The Hitchhiker’s Guide to Open Source Compliance – Episode 4

With the skyrocketing adoption of free and open source software (FOSS) in commercial solutions, the past two decades have witnessed several cases of non-compliance. Some made it to the legal system and are a matter of public record, while others remained confidential and were resolved amicably between the parties involved. These types of enforcements are motivated by the end goal of ensuring compliance with FOSS licenses. 

In the traditional compliance-motivated enforcement, the person or organization raising the non-compliance complaint generally want to see full and correct compliance with the FOSS licenses, and assurance that the responsible company will make necessary process changes so that future compliance breaches will not recur.

However, in the past few years there has been an increase in enforcements not in the spirit of ensuring compliance, but with the goal of financial profiteering. Responding to financially motivated enforcement claims require a different approach and a legal strategy, and it is critical to identify the enforcement actions and respond to them appropriately. 

The most important outcome of compliance-driven enforcements has always been that the involved companies ultimately have to comply with the terms of the licenses in question. Therefore, it is really a sound strategy to always ensure compliance before a product ships or a service launches. 

How to Ensure Compliance Prior to Shipping a Product?

It is important to acknowledge that compliance is not just a legal department exercise. Various corporate functions must be involved in ensuring proper compliance, include the engineering team, the legal team, the software supply chain team, the corporate development team, and the documentation team.

Setting up a compliance program includes establishing and maintaining consistent compliance policies and procedures as well as ensuring that the licenses of all the software components in use (proprietary, third party, and FOSS) can co-exist without conflict before shipment or deployment. 

To that effect, companies need to implement a FOSS compliance program that will allow them to:

  • Identify all FOSS used in products/services – whole components and snippets, 
  • Identify the licenses for all FOSS incorporated in the software build,  
  • Perform technical reviews to verify the usage models of FOSS is in line with the approved company policies, 
  • Approve the use of all FOSS given the use case and the licenses involved, and
  • Provide a written offer, in addition to licenses, copyrights and attributions notices, and publish source code packages applicable in some specific cases, such as with the GPL/LGPL licenses.

Compliance as an Engineering Challenge

It used to be the case that the compliance teams were unable to keep up with the speed of software development, scanning all the source code and ensuring compliance prior to shipping. However, automation and modern tooling has made it possible for companies to achieve these goals in the drive to ensure compliance prior to product ship. 

At FOSSID, we are engineers by heart and look at compliance as an engineering problem we need to solve. We can help you manage complex development and compliance scenarios, and our tools support continuous integration in whatever build system or process you might have. We maintain the largest open source knowledge base on the market, with frequent updates to ensure you are always up to date with the latest open source advancements. We support snippet detection and you don’t need to spend hours waiving out false positives; Our technology is able to do that for you automatically! 

Until next time, happy innovation and “Don’t panic!”

Let us help you with your open source software compliance.