Shane Coughlan leads the OpenChain project at the Linux Foundation. We managed to steal a few minutes of his time to talk about OpenChain, open source, compliance and security. But first, a brief backgrounder on Shane.
Shane has been involved in open source in one way or another since 1998. He started out by working on the GEM desktop GUI for the FreeDOS operating system, clearly aiming at the technology of the future. You can still find what he did if you search for the “OpenGEM” distribution.
He entered the field of security and compliance through his research around net-centric in the period 2003–2004 and began to focus on licensing issues in detail from 2006, when he joined the Free Software Foundation Europe and established its legal department. Over the subsequent 10 years he continued to work on compliance and patent issues (as Regional Director Asia and then Global Director of Licensing at OIN for 6 years).
The OpenChain Project was something he had always been part of, sometimes more intensely, sometimes less. When the opportunity came up to help it scale, he felt it was a natural fit. In a nutshell, OpenChain gets to help thousands of companies become more comfortable with, and more efficient at, open source compliance. This begets all sorts of other useful collaboration.
The LF has several projects that fall under the open source compliance umbrella. Can you please give us a quick overview of all the compliance projects at LF?
The Linux Foundation is a big place. We have an umbrella project called the Open Compliance Program and that is our gateway into a series of different projects addressing different problem sets. By way of example, OpenChain is at the “top of the stack,” a high level industry standard that defines the key requirements of a quality open source compliance program. It defines the inflection points where a company should have a process, policy or training program. However, it does not define the context of each specific process. Moving down the stack you find projects like SPDX, the standard for Bill of Materials, which is a neat way to fill out a process for identifying what is in a given software package.
We have other projects that are software rather than specifications. FOSSology is a great example. This is a scanner that helps to identify the license of given software files. It is open source, completely free to access, and widely used in production. There are more projects. The best way to explore them all is to visit the Open Compliance Program start page: https://compliance.linuxfoundation.org
Let’s dig into OpenChain. How would you describe OpenChain as an elevator pitch?
OpenChain aims to increase open source compliance in the supply chain. This issue, which many initially dismiss as a legal concern or as low priority, is inherently tied to ensuring that open source is as useful as possible with as little friction as possible. In a nutshell, because open source is about the use of third party code, compliance is the nexus of where equality of access, safety of use and reduction of risk can be found. OpenChain is built to increase trust between organizations to accomplish this.
Can you share why OpenChain exists and the challenges it aims to address?
Today many companies understand open source and act as major supporters of open source development. However, addressing license compliance in a systematic, industry-wide manner has proven to be a somewhat elusive challenge. The global IT market has not yet seen a significant reduction in the number of open source compliance issues discoverable in areas like consumer electronics over the last decade.
This supply chain challenge is not due to open source being inherently complex but rather due to the varying degree of exposure and domain knowledge that companies possess. By way of example, a company developing a small component that requires a device driver may have staff entirely unfamiliar with open source. One mistake, one misunderstanding, and one component deployed in dozens of devices can present an issue. Most compliance challenges arise from mistakes. Few, if any, originate with intent.
No single company makes a finished device and no single company can solve compliance challenges; the supply chain requires a chain of interconnected solutions. To address this the OpenChain Project is building and disseminating an industry standard for license compliance. Engagement and adoption are simple, free and supported by a vibrant community backed by leading multinationals across multiple sectors.
Different open source projects are structured differently. How about OpenChain? How is it structured and organized?
There are three interconnected parts to the OpenChain Project. A Specification that defines the core requirements of a quality compliance program. A Conformance method that helps organizations display adherence to these requirements. A Reference Library to provide basic open source processes and best practices.
OpenChain is designed to be a compelling approach to consistency and effectiveness across multiple market segments. At its core the project is about providing a simple, clear method of building trust between organizations that rely on each other to share code and create products. Any organization that is OpenChain Conformant is aligning behind key requirements that their peers agree are required in a quality compliance program. This is about confirming overarching processes and policies, while allowing the specifics of each process and policy to be crafted by each organization to suit its specific needs.
Does OpenChain help to define what information needs to be shared between customer and supplier companies?
The lack of an industry standard for open source compliance has – in the past – led to very different “asks” from customer companies towards their suppliers. On occasion these asks have undershot what is needed for solid open source compliance and on occasion these asks have overshot what is needed, potentially slowing down the process of bringing products to market. The OpenChain Specification provides a neutral, clear series of requirements that maintain flexibility to adjust to different company sizes and to apply to different market sectors.
Perhaps one of the most important points illustrated by the OpenChain standard is that asking for processes to exist at inflection points ensures errors are dramatically reduced. This approach allows flexibility for companies to implement process content without inherently undermining accuracy. OpenChain provides an avenue for addressing real world needs without leading to unwieldy and resource expensive approaches.
