Establishing a Clean Software Baseline for Open Source License Compliance
The Linux Foundation | 08 March 2017
One of a company’s first challenges when starting an open source compliance program is to find exactly which open source software is already in use and under which licenses it is available.
This initial auditing process is often described as establishing a clean compliance baseline for your product or software portfolio. This is an intensive activity over a period of time that can extend for months, depending on how soon you started the compliance activities in parallel to the development activities.
Below are some recommendations, based on The Linux Foundation’s e-book Open Source Compliance in the Enterprise, for some of the best ways to achieve initial license compliance.
4 Activities to Establish Baseline Compliance
Organizations achieve initial compliance through the following activities:
• Early submission and review of open source usage requests.
• Continuous automated source code inspection based on a predefined interval of time for all source code.
• Continual source code scans, including code received from third-party software providers, to intercept source code that was checked into the code base without a corresponding compliance ticket. Such source code scans can be scheduled to run on a monthly basis, for instance.
• Enforced design and architectural review, in addition to code inspections, to analyze the interactions between open source, proprietary code, and third party software components. Such reviews are mandatory only when a given interaction may invoke license compliance obligations.
Compliance on Future Revisions
If a company fails to establish baseline compliance, it is almost guaranteed that future revisions of the same product (or other products built using the initial baseline) will suffer from compliance issues. To guard against such scenarios, companies should consider establishing other elements of a complete open source management program, including the following:
• Offer simple but enforced policies and lightweight processes.
• Include compliance checkpoints as part of the software development process as it moves from concept into shipping
a product or software stack. Ideally, with every development milestone, you can incorporate a corresponding compliance milestone, ensuring that all software components used in the build have parallel and approved compliance tickets.
• Ensure availability of a dedicated compliance team.
• Utilize tools and automation to support efficient processing of compliance tickets.
There are several challenges in maintaining open source compliance, similar to those faced when establishing baseline compliance. In fact, many of the steps are identical, but on a smaller, incremental scale. We’ll cover recommendations for maintaining compliance in the next article in this series.
Read the other articles in this series:
The 7 Elements of an Open Source Management Program: Strategy and Process
The 7 Elements of an Open Source Management Program: Teams and Tools
How and Why to do Open Source Compliance Training at Your Company
Basic Rules to Streamline Open Source Compliance For Software Development
How to Raise Awareness of Your Company’s Open Source License Compliance
Similar Articles
Browse Categories
2023 Compliance and Security Cloud Computing Open Source Projects Linux How-To 2024 Diversity & Inclusion LF Research Open Source Best Practices Blog Linux Foundation Newsletter 2022 Training and Certification Research Cross Technology Linux lf blog research report LFX cybersecurity linux blog project news software development AI Cloud Native Computing Foundation Legal OpenSearch Topic: Data Announcements Financial Services In the news Networking and Edge lf events Data Governance Energy Featured Events Industry: Finance Industry: Fintech Interoperability LF Energy Open Mainframe Open Models OpenChain System Administration This week at FINOS Topic: Security Topic: Sustainability amazon web services aws brand perception cloud native cncf confidential computing challenges eBPF generative AI human capital japan spotlight kernel lf projects license compliance maintainer openssf research survey sbom tech talent techtalentsurvey updates