So, hello everyone. Thank you very much for coming to this session today. I'm Ayumi and he is Tomoyasu. We are here as speakers today. Sorry, this is our first time to do this kind of presentation in English, so we are a little bit nervous, but in a good way. So today we are here to talk about things that we learned through an experience of releasing our software as open source. The title is "A Journey to Open Source from Conservative Japanese Company". I am seeing a lot of people here in this room today, and actually it is way more than expected, so thank you very much for your attention. So let's get it started.

First of all, let us introduce ourselves. My name is Ayumi Watanabe. I'm working with Hitachi Solutions. It is an IT company in Japan. I am a manager of the open source and SBOM management business of Hitachi Solutions. Our business is, I would say, like a consulting business. We are supporting Japanese companies to know and learn about SBOM or open source, and we also help our customers to manage their open source and SBOM for their compliance and security risk. And I am also a community member of OpenChain. In Japan, OpenChain has a local work group. It is the OpenChain Japan work group. Last month I became a leader of the planning sub work group of OpenChain Japan. So I am very excited to support our community members to communicate with each other more and more. Thank you very much.

Okay, first of all, let me explain why I started this story and why I decided to release open source software, my part. Okay, yes, my name is Tomoyasu Akashi. I'm a software developer in Hitachi Solutions, Ltd. I usually work as an SBOM engineer in the management business of Hitachi Solutions, and I'm our main developer for Editor for SBOM.

So again, we are very happy to be here as speakers. First of all, let me introduce our company. We are working for Hitachi Solutions. It is a Japanese company.
It is an IT company, and we are one of the subsidiaries of Hitachi Limited in Japan. We are focusing on system integration in Japan, so a large amount of our engineers are system engineers, and we are using open source a lot for development of our packages, our systems, everything.

And what is "conservative" in the title? I am using the word conservative meaning a company who has no, limited policy, rule or process for contribution, I mean contribution to the open source ecosystem. In this meaning we are conservative, and it is very common in Japan. Let me use this chart to explain that. This chart is a part of the survey of OSS compliance operations in companies, which we did maybe two or three years ago as OpenChain Japan. This figure says 33% out of 58 companies have a documented process for contribution to the OSS community. What do you think about it? Is it enough, or very low? Considering the fact that many of these 58 companies are members of OpenChain, maybe I should say this 33% is quite low. But this is the reality in Japan.

So my long introduction is over now. This is our overview. Today we will talk about our story to release our internal software on GitHub as an open source project. The story is: one software developer, which is he, made up his mind to release his software as open source. And he knew at that time there was no documented process for contribution. So he asked his manager.
It was me, for help. So we did a lot for a contribution and we learned a lot from that, and we finally made it happen to release our source code as Editor for SBOM on GitHub. Editor for SBOM is just the editor for people who want to edit or read SBOM. You can download our Editor for SBOM from our GitHub repo with this QR code. So if you are interested in SBOM or SPDX, and if you have any chance to read, write and edit SPDX, which is one of the formats of SBOM, our Editor for SBOM would be a good help for you.

Today's session is divided into four parts. Sections one and two are a talk from the developer side, which is him, and section three is a talk from the manager side, which is me, and we have section four as a conclusion. So, it's over to you.

Okay. Let me explain why I started this story and why I decided to release this open source software. My part may be a little out of place for this session, but it is the context of our difficulties and learnings in our open source software release procedures. So I'd like you to know the context before hearing about that.

My main job is developing enterprise applications. Most recently I was in charge of an implementation related to SBOM and SPDX. As you know, the specification of the SPDX project is open source, and some official open source software exists. So, as the specifics of my job, I was learning them and developing some features related to them. I think for the general programmer it's natural to use language support features like syntax highlighting and candidate display. For example, if it's Java, Eclipse will provide each support for it. If it's TypeScript on Visual Studio Code, you can find and install your favorite extension yourself in addition to pre-installed features. However, I noticed that SPDX still lacks the language support features.
That other programming languages always have. This realization was the first trigger for my story. I'm sure any programmer would agree that they would do their work with the language support features. So I wanted such features for SPDX. I searched how to make those features. I found that I could make it myself as an extension of Visual Studio Code. Therefore, I decided to try this challenge.

