ORT Community Days 2024
🙏 Thank you to all those who participated, we hope to see you all at the next edition of the ORT Community days.
📅 The 2024 schedule now includes slides column with links to PDFs of the presentations.
The ORT Community Days are an opportunity for anyone who is looking to automate open source management within their organization whether license, security or ways of working. At the event several ORT users will share how they use ORT to manage their open source usage or contributions so whether you are new to ORT or an existing user this is the event to meet, learn and create with other ORT users.
Join us on March 6-7 2024, on Bosch IoT Campus in Berlin for two days of presentations, workshops and brainstorms on all things ORT from sharing best practices, technical deep-dives till building processes with ORT.
Please note that this is a community event and not a sales opportunity - vendors offering ORT related services are welcome as long as they are active contributors to the ORT community.
Below you can find the preliminary schedule - expect some slots to change.
| Agenda | Time | Session Details | Speaker(s) | Slides |
|---|---|---|---|---|
| Doors open and hallway track | 08:45 - 09:00 | |||
| Welcome | 09:00 - 09:10 | Community Day organizers | ||
| Community Poll | 09:10 - 09:30 | A quick poll within of attendees expectations and their #1 hot topic. | Moderated by Nick Vidal & Thomas Steenbergen | |
| Fireside chat with ORT Technical Steering Committee | 09:30 - 10:15 | Informal interview / Q&A session | Moderated by Nick Vidal | |
| What’s new in AboutCode: ScanCode, MatchCode, VulnerableCode, and beyond | 10:15 - 10:45 | ORT uses ScanCode and other AboutCode tools for code analysis. In this talk, Philippe will present the latest features in the AboutCode stack of open source tools and open data, and how ORT users can benefit. | Philippe Ombredanne, remote via Teams | Slides |
| Curation of ORT output - useful features from the perspective of FOSS license compliance | 10:45 - 11:15 | ORT provides helpful information about the FOSS licenses used in a piece of software. However, to create an SBOM or a reliable license information document manual review and curation is needed. This talk may be a starting point for the discussion about how to consider typical requirements from a lawyer's perspective. | Till Jaeger | Slides |
| Double Open Server for ORT | 11:15 - 11:45 | Introduction to DOS, the Double Open Server for ORT: What it is and how it relates to the ORT Server. | Sebastian Schuberth | Slides |
| Eclipse Apoapsis – Status and ORT-Server deep-dive | 11:45 - 12:15 | Creating and processing SBOMs at scale based on Open Source solutions: Intro to the new Eclipse Foundation Project Apoapsis providing a server concept to run continuous Software Composition Analysis for a large number of heterogeneous repositories. The talk will show the general setup how you can continuously generate your SBOMs and reports and provide a deep dive of the published reference implementation the "ORT-Server" interacting with the OSS Review Toolkit. | Marcel Kurzmann & Martin Nonnenmacher | Slides |
| Lunch | 12:15 - 13:15 | Sponsored by Bosch | ||
| Abstracting a Snippet Scanner in a Multi-Company Setup with ORT | 13:15 - 13:45 | Open source management use cases within Bosch have evolved significantly over the years, and thus the way in which we use ORT also had to be adapted. This talk will focus on one such special use case. It features a setup with development activities involving more than one company where the use of a remote snippet scanner via the UI was not an option, and where the reproducibility of the results beyond the scope of the joint project had to be ensured. In it, we will present the ORT snippet choice feature which we developed to address such a use case. A good practice for performing open source management is to split the activity between a project review, i.e. scan your own code with a snippet scanner, and a dependency review for the open source components, which ideally are collated via a package manager that can be leveraged by a tool such as the ORT Analyzer. However, we were recently presented with a use case that did not fit well into this standard approach. The key difference was the inability to use a remote snippet scanner instance with UI access to perform the project review, combined with a multi-company setup that required the snippet identifications to be reproducible beyond the scope of the joint project. Thus, a solution was needed which both enables a non-interactive approach to snippet handling, and ensures the results of the snippet handling are not tied to a particular snippet scanner instance but instead are stored locally. To address this problem, a decision was made to wrap away the underlying snippet scanner and perform all the snippet identifications in the .ort.yml file via configuration-as-code. We called this the "snippet choice" feature. It currently works with FossID and we are working on merging it to the ORT upstream. In the future it could potentially be extended to work with other snippet scanners as well, such as ScanOSS. | Vladimir Slavov & Nobelis Nicolas | Slides |
| How Volkswagen uses ORT to build a curated database of software libraries | 13:45 - 14:15 | Correct attribution of licenses and copyrights respectively authors are crucial parts to comply with license regulations and their respective obligations. To be able to provide this data centrally for all used components in software development projects Volkswagen built a custom data pipeline based on ORT. I will present how ORT has been customised for this use case and which challenges we still face. | Anton Augsburg | Slides |
| Break | 14:15 - 14:30 | |||
| Onboarding Break-out Session | 14:30 - 17:15 | Have challenges for which you would like to use ORT but don't know how? Then this is the track for you! | Moderated by Alin Jerpelea & Frank Viernau | |
| Hacking Break-out Session | 14:30 - 17:15 | Have questions about open ORT issues or its code, wanna hack on a new feature? | Moderated by Sebastian Schuberth | |
| Break-out sessions | 17:15 - 17:30 | Summary of break-out sessions by session leads plus closing words | Community Day organizers | |
| Evening Social | 18:00 - 21:00 | Dinner in local restaurant - participants pay for themselves |
| Agenda | Time | Session Details | Speaker(s) | Slides |
|---|---|---|---|---|
| Doors open and hallway track | 08:45 - 09:00 | |||
| ORT - from ideas to reality | 09:00 - 09:30 | How can we take outcomes from Day 1 break-out sessions and make them a reality? | Community discussion moderated by Nick Vidal & Alin Jerpelea | |
