Open source compliance garnered its fair share of attention at the recently-completed Linux Foundation Collaboration Summit April 6-8 in San Francisco. There were great presentations in a compliance track and a legal track, as well as working group sessions for the SPDXTM technical and business workstreams. And there was a great turnout for the Linux Foundation’s offering of the full-day compliance training course immediately after Collaboration Summit. Most of all, attendees reinforced their commitment to compliance as the way to do business and focused their attention on ways to operationalize compliance activities and make them more efficient and ingrained in everyday business practices.
The Compliance track featured presentations by a variety of compliance professionals. Kim Weins spoke about OpenLogic’s study reporting low levels of license compliance in the app development space. Phil Odence of Black Duck Software, one of the leaders of the SPDX project, overviewed SPDX accomplishments and future directions. I spoke about the Linux Foundation’s Open Compliance Program, highlighting compliance resources such as our training courses, white papers, and self-assessment checklist. Bradley Kuhn of the Software Freedom Conservancy offered a retrospective on twelve years of FLOSS license compliance activities. And Jim Markwith of GE Healthcare Information Technology provided a corporate and legal perspective on compliance processes.
We’re putting together a compliance track now for LinuxCon North America 2011, which comes to Vancouver in mid-August. There’s still time for people to submit a presentation proposal online, or you can email me with suggestions or questions at
Two ways of integrating compliance into business practices generated the most discussion at the conference. First, teams came together at Collaboration Summit to continue progress on the SPDX project, which provides a standard format and mechanism for exchanging software bill of materials information between supply chain partners. A half-day technical working session reviewed and revised the technical spec release candidate that will be made available later in April. An official Version 1 spec release is planned for LinuxCon North America. The SPDX Viewer and Translator tools were also discussed and are coming along nicely.
Meanwhile, the business workstream’s working session focused on readiness for the SPDX beta program, starting in May, in which committed pairs of trading partners plan to exchange bill of material information using the SPDX format. The business workgroup also brainstormed ideas on how to gain mindshare for SPDX. They plan to work with the distro vendors, open source communities, and the FOSS license enforcement community to foster adoption of the SPDX standard. The business team will also refresh the spdx.org website, with presentations and white papers putting SPDX more clearly in a supply chain context. They’ll highlight the SPDX value proposition for driving down the cost of supply chain by eliminating redundant analyses and assuring a network of trust through verification and accountability. A key to ultimate SPDX adoption, according to session attendees, will be to push bill of material information-gathering as close to its development source as possible, i.e. open communities and commercial software suppliers. An ideal state will be one where consumers of software products demand SPDX data of their suppliers.
By the way, the SPDX workgroup welcomes new members. If you’re eager to make a contribution, please take a look at “Getting Started with Participation.”
Beyond the SPDX work, many conference attendees listened keenly in plenary sessions to descriptions of the YoctoTM Project. Yocto will provide templates, tools, methods, and working code for creating a custom Linux operating system for new embedded devices, regardless of the hardware architecture. (There’s a great Yocto video on the LF website and more project details can be found at http://www.yoctoproject.org.) Yocto also enables production of custom application development tools for the new OS and the ability to test software out in an emulator. So conference attendees concerned with compliance immediately started talking about how cool it would be to integrate an SPDX-generation capability into the Yocto toolset and other build management tools such as Maven, so that SPDX-compliant bill of materials are generated as a natural outcome of the build process.
All in all, Collaboration Summit was a great opportunity to share perspectives with conference attendees and work face-to-face on common issues. Collaboration Summit was also the kickoff to the Linux Foundation’s 20th anniversary celebration of Linux, culminating at LinuxCon North America in August. Check out the clever 3 ½ – minute commemorative video at http://www.linuxfoundation.org/20th/.