INTRODUCTION

Open source is a way of obtaining, using and distributing third party intellectual property. It provides tremendous benefit to companies of all sizes, and to obtain this benefit the only requirement is to follow the terms of the applicable licenses.

OPEN SOURCE COMPLIANCE

Open source license compliance is well-defined and well-understood. The same basic approach can be used by small, medium and large companies. The approach to open source compliance can be framed as a stack of solutions ranging from high level process approaches (OpenChain) through to software package management (SPDX) and down to software compliance scanning (FOSSology). The Linux Foundation Open Compliance Program can help with each level of this stack. We can help point you to open source solutions both inside and outside the Linux Foundation.

STANDARDS

Processes, Training and Policies
The first step is to frame the overarching requirements for a quality open source compliance program. The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. There are three parts to the OpenChain Project. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.

Software Bill of Materials
The second step is to use a common language for describing the software flowing through the overarching processes and policies in a company. Software Package Data Exchange (SPDX) is an open standard for communicating software bill of material information (including components, licenses, copyrights, and security references). SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses, copyrights, and security references, thereby streamlining and improving compliance.
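To make the format concrete, here is a small worked example, written for this page and not SPDX project tooling, that builds an SPDX 2.2 tag-value document for one received package, parses it back, and checks the recorded SHA-256 against the archive bytes actually on hand. The package name, version, copyright holder, archive contents and the example.com namespace are all constructed placeholders; the tag names are the standard SPDX 2.2 ones.

```python
"""Minimal SPDX 2.2 tag-value SBOM: build, parse, verify checksum, list license IDs.
Example code written for this page; not the SPDX project's own tooling."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample input: the archive a supplier delivered (hypothetical bytes).
SAMPLE_ARCHIVE = b"hypothetical contents of libwidget-1.4.2.tar.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def spdx_id(name: str) -> str:
    # SPDX identifiers may contain only letters, digits, '.' and '-'.
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def build_spdx_document(pkg_name, version, download_location, declared, concluded,
                        copyright_text, archive, created=None) -> str:
    """Return an SPDX 2.2 tag-value document describing a single package."""
    if created is None:
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pid = spdx_id(pkg_name)
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {pkg_name}-{version}",
        # The namespace must be a unique URI; example.com is a placeholder.
        f"DocumentNamespace: https://example.com/spdxdocs/{pkg_name}-{version}",
        "Creator: Tool: example-sbom-builder",  # hypothetical tool name
        f"Created: {created}",
        "",
        "##### Package",
        f"PackageName: {pkg_name}",
        f"SPDXID: {pid}",
        f"PackageVersion: {version}",
        f"PackageDownloadLocation: {download_location}",
        "FilesAnalyzed: false",
        f"PackageChecksum: SHA256: {sha256_hex(archive)}",
        f"PackageLicenseConcluded: {concluded}",
        f"PackageLicenseDeclared: {declared}",
        f"PackageCopyrightText: <text>{copyright_text}</text>",
        "",
        f"Relationship: SPDXRef-DOCUMENT DESCRIBES {pid}",
    ]
    return "\n".join(lines) + "\n"


TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_spdx_tag_value(text: str) -> dict:
    """Parse tag-value text into document fields, a package list and relationships.
    Only single-line <text>...</text> values are handled, which is all this builder emits."""
    doc = {"document": {}, "packages": [], "relationships": []}
    current = doc["document"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"malformed line: {raw!r}")
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>") and value.endswith("</text>"):
            value = value[len("<text>"):-len("</text>")]
        if tag == "PackageName":  # a PackageName tag opens a new package section
            current = {"PackageName": value, "checksums": {}}
            doc["packages"].append(current)
        elif tag == "PackageChecksum":  # value looks like "SHA256: <hex>"
            algo, _, digest = value.partition(":")
            current["checksums"][algo.strip()] = digest.strip().lower()
        elif tag == "Relationship":
            doc["relationships"].append(value)
        else:
            current[tag] = value
    return doc


def verify_package_checksum(doc: dict, pkg_name: str, archive: bytes) -> bool:
    """True when the SBOM's SHA256 for pkg_name matches the bytes actually received."""
    for pkg in doc["packages"]:
        if pkg["PackageName"] == pkg_name:
            return pkg["checksums"].get("SHA256") == sha256_hex(archive)
    return False


LICENSE_ID_RE = re.compile(r"[A-Za-z0-9.+-]+")


def license_ids(expression: str) -> set:
    """Identifiers used in an SPDX license expression, with the operators removed."""
    return {t for t in LICENSE_ID_RE.findall(expression) if t not in ("AND", "OR", "WITH")}


if __name__ == "__main__":
    sbom = build_spdx_document("libwidget", "1.4.2", "https://example.com/libwidget-1.4.2.tar.gz",
                               "MIT", "MIT AND Apache-2.0", "Copyright 2020 Example Widgets Ltd",
                               SAMPLE_ARCHIVE, created="2024-01-01T00:00:00Z")
    print(sbom)
    print(verify_package_checksum(parse_spdx_tag_value(sbom), "libwidget", SAMPLE_ARCHIVE))
```

The checksum check is the security-relevant part: an SBOM that travels separately from the artifact is only useful if the receiver can tie the two together, and `FilesAnalyzed: false` records that this document describes the package as a whole rather than per-file findings. `license_ids` gives the set a policy check would compare against an allow- or deny-list.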

COMMUNITIES, EDUCATION AND TRAINING

Communities

The starting point for implementation of standards and great processes is to learn from great communities. There are three communities directly related to the compliance stack.

Education

The Linux Foundation supports a comprehensive set of programs for open source software compliance. We view open source compliance as a continuous process managed by professionals – and achieving compliance across an ecosystem starts with education and training so we can develop more professionals.

Big Picture

The OpenChain Project has developed a curriculum of reference materials to support organizations wanting to demonstrate best practices for managing open source in the supply chain.

Running a Program

The TODO Group has collected best practices from the leading companies engaged in open source development and published a guide to help companies successfully implement and run an open source program office.

Training

Training For Management

The OpenChain Curriculum contains training and reference material to help companies build out their compliance programs. This material is designed to support the OpenChain Specification and general open source compliance activities. It is freely available to all parties for any use case under public domain licensing.

Training for Legal

We currently have no explicit resources for legal training. Please watch this space for future updates.

Training for Developers

Compliance Basics for Developers (LFC:191) is a targeted course designed to teach software developers and producers why it is important to add copyrights and licenses to their code, as well as how to do so.

OPEN SOURCE TOOLING

Package Scanning
FOSSology is an open source license compliance software system and toolkit. As a toolkit, you can run license, copyright and export control scans from the command line. As a system, a database and web UI are provided to give you a compliance workflow. In one click you can generate an SPDX file, or a README with the copyright notices from your software. FOSSology deduplication means that you can scan an entire distro, submit a new version, and only the changed files will get rescanned. This is a big time saver for large projects.
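The deduplication idea is worth seeing in code. The following is an illustration written for this page, not FOSSology's own scanner or database schema: it keys scan findings by the SHA-256 of each file's content, so when a new version of a tree is submitted only files whose bytes changed are scanned again, and two files with identical content are scanned once. The scanner itself is deliberately minimal (it only recognises `SPDX-License-Identifier` headers and copyright lines, whereas FOSSology also matches license text), and the two source trees are constructed sample input.

```python
"""Content-addressed license/copyright scan cache.
Illustration written for this page; not FOSSology's own code."""
import hashlib
import re

# Matches an SPDX header in a C, C++, shell or HTML-style comment up to end of line.
LICENSE_RE = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+() -]+?)\s*(?:\*/|-->|$)", re.M)
COPYRIGHT_RE = re.compile(r"(?:Copyright|\(c\)|©)\s+.*", re.I)


def scan_content(data: bytes) -> dict:
    """Findings for one file's bytes: sorted license expressions and copyright lines."""
    text = data.decode("utf-8", errors="replace")
    licenses = sorted({m.group(1).strip() for m in LICENSE_RE.finditer(text)})
    # rstrip drops a trailing comment closer such as " */" from the matched line
    copyrights = sorted({m.group(0).rstrip(" */").strip()
                         for m in COPYRIGHT_RE.finditer(text)})
    return {"licenses": licenses, "copyrights": copyrights}


class ScanCache:
    """Cache of findings keyed by content hash, so unchanged bytes are never rescanned."""

    def __init__(self):
        self.results = {}  # sha256 hex -> findings dict
        self.scans = 0     # how many times scan_content actually ran

    def scan_tree(self, files: dict) -> dict:
        """files maps path -> bytes. Returns path -> findings, reusing cached results."""
        report = {}
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            if digest not in self.results:
                self.results[digest] = scan_content(data)
                self.scans += 1
            report[path] = self.results[digest]
        return report


# Constructed sample trees: version 2 changes util.c and adds a copy of main.c.
MAIN_C = (b"// SPDX-License-Identifier: MIT\n"
          b"// Copyright 2019 Example Ltd\n"
          b"int main(void) { return 0; }\n")
VERSION_1 = {
    "src/main.c": MAIN_C,
    "src/util.c": b"/* SPDX-License-Identifier: Apache-2.0 */\n"
                  b"/* Copyright (c) 2019 Example Ltd */\n",
    "LICENSE": b"MIT License\n\nCopyright (c) 2019 Example Ltd\n",
}
VERSION_2 = {
    "src/main.c": MAIN_C,
    "src/util.c": b"/* SPDX-License-Identifier: Apache-2.0 OR MIT */\n"
                  b"/* Copyright (c) 2019 Example Ltd */\n",
    "src/new.c": MAIN_C,  # identical content to main.c: served from cache
    "LICENSE": b"MIT License\n\nCopyright (c) 2019 Example Ltd\n",
}


def demo() -> tuple:
    """Scan both versions through one cache; returns (scans after v1, scans after v2)."""
    cache = ScanCache()
    cache.scan_tree(VERSION_1)
    after_v1 = cache.scans
    cache.scan_tree(VERSION_2)
    return after_v1, cache.scans


if __name__ == "__main__":
    print(demo())  # three scans for version 1, then only one more for version 2
```

The `LICENSE` file yields no license finding here because it carries the license text rather than an SPDX identifier; that gap is exactly what a text-matching scanner closes, and why the identifier header the developer training above teaches is worth adding to every file.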

Storing Review Results
Eclipse SW360 is a software catalogue application designed to provide a central place for sharing information about software components used by an organization. It is designed to integrate neatly into existing infrastructure for managing software artifacts and projects by providing separate backend services for distinct tasks and a set of portlets to access these services. A complete deployment unit exists (a Vagrant box or Docker container) that contains a complete configuration of all services and portlets.