June 1, 2015

Why Companies That Use Open Source Need a Compliance Program

compliance paperCorporate use of open source software is now the norm with more than 60 percent of companies saying that they build their products with open source software, according to the 2015 Future of Open Source survey. But that same survey also revealed that most companies that use FOSS in their products don’t have formal procedures in place for ensuring that their software complies with open source licenses and regulations.

This is a dangerous trend for these companies and the open source community as a whole. Open source compliance failures leave companies, their suppliers and customers, vulnerable to lawsuits and often require costly engineering solutions to fix the problem. See the 2013 Fantec decision in Germany as an example of the potential liability for not managing a supply chain appropriately. Companies that don't manage compliance also erode an open source community’s trust, which can diminish a company’s influence in the projects they rely on for their products and inhibit open source developer recruitment and retention -- a critical competitive edge.

What is FOSS Compliance?

Most companies that have successfully integrated free and open source software (FOSS) and practices into their products create a FOSS compliance program. In its simplest definition, FOSS compliance means that users of FOSS must observe all the copyright notices and satisfy all the license obligations for the FOSS they use in commercial products. The complexity of achieving FOSS compliance increases slightly because you may also want to protect your intellectual property or possibly a third party supplier’s (whose source code is included in your product) from unintended disclosure.

FOSS compliance is typically more of an operational challenge related to execution and scaling than a legal challenge. Achieving compliance requires the aggregation of policies and processes, training, tools and proper staffing that enables an organization to effectively use FOSS and contribute to open source projects and communities. The goal is a FOSS compliance program that enables your business while respecting the rights of copyright holders who have offered you the ability to use the code freely. The R&D savings alone associated with the benefit your company derives would likely cover the internal process costs associated with complying with license obligations, and at the same time helping create a chain of compliance trust between your customers and suppliers.

The key to many successful FOSS compliance programs is a centralized core team, typically called something like the “Open Source Review Board” (OSRB). This team is usually comprised of knowledgeable experts in FOSS (e.g. from development and legal) plus representatives from engineering, product teams and supply chain. Well run programs often have a Compliance Officer (or sometimes called Director of Open Source) who owns the mission of compliance for the organization and who coordinates between product teams and business units. In addition to the core OSRB team, you may also find benefits from establishing an extended team that consists of various individuals across multiple departments (Documentation, Corporate Development, IT, Localization, etc.).

In this arrangement, legal counsel often provides practical advice to the software development team that enables developers to make daily decisions related to open source licenses without having to go back to the legal counsel for every single question. Much of this has been covered in our white paper, “Practical Advice to Scale Open Source Legal Support” where Ibrahim Haddad (now at Samsung Research Americas) discussed the role of legal counsel in ensuring FOSS compliance. He also examined practical advice that attorneys can provide to the software development team.

Free FOSS Compliance Resources

There are also several free resources available to help companies address the operational challenges of FOSS compliance, including:

The Linux Foundation offers hands-on training from compliance experts for individuals and companies responsible for achieving compliance with open source licenses and establishing an open source compliance program, as well as for those who simply want to learn more about compliance. Options available include live onsite training in addition to instructor-led live remote training. A certificate is provided to all who complete the training.

Developed by the SPDX workgroup hosted by the Linux Foundation, the specification helps facilitate compliance with free and open source software licenses by providing a standard format for communicating the components, licenses and copyrights associated with a software package.

A new Linux Foundation work group that aims to create a set of compliance best practices for companies to use not only internally, but with their supply chain. OpenChain seeks to embed best practices for FOSS compliance into supply chains, using a shared standard and best practices that form an auditable standard for FOSS compliance.

Developed by the Linux Foundation, the FOSS Bar Code Tracker, Dependency Checker Tool, and Code Janitor Tool are among several open source compliance tools available to help track important information on the FOSS stack contained in a product.

Each of these tools address topics on their own. Over the next few months I hope to dive deeper into various aspects of FOSS compliance that we often see multiple companies struggling to address. Further, I’d like to hear how your company is handling compliance and what areas in the industry could use more focus. You can find me on Twitter at @mdolan.

Download the full white paper, Practical Advice to Scale Open Source Legal Support.

Read Part 2: 5 Essential Duties of Legal Counsel in an Open Source Compliance Program

Part 3: 5 Practical Ways for Legal Counsel to Advise Developers on Open Source

Click Here!