October 8, 2012

5 Key Questions for Auditing and Compliance: When Did Changes Happen?


(First post in a five-part series on auditing and compliance)

In this short paper on IP governance, I mentioned five key questions you need to be able to answer in case of auditing or compliance problems. The first question seems straightforward: When did changes happen to IP?

This is a simple question for Perforce to answer, even if you're talking about changes submitted through Git Fusion. Commands like changes and filelog will show a complete record of everything that happened to a file or set of files. (Note that you can get this information through a GUI like P4V, P4Eclipse, or P4VS. I will show the command-line equivalents here because they are more useful in reporting.)

p4 changes -l //gwt/trunk/...

Change 12111 on 2012/09/24 by rdefauw@git-fusion-trunk

        my first change today

        Imported from Git
         Author: rdefauw <rdefauw@perforce.com> 1348507341 -0600
         Committer: rdefauw <rdefauw@perforce.com> 1348507341 -0600
         sha1: e379f33c189c5f95a368cab365b1e842e7f6d103
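
For reporting, the Git Fusion fields in that description can be parsed out and set beside the Perforce submit date. The following Python is an added example, not code from the original post or from Perforce; the function names are hypothetical, and the sample input is the record shown above.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample record copied from the `p4 changes -l` output shown in the post.
SAMPLE = """\
Change 12111 on 2012/09/24 by rdefauw@git-fusion-trunk

        my first change today

        Imported from Git
         Author: rdefauw <rdefauw@perforce.com> 1348507341 -0600
         Committer: rdefauw <rdefauw@perforce.com> 1348507341 -0600
         sha1: e379f33c189c5f95a368cab365b1e842e7f6d103
"""

HEADER = re.compile(r"^Change (\d+) on (\d{4}/\d{2}/\d{2}) by ([^@\s]+)@(\S+)")
STAMP = re.compile(r"^\s+(Author|Committer): .*? (\d+) ([+-])(\d{2})(\d{2})\s*$")
SHA1 = re.compile(r"^\s+sha1: ([0-9a-f]{40})\s*$")

def git_time(epoch, sign, hh, mm):
    """Convert Git's 'epoch +/-HHMM' pair to a timezone-aware datetime."""
    offset = timedelta(hours=int(hh), minutes=int(mm))
    tz = timezone(-offset if sign == "-" else offset)
    return datetime.fromtimestamp(int(epoch), tz)

def parse_changes(text):
    """Return one dict per change, with Git Fusion fields when present."""
    records = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            records.append({"change": int(m[1]), "p4_date": m[2],
                            "user": m[3], "client": m[4]})
        elif records and (m := STAMP.match(line)):
            records[-1][m[1].lower()] = git_time(*m.groups()[1:])
        elif records and (m := SHA1.match(line)):
            records[-1]["sha1"] = m[1]
    return records

def dates_agree(rec):
    """True if the Git committer date (in its own zone) equals the p4 date."""
    c = rec.get("committer")
    return c is not None and c.strftime("%Y/%m/%d") == rec["p4_date"]

if __name__ == "__main__":
    for r in parse_changes(SAMPLE):
        print(r["change"], r["p4_date"], r.get("sha1"),
              r["committer"].isoformat() if "committer" in r else "-", dates_agree(r))
```

A False result from dates_agree is not an error in itself: the Git timestamps are set by the committing client, so it means the commit is dated on a different day than the Perforce submit.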

If you dig a little deeper you can get even better information, like seeing when a file changed before it was branched to the current location:

p4 filelog -i //depot/Jam/REL2.1/src/glob.c

... #1 change 380 branch on 2005/11/23 by ines@ines-rose (text) 'Create Jam 2.1 release branch. '
... ... branch from //depot/Jam/MAIN/src/glob.c#1,#2
... ... branch into //jam/rel2.1/src/glob.c#1
... #2 change 30 edit on 2000/01/10 by earl@earl-dev-guava (text) 'Copyright info. '
... ... branch into //depot/Jam/REL2.1/src/glob.c#1
... #1 change 1 add on 1999/09/23 by earl@earl-dev-guava (text) 'Initial revision '

And if you're ever in the position of having to report on what a build or production server had at some point in the past, you can run a command like this:

p4 -c deploy_ws files //deploy_ws/...@2010/01/01

If the deploy workspace changed in the past, you can see that information in the spec depot.

These simple reporting commands, backed up by the Perforce logs, give you full capability to answer the important question of when your IP changed - including the IP that's worked on in Git repositories via Git Fusion. Check the Perforce blog in the coming weeks for more articles on this topic.

To learn more about IP security and the America Invents Act (AIA), see: IP Security: Covering Your Bases in a Global Development Environment.