After a while, my code turned out to be good enough for me. It could have just ended as my own tool. But I noticed that no similar extension existed on the Visual Studio Code Marketplace at that time. Then I thought, doesn't anyone else need these features? This picture is me at that time. Also, I thought it would be natural for this code to exist there as open source, just like the reference SPDX project. As I just said, these features are usually provided free of charge as open source in other programming languages. Also, I thought my code is definitely not perfect, but maybe it's still useful for someone. Consequently, I decided to turn my code for myself into open source software and suggested this challenge to Ayumi. In addition, I thought it maybe could contribute to the SPDX community and go around to have a positive impact on our business.

Now let me explain the open source software.
The name is Editor for SPDX. As I already mentioned a little bit, it is the Visual Studio Code extension for reading SPDX files of version 2.2. The features are syntax highlighting, hover information, print source snippets, completion, go to declaration, and checking syntax errors. They are all very common features, but, as I just said, I made it for myself. So it's not completely compliant with the specification and all features are still under development. The source code of this extension is distributed under the MIT license. This extension is made of Node.js and the library for Visual Studio Code extensions. It's implemented to comply with SPDX specification v2.2. In addition, although it is not directly dependent, I referenced official SPDX open source software code like the SPDX tool for the concept and structures.

Okay, I have finished speaking about why I decided to release this open source software, as well as what the open source software is. But as a side note, I will explain the situation at the time of creation. The context I'm going to talk about is the points that the people who collaborated with us were concerned about in the open source software release procedures that Ayumi will explain later. First, I made this software while I was working. However, it wasn't ordered as a job.
It was personal ingenuity work. Second, it doesn't contain any code I had made in other jobs. It includes only code written for this software. Third, as I already said at the beginning, I learned the SPDX specification and how to use official open source software, which I use as knowledge during development, during my work. However, other than that, how to create an extension using features such as the Language Server Protocol, how to write Node.js and how to parse, I learned those by myself in private.

Okay, my part is at the end. From now, Ayumi will explain what we have done to make the software I made into open source software: difficulties and learnings in our open source software release procedures. Thank you.

So, let's move on to the manager side. One day one of my team members, which was he, came to me and said, "Hey, I'd like to make my software open source. What should we do?" At the moment I heard that, I was so impressed and also I was so happy, because a young developer in my team came to think about contribution, and spontaneously. So I immediately said, "Of course, right now. Let's do that."

But at that time we already knew there was no documented process for contribution in my company. So we started to figure out what we should do before opening our code on GitHub. We talked to a lot of people in my company to figure out what we should do. We talked and talked. Somebody said, "Oh, I have no idea, so let's ask another person." Some people said, "We cannot decide, so you should ask the other department or the other person." So finally I figured out the things that we should do before opening our code, and they are this. This is actually 10 steps of process. It is huge, right? And in this chart, from step two to step seven is our usual work.
I mean we usually do this kind of work for our proprietary development. So this time I noticed that for open source we do the same process as for our proprietary development. Additionally to that, we need more things especially for open source. It was a huge work, I mean. So let me explain those works in detail, step by step.

First of all, I went to ask for advice from our finance department, because in Japan we need to record every software that we develop as a company's asset. So we need to have their advice from the finance aspect. And then our finance department gave me advice like: if you distribute your code, please note that you distribute it to a place that everybody can access. Because if you distribute your code to a place that only a limited or specific person can access, it should be considered as an illegal payoff from the company to another person. So they said please make sure to make it open to the public. It means a place that everybody can equally access. So we decided to open our code on GitHub. GitHub is the best place because of their advice, and everybody can access it.

And then we did a patent survey supported by our IP department. This survey is to check if there is no patent infringement, I mean not violating another person's trademark or IP. And also this check is for if there is a possibility to obtain our own IP or trade secret. And we passed this survey.

Then we did an export control survey. It is for export control, and this time we have no encryption code, encryption modules, in our code. So we passed this survey very easily.

