LinuxCon Japan is the premiere Linux conference in Asia that brings together a unique blend of core developers, administrators, users, community managers and industry experts.
CloudOpen Japan is a conference celebrating and exploring the open source projects, technologies and companies who make up the cloud. It’s built on a belief that open works: for users, for industry and for technology.
Checking source code is a mandatory task for license compliance. But scanning a lot of source code each time is costly: it takes time and effort, and the available tools don't always make it easy, because they generate a lot of information that then needs to be analyzed for correctness. This is especially frustrating when the scanned code is very similar to code that has already been scanned.
I argue that besides being a waste of resources it is also unnecessary! There are far more effective methods that allow someone to drill down to the problematic files in minutes, rather than having to wade through tens of thousands of source files for hours or days. This is especially useful when quick action needs to be taken, or when audits have to be done frequently (for example on snapshots of code from an upstream vendor).
In this talk I will describe a very simple method that I have found to be very effective, namely trusting upstream software teams more. It requires making a few reasonable assumptions, but can dramatically shrink the problem space by over 90%, making for example a Linux kernel audit manageable.
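One concrete way to apply the "trust upstream" idea is to hash every file in a verified upstream release and treat any file in the vendor snapshot with an identical hash as already reviewed, so only new or modified files go to the license scanner. The script below is an added example and is not code from the talk or from any tool it mentions; the directory layout, file contents and the four classification buckets are constructed for illustration, and it assumes the upstream tree itself has already been audited and was obtained from a trusted source.

```python
"""Narrow a license audit to files that differ from a trusted upstream tree.

Added example (not from the talk). A file whose SHA-256 matches a file in the
trusted upstream tree is assumed already reviewed; only modified or new files
are reported for scanning. All paths and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large trees stay cheap on memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each relative file path under root to its content hash."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def triage(upstream: Path, snapshot: Path) -> dict:
    """Classify the snapshot's files against the trusted upstream tree.

    unchanged: same path, same content          -> skip
    moved:     same content under another path  -> skip (content already reviewed)
    modified:  same path, different content     -> scan
    new:       content seen nowhere upstream    -> scan
    """
    up = hash_tree(upstream)
    up_by_hash = {digest: rel for rel, digest in up.items()}
    report = {"unchanged": [], "moved": [], "modified": [], "new": []}
    for rel, digest in hash_tree(snapshot).items():
        if up.get(rel) == digest:
            report["unchanged"].append(rel)
        elif digest in up_by_hash:
            report["moved"].append(rel)
        elif rel in up:
            report["modified"].append(rel)
        else:
            report["new"].append(rel)
    return report


def to_scan(report: dict) -> list:
    """The reduced problem space: only these files need a full license scan."""
    return report["modified"] + report["new"]


def write_tree(root: Path, files: dict) -> None:
    """Create a small directory tree from {relative_path: text}."""
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo() -> dict:
    """Build a constructed upstream tree and vendor snapshot, then triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        upstream = Path(tmp) / "upstream"
        vendor = Path(tmp) / "vendor"
        write_tree(upstream, {
            "COPYING": "license text (constructed)\n",
            "drivers/net/foo.c": "/* upstream driver (constructed) */\n",
            "lib/util.c": "int util(void) { return 1; }\n",
        })
        write_tree(vendor, {
            "COPYING": "license text (constructed)\n",            # identical -> unchanged
            "drivers/net/bar.c": "/* upstream driver (constructed) */\n",  # renamed -> moved
            "lib/util.c": "int util(void) { return 2; }\n",       # patched -> modified
            "drivers/vendor/extra.c": "/* vendor-only code */\n",   # unknown -> new
        })
        return triage(upstream, vendor)


if __name__ == "__main__":
    result = demo()
    for bucket, files in result.items():
        print(f"{bucket:9s} {files}")
    print("files to scan:", to_scan(result))
```

In practice the upstream hash table would be built once per release and stored, so each new vendor snapshot costs one pass of hashing plus a dictionary lookup per file. The "moved" bucket is what makes the reduction hold across upstream reorganisations; whether renamed-but-identical files should really be skipped is one of the assumptions the talk refers to, and a team that wants to be stricter can simply fold that bucket into the scan list.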