An effective open source compliance program depends on a mutually supportive triad of tools, process, and people, as the well-known illustration from the Software Engineering Institute depicted back when the Capability Maturity Model was first constructed:
The Linux Foundation recognized the importance of this “trinity” in announcing the Open Compliance Program at LinuxCon in August, 2010. The Linux Foundation Launches Open Compliance Program | The Linux Foundation.
Tools support and enact an organization’s existing processes. Sometimes, the tools are so powerful and encompassing that they form the foundation of an entire process. And, of course, teams envelop a tool with procedures, work instructions, and other artifacts to guide its use within the context of an overall program.
In constructing the Open Compliance Program, the Linux Foundation contributed several open source tools to complement existing commercial compliance tools. The Dependency Checker identifies source code combinations at the dynamic and static link levels and provides a license policy framework that enables FOSS compliance officers to define combinations of licenses and linkage methods that are to be flagged if found as a result of running the tool. The Code Janitor helps a team “cleanse” its code of inappropriate comments and content prior to making a public release in compliance with open source license obligations. White papers and source code for these tools can be found at Compliance Tools | The Linux Foundation.
The process for an open source compliance program encompasses artifacts such as policies, process workflows, procedures, guidelines, checklists, forms and templates, plans, progress reports, metrics and so on. Many supporting elements help implement the core compliance processes of open source disclosure and discovery, review and approval, and obligation satisfaction, and community contributions, as depicted below.
The Open Compliance Program has developed a Self-Assessment Checklist as a confidential tool to help organizations gauge their progress in implementing a rigorous compliance process and prioritize their process improvement efforts. The checklist incorporates compliance practices found in industry-leading compliance programs, focusing on what must be done to achieve compliance goals. The Self-Assessment Checklist will be published November 1, 2010, on the Linux Foundation web site. Interested readers can also request a copy at Self-Assessment Compliance Checklist | The Linux Foundation.
The People dimension of a compliance program is especially crucial to its effectiveness. A compliance program must deploy a core compliance team of skilled and knowledgeable people, adequately staffed and with clear roles and responsibilities, organized in a way that makes sense for the business. And everyone in the company must understand its open source policy and appreciate what they must do to respect license obligations and follow company procedures. To assist organizations in defining and implementing an effective open source compliance program, the Linux Foundation has created compliance training in three versions: a half-day course for executives to help lay the groundwork for a compliance program; a comprehensive full-day course to lay out the compliance framework and implementation practices needed; and a two-day course that adds time for detailed working sessions with the compliance team on implementation specifics. And, by the way, the training emphasizes the critical role that tools play in a compliance program. To learn more about the training or to register, please go to Training and Education | The Linux Foundation.
Lastly on the People side, the FOSSBazaar site, FOSSBazaar | FOSSBazaar, hosts a community of people dedicated to increasing the adoption of free and open source software, which will be achieved, in part, through effective governance and compliance practices. Many industry leaders have contributed their thoughts on ways that tools, processes, and people can be coordinated to achieve compliance objectives.
So what can you do to implement a compliance program or enhance the effectiveness of your company’s existing program? Contact the Linux Foundation to schedule the comprehensive compliance training. Download the Self-Assessment Checklist once it’s available and use it to assess your compliance practices. Try out the tools we’ve made available and contribute your improvements back to the community. Get involved in the FOSSBazaar dialogues and in workgroups such as the SPDXTM project to standardize open source bills of material. Above all, let us know how the Linux Foundation can help. Contact us at