The Hitchhiker’s Guide to Open Source Compliance – Episode 3
Open source software usage has been increasing at an incredible pace, and companies across all verticals are adopting an open source first policy. Even countries are doing so, with Canada being the latest to publish a new directive on Management of IT Services that includes phrases such as “…use open standards and open source software first…”, and “…all source code must be released under an appropriate open source software license…”.
This is a great testament to the power of open source methodology, that acts as an innovation multiplier, enables collaboration between industry players, academia and the general public, democratizes software, and speeds up product development and time-to-market – and ultimately leads to better and cheaper products.
But having access to billions of dollars of open source software comes with the price of ensuring compliance with the open source licenses. With source code entering organizations via various channels, and large volumes of open source software in use, it is becoming important to ensure an automated and scalable approach to compliance. Some compliance practices will always pass the test of time: identifying common errors and educating staff on how to avoid them, before they happen.
The Top 4 Errors Leading to Non-Compliance
From our experience, four compliance errors stand out from the rest. We list them below together with recommendations on how to avoid them:
- Using open source code in proprietary software components (or vice versa) without proper internal approvals. Such errors can be caught and flagged by a source code scanner, but if the scannings don’t occur on a regular basis (for instance if your scan tool is not tied to your build system), it will be a costly re-engineering if it is discovered that the combination of licenses is not a recommended one. The problem can easily be avoided through education. Offering training to development staff on recommended practices and company policies with respect to copy/pasting code under different licenses is a major factor to help decreasing such instances before they reach the source code scanner.
- Linking open source libraries to proprietary software components with incompatible licenses (or vice versa) without prior approvals. Companies often have policies in place that clarify the rules of interaction between software components under different licenses. Education is essential and training staff on company policies in relation to linkage relationships and how those affect the compliance efforts.
- Internal compliance process errors leading to infringements of the open source licensing terms. These are errors that happened due to either a poorly designed compliance process or staff that don’t follow the process. These errors can be avoided by both education and continuously introducing improvements to the process to make it more efficient, automated, and as least intrusive as possible to the developers.
- Failure to provide proper notices and/or appropriate source code packages. Some of the products using open source software contain hundreds or even thousands of open source packages. Companies can easily be overwhelmed by the amount of code they need to track per product, notices to collect, licenses and software interactions to analyze, and finally publishing the appropriate attributions, copyright and license notices in addition to the required source code packages. Automating the process and introducing advanced tools to manage the process is essential. In addition, introducing checks within the development process to verify ongoing compliance efforts is an essential aspect of minimizing these errors.
In the past few years, there has been an increased activities in compliance enforcement. In a future blog post, we plan to share some of the lessons learned looking at these activities from a practical perspective.
Until next time, happy innovation and “don’t panic!”.