The Linux Foundation focuses on educating and helping developers and companies understand their license requirements and how to build efficient, frictionless, and often automated processes to support compliance. Many of these resources are collated under The Linux Foundation's Open Compliance Program.
Education and Training
The Linux Foundation supports a comprehensive set of programs for open source software compliance. We view open source compliance as a continuous process managed by professionals—and achieving compliance across an ecosystem starts with education and training so we can develop more professionals.
- Whitepapers and how-to guides for developers and program managers
- Developer Training: Compliance Basics for Developers
Education and training build a base of knowledgeable resources to guide your open source journey. However, education alone will not solve efficiency issues if everyone implements compliance processes differently. The Linux Foundation projects enable the industry to develop compliance standards for companies and entire supply chains to exchange compliance data in a consistent way.
- OpenChain identifies common best practices in open source compliance that should be applied as a standard across a supply chain.
- SPDX Specifications enable projects and organizations to communicate accurate summaries of the licensing and copyright information in software deliverables.
- SPDX License List is a curated list of commonly found licenses that can be referenced by the use of a standardized short identifier per license. For each short identifier, the list contains the full name for each license, vetted license text, other basic information, and a canonical permanent URL for each license and exception.
- SPDX Meta Tags enable the use of the standardized short identifier in source code to efficiently refer to a license without having to redundantly reproduce the full license.
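As an added example of the two SPDX items above (this is not code from The Linux Foundation or the SPDX project), the script below scans source files for `SPDX-License-Identifier:` meta tags and checks every identifier in the tag's license expression against a license list. The `LICENSE_LIST` and `EXCEPTION_LIST` sets are a constructed subset of the real SPDX lists, `SAMPLE_FILES` are constructed inputs, and the expression grammar covered (`AND`, `OR`, `WITH`, `+`, parentheses) is the common core of SPDX license expressions, not the complete specification.

```python
"""Added example, not code from The Linux Foundation or the SPDX project:
find SPDX-License-Identifier meta tags in source files and check every
identifier in the tag's license expression against a license list.
LICENSE_LIST / EXCEPTION_LIST are a constructed subset of the real SPDX
lists; SAMPLE_FILES are constructed inputs."""
from __future__ import annotations
import re

# Constructed subset of the SPDX License List (short identifiers only).
LICENSE_LIST = {"MIT", "Apache-2.0", "BSD-3-Clause",
                "GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only"}
# Constructed subset of the SPDX exception list (identifiers used after WITH).
EXCEPTION_LIST = {"Classpath-exception-2.0", "LLVM-exception"}

# The tag normally sits inside a comment; capture the expression up to the end
# of the line or a closing comment marker so "*/" / "-->" is not part of it.
TAG_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*(?:\*/|-->|$)",
                    re.MULTILINE)
# Tokens of a license expression: parentheses and identifier-like words.
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def validate_expression(expr: str) -> list[str]:
    """Return the problems found in one SPDX license expression ([] = valid).

    Grammar checked: id | id+ | id WITH exception | expr AND expr |
    expr OR expr | ( expr ), with identifiers looked up in the lists above.
    """
    problems: list[str] = []
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        problems.append(f"unexpected characters in {expr!r}")
    depth = 0
    expect_operand = True   # a license id or "(" must come next
    after_with = False      # an exception id must come next
    for tok in tokens:
        word = tok.upper()  # SPDX operators are case-insensitive
        if tok == "(":
            if not expect_operand or after_with:
                problems.append("misplaced '('")
            depth += 1
        elif tok == ")":
            if expect_operand or after_with or depth == 0:
                problems.append("misplaced ')'")
            depth = max(depth - 1, 0)
        elif word in ("AND", "OR"):
            if expect_operand or after_with:
                problems.append(f"operator {tok} has no left operand")
            expect_operand = True
        elif word == "WITH":
            if expect_operand or after_with:
                problems.append("WITH is not preceded by a license")
            after_with = True
        elif after_with:
            if tok not in EXCEPTION_LIST:
                problems.append(f"unknown exception {tok!r}")
            after_with = False
        else:
            if not expect_operand:
                problems.append(f"missing operator before {tok!r}")
            base = tok[:-1] if tok.endswith("+") else tok   # "GPL-2.0+" style
            if base not in LICENSE_LIST:
                problems.append(f"unknown license {tok!r}")
            expect_operand = False
    if depth != 0:
        problems.append("unbalanced '('")
    if expect_operand or after_with:
        problems.append(f"incomplete expression {expr!r}")
    return problems


def scan_sources(files: dict[str, str]) -> dict[str, dict]:
    """Map file name -> {'expression': str | None, 'problems': [...]}.

    A file without any tag is reported as a problem, since the point of the
    meta tag is that every file carries its license in a machine-readable way.
    """
    report: dict[str, dict] = {}
    for name, text in files.items():
        tags = TAG_RE.findall(text)
        if not tags:
            report[name] = {"expression": None,
                            "problems": ["no SPDX-License-Identifier tag"]}
            continue
        expr = tags[0]
        report[name] = {"expression": expr,
                        "problems": validate_expression(expr)}
    return report


# Constructed sample inputs: file name -> file contents.
SAMPLE_FILES = {
    "crypto.c": "/* SPDX-License-Identifier: GPL-2.0-only */\n#include <stdio.h>\n",
    "util.py": "# SPDX-License-Identifier: MIT OR Apache-2.0\nimport os\n",
    "vm.java": "// SPDX-License-Identifier: GPL-2.0-only WITH Classpath-exception-2.0\n",
    "legacy.js": "// Copyright 2010 Example Corp. All rights reserved.\nfunction f() {}\n",
    "typo.go": "// SPDX-License-Identifier: GPL2\npackage main\n",
    "bad.h": "// SPDX-License-Identifier: (MIT AND\n",
}

if __name__ == "__main__":
    for name, entry in scan_sources(SAMPLE_FILES).items():
        status = "OK " if not entry["problems"] else "BAD"
        print(f"{status} {name}: {entry['expression']!r} {entry['problems']}")
```

Run as a script it prints one line per sample file; `crypto.c`, `util.py` and `vm.java` pass, while the untagged `legacy.js`, the non-standard `GPL2` identifier and the unbalanced expression in `bad.h` are each reported with the reason. Validating against the curated list is what makes the short identifier useful: a tag whose identifier is not on the list communicates nothing a downstream consumer can act on.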
You’re not alone in your open source compliance journey. Many of our members have found it beneficial to participate in the projects we host, simply to access the network of experts participating in the projects. In addition, The Linux Foundation hosts professional networks to help compliance professionals find each other and collaborate on ways to improve compliance practices, tooling, and processes.
Tools and Infrastructure
To achieve higher levels of scale and reduce the overhead cost of compliance, companies have contributed open source tools and infrastructure that lower the cost of compliance, increase cross-organization efficiency, and integrate compliance with product development.
- FOSSology scans codebases, identifies licenses in use, creates machine-readable license lists, and enables automatic notice file creation.
- FOSS Bar Code Tracker simplifies the way FOSS components are tracked and reported in a commercial product. The tool allows companies to easily generate a custom QR code for each product containing FOSS. The QR code contains important information on the FOSS stack contained in a product, such as component names, version numbers, license information, and links to download the source code, among other details.
- SPDX Tools are tools for validating, transforming, reading, and writing SPDX format files. SPDX also provides links to community-maintained and commercially available tools that support SPDX.
- Dependency Checker is capable of identifying code combinations at the dynamic and static link level. The tool also offers a license policy framework that enables FOSS compliance officers to define the combinations of licenses and linkage methods that should be flagged when the tool finds them.
- The Code Janitor provides linguistic review capabilities to make sure developers did not leave comments in the source code.