OSPOs in the context of mergers and acquisitions

[anajsana]

New discussion to discuss OSPO in the context of mergers and acquisitions. Started by @vielmetti on slack

[anajsana]

@gyehuda replied:

Nithya and I gave a talk at a Linux Foundation event a few years ago about this — our slides http://events17.linuxfoundation.org/sites/events/files/slides/OSPO%20%2B%20M%26A.pdf

[anajsana]

Matt replied:

super cool @gyehuda that is a great presentation, thank you for sharing

[anajsana]

Matt replied:

in particular, nearly 100% of organizations have Open Source code that is included outside of a package manager and not "raised up" to the OSPO before the M&A process, so Code Owners are doing a scramble to get organized.

I know Blackduck's estimate is 97% of companies use Open Source code, and I've seen 96% from GitHub. Our experience is 100%.

[anajsana]

@gyehuda replied:

If you are a target in the process of being acquired by a smart tech company, you’ll need to be prepared to answer “what’s in your code?” But worded in contractual language that makes it really awkward to be sloppy. I’ve seen contracts with significant penalties for open source license violations as part of the deal. If you have your answer well-articulated, you’ve provided an important signal about how good your engineering is

[anajsana]

Matt replied:

that is SUCH a good point.

in a diligence there's the substance of an Open Source issue (or code quality, or security, or a loss of key personnel, etc.), and then there's an implicit evaluation simultaneous going on about the process and how data-driven the team is.

[anajsana]

@gyehuda replied:

Thanks. The other side of this: if you are reviewing a diligence report, make sure that your OSPO reviews it too, not just the lawyer. I recall one case where it was pretty clear from the audit report just how many versions of the software they had, and which technology they were using. This was not helpful to the lawyers, but to the engineering team who wanted to integrate their code into our product. Before the deal close, they could not share too many details about their code, but the scan results provided very good insight about their code — and that helped our engineering team prepare for integration conversations. In other words, this is more than just a check-box part of a deal. This is an opportunity to see things before deal-close that you'd otherwise miss. So treat this as more than just a check-box.

[anajsana]

Matt replied:

that is a really good point. thank you Gil.

[anajsana]

Matt replied:

my "wish list" on behalf of code owners preparing for diligence would be that they run a good OSS scan e.g. scancode regularly so that OSPO would be aware of third-party libraries making it into engineering use, not just those in the package manager.

[anajsana]

@justinabrahms replied:

https://twitter.com/justinabrahms/status/1519740738786918401

I had to do some license scanning for an M&A thing recently. The work being done in supply chain security is a real boon for this type of work.

[anajsana]

@tsteenbe replied:

Interested to learn what tool produced those CycloneDX SBOMs you are merging in that script - my experience is that security tools are terrible at license compliance e.g. does a best effort to pickup the declared license of a package

[anajsana]

@justinabrahms replied:

https://www.npmjs.com/package/@cyclonedx/bom

[anajsana]

@tsteenbe replied:

Thanks. had a look at their code and as I suspected it parses lock files and declared license only so it gives you a hint of the applicable license for a package but not the actual applicable license for a package in all cases. Also as it parses lockfiles it may get the version wrong of dependencies used - lock files are no guarantee npm/yarn will actually use that version.

[anajsana]

@tsteenbe replied:

@justinabrahms Are you aware of OSS Review Toolkit which is an LF project where various TODO members are building proper license compliance tooling?

https://github.com/oss-review-toolkit/ort/ - happy to give you a demo if you are interested.

[anajsana]

@tsteenbe In EU several TODO/LF members were not happy with the state of open source compliance tools so we decided to work together to build open source tooling for ourselves and the community.

The real issue is getting accurate data on applicable licenses to a package as the declared license is often wrong.

[anajsana]

Jimmy replied:

Back in the day when I did a few of those from the buyer side I always asked if the company was a) OpenChain certified, if so to provide the verification artifacts, if not then b) provide a gap analysis towards OpenChain. This was in the days before OpenChain had its ISO number so these days it would be even simpler to refer to ISO 5230. Simply because the selling side usually understands ISO.

[juliancoccia]

IMHO, M&A due diligence on license compliance must include plagiarism check. That requires checking all code against an Open Source Knowledgebase. Luckily, there is now an Open Source solution that works against a public API provided by the Software Transparency Foundation. You can download the Audit Workbench from https://osskb.org. It is free, perpetual, safe and anonymous.

…

On 9 May 2022, at 16:01, Ana Jimenez Santamaria ***@***.***> wrote:  New discussion to discuss OSPO in the context of mergers and acquisitions — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.

[vielmetti]

Thanks all for a very enlightening discussion.

[stephenkilbaneadi]

The OpenChain project has a guide, https://github.com/OpenChain-Project/Reference-Material/tree/master/Guides/Official/OpenChain-in-Mergers-and-Acquisitions/2.0/en - that dates back to 2020.

OpenChain had a summit on M&A, on 28-Apr-2022. The recording is probably available somewhere.

Andrew Katz of Moorcroft has outlined using the OpenChain standard as a structure for performing due diligence on an acquisition target. It's part of a webinar from May 2020: https://www.openchainproject.org/news/2020/05/07/openchain-webinar-3-video-recording