FOSS@Porsche: OSS Review Toolkit
3rd November 2023 · 5 min reading time
In this contributor story, the Open Source Office (OSO) at Porsche AG explains why it has chosen the OSS Review Toolkit (ORT) as its core service for all in-house developed initiatives, and why it preferred to collaborate with the community rather than buy a commercial solution.
How would you explain the OSS Review Toolkit project to a five-year-old? What problem does it solve for Porsche?

Like the ingredients list on food, which allows customers to make a conscious decision about what they can or want to eat, we as a company need to know exactly which open-source dependencies make up our Porsche software products. This allows us to comply with all license conditions that come with the open-source libraries in use.

To answer all questions in the compliance journey, where multiple actors play a role in the lifecycle, the most important area becomes the process around compliance and the data. But how do you collect all this information when multiple products are being developed with a wide variety of technology stacks, and each product must be compliant before it is released outside the Porsche environment?

To solve this problem, the Porsche AG OSO turned to an already existing community-based open-source software called the OSS Review Toolkit (ORT). Extensive research was carried out before ORT was taken into the decision-making process, and the decision was then made to move forward with this software.
Taycan, 2021, Porsche AG
What is ORT?

The OSS Review Toolkit (ORT) is an orchestration toolkit that helps the Porsche AG OSO connect with product source code repositories. It allows us to analyze the data, gives us the flexibility to run scanning on the collected data, and generates the necessary reports.

What do we do with the reports?

The reports are analyzed further in depth to detect possible irregularities in the software libraries used within the product teams' development lifecycle in the Porsche environment. This enables us to perform data enrichment by curating the data within ORT.

How do we offer ORT within the Porsche environment?

ORT is offered as a core service to our product teams within Porsche AG and its subsidiaries. As ORT is an orchestrator, it comes with sequential stages, which lets us hand the respective stage to different parties in an automated manner. This means that the first stage of ORT, the "Analyzer", can be used as a decentralized service by product teams to generate metadata by connecting to and running on their code repositories. The remaining stages are controlled centrally by the OSO. Because of this setup, the Open Source Office and the product teams work together, with a handshake between them, to accomplish the compliance journey.

What is the bottom line?

The compliance journey goes hand in hand with the fact that the majority of Porsche products use FOSS in their development lifecycle. At the end of the day, we have a precise overview of all open-source components our products rely on, which we can use, for instance, to ensure FOSS compliance and to create the well-known Open Source Software Notice.
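To make the handshake described above concrete, here is an added example that is not Porsche's or ORT's own code: a small Python script standing in for the central side that receives a product team's Analyzer output, checks the declared licenses against a policy, and drafts entries for a software notice. The sample result and the policy are constructed for this example; the field names `analyzer.result.packages`, `id` and `declared_licenses` follow the layout of an ORT result written in JSON form, but a real result carries far more (projects, dependency graphs, issues, VCS data), and the normalized license expression lives in a separate processed field.

```python
"""Central review of a product team's ORT Analyzer result (added example).

The product team runs the decentralized Analyzer stage and hands over the
result; this script plays the central side that checks it against a policy
and drafts notice entries. Not Porsche's or ORT's code; sample data and
policy are constructed.
"""
import json
from dataclasses import dataclass

# Constructed sample in the shape of an ORT analyzer result written as JSON.
# Only the fields read below are included; real results carry many more.
SAMPLE_ANALYZER_RESULT = json.dumps({
    "analyzer": {
        "result": {
            "projects": [
                {"id": "Maven:com.example:vehicle-app:1.4.0",
                 "declared_licenses": []},
            ],
            "packages": [
                {"id": "Maven:org.apache.commons:commons-lang3:3.12.0",
                 "declared_licenses": ["Apache-2.0"]},
                {"id": "NPM::lodash:4.17.21",
                 "declared_licenses": ["MIT"]},
                {"id": "Maven:org.example:fast-json:2.1.0",
                 "declared_licenses": ["GPL-3.0-only"]},
                {"id": "Maven:org.example:legacy-utils:0.9",
                 "declared_licenses": []},
            ],
        }
    }
})


@dataclass(frozen=True)
class Package:
    """One third-party component from the Analyzer result."""
    id: str            # ORT identifier: "Type:namespace:name:version"
    type: str
    namespace: str
    name: str
    version: str
    licenses: tuple    # declared license identifiers as found in the result


@dataclass(frozen=True)
class Finding:
    rule: str
    package_id: str
    message: str


# Hypothetical policy for software shipped outside the company: strong
# copyleft is blocked, and every package must carry a declared license.
DEFAULT_POLICY = {
    "denied_licenses": {"GPL-2.0-only", "GPL-2.0-or-later",
                        "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"},
}


def parse_package_id(pkg_id):
    """Split "Maven:org.example:lib:1.0" into its four parts. An NPM id such
    as "NPM::lodash:4.17.21" has an empty namespace, which is kept as ""."""
    parts = pkg_id.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected package id: {pkg_id!r}")
    return tuple(parts)


def load_packages(result_json):
    """Read the packages the Analyzer found; the projects themselves are skipped."""
    data = json.loads(result_json)
    packages = []
    for entry in data["analyzer"]["result"]["packages"]:
        ptype, namespace, name, version = parse_package_id(entry["id"])
        packages.append(Package(entry["id"], ptype, namespace, name, version,
                                tuple(entry.get("declared_licenses", []))))
    return packages


def evaluate(packages, policy=DEFAULT_POLICY):
    """Apply the policy and return every violation; an empty list means the
    result may proceed to notice generation."""
    findings = []
    for pkg in packages:
        if not pkg.licenses:
            findings.append(Finding("NO_DECLARED_LICENSE", pkg.id,
                                    "no license declared; needs curation"))
            continue
        denied = sorted(set(pkg.licenses) & policy["denied_licenses"])
        if denied:
            findings.append(Finding("DENIED_LICENSE", pkg.id,
                                    f"declared {', '.join(denied)} is not allowed"))
    return findings


def notice_entries(packages):
    """Draft one notice line per package that has a declared license."""
    return [f"{pkg.name} {pkg.version} ({pkg.type}): " + ", ".join(pkg.licenses)
            for pkg in packages if pkg.licenses]


if __name__ == "__main__":
    pkgs = load_packages(SAMPLE_ANALYZER_RESULT)
    for finding in evaluate(pkgs):
        print(f"{finding.rule}: {finding.package_id}: {finding.message}")
    print("\n".join(notice_entries(pkgs)))
```

In the real setup the policy and the curation of packages without a usable license live inside ORT itself (its evaluator and curation mechanisms), and the notice comes from its reporter; the script only shows what the central stages have to decide once the decentralized Analyzer result arrives.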
By contributing to the OSS Review Toolkit, the Open Source Office made a big step ahead in Porsche's FOSS movement. What was the initial motivation to take this path? Why have you chosen to collaborate with an open-source community rather than buying a commercial solution?

As the Porsche Open Source Office we always wanted to lead by example and prove the collaboration model that open-source communities offer to share knowledge across company borders, shorten development cycles, drive innovation, and save costs. The initial motivation was not merely to consume FOSS to ensure compliance, but rather to build a cross-functional open-source ecosystem and embrace a holistic approach, including contribution and collaboration towards the community. Today, we can proudly say that our open-source ecosystem is utilized by the entire company and all respective subsidiaries.
Photo by Arnold Francisca on Unsplash
With a glimpse into the future: What are your further plans regarding FOSS contributions? Who would you like to see next joining our FOSS contributor community?

The Porsche Open Source Office is currently developing central platforms based on open-source technologies, such as the FOSS Hub portal and Data Platform, where the FOSS data of all product teams is centrally aggregated, enriched, and curated. This will allow us to leverage all four core strategies, FOSS compliance, contribution, inner source, and vulnerability management, on one joint platform and create a one-stop shop for open source at Porsche.

The plan is to release these products as open-source projects to start building a community around our ecosystem. We are already conducting initial discussions with potential allies and are looking forward to the coming time in which we will further develop our open-source ecosystem together with further experts and community members.
Taycan Turbo S, light painting by 'Lumenman' Bernhard Rauscher, 2019, Porsche AG
OSS Review Toolkit (ORT)

The OSS Review Toolkit (ORT) is a Free and Open Source Software (FOSS) orchestration toolkit that, among other features, manages open-source software dependencies and checks them for compliance with a configurable set of policies. The ORT project, which was later donated to the Linux Foundation, quickly gained traction in the FOSS community.