The Hitchhiker’s Guide to Open Source Compliance – Episode 6
The implementation of open source compliance processes varies between companies due to a number of reasons. However, the core elements usually remain the same: identifying the open source in the code base; reviewing and approving its use; and satisfying obligations.
This blog post gives an overview of a typical open source compliance process and illustrates the phases that free and open source software components go through before they are approved for usage.
Resolving Any Issues Uncovered by the Audit
As a result of the audit step, any issues detected by the source code scanner (such as license conflicts) turn into tickets to be resolved. All tickets generated from the audit are monitored and tracked until they are closed. Once all related tickets are closed, a new audit is performed to confirm that the issues are resolved.
Completing Appropriate Reviews
Once all issues identified earlier are resolved, the compliance ticket is moved to the review process. During the review process, the engineering and compliance teams perform an architecture review and a linkage analysis for the specific component and mark it as ready for the next step if no issues are uncovered.
- In the architecture review, the interactions between the open source, 3rd party and proprietary code are analyzed. The goal is to find out if the licensing obligations might extend from open source components to proprietary code.
- The linkage review focuses on finding potentially problematic code combinations at the static and dynamic link level.
Receiving Approval to Use Open Source
Once all reviews have been completed, the compliance ticket moves to the approval step, where it is either approved or rejected by the open source review team. If the ticket is approved, the open source review team communicates the approval to the product team so that they understand their responsibilities and begin preparations to fulfill the license obligations.
Registering Open Source in the Software Inventory
Once a software component has been approved for usage in a product, the following takes place:
- The component is added to the software inventory that tracks open source usage,
- The compliance ticket for the product in question is updated to reflect the approval. If usage has been rejected for a software component, the reason for rejection should be registered for future reference.
Updating Product Documentation to Reflect Open Source Software
One of the key obligations when using open source is the documentation obligation, also referred to as the notice obligation. Companies using open source in an externally distributed product must acknowledge the use of open source by providing the required copyright and attribution notices, reproducing the entire text of the license agreements for the open source code included in the product and informing the end user how to obtain a copy of the source code (when applicable).
Performing Verification to all Steps Previous to Distribution
The goal of this step is to ensure that:
- All open source packages destined for distribution have been identified and approved.
- Source code packages (including modifications) have been verified to match the binary equivalent being shipped with the product.
- Appropriate notices have been included in the product documentation with regard to attribution and to inform end-users of their right to request code (when applicable).
- All source code has been reviewed and approved to be distributed externally.
Distributing Source Code Packages and Performing Final Verifications
Once the verification step is completed, the open source packages and applicable notices are uploaded to the distribution website. It is recommended to verify that the packages were uploaded properly and can be downloaded and uncompressed without issues.
Need help with Automating Open Source Compliance?
In today’s world where open source software is deployed in everything from vacuum cleaners to cars, companies are realizing how extensive their reliance on open source software is and building up their internal compliance processes to scale with that high volume.
At FOSSID, we have created an open source compliance solution with a very high-performing scanning engine and the most comprehensive open source knowledge base available on the market.
We would love the opportunity to talk to you and demo our capabilities.