| Automating Open-Source License Compliance for X-Road | 09:30 - 10:00 | X-Road is an open-source software and ecosystem solution that provides unified and secure data exchange between organisations. X-Road is used as a national data exchange solution in Estonia, Finland, Iceland and many other countries around the world. X-Road includes other open source components and in 2021 its open source compliance was automated using ORT. In this talk Petteri will show the benefits of open source compliance automation and what should be taken into consideration in the process. | Petteri Kivimäki , remote via Teams | Slides Video |
| Contributing to ClearlyDefined: and a little about how we’re using it and why | 10:00 - 10:45 | Getting licenses for dependencies is a big job. ClearlyDefined has been leading the way in building the source of truth for licenses. As a valued project, we are applying resources to help ClearlyDefined continue to move forward. I’ll talk about some of the recent development work, the growing community of developers, and how you can join the fun. I’ll give a peek into the ways we are using ClearlyDefined in our license compliance work at GitHub. | E. Lynette Rayle & Nick Vidal | Slides |
| Producing SBOMs for CMAKE projects using ORT's standard workflow | 10:45 - 11:15 | Reading a conclusive dependency list from CMAKE projects can be a challenge. FOSS license analysis could of course be done by scanning the complete code base with ORT. But the project will appear as one single large monolithic unit, without identifying individual packages. So, as ORT does not know about the dependencies, querying vulnerabilities, producing SBOMs as well as reusing curations across projects does not work.A clean solution to that could be to refactor the project to use a package manager. But his is not always feasible. A second existing alternative is to place package.spdx.yml or project.spdx.yml files in the source tree to inform ORT about the dependencies. This approach requires the build system setup to be compatible with SPDX. Our approach outlines a new third option. At first, the project has to be refactored to relocate the packages to a central place, such that the CMAKE build script does know about the included dependencies and their respective provenance information. Then a simple file is written containing a list of the packages. To funnel this information in ORT we've introduce a dedicated file format from which an analyzer result can be created. It targets only the minimal requirements for doing license clearance and creating SBOMs to allow easy adoption. | Frank Viernau & Ummo Schwarting | Slides |
| Break-out sessions | 11:15 - 12:15 | |||
| Lunch | 12:15 - 13:15 | Sponsored by Bosch | ||
| Break-out sessions | 13:00 - 15:00 | |||
| Open Discussions | 15:00 - 17:00 | Meetings rooms on the ground floor available for community discussions / issue hackathons. |
Event Registration Criteria: Embracing Collaboration & Diversity of Experiences
The ORT Community Days strive to bring together a varied mix of users and organizations. Our goal is to create an enriching environment where every participant has the opportunity to gain valuable insights. In order to achieve this, we are moving away from a first-come, first-served registration approach and implementing specific registration criteria.
- Priority will be given to individuals who fall into one or more of the following categories:
- Contributors
- Existing and new users
- OSPO (Open Source Program Office) members.
- Ideally, attendees should be able to join the event in person on both days.
Officially the registration closed on February 16th but we still have some seats free. If you meet both criteria, please complete the Event Intake Form by clicking here.
To ensure a diverse representation, in the event of a high volume of applications we will limit participation to a maximum of 4 individuals per organization, except the host location for logistical reasons. Registration closes on February 02, 2024.
Thank you for your understanding and commitment to making the ORT Community Days an inclusive and knowledge-rich experience for all.
Want to learn more about what goes on behind the stages of Free and Open Source Software? Then we recommend you combine your registration to ORT Community Days with a ticket to the FOSS Backstage 2024 conference which is also in Berlin on March 4 & 5th.
The ORT Community Days will held Ullsteinstraße 128, 12109 Berlin, on the Bosch IoT campus.
- From the Berlin airport (~45 mins): Take the S45 train direction S-Bahnhof Südkreuz, change at Tempelhof station to the U6 underground direction Alt-Mariendorf and disembark the train at Ullsteinstraße station.
- From the Berlin central train station (~30 mins): Take the S3, S5, S7 or S75 from platform 15 and change after 1 stop at Friedrichstraße station to the U6 underground direction Alt-Mariendorf and disembark the train at Ullsteinstraße station.
There is street parking available around the Ullsteinstraße for which you may need to pay.
The Community Day will be under Chatham House Rule, ORT's Code of Conduct and the Linux Foundation's antitrust policy.
Note that photographs and video recordings may be taken at the event for publicity purposes by the ORT project. By attending this event you consent to being included in photographs and video recordings, if you do not wish to be included you must contact the community day organizers prior to the event.
The ORT Community Days brings together a unique mix of user and organizations all interested in automating open source management whether license, security or ways of working and sharing their experiences under Chatham house rule. To give you a better idea of past attendees and talks we recommend you have a look at last year's schedule.
See registration section above, if you run into any issues or have question please email events@oss-review-toolkit.org.
See our call for speakers section above, if you have any other questions or inquiries please email events@oss-review-toolkit.org.
Yes you can, simply indicate in the speaker form that you would like to present remotely and once scheduled we will send you a meeting invite with a Microsoft Teams link.
ORT Community Days is mostly an in-person event but for a few talks the speaker will be presenting remotely via Microsoft Teams. If you are unable to attend in-person but would like to attend the remote speaker sessions, then use this form to register. Once the schedule is announced we will send registered remote attendees a meeting invite with a Teams link.
Yes there is, if you or your organization is interested in sponsoring or willing to provide swag please email events@oss-review-toolkit.org.
You can reach the organizers at events@oss-review-toolkit.org or on the #events ORT Slack channel.