What is the secret to staying on top of your open source compliance efforts? The simple answer is to have good practices in place, and in this article we list nine best practices that will have a direct impact on your efforts. If you already have these practices implemented, congratulations, you are doing great. If you have implemented none of them yet, or only a subset, we invite you to consider introducing the missing ones.
Without further ado, the top open source compliance new year’s resolutions are (listed in random order):
1) Assign an Open Source Software Compliance Manager
There are various ways you can structure and organize your open source compliance efforts. Regardless of the organization, we believe there should be a resource whose role is to manage the compliance process and be accountable for ensuring open source compliance of the products or services released. This resource is not necessarily a dedicated individual, although in large organizations it typically is, often with a supporting team, depending on the size of the company and the volume of open source used in its products and services.
What are the responsibilities of this resource? In a nutshell, it is responsible for driving open source compliance activities which include:
- Coordinating and executing source code scans and audits
- Releasing source code packages per compliance with open source licenses
- Creating and delivering open source compliance training to employees
- Continuously improving the open source compliance program
- Contributing to sourcing and/or creating and integrating tools to facilitate the automation of open source compliance (with the support and help of the IT department)
The resource usually possesses a mix of technical skills, a good understanding of open source licensing and advanced program management skills.
2) Know what open source is in your code
Open source can come to your enterprise from various channels: your own developers, third-party contracted developers, companies delivering software to you via commercial agreements, etc. It is therefore critical to have a process in place that identifies all incoming source code (whole packages and snippets) and its corresponding licenses.
Knowing what open source code you are consuming will allow you to execute proper compliance with all applicable open source licenses.
3) Get your suppliers involved in compliance
As mentioned, open source can enter your organization via your software supply chain. Therefore, it is important to require your suppliers to disclose the open source software (whole packages and snippets) included in their deliverables – in addition to fulfilling license obligations towards you.
A recommendation is to ask your suppliers to go through the OpenChain Self Certification, which helps you identify whether they have good open source compliance practices and increases your trust in their internal compliance practices.
4) Set up an Open Source Review Board
Most companies with heavy reliance on open source software create a so-called “Open Source Review Board” (OSRB) to act as a clearing house for all open source usage across the enterprise. It typically consists of representatives from Legal, Engineering, and Product teams, in addition to the Open Source Compliance Manager. The members of the OSRB review all requests to incorporate open source code in products/services, evaluate these requests and decide on approval/denial based on technical and legal considerations. They also perform the same review function with respect to contributing to open source projects.
5) Create “playbooks” for commonly used open source licenses
Several organizations adopt the approach of creating license playbooks in an effort to minimize the demand on their legal counsels and to scale their effectiveness. So, what’s a license playbook? It is typically a one-page summary of a commonly used open source license that provides easy-to-understand information about that license, such as license grants, restrictions, obligations, patent impact, and more. Playbooks are basically easy-to-read, digest-form summaries intended for employees who want to learn about a given open source license without reading the lengthy, multi-page license text.
6) Set up a process and a policy
I think we all agree that it is a smart idea to ensure compliance before a product ships or a service launches. How can an organization that ships many products using open source code manage the compliance piece? A great start is to implement a policy and a process, and then offer the tools to automate that operation. The open source compliance policy is typically a set of rules that govern the management of open source software (both its use and contributions to it). A process is a detailed specification of how the company will implement these rules (the policy) on a daily basis. Compliance policies and processes govern the various aspects of using, contributing to, auditing, and distributing open source software.
7) Add compliance checkpoints into business and development processes
Establishing and maintaining open source compliance is a continuous effort that depends on discipline and commitment to incorporate compliance activities into existing engineering and business processes. Open source compliance practices and milestones must be injected into all of these interactions and processes: your engineers downloading code from GitHub, software outsourced to offshore contractors, your supply chain agreements, corporate transactions such as mergers and acquisitions, and so on.
8) Automate the discovery of open source in your code
With organizations using hundreds or thousands of open source software packages (and a multiple of that in snippets), it is almost mandatory to automate compliance discovery by deploying a source code scanner that integrates with your build systems and helps you identify all open source packages and snippets, their origin, and their true license.
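As an added illustration of the checkpoint and automation practices above (this is example code, not FOSSID's or any scanner vendor's), the script below gates a build on a license policy. It assumes the scanner's findings have been exported as a simple JSON list of packages and snippets (a constructed, hypothetical format) and that the policy table mirrors the decisions of the Open Source Review Board.

```python
# Added example: a CI checkpoint that applies a license policy to scanner output.
import json

# Constructed policy: SPDX license id -> decision. Anything not listed needs OSRB review.
POLICY = {
    "MIT": "approved",
    "Apache-2.0": "approved",
    "BSD-3-Clause": "approved",
    "LGPL-2.1-only": "review",      # e.g. allowed only as a dynamically linked library
    "GPL-3.0-only": "denied",       # e.g. not permitted in this proprietary product
}

# Constructed scanner export (hypothetical format): whole packages and snippets.
SCAN_EXPORT = json.dumps([
    {"name": "requests", "version": "2.31.0", "kind": "package",
     "license": "Apache-2.0", "origin": "pypi"},
    {"name": "libfoo", "version": "1.4", "kind": "package",
     "license": "GPL-3.0-only", "origin": "github.com/example/libfoo"},
    {"name": "utils.c:parse_header", "version": "", "kind": "snippet",
     "license": "LGPL-2.1-only", "origin": "github.com/example/netlib"},
    {"name": "vendored/blob.js", "version": "", "kind": "snippet",
     "license": "", "origin": "unknown"},
])

def evaluate(export_json: str, policy: dict) -> dict:
    """Classify every component; returns lists the CI job can act on."""
    result = {"approved": [], "review": [], "denied": [], "unknown": []}
    for c in json.loads(export_json):
        lic = c.get("license") or ""
        ident = f"{c['kind']}:{c['name']}"
        if not lic:
            # A component whose license the scanner could not determine is a
            # finding in its own right: it is never silently passed.
            result["unknown"].append(ident)
            continue
        decision = policy.get(lic, "review")   # unlisted licenses go to the OSRB
        result[decision].append(ident)
    return result

def checkpoint_passes(export_json: str, policy: dict) -> bool:
    """The build gate: fail on denied or unknown licenses; 'review' items are
    reported to the OSRB but do not block the build by themselves."""
    r = evaluate(export_json, policy)
    return not r["denied"] and not r["unknown"]

if __name__ == "__main__":
    print(json.dumps(evaluate(SCAN_EXPORT, POLICY), indent=2))
    raise SystemExit(0 if checkpoint_passes(SCAN_EXPORT, POLICY) else 1)
```

Run as a build step, a non-zero exit code blocks the release until the denied and unknown components have been resolved.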
9) Provide compliance training
We believe in the power of training and highly recommend that organizations develop and offer open source and compliance training to their employees. Training ensures that employees have a good understanding of the company’s open source policies, processes, and compliance practices. In some cases, the training also covers the most commonly used open source licenses and the concerns arising from using open source in commercial contexts. Several organizations have even gone one step further and mandated open source and compliance training for all staff engaged in the development, management, and outsourcing of software projects.
Let us help you with your open source software compliance.
Meet Us at the LF Energy Open Source Bootcamp
We’re excited to mention that Jon Aldama, Co-Founder and CTO of FOSSID, is a speaker at the LF Energy Open Source Bootcamp, delivering a training session on open source compliance. The event is organized by LF Energy, an umbrella organization under the Linux Foundation, leading the way with the mission to grow and sustain open source software in the energy and electricity sectors. If you work for an energy company and are interested in learning more about open source consumption, contribution, and compliance, please follow the link to register for a free one-day open source training hosted by Alliander in their offices in Duiven, The Netherlands (about 45 minutes by train from Amsterdam). The training includes talks from Ibrahim Haddad (Executive Director, LF AI Foundation) and Shuli Goodman (Executive Director, LF Energy Foundation).