KubeCon + CloudNativeCon Europe · Apr 1-4 · London REGISTER TODAY

Search

    Join
    • Home
    • Blog
    • Establishing a Clean Software Baseline for Open Source License Compliance
    3 MIN READ

    Establishing a Clean Software Baseline for Open Source License Compliance

    The Linux Foundation | 08 March 2017

    One of a company’s first challenges when starting an open source compliance program is to find exactly which open source software is already in use and under which licenses it is available.

    This initial auditing process is often described as establishing a clean compliance baseline for your product or software portfolio. This is an intensive activity over a period of time that can extend for months, depending on how soon you started the compliance activities in parallel to the development activities.

    Below are some recommendations, based on The Linux Foundation’s e-book Open Source Compliance in the Enterprise, for some of the best ways to achieve initial license compliance.

    4 Activities to Establish Baseline Compliance

    Organizations achieve initial compliance through the following activities:

    • Early submission and review of open source usage requests.

    • Continuous automated source code inspection based on a predefined interval of time for all source code.

    • Continual source code scans, including code received from third-party software providers, to intercept source code that was checked into the code base without a corresponding compliance ticket. Such source code scans can be scheduled to run on a monthly basis, for instance.

    • Enforced design and architectural review, in addition to code inspections, to analyze the interactions between open source, proprietary code, and third party software components. Such reviews are mandatory only when a given interaction may invoke license compliance obligations.

    Compliance on Future Revisions

    If a company fails to establish baseline compliance, it is almost guaranteed that future revisions of the same product (or other products built using the initial baseline) will suffer from compliance issues. To guard against such scenarios, companies should consider establishing other elements of a complete open source management program, including the following:

    • Offer simple but enforced policies and lightweight processes.

    • Include compliance checkpoints as part of the software development process as it moves from concept into shipping

    a product or software stack. Ideally, with every development milestone, you can incorporate a corresponding compliance milestone, ensuring that all software components used in the build have parallel and approved compliance tickets.

    • Ensure availability of a dedicated compliance team.

    • Utilize tools and automation to support efficient processing of compliance tickets.

    There are several challenges in maintaining open source compliance, similar to those faced when establishing baseline compliance. In fact, many of the steps are identical, but on a smaller, incremental scale. We’ll cover recommendations for maintaining compliance in the next article in this series.

    Open source compliance

    Read the other articles in this series:

    The 7 Elements of an Open Source Management Program: Strategy and Process

    The 7 Elements of an Open Source Management Program: Teams and Tools

    How and Why to do Open Source Compliance Training at Your Company

    Basic Rules to Streamline Open Source Compliance For Software Development

    How to Raise Awareness of Your Company’s Open Source License Compliance
    Similar Articles
    Browse Categories
    Cloud Computing Open Source Compliance and Security Projects LF Research 2024 Blog Linux How-To Open Source Ecosystem and Governance Diversity & Inclusion Research Newsletter Data, AI, and Analytics linux blog Linux Training and Certification Cross Technology lf events software development Cloud Native Computing Foundation cybersecurity Announcements Decentralized Technology Legal

    Stay Connected with the Linux Foundation