
[22:39.000 --> 22:43.000]  and we really plan to cooperate with them,
[22:43.000 --> 22:45.000]  and that's on our to-do list in the beginning.
[22:45.000 --> 22:47.000]  It's just that we lack time, but...
[22:47.000 --> 22:49.000]  Yeah, I mean, we really want...
[22:49.000 --> 22:52.000]  I mean, we really will work with them in the future on that,
[22:52.000 --> 22:55.000]  and anyway, the next one is interesting.
[22:55.000 --> 22:57.000]  So you have another question.
[22:57.000 --> 23:07.000]  Yes, please.
[23:07.000 --> 23:16.000]  That's true.
[23:16.000 --> 23:21.000]  Sorry, I mean, you're talking about SW360, or...?
[23:21.000 --> 23:23.000]  Okay.
[23:23.000 --> 23:27.000]  Yeah, I mean, just for your information,
[23:27.000 --> 23:29.000]  we contributed documentation back in the day,
[23:29.000 --> 23:32.000]  and we wanted to go the SW360 way,
[23:32.000 --> 23:35.000]  but that was before the project was reborn.
[23:35.000 --> 23:37.000]  No, because there were dislikes,
[23:37.000 --> 23:39.000]  so we needed it.
[23:39.000 --> 23:43.000]  I mean, I can talk to you about that a lot,
[23:43.000 --> 23:46.000]  but we really wanted to go the SW360 way,
[23:46.000 --> 23:48.000]  and we couldn't.
[23:48.000 --> 23:52.000]  So once again, I mean, we are all for collaboration.
[23:52.000 --> 23:54.000]  Oh, yeah, Bradley.
[23:54.000 --> 23:57.000]  Do you have any plans to assist your users
[23:57.000 --> 23:59.000]  in meeting their legal obligations,
[23:59.000 --> 24:02.000]  or are you just trying to identify what the legal obligations are
[24:02.000 --> 24:04.000]  and not actually assist in meeting them?
[24:04.000 --> 24:06.000]  Oh, no, I mean, we do.
[24:06.000 --> 24:08.000]  Sorry.
[24:08.000 --> 24:10.000]  I'm sorry.
[24:10.000 --> 24:13.000]  The question was, do we assist the clients
[24:13.000 --> 24:17.000]  to meet the obligation, or just identify them?
[24:17.000 --> 24:20.000]  Well, ideally, both, because the idea is also that
[24:20.000 --> 24:23.000]  for each generic obligation that you have,
[24:23.000 --> 24:26.000]  so that they can identify a generic process to do it
[24:26.000 --> 24:28.000]  and to do it the right way.
[24:28.000 --> 24:30.000]  I mean, that means that that will be really compliant
[24:30.000 --> 24:32.000]  with each license that requires it.
[24:32.000 --> 24:36.000]  For instance, like providing the corresponding source code
[24:36.000 --> 24:38.000]  and stuff like that.
[24:38.000 --> 24:40.000]  So you're working on a system to prepare
[24:40.000 --> 24:42.000]  the corresponding source for you?
[24:42.000 --> 24:44.000]  No, no, no. Sorry.
[24:44.000 --> 24:46.000]  We don't do executions of the obligation.
[24:46.000 --> 24:48.000]  Sorry, I misunderstood your question.
[24:48.000 --> 24:50.000]  We're really happy to be able to branch out,
[24:50.000 --> 24:52.000]  but I'm not sure if it can be done automatically.
[24:52.000 --> 24:54.000]  I mean, I know that in some build system,
[24:54.000 --> 24:56.000]  it can be done.
[24:56.000 --> 24:58.000]  But the problem is so that it will really depend
[24:58.000 --> 25:00.000]  on each build system.
[25:00.000 --> 25:02.000]  And for instance, just for having a notice file,
[25:02.000 --> 25:04.000]  and we were, I mean, there was a very interesting talk
[25:04.000 --> 25:06.000]  about build as bottom,
[25:06.000 --> 25:08.000]  and I really believe in that.
[25:08.000 --> 25:11.000]  But the problem, for instance, if you take the Node.js ecosystem,
[25:11.000 --> 25:14.000]  you have many different build systems,
[25:14.000 --> 25:17.000]  and some of them have this kind of automatic function
[25:17.000 --> 25:19.000]  to generate notice attribution.
[25:19.000 --> 25:21.000]  The only problem is that they're wrong.
[25:21.000 --> 25:24.000]  And so, I mean, we're uncomfortable
[25:24.000 --> 25:26.000]  relying on something that we know.
[25:26.000 --> 25:28.000]  I mean, we can't pretend, oh, it's wrong, we didn't know.
[25:28.000 --> 25:30.000]  You know, I mean, that's a problem that we have checked.
[25:30.000 --> 25:32.000]  And so, for corresponding source code,
[25:32.000 --> 25:34.000]  I think, I mean, we had very interesting talks
[25:34.000 --> 25:37.000]  about embedded system, and I think that they are trustable.
[25:37.000 --> 25:40.000]  So we prefer to refer to that,
[25:40.000 --> 25:42.000]  because I mean, they do what they are doing,
[25:42.000 --> 25:45.000]  and the process will be just, I mean, pointing them to that.
[25:45.000 --> 25:48.000]  I don't know if I understand.
[25:48.000 --> 25:50.000]  We do have a REST API,
[25:50.000 --> 25:53.000]  so the idea is to provide one piece of the whole chain,
[25:53.000 --> 25:55.000]  and probably...
[25:55.000 --> 25:57.000]  Okay. Do you have a question?
[25:57.000 --> 25:59.000]  Thank you.
[25:59.000 --> 26:01.000]  That's all right.
[26:01.000 --> 26:19.000]  Thank you.