Putting open source software into the hands of developers and businesses who use that code to build amazing things can be a powerful force in any industry. However, accepting and using that code comes with a serious responsibility to comply with the terms of the license under which you receive the code. The Linux Foundation focuses on educating and helping developers and companies understand their license requirements and how to build efficient, frictionless and often automated processes to support compliance.
Education and Training
The Linux Foundation supports a comprehensive set of programs for open source software compliance. We view open source compliance as a continuous process managed by professionals - and achieving compliance across an ecosystem starts with education and training so we can develop more professionals.
- Whitepapers and how-to guides for developers and program managers
- Developer Training: Compliance Basics for Developers (LFC191)
Education and training build a base of knowledgeable people to guide your open source journey. However, education alone will not solve efficiency issues if everyone implements compliance processes differently. The Linux Foundation projects enable the industry to develop compliance standards so that companies and entire supply chains can exchange compliance data in a consistent way.
- OpenChain: identifies common best practices in open source compliance that should be applied as a standard across a supply chain.
- SPDX Specifications: enable projects and organizations to communicate accurate summaries of the licensing and copyright information in software deliverables.
- SPDX License List: a curated list of commonly found licenses, each of which can be referenced by a standardized short identifier. For each short identifier, the list contains the full name of the license, vetted license text, other basic information, and a canonical permanent URL for each license and exception.
- SPDX Meta Tags: enable the use of the standardized short identifier in source code to efficiently refer to a license without having to redundantly reproduce the full license text.
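The following script, added here as an illustration and not code from the Linux Foundation or the SPDX project, shows how the short identifiers in SPDX meta tags let a build step check license compliance automatically. It scans source files for an `SPDX-License-Identifier:` tag, validates each identifier against a small constructed subset of the SPDX License List, and applies a hypothetical organization policy that denies certain licenses. The sample files, the `KNOWN_LICENSES` and `DENIED_LICENSES` sets and all function names are assumptions made for the example; a real check would load the full list from https://spdx.org/licenses/ and take the denied set from the organization's own policy.

```python
import re

# Constructed subset of SPDX License List short identifiers (assumption: a real
# check loads the full, current list from https://spdx.org/licenses/).
KNOWN_LICENSES = {
    "MIT", "Apache-2.0", "BSD-3-Clause", "MPL-2.0",
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "LGPL-2.1-only",
}
# Hypothetical organization policy: licenses that may not enter this product.
DENIED_LICENSES = {"GPL-3.0-only"}

# The tag as it appears inside a source comment, e.g. "// SPDX-License-Identifier: MIT".
TAG_RE = re.compile(r"SPDX-License-Identifier:\s*(?P<expr>[^\r\n]+)")
# A comment terminator that may share the tag's line, e.g. "MIT */" or "MIT -->".
TRAILING_COMMENT_RE = re.compile(r"\s*(\*/|-->)\s*$")


def extract_expression(text):
    """Return the SPDX license expression declared in the file, or None if absent."""
    m = TAG_RE.search(text)
    if not m:
        return None
    return TRAILING_COMMENT_RE.sub("", m.group("expr")).strip()


def license_ids(conjunct):
    """Identifiers of one AND-joined clause. A 'WITH <exception>' suffix is
    dropped so only the license id is validated (exception ids are not checked here)."""
    ids = []
    for part in re.split(r"\s+AND\s+", conjunct):
        ids.append(re.split(r"\s+WITH\s+", part.strip())[0].strip())
    return ids


def evaluate_expression(expr):
    """Evaluate a simple SPDX expression against the policy.

    OR joins dual-licensing alternatives, so the file is acceptable when at least
    one alternative consists only of known, non-denied licenses. Parenthesised
    sub-expressions are reported as 'unsupported' rather than mis-evaluated.
    Returns (status, sorted unknown ids, sorted denied ids).
    """
    if "(" in expr or ")" in expr:
        return ("unsupported", [], [])
    unknown, denied = set(), set()
    for alternative in re.split(r"\s+OR\s+", expr):
        ids = license_ids(alternative)
        alt_unknown = {i for i in ids if i not in KNOWN_LICENSES}
        alt_denied = {i for i in ids if i in DENIED_LICENSES}
        if not alt_unknown and not alt_denied:
            return ("ok", [], [])
        unknown |= alt_unknown
        denied |= alt_denied
    if unknown:
        return ("unknown", sorted(unknown), sorted(denied))
    return ("denied", [], sorted(denied))


def check_tree(files):
    """files: mapping path -> file content. Returns path -> (status, unknown, denied)."""
    results = {}
    for path, text in files.items():
        expr = extract_expression(text)
        results[path] = ("missing", [], []) if expr is None else evaluate_expression(expr)
    return results


def noncompliant(results):
    """Paths whose status is anything other than 'ok', for the build to fail on."""
    return sorted(p for p, (status, _, _) in results.items() if status != "ok")


# Constructed sample tree: headers only, enough to exercise each outcome.
SAMPLE_FILES = {
    "src/main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }\n",
    "src/util.c": "/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */\n",
    "src/crypto.c": "/* SPDX-License-Identifier: GPL-3.0-only */\n",
    "src/dual.rs": "// SPDX-License-Identifier: GPL-3.0-only OR Apache-2.0\n",
    "src/vendored.js": "// SPDX-License-Identifier: WTFPL\n",
    "src/legacy.c": "/* Copyright (c) 2009 Example Corp. All rights reserved. */\n",
}

if __name__ == "__main__":
    report = check_tree(SAMPLE_FILES)
    for path, (status, unknown, denied) in sorted(report.items()):
        print(f"{status:<11} {path}  unknown={unknown} denied={denied}")
    print("non-compliant:", noncompliant(report))
```

Wiring `noncompliant()` into CI turns the convention into an enforced control: a file with no tag, an identifier that is not on the SPDX License List (often a sign of vendored code whose provenance nobody recorded), or a license the policy denies all fail the build before the code reaches a release.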
You’re not alone in your open source compliance journey. Many of our members have found it beneficial to participate in the projects we host simply to access the network of experts participating in the projects. In addition, The Linux Foundation hosts professional networks to help compliance professionals find each other and collaborate on ways to improve compliance practices, tooling and processes.
Tools and Infrastructure
To achieve higher levels of scale and reduce the overhead cost of compliance, companies have contributed to creating open source tools and infrastructure to achieve compliance at a lower cost, increasing cross-organization efficiency and integration of compliance with product development.
- FOSSology: Scans codebases, identifies the licenses in use, creates machine-readable license lists and enables automatic notice file creation.
- SPDX Tools: Tools for validating, transforming, reading and writing SPDX format files. SPDX also provides links to community-maintained and commercially available tools that support SPDX.
- Dependency Checker: Capable of identifying code combinations at the dynamic and static link level. The tool also offers a license policy framework that enables FOSS Compliance Officers to define combinations of licenses and linkage methods that are to be flagged if found as a result of running the tool.
- FOSS Bar Code Tracker: Simplifies the way FOSS components are tracked and reported in a commercial product. The tool allows companies to easily generate a custom QR code for each product containing FOSS. The QR code contains important information on the FOSS stack contained in a product, such as component names, version numbers, license information and links to download the source code, among other details.
- The Code Janitor: Provides linguistic review capabilities to make sure developers did not leave comments in the source code.