As one representative from a company in Europe quipped, OpenChain can replace 12 pages of open source-related language in procurement with a single line: “Please be OpenChain Conformant.” Naturally, this is a simplification, but it touches on how OpenChain can dramatically streamline the open source compliance relationship between companies.
Is OpenChain at a stage of maturity that allows adoption by both supplier and customer companies?
The OpenChain Specification is a de facto industry standard that is ready for adoption by any organization that creates, uses or distributes free and open source code. The online conformance is free of charge, the mailing list and Work Team calls are open to everyone. Arguably, this is the first time a single, unifying approach to addressing the challenge of open source compliance in the supply chain exists. Perhaps most importantly, OpenChain is in the ISO standardization process and we expect delivery of a formal standard during first half 2020. You can learn more and engage with our work on the project website: www.openchainproject.org
What about adoption? How do you see that trending?
This is my favorite question. As mentioned above, the OpenChain industry standard defines the inflection points where a company should have a process, policy or training program. However, it does not define the context of each specific process. Adopting OpenChain is as simple as ensuring you have appropriate process, policy or training programs in the right places.
At this point many parties say something along the lines of “er, that is all very well, but what specifically can I put inside these process points?” It is a valid question! We do not dictate that content inside the OpenChain industry standard because it needs to be applicable to entities of all sizes in all markets. However, we have a super active and supportive community. There is reference material of all sorts – including entire reference training programs or multi-industry policy options – right here: https://www.openchainproject.org/resources
Perhaps more importantly our community is delighted to help any other collaborator with what I like to call “reference material on demand.” If people raise an area where they would like to see something on one of our calls or mailing lists it is almost inevitable that many parties will jump in with institutional knowledge from their space.
A company defines the inflection points, finds appropriate ways to fill those out, and they are OpenChain conformant. This is not to say that is the end of the road. Licensing compliance is a continual activity, like every other business activity. What OpenChain accomplishes is making it easier to devote your resources effectively and to get results faster.
Who is conforming? What data can you share with us on this?
That is a moving target! There are three threads here. One is organizations with a publicly announced OpenChain conformant program. The list is always expanding, with some recent examples being Liferay, Sony Semiconductor and LG Electronics. You can check out the full list on our website: https://openchain.lfprojects.linuxfoundation.org
However, there are two other parts. There are organizations who are OpenChain conformant but are not making a public announcement for one reason or another and there are organizations undergoing conformance or – perhaps even cooler – using OpenChain as the framework for how they do compliance. These two “other” categories are part of our long-term foundation, and as OpenChain expands via the ISO process and procurement, more of these entities will probably go public with their engagement.
An interesting data point is that around 50% of the users of our online self-certification web app are aiming for OpenChain conformance, whether it is public or not. Around 50% are using this resource, and our other resources, for process optimization not specifically linked with announcements or labeling at this juncture. That dovetails neatly with our desire to ensure OpenChain is the solution of choice for open source compliance. It provides a positive confirmation that our community is on-target for a diverse audience set.
As OpenChain is not purely a source code project, can you share some advice on how to contribute to it?
Join our calls, join our mailing lists. OpenChain is a very, very open project. All our standard development is not only in the open but we pro-actively encourage parties to jump in and provide their thoughts. All of our reference material comes to life in the open. All of our key decisions, such as votes on the OpenChain standard itself, are both public and welcoming to an audience and to questions.
Sometimes people ask “how do I become part of the OpenChain Project?” I always answer “turn up.” We have an incredibly welcoming community and you can get started with it right here: https://www.openchainproject.org/get-started/participate
What is the end goal of OpenChain?
The OpenChain Project has built the standard for open source compliance over tens of thousands of person-hours and multiple years. It provides the framework for companies of all sizes in all markets to address compliance in a cost effective, time effective manner. When it comes to the supply chain, the more companies that adopt OpenChain, the fewer errors we see enter the process and the quicker remediation of any errors becomes.
The end goal is to make open source compliance – which constitutes the gateway to access of open source code – easier, faster and more effective. This is well underway but naturally where we would love to end up is in a situation where every company, everywhere, regarded adoption of the industry standard as much a part of their everyday goals as, say, the adoption of ISO9001. That is the tipping point when all stakeholders will maximize their efficiency in deployment of code from the perspective of licensing.
Open Compliance Summit (December 17-18, 2019, Tokyo)
The Open Compliance Summit is an exclusive 2-day event for Linux Foundation members and select invitees. It provides an excellent opportunity for Linux Foundation Members in the APAC region to share knowledge around open source compliance matters and to build connections that streamline interactions between companies of all sizes in all sectors. Shane will be in attendance and also speaking at the event, moderating a discussion panel.
FOSSID is proud to be a Gold sponsor of the Open Compliance Summit, and to participate, among other things, through a talk by CEO and Co-Founder Oskar Swirtun. We look forward to seeing you there!