There are generally two teams involved in achieving open source license compliance within an organization: a core team and an extended team of individuals from various departments.

No individual, no matter how adept, can successfully implement open source compliance across an entire organization. Keeping track of where and how open source code is used, approved, and shipped must be a cross-functional team effort.

From core engineering and product teams, to legal counsel and upper management, compliance involves individuals in many roles from various departments throughout the company.

In this article, highlighting a chapter of The Linux Foundation ebook Open Source Compliance in the Enterprise by Ibrahim Haddad, we’ll give an overview of the roles and responsibilities that any open source compliance program should include. Together, these are the individuals who will make sure your company stays current and compliant with the open source licenses in the code you use and ship.

3 Key roles on an open source compliance team

There are generally two teams involved in achieving compliance: a core team and an extended team, with the latter typically being a superset of the former. The core team, often called the Open Source Review Board (OSRB), is made up of three key roles: representatives from the engineering and product teams, one or more legal counsels, and the compliance officer or open source program office manager.

Legal representative: A legal counsel or paralegal, depending on the task. Reviews and approves usage, modification, and distribution of free and open source software (FOSS); provides guidance on licensing; contributes to compliance training; reviews and approves open source notices; and more.

Engineering and product team representative: Follows compliance policies and processes; requests approval to use (and/or contribute to) open source projects; responds quickly to all questions; conducts design, architecture, and code reviews; prepares software packages for distribution; and more.

Open source compliance officer, manager, or director: Not necessarily a dedicated resource, this person drives all compliance activities; coordinates source code scans and audits, and the distribution of source code packages; contributes to compliance training and to the creation of new tools that automate FOSS discovery in the development environment; and more.

Others involved in open source compliance

The extended team includes a larger group of individuals from across multiple departments who contribute on an ongoing basis to the open source compliance effort. Unlike the core team (in larger organizations), members of the extended team work on compliance only on a part-time basis, based on tasks they receive from the core review board. Roles and responsibilities include:

  • Documentation – Includes open source license information and notices in the product documentation, including license text, written offer, copyright and attribution notices
  • Supply Chain – Requires third-party software providers to disclose open source in licensed or purchased software components, and assists with the ingress of third-party software that is bundled with and/or includes open source software
  • Corporate Development – Requests that open source compliance be completed before a merger or acquisition, or when receiving source code from outsourced development centers or third-party software vendors
  • IT – Provides support and maintenance for the tools and automation infrastructure used by the compliance program, and creates and/or acquires new tools based on OSRB requests
  • Localization – Translates basic open source information related to the product or software stack into the target languages
  • Open Source Executive Committee (OSEC) – Typically includes executives representing Engineering and Legal. The OSEC reviews and approves proposals to release IP and proprietary source code under an open source license.

Read other articles in this series:

The 7 Elements of an Open Source Management Program: Strategy and Process

The 7 Elements of an Open Source Management Program: Teams and Tools

How and Why to do Open Source Compliance Training at Your Company

Basic Rules to Streamline Open Source Compliance For Software Development

How to Raise Awareness of Your Company’s Open Source License Compliance

Establishing a Clean Software Baseline for Open Source License Compliance

Ibrahim Haddad (Ph.D.) is Vice President of R&D and the Head of the Open Source Group at Samsung Research America. He is responsible for overseeing Samsung’s open source strategy and execution, internal and external R&D collaborations, supporting M&A and Corporate VC activities, and representing Samsung towards open source foundations. He is currently serving as Vice President of the Open Connectivity Foundation and the Director on the Board representing Samsung Electronics.

LOS ANGELES – OPEN SOURCE SUMMIT NORTH AMERICA – September 11, 2017 — The OpenChain Project is proud to welcome Hitachi as a Platinum Member. Hitachi joins eleven other companies to take a leadership role in our industry standard for open source compliance in the supply chain.

