Basic Rules to Streamline Open Source Compliance For Software Development
The Linux Foundation | 22 February 2017
The following is adapted from The Linux Foundation’s e-book, Open Source Compliance in the Enterprise, by Ibrahim Haddad, PhD.
Companies will almost certainly face challenges establishing their open source compliance program. In this series of articles, based on The Linux Foundation’s e-book, Open Source Compliance in the Enterprise, we discuss some of the most common challenges, and offer recommendations on how to overcome them.
The first challenge is to balance the compliance program and its supporting infrastructure with (existing) internal processes while meeting deadlines to ship products and launch services. Various approaches can help ease or solve such challenges and assist in the creation of a streamlined program that is not seen as a burden to development activities.
Companies should streamline open source management upon two important foundational elements: a simple and clear compliance policy and a lightweight compliance process.
Mandate basic rules
It’s important to first have executive-level commitment to the open source management program to ensure success and continuity. In addition, policies and processes have to be light and efficient so that development teams do not regard them as overly burdensome to the development process. Establish some simple rules that everyone must follow:
Require developers to fill out a request form for any open source software they plan to incorporate into a product or software stack.
Require third-party software suppliers to disclose information about open source software included in their deliverables. Your software suppliers may not have great open source compliance practices, and it is recommended that you update your contractual agreement to include language related to open source disclosures.
Mandate architecture reviews and code inspections for the Open Source Review Board (OSRB) to understand how software components are interrelated and to discover license obligations that can propagate from open source to proprietary software. You will need proper tooling to accommodate a large-scale operation.
Scan all incoming software received from third-party software providers and ensure that their open source disclosures are correct and complete.
Integrate Rules Into the Existing Development Process
Once the basic rules have been established, the most successful way to create compliance is to incorporate the compliance process and policies, checkpoints and activities as part of existing software development processes.
The priority for all organizations is to ship products and services on time while building and expanding their internal open source compliance infrastructure. Therefore, you should expect to build your compliance infrastructure as you go, keeping in mind scalability for future activities and products. The key is thoughtful and realistic planning.
Plan a complete compliance infrastructure to meet your long-term goals, and then implement the pieces stepwise, as needed for short-term execution.
For instance, if you are just starting to develop a product or deliver a service that includes open source and you do not yet have any compliance infrastructure in place, the most immediate concern should be establishing a compliance team, processes and policy, tools and automation, and training your employees. Having kicked off these activities (in that order) and possessing a good grip on the build system (from a compliance perspective), you can move on to other program elements.
The next challenge to establishing an open source compliance program is clearly communicating your organization’s efforts to meet its open source license obligations with others inside and outside the company. In the next article, we’ll cover some practical ways to approach communication.
Get the open source compliance training you need. Take the free “Compliance Basics for Developers” course from The Linux Foundation. Sign up now!