“We’re doing a lot in the space but yet people think we’re doing the opposite, so something is really wrong,” Haddad said.
This is in part due to a number of open source license compliance issues in the last few years, including an incident last August when Samsung was called out for violating Linux’s GPL, he said. Though the company fixed the problem within two weeks, he said, the resulting distrust lingers.
How does a company like Samsung go about building trust in the open source community and with its partners and customers in the broader software industry? Simply using open source software and contributing back to those projects upstream isn’t enough. Companies must ensure compliance with open source software licenses in their products as well.
To help companies build trust with the open source community through compliance, Samsung and several partner companies have formed a new working group, hosted by The Linux Foundation. OpenChain aims to create a set of compliance best practices for companies to follow internally. The group’s latest meeting was held at Collaboration Summit last week.
“It starts by building trust within your own company,” Haddad said. “That will eventually propagate through the whole software supply chain.”
Samsung’s Compliance Program
Samsung gets software from thousands of partners and ships millions of devices per quarter; ensuring compliance is not an easy task. The company does still experience some issues, Haddad said, but it has also succesfully reduced the number of missteps over the past three to four years by creating a new compliance program, led by the company’s Open Source Innovation Group.
They began by identifying the common points of failure – where compliance issues were likely to arise. This included failures in policy, process, tooling, the software procurement process, and other minor areas such as failure to produce the proper binaries or a website access error.
“We’ve experienced all of these multiple times,” Haddad said.
Then for every failure they found, they came up with a resolution. For example, to reduce confusion and errors in their compliance policy among employees, Samsung reduced it to essentially one, easy to remember sentence: Any code you get from the outside has to go through a process.
The next step was making the compliance process very light weight. They track all incoming software from internal as well as third-party sources through a ticketing system. And there’s a 5-step approval process for creating or participating in open source projects, with product managers responsible for smaller requests (such as contributing minor patches to a project) and an open source review board taking larger requests such as forming a new open source project.
They also have a common set of tools for open source projects now, and a set of courses for developers on open source compliance and development. Developers who want to earn the presitigous title of “software architect” at Samsung are required to take those two courses as part of their overall training for advancement, for example.
Scaling compliance for an industry
Based on its own experiences, Samsung’s Open Source Group has boiled open source compliance down to five basic goals that companies should meet in order to help build trust internally and within the industry:
Goal 1: Everyone knows their FOSS responsibilities.
Goal 2: Responsibility for achieving compliance is assigned.
Goal 3: FOSS content (packages/licenses) is known.
Goal 4: FOSS content is reviewed and approved.
Goal 5: FOSS obligations are satisfied.
“As a company, our responsibility is to meet those goals and introduce practices that support each goal,” Haddad said. “If everyone had those in place, our compliance problems would go away.”
The OpenChain work group will help flesh out the criteria for meeting each goal and decide how to verify companies that participate — whether it’s independently through a third-party mechanism or self-policed. Anyone can join the work group and contribute to the conversation.
Companies can then work on implementing each of the five goals incrementally. Their level of completion would be scored on a “scale of compliance.”
“Then when I’m doing business with a company, I can ask them where they are on the scale of compliance,” Haddad said. “That brings a certain level of trust.”
“Just for a second let’s imagine that everyone we interact with on the software side acutally has this in place,” Haddad concluded in his presentation. “In that case the problem we had in August wouldn’t have happened.”