Antoine Thomas

Compliance & Risk: Shipping Open Source, AI, and Containers

Shipping a container image is distribution; a Dockerfile is not. This distinction is critical for managing open source and AI license risk.

#1 (about 1 minute)

Understanding the business risk of modern software compliance

Modern applications combine open source, proprietary code, and AI, creating legal and business risks that developers are increasingly responsible for managing.

#2 (about 2 minutes)

Understanding when legal compliance obligations apply

Legal compliance obligations from open source licenses are primarily triggered at the point of software distribution, not during internal-only use.

#3 (about 3 minutes)

Why developers should be proactive about license compliance

Addressing license compliance early in development is crucial because fixing issues after a product has been built and shipped is significantly more costly and difficult.

#4 (about 5 minutes)

Comparing compliance risks of Docker images vs Dockerfiles

Shipping a Dockerfile is a lower-risk strategy than shipping a pre-built Docker image because it shifts the responsibility of distribution to the end user.

#5 (about 6 minutes)

Best practices for creating reproducible and compliant builds

Ensure build reproducibility and compliance by pinning versions, archiving all sources in private repositories, and generating a Software Bill of Materials (SBOM).

#6 (about 4 minutes)

A practical guide to open source license families

Open source licenses fall into three main categories: permissive, weak copyleft, and strong copyleft, each with different obligations for sharing source code.

#7 (about 2 minutes)

How license choice impacts your product and IP strategy

A permissive license like BSD allows companies to keep their modifications private, whereas a strong copyleft license like GPL can require sharing proprietary code.

#8 (about 4 minutes)

Navigating the complex world of AI model licensing

AI models introduce new licensing challenges, including permissive open source, proprietary APIs, and custom "fair use" licenses with commercial use restrictions.

#9 (about 4 minutes)

Understanding the three categories of AI models for use

AI models can be categorized as true open source for unrestricted commercial use, fair use with specific limitations, or commercial-only APIs that create vendor lock-in.

#10 (about 8 minutes)

How to scale compliance with automation and process

Make compliance scalable by adopting the SPDX framework, integrating automated checks with tools like Tern into your CI/CD pipeline, and creating an Open Source Program Office (OSPO).
