PackagingCon

Daniel Machlab

A big fan of Open Source Software and an efficient development lifecycle, Daniel Machlab has dedicated his interests to making OSS license compliance seamless for his fellow VMware developers—and the entire Bazel community. Daniel's passion and appreciation for the Open Source Community dates back to his high school days, when he used OSS in his first apps. He had no idea that years later he would contribute a solution back to the community to make OSS easier to use.


Session

11-09
17:25
20min
Streamlining VMware's Open Source Licensing Compliance With Bazel
Daniel Machlab

With hundreds of thousands of open source software (OSS) projects to choose from, OSS is a vital component of almost any codebase. However, with over a thousand unique licenses to comply with, the complexity of managing OSS use cannot be overlooked. Identifying and tracking OSS to comply with license requirements adds friction to the development process and can result in product-release delays. At VMware, developers must run a scanner to produce a Bill of Materials (BOM) of the OSS being used. This extra step adds toil and leaves room for error, and some scanners are imprecise, compounding these issues.

We solve this problem using Bazel to create an accurate BOM containing OSS and third-party packages during a build. To do this, we made a Bazel aspect that analyzes the dependency graph and collects information about each package from VMware's internal Artifactory. Additionally, it consumes a list of approved and denied OSS from VMware's legal team. By moving OSS validation to build time, OSS decisions are made earlier in the development and review process, making them less costly.
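The sketch below is an added illustration of the approach described in the abstract, not VMware's or the speaker's code. It assumes a hypothetical `license` string attribute on each target (standing in for the Artifactory metadata lookup) and hypothetical `allowed_licenses`/`denied_licenses` rule attributes (standing in for the legal team's lists); the provider, aspect and rule names are invented. The aspect walks the `deps` graph and accumulates (label, license) pairs in a depset; the rule that applies it writes a BOM file and fails the build at analysis time when a denied license is present.

```starlark
# Added example, not the talk's or VMware's code. Assumptions: every target
# in the graph carries a hypothetical `license` string attribute (standing in
# for the Artifactory metadata lookup), and the allow/deny lists are passed as
# rule attributes (standing in for the legal team's feed). Provider, aspect
# and rule names are invented for illustration.

LicenseInfo = provider(
    doc = "License entries collected from a target and its transitive deps.",
    fields = {"entries": "depset of (label, license) tuples"},
)

def _bom_aspect_impl(target, ctx):
    # Merge what the aspect already collected on transitive deps.
    transitive = [
        dep[LicenseInfo].entries
        for dep in getattr(ctx.rule.attr, "deps", [])
        if LicenseInfo in dep
    ]
    # Record this target's own license, if it declares one (assumed attribute).
    direct = []
    lic = getattr(ctx.rule.attr, "license", None)
    if lic:
        direct.append((str(target.label), lic))
    return [LicenseInfo(entries = depset(direct, transitive = transitive))]

# Propagating along `deps` makes the aspect visit the whole dependency graph
# below any target it is applied to.
bom_aspect = aspect(
    implementation = _bom_aspect_impl,
    attr_aspects = ["deps"],
)

def _oss_bom_impl(ctx):
    allowed = {lic: True for lic in ctx.attr.allowed_licenses}
    denied = {lic: True for lic in ctx.attr.denied_licenses}
    entries = depset(transitive = [
        dep[LicenseInfo].entries
        for dep in ctx.attr.deps
        if LicenseInfo in dep
    ]).to_list()

    lines = ["label\tlicense\tstatus"]
    violations = []
    for label, lic in entries:
        if lic in denied:
            violations.append("%s: denied license %s" % (label, lic))
            status = "DENIED"
        elif lic in allowed:
            status = "APPROVED"
        else:
            # Not yet reviewed by legal: recorded in the BOM for follow-up,
            # but it does not break the build on its own.
            status = "NEEDS_REVIEW"
        lines.append("%s\t%s\t%s" % (label, lic, status))

    # Denied licenses fail during analysis, before any compilation runs.
    if violations:
        fail("OSS license policy violations:\n" + "\n".join(violations))

    bom = ctx.actions.declare_file(ctx.label.name + ".bom.tsv")
    ctx.actions.write(bom, "\n".join(lines) + "\n")
    return [DefaultInfo(files = depset([bom]))]

oss_bom = rule(
    implementation = _oss_bom_impl,
    attrs = {
        "deps": attr.label_list(aspects = [bom_aspect]),
        "allowed_licenses": attr.string_list(),
        "denied_licenses": attr.string_list(),
    },
)

# BUILD usage (hypothetical target names):
# oss_bom(
#     name = "release_bom",
#     deps = ["//app:server"],
#     allowed_licenses = ["Apache-2.0", "MIT", "BSD-3-Clause"],
#     denied_licenses = ["AGPL-3.0-only"],
# )
```

Two caveats a practitioner would check before relying on something like this: the aspect only follows the `deps` edge, so rules that pull in code through other attributes (for example `runtime_deps` or `data`) need those names added to `attr_aspects`, or the BOM silently omits them; and Bazel analysis cannot reach the network, so the per-package metadata has to be materialised beforehand (a checked-in lookup file or a repository rule) rather than fetched from Artifactory during the build itself.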

Metadata & Building things
Room 4