“The inclusion of Hitachi in our community is pivotal,” says Shane Coughlan, OpenChain Program Manager. “As a leader in numerous technology areas, and as a long-term contributor to the open source community, Hitachi is perfectly positioned to help us take the OpenChain Project to the next level. We look forward to working closely together to build out adoption of the OpenChain Specification in the supply chain.”

“We are delighted to join the OpenChain Project as a Platinum Member,” says Teruhisa Ishikawa, Director of OSS Solution Center, Systems & Services Business Division, Hitachi, Ltd. “Open source delivers value to multiple market segments and underpins many mission critical technologies. Good governance and clear standards are vital for effective, sustainable use. OpenChain helps empower companies of all sizes to benefit from the knowledge and experience of the community as a whole. We look forward to encouraging greater adoption.”

About The OpenChain Project

The OpenChain Project identifies key recommended processes for effective open source management. The project builds trust in open source by making open source license compliance simpler and more consistent.

The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain. Organizations of all sizes are invited to review the OpenChain Project, to complete our free Online Self-Certification Questionnaire, and to join our community of trust.

The OpenChain Project has twelve Platinum Members that support its work: Adobe, Arm, Cisco, Harman, Hitachi, HPE, GitHub, Qualcomm, Siemens, Toyota, Wind River and Western Digital.

Additional Resources

The OpenChain Conformance page

The list of OpenChain Conformant organizations

About Hitachi, Ltd.

Hitachi, Ltd. (TSE: 6501), headquartered in Tokyo, Japan, delivers innovations that answer society’s challenges. The company’s consolidated revenues for fiscal 2016 (ended March 31, 2017) totaled 9,162.2 billion yen ($81.8 billion). The Hitachi Group is a global leader in the Social Innovation Business, and it has approximately 304,000 employees worldwide. Through collaborative creation, Hitachi is providing solutions to customers in a broad range of sectors, including Power / Energy, Industry / Distribution / Water, Urban Development, and Finance / Government & Public / Healthcare. For more information on Hitachi, please visit the company’s website at http://www.hitachi.com.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

# # #

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact:

pr@linuxfoundation.org

Communication is one of the seven essential elements to ensure the success of open source license compliance activities. And it’s not enough to communicate compliance policies and processes with executive leadership, managers, engineers, and other employees. Companies must also develop external messaging for the developer communities of the open source projects they use in their products.

Below are some recommendations, based on The Linux Foundation’s e-book Open Source Compliance in the Enterprise, for some of the best ways to communicate open source license compliance both internally and externally.

Internal Communication

Companies need internal compliance communication to ensure that employees are aware of what is involved when they include open source in a commercial software portfolio, and that they are educated about the company's compliance policies, processes, and guidelines. Internal communications can take any of several forms:

  • Email communication conveying executive support for open source compliance activities

  • Formal training mandated for all employees working with open source software

  • Brown-bag open source and compliance seminars to bring additional compliance awareness and promote active discussion

  • An internal open source portal to host the company’s compliance policies and procedures, open source related publications and presentations, mailing lists, and a discussion forum related to open source and compliance

  • A company-wide open source newsletter, usually sent every other month or on a quarterly basis, to raise awareness of open source compliance

External Communication

Companies also need external compliance communications to ensure that the open source community is aware of their efforts to meet the license obligations of the open source software they are using in their products.

External communications can take several forms:

  • A website dedicated to distributing open source software for the purpose of compliance

  • Outreach to, and support of, open source organizations, which helps the company build relationships with those organizations, understand their roles, and contribute to their efforts where it makes sense

  • Participation in open source events and conferences. This can be at various levels, ranging from sponsoring an event, to contributing presentations and publications, to simply sending developers to attend, meet open source developers, and foster new relationships with open source community members.

Read the other articles in this series:

The 7 Elements of an Open Source Management Program: Strategy and Process

The 7 Elements of an Open Source Management Program: Teams and Tools

How and Why to do Open Source Compliance Training at Your Company

Basic Rules to Streamline Open Source Compliance For Software Development