Establishing a Clean Software Baseline for Open Source License Compliance
The Linux Foundation | 08 March 2017
One of a company’s first challenges when starting an open source compliance program is to find exactly which open source software is already in use and under which licenses it is available.
This initial auditing process is often described as establishing a clean compliance baseline for your product or software portfolio. It is an intensive activity that can extend over months, depending on how early you started compliance activities in parallel with development.
Below are some recommendations, based on The Linux Foundation’s e-book Open Source Compliance in the Enterprise, for some of the best ways to achieve initial license compliance.
4 Activities to Establish Baseline Compliance
Organizations achieve initial compliance through the following activities:
• Early submission and review of open source usage requests.
• Continuous automated inspection of all source code, run at a predefined interval.
• Continual source code scans, including code received from third-party software providers, to intercept source code that was checked into the code base without a corresponding compliance ticket. Such source code scans can be scheduled to run on a monthly basis, for instance.
• Enforced design and architectural review, in addition to code inspections, to analyze the interactions between open source, proprietary code, and third-party software components. Such reviews are mandatory only when a given interaction may invoke license compliance obligations.
Compliance on Future Revisions
If a company fails to establish baseline compliance, it is almost guaranteed that future revisions of the same product (or other products built using the initial baseline) will suffer from compliance issues. To guard against such scenarios, companies should consider establishing other elements of a complete open source management program, including the following:
• Offer simple but enforced policies and lightweight processes.
• Include compliance checkpoints as part of the software development process as it moves from concept into shipping a product or software stack. Ideally, with every development milestone, you can incorporate a corresponding compliance milestone, ensuring that all software components used in the build have parallel and approved compliance tickets.
• Ensure availability of a dedicated compliance team.
• Utilize tools and automation to support efficient processing of compliance tickets.
There are several challenges in maintaining open source compliance, similar to those faced when establishing baseline compliance. In fact, many of the steps are identical, but on a smaller, incremental scale. We’ll cover recommendations for maintaining compliance in the next article in this series.
Read the other articles in this series:
The 7 Elements of an Open Source Management Program: Strategy and Process
The 7 Elements of an Open Source Management Program: Teams and Tools
How and Why to do Open Source Compliance Training at Your Company
Basic Rules to Streamline Open Source Compliance For Software Development
How to Raise Awareness of Your Company’s Open Source License Compliance