Open Source Compliance Publications

​Practical GPL Compliance

  • A 50+ page guide for startups, small businesses, and engineers tasked with shipping products that contain GNU General Public License Version 2 (GPLv2) code.​
  • Authors: Armijn Hemel, MSc, and Shane Coughlan​

Open Source Compliance in the Enterprise

  • A 149-page practical guide for organizations on how best to use open source code in products and services, and participate in open source communities, in a legal and responsible way.
  • Author: Ibrahim Haddad, PhD 

Free and Open Source Software Compliance: The Basics You Must Know

  • This paper provides basic discussion on the changing business environment moving to a multi-source development model, the objectives of compliance and the benefits resulting from having a successful compliance program and much more.
  • Author: Ibrahim Haddad (Ph.D.), The Linux Foundation

Free and Open Source Software Compliance: Who Does What

  • Ever since companies started integrating FOSS in their products, there has been the need to ensure compliance with applicable FOSS licenses. Different companies have used various ways to structure their teams responsible for fulfilling this function. Other companies have opted for a cross functional team that consists of a dedicated Open Source Compliance Officer who has access to various individuals and teams that contribute to the compliance effort without being part of a centralized team. In this paper, we examine the latter model of FOSS compliance team and discuss the roles and responsibilities of individuals and teams involved in the compliance process.
  • Author: Ibrahim Haddad (Ph.D.), The Linux Foundation

Establishing Free and Open Source Software Compliance Programs: Challenges and Solutions

  • ​This white paper focuses on the practical aspects of ensuring free and open source software (FOSS) compliance in the enterprise. 
  • Author: Ibrahim Haddad (Ph.D.), The Linux Foundation

Keys to Managing a FOSS Compliance Program

  • This paper examines the managerial practices needed to plan, coordinate, and control a successful compliance program.
  • Author: Philip Koltun (Ph.D.), The Linux Foundation

A Five Step Compliance Process for FOSS Identification and Review

  • This white paper  focuses on the various practical aspects of ensuring free and open source software (FOSS) compliance in the enterprise. This paper provides an example of a compliance process for FOSS identification and review that consists of five steps. The focus of the paper is around using and integrating FOSS with proprietary and third party source code in a commercial product.
  • Author: Ibrahim Haddad (Ph.D.), The Linux Foundation

Achieving FOSS Compliance in the Enterprise

  • ​This white paper  focuses on the various practical aspects of ensuring free and open source software (FOSS) compliance in the enterprise. This paper examines a sample end-to- end compliance process.
  • Author: Ibrahim Haddad (Ph.D.), The Linux Foundation

FOSS Compliance Practices for Supplied Software

  • This white paper examines compliance practices needed when software supplied by a third party vendor is brought into the code baseline of a product to be distributed externally. The white paper discusses requirements a company should impose upon its suppliers to disclose FOSS in their deliverables and to provide what’s needed to achieve compliance. The paper also discusses steps a company should take to review and validate the FOSS disclosures made by its suppliers. In addition to those topics, the white paper addresses measures a company can undertake to assess its suppliers’ compliance capabilities.
  • Author: Philip Koltun (Ph.D.), The Linux Foundation

Compliance Templates

Self-Assessment Checklist

  • The Linux Foundation has compiled this extensive checklist of compliance practices found in industry-leading compliance programs. Companies can use this checklist as a confidential internal tool to assess their progress in implementing a rigorous compliance process and to help them prioritize their process improvement efforts. The Self-Assessment Checklist is constructed using at least two concepts from well-established models of process maturity such as the Software Engineering Institute’s Capability Maturity Model:
    • A distinction should be made between process goals and the practices implemented to achieve those goals. The compliance checklist explicitly recognizes valid alternative practices that may be used to achieve a particular goal.
    • Process adoption progresses from initial process definition through institutionalization to a state of controlled process management. The goal of a compliance process, as with any process, is to achieve consistent and expected business results from its use. A checklist of recommended practices should prompt companies to assess the extent to which they’ve institutionalized compliance actions and the degree to which those actions produce needed business results
  • Compliance practices included in the checklist will improve the effectiveness of compliance programs as well as deliver tangible benefit relative to the cost of those practices. A process failure modes effects analysis (FMEA) approach has been used to identify the ways a compliance process can fail and practices to prevent those process failures.
  • Author: The Linux Foundation

Generic FOSS Policy

  • Companies using FOSS often create a company-wide policy to ensure that all staff is informed of how to use FOSS (especially in products), to maximize the impact and benefit of using FOSS, and to ensure that any technical, legal or business risks resulting from that usage are properly mitigated. This document is a new free resource available from the Linux Foundation under the Open Compliance Program. It offers a generic FOSS Policy that companies can use as starting point in creating their own FOSS Policy. It provides a template policy that focuses on governing FOSS usage in externally distributed products that can be customized to the company’s specific needs.
  • Author: The Linux Foundation

A Template for Approval Request Form For The Use of Free and Open Source Software

  • ​This document is part of the free resources made available by The Linux Foundation Open Compliance Program. It offers a template for the Approval Request Form used by developers to request approval to use Free and Open Source Software (FOSS) in a commercial product. The company’s Open Source Review Board (OSRB) then reviews the submission and determines approval. In most cases, the submission, reviewal and approval of such requests is managed via an online submission system that is part of the company’s FOSS compliance management process.
  • Author: The Linux Foundation