Phil Odence is Vice President at Black Duck Software and helps lead the SPDX workgroup at The Linux Foundation. He will be moderating a keynote panel next week at The Linux Foundation Collaboration Summit titled "Getting the Kinks Out of the Software Supply Chain."
Open compliance has become a bigger area of emphasis in the Linux and open source communities as the collaborative development model and software have become widely adopted. The topic is one in which we at The Linux Foundation receive many requests for resources and more information. As part of our series of Q&As with the Summit's keynote speakers, we asked Phil a few questions about the upcoming panel and the state of open source license compliance.
You will be moderating a keynote panel at The Linux Foundation Collaboration Summit. Can you give us a teaser about what we can expect from the group?
Odence: Everyone on the panel represents a company dependent on a software supply chain and is passionate about achieving efficiency and license compliance. Their organizations are unique, so each has their own perspective. It will be a great combination of conceptual agreement and differing perspectives.
How has the global supply chain changed in recent years and how is this impacting open source license compliance?
Odence: Two things: 1) Software has gone from being developed within four walls to across complex supply chains, and 2) the use of open source has ramped dramatically. Companies assembling software don't have very good upstream visibility and at the same time know there's lots of open source in the code and therefore potentially many license requirements with which they need to comply.
What are some of the key challenges companies still face with regards to open source licenses and compliance? What is being done to address them?
Odence: It's a lot of work and it tends to be redundant, i.e. repeated down the supply chain. It's that frustration that has led a number of companies to come together to work on SPDX. There are other components to the answer—policies, processes, education, tooling—but SPDX is a keystone.
Can you tell us more about SPDX and how it works?
Odence: It's conceptually simple: A common way to represent what's in a software package and the associated license. There are devilish details, but the idea is that if everyone in a supply chain is sharing information in this way, it makes it much easier and cheaper to know what's in the software and what the licenses are.
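As an added illustration of that idea (this is example code written for this page, not the interview's content and not SPDX's own tooling), the script below parses a small SPDX document and checks the licenses it reports against a policy. It assumes the SPDX 2.2 tag-value syntax, which is later than the version discussed at the time of this interview; the sample document, the subset of the SPDX license list, the forbidden-license policy and the helper names are all constructed here.

```python
"""Added example: parse an SPDX tag-value document and check its licenses.

Assumptions: SPDX 2.2 tag-value field names; the document, the license
subset and the policy below are constructed for illustration only.
"""
import re

# Constructed sample document: one package with two source files.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-firmware-1.0
DocumentNamespace: http://example.invalid/spdxdocs/example-firmware-1.0
Creator: Organization: Example Vendor
Created: 2024-01-01T00:00:00Z

PackageName: example-firmware
SPDXID: SPDXRef-Package-firmware
PackageVersion: 1.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: true
PackageLicenseConcluded: (MIT AND GPL-2.0-only)
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION

FileName: ./src/net.c
SPDXID: SPDXRef-File-net
LicenseConcluded: GPL-2.0-only
FileCopyrightText: NOASSERTION

FileName: ./src/util.c
SPDXID: SPDXRef-File-util
LicenseConcluded: MIT
FileCopyrightText: NOASSERTION
"""

# Constructed subset of the SPDX standard license list (short identifiers).
KNOWN_LICENSES = {"MIT", "GPL-2.0-only", "Apache-2.0", "BSD-3-Clause"}

# One "Tag: value" pair per line; blank and unrecognised lines are skipped.
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text):
    """Return (header, packages, files); each is a dict of tag -> value."""
    header, packages, files = {}, [], []
    current = header
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":        # a new package record starts here
            current = {}
            packages.append(current)
        elif tag == "FileName":         # a new file record starts here
            current = {}
            files.append(current)
        current[tag] = value
    return header, packages, files


def license_ids(expression):
    """Extract license identifiers from a simple SPDX license expression."""
    tokens = expression.replace("(", " ").replace(")", " ").split()
    skip = {"AND", "OR", "WITH", "NOASSERTION", "NONE"}
    return [t for t in tokens if t not in skip]


def check_document(text, forbidden):
    """List (name, problem) findings for the packages and files in the doc."""
    _, packages, files = parse_tag_value(text)
    findings = []
    for rec in packages + files:
        name = rec.get("PackageName") or rec.get("FileName")
        expr = (rec.get("PackageLicenseConcluded")
                or rec.get("LicenseConcluded", "NOASSERTION"))
        if expr == "NOASSERTION":
            findings.append((name, "no concluded license"))
        for lic in license_ids(expr):
            if lic not in KNOWN_LICENSES:
                findings.append((name, f"unknown license id {lic}"))
            elif lic in forbidden:
                findings.append((name, f"forbidden license {lic}"))
    return findings


def package_file_consistency(text):
    """Names of files whose concluded license is missing from every package."""
    _, packages, files = parse_tag_value(text)
    pkg_ids = set()
    for p in packages:
        pkg_ids.update(license_ids(p.get("PackageLicenseConcluded", "")))
    return [f["FileName"] for f in files
            if not set(license_ids(f.get("LicenseConcluded", ""))) <= pkg_ids]


if __name__ == "__main__":
    for name, problem in check_document(SAMPLE_SPDX, {"GPL-2.0-only"}):
        print(f"{name}: {problem}")
    print("inconsistent files:", package_file_consistency(SAMPLE_SPDX))
```

Run as-is, the policy flags both the package and `./src/net.c` for the GPL-2.0-only component, while the file-level licenses are consistent with the package's concluded expression. The same document, handed downstream unchanged, lets the next company in the chain run the same check without re-auditing the source.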
The SPDX workgroup has really advanced work on how to ease open source license compliance. Can you tell us how the group was able to accomplish so much? Companies and community members can learn a lot from others about best practices on how to collaborate.
Odence: While the group is not developing software per se, from the outset we've run ourselves like an open source project without a lot of rules, hierarchy, structure or budget. Everyone involved is open source savvy so we can tell new participants, "We run like an open source project," and they get it. The support of The Linux Foundation was helpful in initially assembling a critical mass, and on an ongoing basis, the infrastructure and events have provided us logical gathering opportunities and places. I'm not sure we'd ever actually see each other without Linux events.
What's next for the SPDX group?
Odence: Each of our three teams has a clear, going-forward focus. The Business Team needs to drive broader adoption across, as well as up and down, supply chains. The Technical Team wrestles with evolving the spec to support hierarchy in an intuitive and simple way. The Legal Team has a real gem in the standard license list we developed; they are polishing that up and defining a process to expand it.
Literally our next step after the Collaboration Summit is the Forum we are running in San Jose on Friday, April 6. We welcome any locals who want an in-depth introduction to join us.