After that we did an open source compliance check. This process is our usual process for internal or proprietary development in our company. And regarding this OSS compliance check, our company gave us a very solid support for a developer.
So let me explain in detail. This open source compliance check is to know all the components in your software, for security risk management and also compliance management. Our company gave us solid support from specialists of each category inside the company, and systems. So in this figure we have, for example, the software engineering department, who gives us technical support and process improvement from the aspect of a technical professional. And we have the quality assurance department. They gave us quality risk management and vulnerability management support. And also we have the intellectual property department. They help us with the open source compliance check. And we also have open source professionals for best practice. And we also have the software composition analysis tool and the vulnerability detection and alert system as our internal systems for our help.

And what we did in this open source compliance check is very complicated, so I will explain with this slide. First of all, in the, how do I say, designing phase, we do this check for the open source selection phase. The purpose is to conduct an early risk assessment for open source compliance of the OSS that the development team is considering to use.
It is like shift left. In this phase, we first do a functional check. This is to ensure the OSS is sufficient for the requirement of the project or program. And also we do a usage record check to ensure this open source is famous or mature enough for use. And we do risk assessment and risk control for EOL risk.

After that, in the development phase, we do three steps like this. This is to be aware of all the OSS components in our software and find out unintended use of open source. We do a contamination check and risk assessment for unintended use of open source with an SCA tool, by analyzing source code, and check compliance and security risk. And we do a compliance check supported by our IP department.

After that, in the maintenance phase, we do some monitoring and risk assessment for avoiding risks at an early stage, by taking appropriate actions on vulnerability and EOL of open source components in products. We do monitoring and risk assessment regularly with our vulnerability management system, and we do risk monitoring if something is happening.

And after the OSS compliance check, we did trademark research supported by our PR department. This trademark research is for preventing the infringement of trademarks of third parties. And this is actually for naming. The most fun part of your OSS project is, I guess, naming, to give a cool name to your code. And we also had a bunch of ideas for a cool name for our open source. But after this trademark research, we finally chose a very boring name, Editor for SBOM, because it is a very safe name, not to violate someone's trademark. You know, it is very boring, but it is of course a very safe name, and the company wants to protect us from trademark infringement.
So we agreed to that. And after that we did software creditors supported by our QA department, and we got approved by the IP department.

After that, we did a document check supported by our PR department. Our PR department checks every document that we wanted to put on GitHub, like the README or description or guidance of the installation, because they want to make sure there are no typos or errors in that document. And it was very helpful because they found out some errors and typos for us. So it worked.

And finally, we went to get the final approval of our executives. I went to my executives and said we would like to release our code as open source. The reactions of our executives were very positive. So it was a very nice point and I was so impressed. No one said "Oh, no, no" or "We should not do that." Everybody said "Very good, give it a try," something like that, very positive. And it was very nice, because I think our managers, our executives, understand the importance of open source and the importance of contribution, of course to get involved with the innovation, also, of our company. So it was a very good and fun experience to know that our executives are very positive for contribution.

And I also figured out the things that our executives are concerned about: risks, for example patent infringement and trademark violation, because it might be a lawsuit. And also, they are very concerned about negative effects caused by bad quality of code, because it might damage our company's reputation as a developer. And they are also concerned about the risk to get involved in a controversy online. It also affects our reputation. So I explained everything that we did to reduce those kinds of risks to our managers and executives. And we got a final approval by managers.
Yay.

So this was the timeline. We started this activity in October last year and we finally released our source code on GitHub in February this year. Actually, it took five months just for preparing our contribution. It was such a long time, but we did it.

So through this experience we found out many issues and the good points of our company. Issues: we have no documented process for contribution, we didn't have. And also, we didn't have practical experience of contribution in our company. Because of this, our inside specialists cannot decide if it is okay or not, because they have no experience for all the open source activity. So I think it is an issue, but we can learn from experience, I think, in future. And another issue is we tend to prioritize no risk over making a challenge. It is a very bad thing, I think, because no challenge, no innovation, you know. And a lot of process took us a long time and cost to finish, so it is also a very big issue for us.

