Linux Foundation launches Open Compliance Program
Open source software has many benefits, but one of the greatest is the ability to not reinvent the wheel. By sharing solutions, the open source community is able to develop great software quickly and effectively. Although open source software usually stands alone, on ideological grounds, you can easily find examples of open source software in a great number of successful proprietary applications, too. Some open source licenses permit use in proprietary software, and some does not. Navigating the plethora of open source and free software licenses can be confusing to developers. Some open source code gets inappropriately bundled into proprietary software intentionally, as a short-cut to success, and some gets bundled in violation of the open source licenses by accident or negligence. It can be expensive and embarrassing to companies when this sort of misappropriation of open source software occurs. Today the Linux Foundation is launching the Open Compliance Program to help avoid just these sorts of problems.
![](data:image/svg+xml;charset=utf-8,<svg height="122" width="613" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
Backed by big names you recognize — Intel, AMD, Google, Cisco, Nokia, Adobe, Sony, and many more — the Open Compliance Program is an effort to make it easier and cheaper to properly leverage open source software. The program is primarily comprised of self-administered training modules, but there are also some automated tools being rolled out to help programmatically identify license compliance issues. And new to the program is a standard license information data exchange format, so licensing information can be unambiguously communicated both upstream and downstream.
It all sounds interesting. Let’s hope the program is a success. Here’s the full press release:
The Linux Foundation Launches Open Compliance Program
Enterprise and Consumer Electronics Giants Join Forces to Help Address Increasing Complexities in Software Compliance
LINUXCON, Boston, Mass., August 10, 2010 – The Linux Foundation, the nonprofit organization dedicated to accelerating the growth of Linux, announced today the launch of the Open Compliance Program, a comprehensive initiative that includes tools, training, a standard format to report software licensing information, consulting and a self-assessment checklist that will help companies comply with open source licenses, increasing adoption of open source and decreasing legal FUD present in the marketplace.
As the use of Linux and other open source software has exploded in recent years, especially in mobile and consumer electronics products, the need has arisen for a trusted, neutral, non-commercial compliance program that offers a comprehensive offering of compliance training, tools and services. With today’s complex supply chains, it can be difficult to keep up with the code and licenses present in shipping products.
To address that complexity, The Linux Foundation has developed a set of tools, training curricula and a new self-administered assessment checklist that will allow companies to meet open source license obligations in a cost-effective and efficient manner. The Open Compliance Program also includes a new data exchange standard so companies and their suppliers can easily report software information in a standard way, a crucial missing link in the compliance landscape.
Founding participants of the program include enterprise computing and consumer electronics giants Adobe, AMD, ARM Limited, Cisco Systems, Google, HP, IBM, Intel, Motorola, NEC, Nokia, Novell, Samsung, Software Freedom Law Center, Sony Electronics and more than 20 other companies and organizations. Comments from all the companies and organizations can be found below.
“As Linux has proliferated up and down the product supply chain, so has the complexity of managing compliance,” said Jim Zemlin, executive director of The Linux Foundation. “Our mission is to enable the expansion of free and open source software, so we created this program to give companies the information, tools and processes they need to get the most out of their investment, while maintaining compliance with the licenses governing the software.”
“Compliance with free software licensing requirements is much easier for product manufacturers and distributors than certain industrial competitors want you to believe,” said Eben Moglen, founder and chairman, Software Freedom Law Center. “Free software licenses are designed to make it easy to copy, modify and redistribute software, commercially and non-commercially. But strong operational compliance engineering measures still play a crucial role, making risk avoidance both inexpensive and wholly effective. The Linux Foundation’s Open Compliance Program will make best operational practices for compliance accessible to all and will help commercial and non-commercial parties work together to improve those practices still further. Participation in this program, along with necessary legal advice and training, should allow any organization to meet its FOSS license compliance responsibilities completely, at very low cost.”
The six elements of The Linux Foundation’s Open Compliance Program are:
- Training and Education: The Linux Foundation now offers the industry’s most comprehensive compliance resource for training and informational materials. Training modules cover the fundamentals of open source licensing and compliance activities and can be tailored for audiences ranging from corporate executives to working professionals. Training will be offered live onsite or online. Information assets include free white papers, articles, and webinars available from noted compliance experts. More information on training and education can be found here: http://www.linuxfoundation.org/programs/legal/compliance/training-and-education.
- Tools: While there are many commercial and open source scanning tools available to identify the origin and license of source code, The Linux Foundation has developed complementary tools needed to help companies improve their open source compliance due diligence. The Linux Foundation has released initial versions of two of these tools as open source projects and urges other developers to contribute to them. They include:
- Dependency Checker: capable of identifying code combinations at the dynamic and static link level. In addition, the tool offer a license policy framework that enables FOSS Compliance Officers to define combinations of licenses and linkage methods that are to be flagged if found as a result of running the tool.
- Bill of Material (BoM) Difference Checker: capable of reporting differences between BoMs and therefore enabling companies to identify changed source code components and to better report included open source components in updated product releases. Development on the BOM Difference Checker will begin in late 2010.
- The Code Janitor: This tool provides linguistic review capabilities to make sure developers did not leave comments in the source code about future products, product code names, mention of competitors, etc. The tool maintains a database of keywords that are scanned for in the source code files to ensure code released is safe and ready for public consumption.
- Self-Assessment Checklist: The Linux Foundation has developed an extensive checklist of compliance best practices in addition to elements that must be available in an open source compliance program to ensure its success. Companies are invited to use this checklist as an internal self-administered exercise to evaluate their compliance in comparison to top tier best compliance practices. The checklist will be formally launched in late 2010.
- The SPDX Standard and Workgroup: This workgroup enables companies to standardize their bills of material to ease the discovery and labeling of open source components in their products; this is especially important for consumer electronics manufacturers who assemble parts from a variety of suppliers into their shipping products. The end result is companies using free and open source software will all be following the same reporting method, thereby reducing costs and complexity. More information can be found at www.linuxfoundation.org/workgroups/spdx
- A Compliance Directory and Rapid Alert System: The Linux Foundation has created a directory of compliance officers at companies using Linux and Open Source software in their commercial products so communication can be eased, information related to open source licenses can be easily disseminated and actions can be coordinated. This is a huge need in today’s market where it’s often times difficult for open source projects to identify the correct people at companies using their software to address issues of concern. Companies can add their contact information or developers can query the directory at: http://www.linuxfoundation.org/programs/legal/compliance/directory/
- Community: The above resources join the existing FOSSBazaar workgroup, which has a thriving and informed community of software and compliance professionals. As the open source ecosystem continues to evolve with new opportunities and risks, this community will focus discussion on how the industry can best adapt to the changes. The Linux Foundation welcomes all interested companies to participate at www.linuxfoundation.org/workgroups/fossbazaar or www.FOSSBazaar.org.
You can find out more about the program at: http://www.linuxfoundation.org/programs/legal/compliance
![](data:image/svg+xml;charset=utf-8,<svg height="133" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="105" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="125" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
