Open Compliance Program
As the use of Linux and other open source software has exploded in recent years, especially in mobile and consumer electronics products, the need has arisen for a trusted, neutral, non-commercial compliance program that offers a comprehensive offering of compliance training, tools and services. To address that complexity, The Linux Foundation has developed a set of open source tools, training curricula and a new self-administered assessment checklist that will allow companies to ensure compliance in a cost-effective and efficient manner. The Open Compliance Program also includes a new data exchange standard so companies and their suppliers can easily report software information in a standard way.
The seven elements of the Linux Foundation’s Open Compliance Program are:
Professional, comprehensive compliance training
Tools to help with compliance due diligence
Standardized reporting for licenses and BoM
A benchmark to gauge progress in implementing compliance processes
A directory of compliance officers and and rapid alert system
A community to evolve compliance best practices
To provide a solid starting point for compliance initiatives
|Learn more...||Learn more...||Learn more...||Learn more...||Learn more...||Learn more...||Learn more...|
The Linux Foundation now offers the industry’s more comprehensive compliance resource for training and informational materials. Training modules cover the fundamentals of open source licensing and compliance activities, and can be tailored for audiences ranging from corporate executives to working professionals. Training is offered live on-site or online. In addition, The Linux Foundation also offers free tutorials on getting started with open source compliance and FOSS compliance checklists.
The Linux Foundation offers free educational white papers and publications on FOSS compliance covering a wide range of compliance related topics. Visit our compliance publications page to access all of the available compliance papers.
While there are many commercial and open source scanning tools available to identify the origin and license of source code, the Linux Foundation has developed complementary tools needed to help companies improve their open source compliance due diligence. The Linux Foundation has released initial versions of these tools as open source projects and urges other developers to contribute to them. They include:
- FOSS Bar Code Tracker: simplifies the way FOSS components are tracked and reported in a commercial product. The tool allows companies to easily generate a custom QR code for each product containing FOSS. The QR code contains important information on the FOSS stack contained in a product, such as component names, version numbers, license information and links to download the source code, among other details.
- Dependency Checker: capable of identifying code combinations at the dynamic and static link level. In addition, the tool offer a license policy framework that enables FOSS Compliance Officers to define combinations of licenses and linkage methods that are to be flagged if found as a result of running the tool.
- The Code Janitor: This tool provides linguistic review capabilities to make sure developers did not leave comments in the source code about future products, product code names, mention of competitors, etc. The tool maintains a database of keywords that are scanned for in the source code files to ensure code released is safe and ready for public consumption.
Enables companies to standardize their bills of material to ease the discovery and labeling of open source components in their products; this is especially important for consumer electronics manufacturers who assemble parts from a variety of suppliers into their shipping products. The end result is companies using free and open source software will all be following the same reporting method. More information can be found at http://www.spdx.org/
The Linux Foundation has developed an extensive checklist of compliance best practices in addition to elements that must be available in an open source compliance program to ensure its success. Companies are invited to use this checklist as an internal self-administered exercise to evaluate their compliance in comparison to top tier best compliance practices. The checklist will be formally launched in q4 of 2010.
The Linux Foundation has created a directory of compliance officers at companies using Linux and Open Source software in their commercial products so communication can be eased, information related to open source licenses can be easily disseminated and actions can be coordinated. This is a huge need in today’s market where it’s often times difficult for open source projects to identify the correct people at companies using their software to address issues of concern. To add contact information for compliance purposes or query the directory: http://www.linuxfoundation.org/programs/legal/compliance/directory/
The above resources join the existing FOSSBazaar workgroup which has a thriving and informed community of software and compliance professionals. As the open source ecosystem continues to evolve with new opportunities and risks, this community will focus discussion on how the industry can best adapt to the changes. The Linux Foundation welcomes all interested companies to participate at http://www.FOSSBazaar.org.
When a company is in the process of creating a FOSS compliance program, they need to establish policy, processes, guidelines, best practices, and much more. The Open Compliance Program is offering some of these material as templates that you can customize to your own needs saving you the effort to start from scratch.
If you are interested in discussing open source license compliance with like-minded peers in the industry, The Linux Foundation offers dedicated compliance and legal tracks at Collaboration Summit, the Enterprise End User Summit, LinuxCon Japan, LinuxCon North America, and LinuxCon Europe. The goal of the Legal/Compliance track is to provide a neutral environment to discuss and collaborate on the open source legal and compliance issues of greatest common interest and concern, including collaborating on the next steps for the legal defense infrastructure for the Linux platform.