Establishing a Clean Software Baseline for Open Source License Compliance
The Linux Foundation | 08 March 2017
One of a company’s first challenges when starting an open source compliance program is to find exactly which open source software is already in use and under which licenses it is available.
This initial auditing process is often described as establishing a clean compliance baseline for your product or software portfolio. It is an intensive activity that can extend for months, depending on how soon you started compliance activities in parallel with development activities.
Below are some recommendations, based on The Linux Foundation’s e-book Open Source Compliance in the Enterprise, for some of the best ways to achieve initial license compliance.
4 Activities to Establish Baseline Compliance
Organizations achieve initial compliance through the following activities:
• Early submission and review of open source usage requests.
• Continuous automated source code inspection based on a predefined interval of time for all source code.
• Continual source code scans, including code received from third-party software providers, to intercept source code that was checked into the code base without a corresponding compliance ticket. Such source code scans can be scheduled to run on a monthly basis, for instance.
• Enforced design and architectural review, in addition to code inspections, to analyze the interactions between open source, proprietary code, and third-party software components. Such reviews are mandatory only when a given interaction may invoke license compliance obligations.
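A scan that intercepts code checked in without a corresponding compliance ticket can be sketched as follows. This is an added example, not code from The Linux Foundation or its e-book. It assumes files carry SPDX-License-Identifier tags, that each top-level directory is one component, and that the ticket register is a simple mapping; all names and sample data are constructed.

```python
import re
import tempfile
from pathlib import Path

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")

# Constructed ticket register: component directory -> licenses approved on its ticket.
SAMPLE_TICKETS = {"app": {"LicenseRef-Proprietary"}, "libfoo": {"MIT"}}

# Constructed source tree: relative path -> file content.
SAMPLE_FILES = {
    "app/main.c": "// SPDX-License-Identifier: LicenseRef-Proprietary\nint main(void){return 0;}\n",
    "libfoo/foo.c": "/* SPDX-License-Identifier: MIT */\n",
    "libfoo/contrib/bar.c": "// SPDX-License-Identifier: GPL-2.0-only\n",
    "vendor_sdk/sdk.c": "int sdk_init(void);\n",  # third-party drop, no license tag
}

def scan_tree(root):
    """Map each top-level component directory to the license ids found in its files."""
    root, found = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        parts = path.relative_to(root).parts
        component = parts[0] if len(parts) > 1 else "(root)"
        match = SPDX_RE.search(path.read_text(errors="replace")[:2048])
        found.setdefault(component, set()).add(match.group(1) if match else "UNDECLARED")
    return found

def audit(found, tickets):
    """Flag components with no ticket, or with licenses their ticket does not cover."""
    findings = []
    for component, licenses in sorted(found.items()):
        approved = tickets.get(component)
        if approved is None:
            findings.append((component, "no-ticket", sorted(licenses)))
        elif licenses - approved:
            findings.append((component, "license-not-in-ticket", sorted(licenses - approved)))
    return findings

def run_demo():
    """Write the constructed tree to a temp directory, scan it, audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return audit(scan_tree(tmp), SAMPLE_TICKETS)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run on a schedule, the findings list is the set of components that need a compliance ticket opened or amended before the next milestone.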
Compliance on Future Revisions
If a company fails to establish baseline compliance, it is almost guaranteed that future revisions of the same product (or other products built using the initial baseline) will suffer from compliance issues. To guard against such scenarios, companies should consider establishing other elements of a complete open source management program, including the following:
• Offer simple but enforced policies and lightweight processes.
• Include compliance checkpoints as part of the software development process as it moves from concept into shipping a product or software stack. Ideally, with every development milestone, you can incorporate a corresponding compliance milestone, ensuring that all software components used in the build have parallel and approved compliance tickets.
• Ensure availability of a dedicated compliance team.
• Utilize tools and automation to support efficient processing of compliance tickets.
There are several challenges in maintaining open source compliance, similar to those faced when establishing baseline compliance. In fact, many of the steps are identical, but on a smaller, incremental scale. We’ll cover recommendations for maintaining compliance in the next article in this series.