Like the ingredients list on food that allows customers to make a conscious
decision on what they can or want to eat, we as a company need to know
exactly what open-source dependencies make up our Porsche software products.
This allows us to comply with all license conditions that come with the
open-source libraries in use.
To answer all the questions that arise in the compliance journey, where multiple actors
play a role across the lifecycle, the most important area becomes the process around
compliance and its data. But how do you collect all this information when multiple
products are being developed with a wide variety of technology stacks, and each
product must be compliant before it is released outside the Porsche
To solve this problem, the Porsche AG Open Source Office (OSO) settled on an already
existing, community-driven open-source tool called the OSS Review Toolkit (ORT).
Extensive research was carried out before ORT entered the decision-making process,
and this software was then selected to move forward
What is ORT? The OSS Review Toolkit (ORT) is an orchestration toolkit that lets the
Porsche AG OSO connect to product source code repositories, analyze the collected
data, run scans on it with the flexibility we need, and generate the necessary
reports.
What do we do with the reports? The reports are analyzed in depth to detect possible
irregularities in the software libraries used during the product teams' development
lifecycle within the Porsche environment. This lets us enrich the data by curating
it within ORT.
How do we offer ORT within the Porsche environment? ORT is offered as a core
service to our product teams within Porsche AG and its subsidiaries. As ORT is an
orchestrator, it consists of sequential stages, which lets us hand each stage to a
different party in an automated manner. This means that the first stage of ORT, the
“Analyzer”, can be run as a decentralized service by the product teams, generating
metadata by connecting to and running on their own code repository. The remaining
stages are controlled centrally by the OSO. With this setup, the Open Source Office and
the product teams work together through a handshake to accomplish the compliance journey.
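The handshake described above, as an added shell example that is not Porsche's or ORT's own code: the product team runs only the Analyzer in its own repository, and the central Open Source Office checks the handed-over file before running the remaining scan, evaluate and report stages. It assumes the `ort` CLI is on PATH, a central `rules.kts` evaluator policy, and the top-level `repository:` and `analyzer:` keys of ORT's result YAML.

```shell
#!/bin/sh
# Added example, not Porsche's or ORT's own tooling: the decentralized
# Analyzer stage on the product-team side and the central OSO stages.
set -eu

# Product-team side, run in the team's CI next to its sources. Produces
# $out/analyzer-result.yml, the only artifact handed over to the OSO.
team_analyze() {
  repo_dir=$1
  out=$2
  ort analyze -i "$repo_dir" -o "$out"
}

# Central intake check: refuse anything that is not an ORT analyzer result,
# so a team cannot hand in an arbitrary YAML file and have it pass silently
# through the central stages. Assumes the top-level `repository:` and
# `analyzer:` keys of ORT's result format. Returns 0 if the file looks like
# an analyzer result, 1 otherwise.
check_handoff() {
  file=$1
  [ -f "$file" ] || return 1
  grep -q '^repository:' "$file" || return 1
  grep -q '^analyzer:' "$file" || return 1
  return 0
}

# Central OSO side: scan the sources for licenses, apply the policy rules
# (assumed to live in rules.kts), and generate the reports, including the
# Open Source Software Notice via the NoticeTemplate reporter.
oso_process() {
  analyzer_result=$1
  out=$2
  rules=${3:-rules.kts}
  if ! check_handoff "$analyzer_result"; then
    echo "rejected: $analyzer_result is not an ORT analyzer result" >&2
    return 1
  fi
  ort scan -i "$analyzer_result" -o "$out"
  ort evaluate -i "$out/scan-result.yml" -o "$out" --rules-file "$rules"
  ort report -i "$out/evaluation-result.yml" -o "$out" -f NoticeTemplate,WebApp
}

# Usage (team):  team_analyze /path/to/repo team-out
# Usage (OSO):   oso_process team-out/analyzer-result.yml central-out
```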
What is the bottom line? The compliance journey goes hand in hand with development,
as the majority of Porsche products use FOSS in their development lifecycle. At the
end of the day, we have a precise overview of all open-source components our
products rely on, which we can use, for instance, to ensure FOSS compliance and
to create the well-known Open Source Software Notice.
As the Porsche Open Source Office, we have always wanted to lead by example and prove
the collaboration model that open-source communities offer: sharing knowledge
across company borders, shortening development cycles, driving innovation, and saving
costs. The initial motivation was not merely to consume FOSS and ensure
compliance, but rather to build a cross-functional open-source ecosystem that
embraces a holistic approach, including contribution and collaboration towards
the community. Today, we can proudly say that our open-source ecosystem is
used by the entire company and all its subsidiaries.
The Porsche Open Source Office is currently developing central platforms based on
open-source technologies, such as the FOSS Hub portal and the Data Platform, where
the FOSS data of all product teams is centrally aggregated, enriched, and curated.
This will allow us to pursue all four core strategies, namely FOSS compliance,
contribution, inner source, and vulnerability management, on one joint platform
and create a one-stop shop for open source at
The plan is to release these products as open-source projects to start building
a community around our ecosystem. We are already conducting initial discussions
with potential allies and are looking forward to the time ahead, in which we
will further develop our open-source ecosystem together with further experts and