The Hitchhiker’s Guide to Open Source Compliance – Episode 5
In this blog post we are sharing a few essential tips for enterprises to consider as they start building their Free and Open Source Software (FOSS) compliance programs.
1 – Appoint a FOSS compliance project manager
FOSS compliance is the aggregation of the policies, processes, tools and guidelines that enable an organization to use FOSS effectively in customer-facing products and services, and to contribute to FOSS projects, while respecting the various copyrights, complying with the license obligations, and protecting its own intellectual property and that of its customers and suppliers. This is a major endeavor, and it is further complicated by the size of the enterprise and the number of products and services that incorporate FOSS. Therefore, it is highly recommended to have a dedicated FOSS Compliance Project Manager to oversee the execution of the FOSS Compliance Program.
2 – Know the open source in your code
With this tip, we are assuming that the organization is new to the FOSS compliance domain, and our first recommendation is to conduct an automated scan to identify all FOSS incorporated in your code base. The result of the scan gives you a complete FOSS Bill of Materials (BOM) that covers all FOSS components and snippets, their originating source and their license information. After establishing such a compliance baseline, you only need to conduct incremental compliance steps, which are far less intensive, because you are focusing solely on the delta, i.e. the changes, in the code base.
3 – Get your suppliers involved in FOSS compliance
If we look at non-compliance cases, some of them actually occur as a result of source code changing hands. Several initiatives were created to improve compliance in the supply chain, such as OpenChain, which aims to build trust, and the Software Package Data eXchange® (SPDX®), whose goal is to standardize the way companies and communities report FOSS licensing information. We recommend getting involved in these initiatives and adopting their practices with your suppliers. Part of that is requiring suppliers to disclose the FOSS included in their deliverables to your organization and to provide you with everything you need to meet any license obligations once you ship your product.
4 – Set up an Open Source Review Board (OSRB) to review planned use of and contribution to FOSS
The OSRB is a center of FOSS expertise and brings together a small committee that includes representatives from Engineering or Products, Legal, and the FOSS project manager. The purpose is to establish a company strategy for FOSS usage, and FOSS community involvement and contributions. The OSRB reviews and approves requests to use and contribute to FOSS in company products.
5 – Provide FOSS license “playbooks” for commonly used licenses
FOSS License Playbooks are summaries of the most used or most popular FOSS licenses. They provide easy-to-understand information about these licenses, such as license grants, restrictions, obligations, patent impact and more. License playbooks minimize the number of basic questions sent to Legal Counsel and give developers immediate legal information about these most used licenses.
6 – Incorporate FOSS compliance activities into everyday business and development processes
The most effective way to ensure FOSS compliance is to look for ways of incorporating compliance activities directly into the existing business and development policies and processes instead of creating new ones. As an example, on the business end, update your software procurement agreements to include FOSS provisions; on the development end, ensure that all FOSS incorporated in the current release is approved and tracked before the release is committed.
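Tips 2, 3 and 6 together describe one loop: a baseline BOM, a supplier or scanner delivering license data in SPDX, and a release gate that only looks at the delta. The following is an added example, not FOSSID's tooling or code from this post: it parses a minimal SPDX tag-value subset (PackageName, PackageVersion, PackageLicenseConcluded), diffs a release BOM against the baseline, and flags changed components whose concluded license is not on a hypothetical OSRB pre-approved list. The two SPDX documents and the approved-license set are constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed sample BOMs (SPDX tag-value subset), not real scan output.
BASELINE_SPDX = """\
SPDXVersion: SPDX-2.2
PackageName: openssl
PackageVersion: 1.1.1
PackageLicenseConcluded: OpenSSL
PackageName: zlib
PackageVersion: 1.2.11
PackageLicenseConcluded: Zlib
"""
RELEASE_SPDX = """\
SPDXVersion: SPDX-2.2
PackageName: openssl
PackageVersion: 3.0.2
PackageLicenseConcluded: Apache-2.0
PackageName: zlib
PackageVersion: 1.2.11
PackageLicenseConcluded: Zlib
PackageName: readline
PackageVersion: 8.1
PackageLicenseConcluded: GPL-3.0-only
"""
# Hypothetical OSRB playbook list: licenses already cleared, no new review needed.
PRE_APPROVED = {"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib"}


def parse_packages(doc: str) -> Dict[str, Tuple[str, str]]:
    """Return {package_name: (version, concluded_license)} from SPDX tag-value text.
    Missing version or license fields are reported as NOASSERTION, as SPDX does."""
    packages, current = {}, None
    for line in doc.splitlines():
        m = re.match(r"^(\w+):\s*(.+?)\s*$", line)
        if not m:
            continue  # blank lines and free text are ignored
        tag, value = m.groups()
        if tag == "PackageName":
            current = value
            packages[current] = ["NOASSERTION", "NOASSERTION"]
        elif tag == "PackageVersion" and current:
            packages[current][0] = value
        elif tag == "PackageLicenseConcluded" and current:
            packages[current][1] = value
    return {name: tuple(fields) for name, fields in packages.items()}


def compliance_delta(baseline: str, release: str, approved: set):
    """Compute (changed, removed, needs_review): only the delta since the baseline
    is examined, and only changed components with a non-pre-approved license
    (including NOASSERTION) are routed to the OSRB before the release is committed."""
    base, rel = parse_packages(baseline), parse_packages(release)
    changed = {n: rel[n] for n in rel if base.get(n) != rel[n]}
    removed = sorted(set(base) - set(rel))
    needs_review = {n: lic for n, (_, lic) in changed.items() if lic not in approved}
    return changed, removed, needs_review
```

With the constructed data, the openssl upgrade is a change but needs no review because Apache-2.0 is pre-approved, while the newly added readline is flagged for OSRB review.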
7 – Automate, Automate, Automate
Similarly to the real estate cliché of “Location, Location, Location”, we believe that the use of tools and automation is mandatory for organizations to scale their FOSS compliance practices to keep pace with the development speed of FOSS projects. Automation is a central topic for FOSSID, and we would gladly discuss how we can improve and support your FOSS compliance efforts from a tooling perspective.
Until next time, happy innovation and “Don’t panic!”.