And also, we found out very good points of our company. For example, everybody is very positive for contribution. It is because everybody knows the importance of open source and they know how much we are relying on the open source ecosystem. To find that out was very good, because it is very difficult to make executives decide to do open source activity. And of course a good point is we can have solid support by our internal professionals like the IP, PR, QA departments and the open source specialists. It was very helpful.

You want to add something?

Yes, issue.
Yeah. Adding my opinion, an open source software release is still a very hard challenge in a conservative Japanese company. In this case, I was very lucky because she, the person I suggested my plan to, is positive about open source software and contributing, and supported me. Also, I didn't quite realize that we need documentation and other resources in addition to code. This is the same as real work. And some processes, in my opinion, such as the process of trademark research and naming it Editor for SBOM, took two months. Is this not necessary to spend that much time? Do you all spend that much time on it? In any case, I would like to improve time-consuming parts like this in the future.

And so through this activity I decided to do something for our future, for our company. For example, we need to develop a documented process to contribute on company level. And also we need to set evaluation standards for each procedure to decide if it is okay or not. And we need to increase efficiency by automation, for example systems, processes, checklists or documents, everything. This is for, I should say, the second runner or third runner following us, maybe someone who decides to start an open source project in our company other than us. Now our company is hosting three open source projects, and out of three, two are our team's. So we need to encourage our developers to contribute more and more. And to do that, I personally think I need to establish an OSPO, open source program office, in our company to lead everyone to be interested in open source and the open source ecosystem, especially for contribution.

So that brings me to the end of my presentation. This is a story of our, how do I say, struggle to our open source. And in future, I would like to share more of our experience to be a very mature company for contribution. Thank you very much. And we have five minutes left, so we are happy to have your comments or a question.
Thank you.

Thank you very much. So you said you took a long time, five months, for your first-time contribution and open source publication. I think that's not a very long time. Yes, of course, I mean, to a developer it seems that way because you just want to go. But you need to figure all these things out, right? So to do this in five months is not such a long time. I'm from Mercedes-Benz, so we are a traditional German company, right? And we had the same struggles. The first time it took us at least as long as well, you know. And we went through the same things. I can totally confirm all of what you said, also the tendency to prioritize no risk. Yeah, because we're in a heavily regulated industry. And, you know, the attorneys, it's their job to prevent risk from the company. So they're like, "Let's maybe not do this," you know. But as engineers, it's our job to drive forward innovation. So we want, no risk, we want, you know, it's not risky, you know. So there's always this conflict of interest between the two parties, but you just sit down with the right people and then you can get things done. So good job. Thanks very much.

Thank you very much.

Thank you. Thank you for the presentation. So I'm wondering, you mentioned at the beginning that you were challenged, of course, defining this whole process. But I'm still wondering, when you start this kind of new idea or a new way of working in your company, have you faced any kind of challenges from leadership, in terms of the mindset? Because it's totally a mindset change. Do you have challenges from that aspect, and if so, how did you convince your leaders to go in this way?
Okay, the basic understanding is, in our company, I mean, everybody knows the importance and everybody thinks like we should do something to contribute to OSS ecosystems. So we need to do anything to change the mindset of the people in the company. We just have no procedure or documented process inside the company.

Thank you very much.

I would like just to comment. In the way you showed us your opinion or your point of view as conservative, I would like to call it very respectful. Yeah, because you were worried more about, or you were respectful about, how to comply with the process, how to do the things well, rather than conservative. I work for Continental Automotive and we use more open source as consumers, and this is a good example of how to contribute with the community instead of thinking more about proprietary code using open source. So it's great to hear your history and your journey and all of this. And also I would like to ask you, are you planning to contribute more packages or other additions to your open source?

Yes, of course. Yeah, he is now preparing to release a new version. Maybe it supports the next version of SPDX, maybe.

Yeah, thank you. Thank you very much.

Thank you very much. So it's time to finish. So again, thank you very much to everyone for your attention today. Thank you very much. Thank you.