A Fine Kettle of Files
Open Source Software Compliance involves finding your app's dependencies and then doing what their licenses tell you to do (subject to legal interpretation). If a license is a copyleft license, you must also publish the source code of the dependency component you are using. Finding your software's dependencies is non-trivial even for a standalone app. It becomes much harder when you containerize your app, because you are distributing not just the app but also the mini-OS it runs on. In this talk I will take a sample Docker container and show how you can do some detective work to find where all the pieces came from, and how you could find out which software components were used to create those pieces. Then I will show some methods you could use to automate the detective work. Finally, I will introduce an open source project called Tern that provides a framework to run this automation on a variety of containers for the purpose of open source software compliance.
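The layer-by-layer detective work described above can be sketched in a few dozen lines. The following is an added example written for this page; it is not Tern's code and not part of the original abstract. It constructs an in-memory tarball in the layout `docker save` produces (a `manifest.json` plus one tar per layer), with a constructed `/var/lib/dpkg/status` snapshot in each layer, then walks the layers in order and attributes each Debian package to the layer that first installed it. Every path, package name and version in the sample data is made up for the example; only the parsing of the real dpkg status format and the docker-save manifest layout are assumed to match real images.

```python
import io
import json
import tarfile

# Constructed sample data: two snapshots of /var/lib/dpkg/status, the
# package database a Debian-based base image ships. Names and versions
# are invented for this example.
STATUS_BASE = """Package: libc6
Status: install ok installed
Version: 1.0-1
Architecture: amd64

Package: bash
Status: install ok installed
Version: 2.0-1
Architecture: amd64
"""

# dpkg rewrites the whole status file, so a later layer that installs a
# package carries a complete new snapshot, not just the delta.
STATUS_APP = STATUS_BASE + """
Package: python3-minimal
Status: install ok installed
Version: 3.0-1
Architecture: amd64
"""


def _tar_bytes(files):
    """Build an in-memory tar archive from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed 'docker save'-style tarball: manifest.json plus a tar per layer.

    Layer 1 plays the role of the base OS image; layer 2 installs one more
    package and copies the application itself into /app.
    """
    layer1 = _tar_bytes({"var/lib/dpkg/status": STATUS_BASE.encode()})
    layer2 = _tar_bytes({
        "var/lib/dpkg/status": STATUS_APP.encode(),
        "app/server.py": b"print('hello')\n",
    })
    # The image config blob is not needed for this inventory, so it is omitted.
    manifest = [{
        "RepoTags": ["sample-app:latest"],
        "Layers": ["layer1/layer.tar", "layer2/layer.tar"],
    }]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "layer1/layer.tar": layer1,
        "layer2/layer.tar": layer2,
    })


def parse_dpkg_status(text):
    """Return {package: version} for each installed stanza of a dpkg status file."""
    packages = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines (Description bodies) start with a space; skip them.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Package") and "installed" in fields.get("Status", ""):
            packages[fields["Package"]] = fields.get("Version", "")
    return packages


def inventory_layers(image_bytes):
    """Walk the image layer by layer; attribute each package to the layer that added it."""
    report = []
    known = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.loads(image.extractfile("manifest.json").read())
        for index, layer_name in enumerate(manifest[0]["Layers"]):
            layer_bytes = image.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                # Real layers often prefix paths with "./"; normalise before lookup.
                members = {m.name.lstrip("./"): m for m in layer.getmembers() if m.isfile()}
                status = None
                if "var/lib/dpkg/status" in members:
                    status = layer.extractfile(members["var/lib/dpkg/status"]).read().decode()
            # A layer without a status file did not touch dpkg: inherit the previous snapshot.
            snapshot = parse_dpkg_status(status) if status is not None else dict(known)
            added = {p: v for p, v in snapshot.items() if p not in known}
            # Files in the layer are listed so that anything not explained by a
            # package (here, the app under /app) can be investigated by hand.
            report.append({"layer": index, "added_packages": added,
                           "files": sorted(members)})
            known = snapshot
    return report


if __name__ == "__main__":
    for entry in inventory_layers(build_sample_image()):
        print(entry["layer"], entry["added_packages"], entry["files"])
```

A real image would need the same walk repeated for rpm and apk databases, handling of overlay whiteout entries (`.wh.` files that delete paths from earlier layers), and a cross-check of each layer's files against the package manager's own file lists; the structure of the walk, however, stays as above: snapshot per layer, diff against what was already known, and a residue of unexplained files to chase down.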