While complying with FOSS licenses is not overly difficult, it can be complex and many companies have asked for help ensuring that they don't run afoul of license requirements. Today the requests have been answered.
More than 30 companies have joined with The Linux Foundation today to launch the Open Compliance Program (OCP), an initiative to help companies ensure that their products comply with the requirements of FOSS licenses. The program comprises a set of open source tools to enable compliance efforts, a self-assessment checklist, training and consulting services, and a directory of compliance officers at participating companies.
As Linux and FOSS use has increased in the commercial market, a few commercial programs have sprung up to help companies deal with license compliance issues. However, there's been no industry standard for compliance issues or tools for companies that wish to handle compliance issues in-house. The Linux Foundation, with companies like IBM, AMD, Intel, Nokia, Google, and with the Software Freedom Law Center, has put together a tool-set and community to help deal with the common industry challenge of FOSS license compliance.
One of the most interesting features of the program is the compliance tools. Offered under the MIT license, the tools include a dependency checker, code janitor, and Bill of Material Difference Tool (BoM Diff). The dependency checker makes it possible to examine a project and provide an alert based on rules about a combination of licenses and linkage methods. The code janitor scans code for comments and provides a way for companies to ensure that the comments released with open source code don't divulge product plans or other information that shouldn't leave company walls.
The BoM tool is still scheduled for development beginning later in 2010. This will be a project that reports differences in bills of materials between versions to help companies with reporting and compliance between releases.
The Linux Foundation also points to several other tools developed prior to the launch of the OCP, including binary analysis tools to examine components that went into a product and FOSSology. FOSSology analyzes every file in a project for license information, which can be very useful for organizations including open source projects in their products or deploying them internally.
Finally, the OCP includes a self-assessment checklist so companies have a set of best practices for complying with FOSS license requirements.
Workgroup and Directory
The compliance program is being guided by the FOSSBazaar workgroup, which is developing a Software Package Data Exchange (SPDX) specification for organizations and projects to share information about licensing and copyrights associated with a project. The site for SPDX is available now and includes th specification and list of licenses for the tool, as well as usage guidelines.
Finding the right party at a company to discuss compliance issues can be a hassle for open source developers. Often it's non-obvious inside a company, much less outside, who is responsible for dealing with open source licensing issues for a given company. As part of the OCP, The Linux Foundation is providing a compliance directory and rapid alert system so developers can quickly reach out to compliance officers. Signups for the directory are open, so any company can add its compliance officer or other responsible person to the directory.
All of the tools in the world, of course, are of limited value without the capacity to use them. While some companies are adept at working in the open source community, others are still getting their bearings. For companies that need help with the tools and practices, The Linux Foundation is offering training and consulting for organizations that want to learn how to ensure their efforts meet the requirements of FOSS licenses.
Companies interested in compliance and other issues around open source are also encouraged to join the FOSSBazaar community. FOSSBazaar is a community of practice for accelerating adoption of FOSS in the enterprise.
Complying with open source licenses is not difficult, but it does require some effort and the right tools. With the Open Compliance Program, the Linux Foundation and FOSSBazaar are ensuring that organizations have the tools they need.