Today we are announcing the open source beta release of EasyCLA, one of several services that are part of LFX.

EasyCLA helps maintainers of open source projects to streamline their workflows and reduce the hassles of managing Contributor License Agreements (CLAs) and authorizing contributors.

By automating many of the manual processes, this software-as-a-service hosted by the Linux Foundation reduces delays for developers to get authorized under a CLA.

Companies involved in open source projects benefit from having direct control over and visibility into which of their developers can contribute under their signed Corporate CLA.

The Linux Foundation already manages over 10,000 signed CLAs.  This experience has enabled us to build EasyCLA so it can scale with the largest open source projects, freeing up thousands of hours of time for developers, maintainers, and companies contributing to open source.

What is a CLA?

CLA stands for Contributor License Agreement, essentially a contract between the open source project entity and either an individual developer or the company contributing code.

CLAs are usually categorized as either Individual CLAs or Corporate CLAs.

By signing an Individual CLA, an individual developer agrees that they have the right to contribute code and are doing so in accordance with the terms in the CLA.  When an individual signs their Individual CLA, they bind their contributions to the project under the terms of the CLA.

The complexity multiplies, however, when the project requires a Corporate CLA.

Corporate CLAs are often desired to provide direct corporate authority for employees of a company to make contributions with explicit authority for the grants (e.g. a patent grant) in an open source license.

There are other potential uses of Corporate CLAs, but it’s a project’s decision whether to use a CLA or not. In some projects, a CLA may address concerns amongst the contributor and user communities that make it easier for them to participate in the community.  Other projects may not have the same level of concern, and for them a CLA may, in fact, become a barrier to participation and “drive-by” contributions.

If the project decides to use a CLA and a contributing developer works for a company, a Corporate CLA needs to be signed by an authorized signatory of the company who employs them. By signing the Corporate CLA and then indicating which developers are authorized to contribute code under that CLA, the company removes ambiguity about who the company has authorized to contribute under the terms of the CLA and license for the project.

The Linux Foundation often recommends a “license-in” == “license-out” model, in which contributions are made under the project’s own license with a Developer Certificate of Origin (DCO) “Signed-off-by” statement on each commit.  The developer thereby self-certifies their right to contribute to the project. Projects can easily enforce the DCO “Signed-off-by” requirement in code review tools such as Gerrit, GitHub[1] and GitLab.
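The check that a DCO enforcement bot performs, as an added example written for this page (it is not the code of the GitHub DCO app or of any other tool named here): each commit message is scanned for a `Signed-off-by:` trailer and, as an assumed policy that mirrors what such bots commonly require, at least one trailer must carry the commit author’s e-mail address. The commit records are constructed inline; in practice they would come from `git log` or the pull request’s commit list.

```python
"""DCO sign-off check over a constructed set of commits (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A DCO sign-off is a git trailer line of the form "Signed-off-by: Name <email>".
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>[^<]+?)\s*<(?P<email>[^>\s]+)>\s*$", re.MULTILINE
)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    message: str


def signoffs(message: str) -> List[str]:
    """Return the e-mail addresses from every Signed-off-by trailer, lower-cased."""
    return [m.group("email").lower() for m in SIGNOFF_RE.finditer(message)]


def check_dco(commit: Commit) -> Optional[str]:
    """Return None if the commit passes, otherwise a human-readable reason.

    Policy (an assumption of this example): at least one Signed-off-by trailer must
    match the commit author's e-mail, compared case-insensitively.
    """
    emails = signoffs(commit.message)
    if not emails:
        return "missing Signed-off-by trailer"
    if commit.author_email.lower() not in emails:
        return (f"Signed-off-by ({', '.join(emails)}) does not match "
                f"author {commit.author_email}")
    return None


def check_range(commits: List[Commit]) -> Dict[str, str]:
    """Map each failing sha to its reason; an empty dict means the whole range is clean.

    Every commit in a series is checked, not just the tip: one unsigned commit in
    the middle still lacks certification.
    """
    failures: Dict[str, str] = {}
    for commit in commits:
        reason = check_dco(commit)
        if reason is not None:
            failures[commit.sha] = reason
    return failures


# Constructed sample commits (not real history): one clean, one with no trailer,
# one signed off by somebody other than the author, one with mixed-case e-mail
# and an unrelated Reviewed-by trailer that must be ignored.
SAMPLE_COMMITS = [
    Commit("a1b2c3", "Alice Example", "alice@example.com",
           "fix: handle empty input\n\nSigned-off-by: Alice Example <alice@example.com>\n"),
    Commit("d4e5f6", "Bob Example", "bob@example.com",
           "feat: add parser\n"),
    Commit("789abc", "Carol Example", "carol@example.com",
           "docs: update README\n\nSigned-off-by: Someone Else <other@example.com>\n"),
    Commit("def012", "Dan Example", "Dan@Example.COM",
           "chore: bump version\n\nReviewed-by: Carol <carol@example.com>\n"
           "Signed-off-by: Dan Example <dan@example.com>\n"),
]

if __name__ == "__main__":
    for sha, reason in check_range(SAMPLE_COMMITS).items():
        print(f"{sha}: {reason}")
```

A pre-receive hook or CI job would run `check_range` over every commit between the target branch and the pushed head and reject the push on any failure; matching the trailer against the author rather than merely requiring its presence is what stops a contributor from pasting someone else’s sign-off.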

Some projects have considerations that lead to requiring a CLA in addition to using the DCO.

The agreement could include, for example, a statement of the license terms for the contribution to that project; a confirmation that the developer’s employer has authorized the contribution under those terms; or statements confirming that the contributor actually wrote the contribution. Some project communities believe these explicit statements provide greater certainty about rights contributors grant to the project.

In this case, the project maintainers carry the burden of managing the CLAs and the lists of authorized contributors. The burden increases as the number of contributors grows.

Automating the CLA process with EasyCLA alleviates this administrative load on the maintainers.

What Challenges does EasyCLA solve?

For projects that use a CLA, one of the biggest problems is that the whole process adds friction for the project maintainer.

The common CLA processes of filing paperwork, following up with an internal signatory, and ensuring commits are made by authorized developers are a huge administrative headache.

Some of those specific pains include:

  • Tracking CLA paperwork, which is often spread across multiple emails or spreadsheets, is time-consuming and brittle
  • Ensuring that the list of company developers authorized to contribute to open source projects is up-to-date requires manual, fragile, time-consuming effort.
  • Collecting developers’ signatures and then waiting for maintainers to manually process CLAs can delay contributions
  • Projects and their maintainers want to ensure that every contribution was made under a CLA

What does EasyCLA do?

EasyCLA removes many of these manual processes by doing the following:

  • Automates the CLA signature and authorization workflows
  • Notifies contributors if they need to sign the CLA, or get authorized under their employer’s CLA from within GitHub or Gerrit
  • Blocks unauthorized contributors until they are authorized under a signed CLA
  • Supports reusing CLAs across projects
  • Enables each company signing a CLA to manage their own list of authorized contributors under their CLA
  • Includes modified template CLAs based on the Apache Software Foundation’s CLAs, as an option for the project’s CLAs

How EasyCLA Works

EasyCLA begins with the Project Manager, who is the project maintainer responsible for selecting the appropriate Individual and Corporate CLA.

Traditionally, the Project Manager has had to enforce whether a contributor was authorized to commit code to their project.  This would become especially cumbersome when getting signatures for Corporate CLAs from companies and updating each company’s whitelist of authorized developers.

With EasyCLA, the Project Manager can apply their CLA to their project and EasyCLA automates and streamlines the rest of the authorization process.

For an Individual developer, the process is straightforward: if they haven’t signed the project’s CLA, their commit will be blocked and they will be given a link that takes them to the CLA.  After providing their e-signature agreeing to the CLA, all their future commits to that project will be allowed.

For a Corporate developer, the process is more complicated. We’ve defined three primary roles for this automated CLA workflow:

  • Contributor: any developer wanting to contribute code to the project
  • CLA Manager: person authorized to manage who can contribute under the company’s Corporate CLA
  • CLA Signatory: the authorized signatory of the project’s CLA for the company
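The authorization decision behind “blocks unauthorized contributors until they are authorized under a signed CLA”, as an added example written for this page (not EasyCLA’s own code or data model). It assumes a per-project store of Individual CLA signatures and of Corporate CLAs, each carrying whether the CLA Signatory has signed and the allowlist the CLA Manager maintains; the order of precedence and the wording of the unblock instructions are assumptions too. The signature records are constructed inline.

```python
"""CLA authorization gate over constructed signature records (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class CorporateCLA:
    company: str
    signed: bool                                  # True once the CLA Signatory e-signed
    cla_manager: str                              # who maintains the allowlist
    authorized: Set[str] = field(default_factory=set)  # contributor ids on the allowlist


@dataclass
class Decision:
    allowed: bool
    reason: str
    next_step: Optional[str] = None               # what unblocks the contributor, if anything


def authorize(contributor: str, employer: Optional[str],
              icla_signed: Set[str], ccla: Dict[str, CorporateCLA]) -> Decision:
    """Decide whether a commit from `contributor` passes the CLA check for one project.

    Precedence (assumed for this example): a signed Individual CLA always authorizes;
    otherwise the employer must hold a signed Corporate CLA and the contributor must be
    on that company's allowlist. Every blocked outcome names the role that can fix it,
    which is what the notification to the contributor would carry.
    """
    if contributor in icla_signed:
        return Decision(True, "individual CLA on file")
    if employer is None:
        return Decision(False, "no individual CLA on file",
                        "sign the Individual CLA")
    cla = ccla.get(employer)
    if cla is None or not cla.signed:
        return Decision(False, f"{employer} has no signed Corporate CLA",
                        f"ask a CLA Signatory at {employer} to sign the Corporate CLA")
    if contributor not in cla.authorized:
        return Decision(False, f"not on {employer}'s authorized list",
                        f"ask CLA Manager {cla.cla_manager} to add you")
    return Decision(True, f"authorized under {employer}'s Corporate CLA")


# Constructed sample records for one project (not real signatures).
ICLA_SIGNED = {"alice"}
CCLA = {
    "Example Corp": CorporateCLA("Example Corp", True, "mgr@example.com", {"bob"}),
    "Unsigned Inc": CorporateCLA("Unsigned Inc", False, "legal@unsigned.example"),
}

if __name__ == "__main__":
    for who, employer in [("alice", None), ("bob", "Example Corp"),
                          ("carol", "Example Corp"), ("dave", "Unsigned Inc"),
                          ("erin", None)]:
        d = authorize(who, employer, ICLA_SIGNED, CCLA)
        print(who, "ALLOW" if d.allowed else "BLOCK", d.reason, d.next_step or "")
```

The point of returning a `next_step` rather than a bare boolean is that the three blocked cases route to three different people: the contributor (sign an ICLA), the company’s CLA Manager (update the allowlist), or the CLA Signatory (sign the Corporate CLA), and the status check posted on the pull request or Gerrit change should say which.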

Who can use EasyCLA?

Any project hosted by the Linux Foundation and using either GitHub or Gerrit can use EasyCLA.

Contributors, Project Maintainers, and Companies can all benefit:

  • Contributors submit code with minimal hassle from CLA paperwork.
  • Project Maintainers stop worrying whether accepted pull requests fall under signed CLAs and managing the signed paperwork.
  • Companies get greater comfort from a workflow that enables proper signing authority for Corporate CLAs.

If your project is not a Linux Foundation project, you can sign up here to indicate interest in using EasyCLA for your project.  We are exploring support for non-LF projects on a case-by-case basis.

How to Get Started

For Project Maintainers

If you’re a maintainer of a project already using EasyCLA, you can login with your LF ID here to manage your CLAs.

For Companies

If you are the CLA Manager for a company with developers contributing to Linux Foundation projects that are using EasyCLA, sign in with or create your LF ID here.

From there, you can send the agreement to the appropriate signatory.  After the CLA has been signed, you can then begin whitelisting developers.

Contribute Code to EasyCLA

The code running EasyCLA is open sourced.

While the code is open, there are still several dependencies in the code that would make it difficult right now to run the code on your own infrastructure.

However, if you feel there are features you want to add that will make EasyCLA work better for you, your project, or your company, then please go ahead and create an issue or submit a pull request!

1. https://github.com/apps/dco

The open source project will establish and maintain a common legal and technical foundation for smart legal contracts

London, Accord Project Forum, June 6, 2019 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the launch of the Accord Project as a Linux Foundation project. The Accord Project is a nonprofit organization that builds open source code and documentation to maintain a common and consistent legal and technical foundation for contract management. The project comprises all the software necessary to author, edit and execute smart legal contracts in a standardized way. Many of the world’s largest global law firms have signed on, as well as leading industry bodies and technology companies such as DocuSign, IBM, IEEE and R3.

Smart contracts are showing promise for simplifying complexities in supply chain management and other contract-heavy areas of technology development, but they also introduce requirements for interoperability and consistency. The Accord Project provides a globally interoperable approach for creating contracts that bind legally enforceable natural language text to executable business logic. With an increased focus on enterprise digitalization, adoption of blockchain technologies and the growth of the API economy, the usage of computable agreements is rapidly increasing. Having a common format for “computable” legal agreements is an important cornerstone for the future of commercial relationships. One of the main purposes of Accord Project is to provide a vendor-neutral “.doc” format for smart legal agreements.

“The Linux Foundation is home to communities that are advancing the world’s most critical software infrastructure,” said Mike Dolan, VP of strategic programs at The Linux Foundation. “The Accord Project represents an opportunity to collaboratively build the framework necessary for the next generation of contracting. Their work is essential in supporting the software that runs our lives.”

Contract templates are composed of three elements: the Template Grammar (the natural language text for the template), the Template Model (the data model that backs the template), and the Logic (the executable business logic for the template). When combined these three elements allow templates to be edited, analyzed, queried and executed. Importantly, the Accord Project’s approach does not lock smart legal contracts into any particular execution environment or vendor applications. Smart legal contract templates can be used with a wide variety of technologies, including different types of distributed ledgers.

The templates are designed to be quick to create from existing legal contracts and easy to execute using the Ergo domain specific language. Ergo aims to help legal tech developers quickly and safely write computable legal contracts. Ergo’s other goals are modularity (reuse of existing contract or clause logic), ensuring safe execution, neutrality with respect to blockchain implementation if one is chosen, and being formally specified so the meaning of contracts is well defined and can be verified and preserved during execution.

Dan Selman, co-director of the Accord Project and Chair of its Technology Working Group, noted that “Our goals for the Accord Project are to promote the use of open legal technology, attract a self-sustaining base of contributors, supported by a rigorous governance structure. Linux Foundation has been an excellent steward to scores of open source projects, large and small, over many years. We believe Linux Foundation is the perfect home for Accord Project and look forward to learning from the collective wisdom of the Linux Foundation community and taking advantage of the various services and programs they offer.”

Developers, attorneys, business and finance professionals and other contract users can access the Accord Project online at accordproject.org and the code at www.github.com/accordproject. For technical documentation please visit: https://docs.accordproject.org/

About The Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

In the last few years we have witnessed the unprecedented growth of open source in all industries: from the increased adoption of open source software in products and services, to the extensive growth in open source contributions and the releasing of proprietary technologies under an open source license. It has been an incredible experience to be a part of.

As many have stated, Open Source is the New Normal, Open Source is Eating the World, Open Source is Eating Software, etc. all of which are true statements. To that extent, I’d like to add one more maxim: Open Source is Eating the Startup Ecosystem. It is almost impossible to find a technology startup today that does not rely in one shape or form on open source software to boot up its operation and develop its product offering. As a result, we are operating in a space where open source due diligence is now a mandatory exercise in every M&A transaction. These exercises evaluate the open source practices of an organization and scope out all open source software used in product(s)/service(s) and how it interacts with proprietary components—all of which is necessary to assess the value creation of the company in relation to open source software.

Being intimately involved in this space has allowed me to observe, learn, and apply many open source best practices. I decided to chronicle these learnings in an ebook as a contribution to the OpenChain project: Assessment of Open Source Practices as part of Due Diligence in Merger and Acquisition Transactions. This ebook addresses the basic question of: How does one evaluate open source practices in a given organization that is an acquisition target? We address this question by offering a path to evaluate these practices along with appropriate checklists for reference. Essentially, it explains how the acquirer and the target company can prepare for this due diligence, offers an explanation of the audit process, and provides general recommended practices for ensuring open source compliance.

It is important to note that not every organization will see a need to implement every practice we recommend. Some organizations will find alternative practices or implementation approaches to achieve the same results. Appropriately, an organization will adapt its open source approach based upon the nature and amount of the open source it uses, the licenses that apply to the open source it uses, the kinds of products it distributes or services it offers, and the design of the products or services themselves.

If you are involved in assessing the open source and compliance practices of organizations, or involved in an M&A transaction focusing on open source due diligence, or simply want to have a deeper level of understanding of defining, implementing, and improving open source compliance programs within your organization, this ebook is a must read. Download the Brief.

Global technology leader supports standardization in open source compliance to improve predictability and efficiency across supply chains

SAN FRANCISCO –  February 6, 2019 — The OpenChain Project, which builds trust in open source by making open source license compliance simpler and more consistent, announced today that Microsoft Corp. has joined as a platinum member. This comes on the heels of several other large companies joining OpenChain last month including Uber, Google and Facebook. The only standard for open source compliance in the supply chain, OpenChain provides a specification as well as overarching processes, policies and training that companies need to be successful in managing open source license compliance so that it becomes more efficient, understandable and predictable for participants of the software supply chain.

Companies consume billions of lines of open source software through their supply chains as they build new products and services. One key challenge as code flows between companies is ensuring the relevant license requirements are met in a timely and effective manner. The OpenChain Project provides companies with a consistent way to address these challenges. It’s hard to overstate the importance of this work given open source is a critical input at every step in the supply chain, both in hardware and software.

By joining OpenChain, Microsoft will help create best practices and define standards for open source software compliance, so that its customers have even greater choice and opportunity to bridge Microsoft and other technologies together in heterogeneous environments. Conformance with the OpenChain Specification shows that an organization follows the key requirements of a quality open source compliance program, and builds trust between organizations in the supply chain. It makes procurement easier for purchasers and preferred status easier for suppliers.

“Trust is key to open source, and compliance with open source licenses is an important part of building that trust,” said David Rudin, Assistant General Counsel, Microsoft. “By joining the OpenChain Project, we look forward to working alongside the community to define compliance standards that help build confidence in the open source ecosystem and supply chain.”

“We’re thrilled that Microsoft has joined the project and welcome their expertise,” said Shane Coughlan, OpenChain General Manager. “Microsoft is a strong addition not only in terms of open source but also in standardization. Their membership provides great balance to our community of enterprise, cloud, automotive and silicon companies, allowing us to ensure the standard is suitable for any size company across any industry.”

As a platinum member, a representative from Microsoft will join the OpenChain Governing Board. Other platinum members of the OpenChain project include Adobe, ARM Holdings, Cisco, Comcast, Facebook, GitHub, Google, Harman International, Hitachi, Qualcomm, Siemens, Sony, Toshiba, Toyota, Uber and Western Digital.

About the OpenChain Project

The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

SAP has established an open source program office to further its open source activities and expand its engagement with the open source communities.

SAP has been working with open source for decades and has now established an open source program office (OSPO) to further formalize the coordination of its open source activities and expand its engagement with the open source communities. “SAP was one of the first industry players to formally define processes for open source consumption and contribution,” says Peter Giese, director of the Open Source Program Office.

Even so, many people do not yet consider SAP to be a company that embraces open source engagement and contributions.

“In the past, we may not have been active enough in sharing our open source activities,” says Giese.

Now, SAP is shining a spotlight on its work in open source. Transparency is an essential part of the new open source mandate, beginning with an explanation of what the company has been up to and where it is headed with open source.

How SAP came to adopt open source

“In 1998, SAP started to port the R/3 system, our market-leading ERP system, to Linux,” says Giese. “That was an important milestone for establishing Linux in the enterprise software market.”

Porting a system to Linux was just a first step, and a successful one. The action spurred an internal discussion and exploration of how and where to adopt Linux going forward.

“We came to the conclusion that Linux would become a major force,” Giese says. “Today that’s obvious, but at the time it was not as obvious to everybody. That’s when we started our endeavors into open source.”

In 2001, SAP formally defined and internally documented its process for open source consumption, and the company committed to using inbound open source projects to build SAP products. There were lots of details to attend to, such as open source licensing, security, and export control restrictions.

By 2004, SAP was already exchanging specifications with other companies and was one of the founding members of the Eclipse Foundation. From then onwards, SAP developers actively contributed to several Eclipse projects, including JGit, EGit, MAT, Tycho and Che.

However, it wasn’t until 2008 that SAP started to actively promote open source contributions from SAP employees on a company-wide basis. That was also the year when the company rolled out its outbound open source process. “We had a set of guidelines and rules for what SAP teams had to do in order to share their work with the open source community,” explains Giese.

In 2010, SAP integrated open source tools further into its development processes. “We moved to a higher level of compliance by introducing systematic open source code scanning as part of our standard development processes,” says Giese. “That means we started to systematically scan open source code for license compliance and security issues.”

In 2014, SAP shared with the open source community a tool called CLA assistant which was developed for managing open source contributor license agreements.

Even though these activities and projects were very successful, there was a growing need for more central coordination of SAP’s open source activities.

“We had several teams that took care of specific aspects of open source, such as security scanning, license scanning, and building our own open source tooling. But there was no dedicated function or role with the overall responsibility for everything open source at SAP,” says Giese. “That has changed now, and SAP’s chief technology officer is responsible for open source at SAP.”

SAP and open source today

The new central Open Source Program Office was established in early 2018.

“We wanted to be more active and visible in our interactions with our outside customers and partners, and with open source foundations and other open source communities,” says Giese. “That’s why we also joined the TODO Group last year to share experiences, jointly develop best practices, and work on common tooling.”

Giese points out that the company’s investments and contributions to open source are substantial, yet they still come as a surprise to many people.

“For example, in February 2018, Fil Maj from Adobe published a worldwide ranking of companies by the total number of their employees actively contributing to open source projects on GitHub, and SAP ranked at number seven,” says Giese. “There are, of course, different ways to create such statistics, but it gives you an idea of SAP’s role as a contributor. Maybe we’re one of open source’s best kept secrets.”

SAP prefers not to be a secret any longer and is stepping up its open source game in more visible ways. “We’re going to participate in more of the open source community conferences, such as Open Source Summit, OSCON, FOSDEM, EclipseCon, KubeCon, and so on,” says Giese. SAP’s climb to higher visibility is a sign of its continued commitment to excellence in open source, and the company aims to form more partnerships and spur accelerated innovations.

One recent example of SAP’s innovative open source projects is Gardener, a solution for Kubernetes clusters as a service, as listed in the CNCF Cloud Native Landscape. It enables the management of a large number of Kubernetes clusters and the reuse of Kubernetes primitives in its core architecture.

Another newly open-sourced SAP project is Kyma, a flexible and easy way to connect and extend enterprise applications in a cloud native world.

SAP is actively encouraging companies and other developers to codevelop and cooperate on projects such as Gardener and Kyma.

“This type of co-innovation, for me, is the most compelling aspect about the whole open source movement,” says Giese.

Learn more about prominent SAP projects on their open source page.

How SAP’s open source office works

SAP formed its Open Source Program Office as a virtual team consisting of several teams from different board areas.

“We are working in scrum mode, which is a software development methodology. It has advantages in driving an open source program office,” says Michael Picht, chief development architect in OSPO. “You work in sprints in scrum, and this means you’re forced to break down your tasks into smaller pieces.”

“The scrum methodology propagates cross-functional teams, and that’s what our OSPO is. We have colleagues from across the company in there. Scrum facilitates the work in such a setup. It sounds strange to some people when they hear we work in scrum mode, but in our case, it is working quite well.”

Picht says that “breaking large jobs down into smaller chunks and working in four-week sprints makes challenging and long-running tasks easier to master. It does require some training, however, to make sure all team members are comfortable with the method.”

The office’s mission is to nurture and support the open source approach to software development – inside and outside SAP. Consequently, for employees who want to contribute to open source projects in their spare time outside of the company context, SAP has simplified the clearance process dramatically. “We have provided a few simple rules and as long as you adhere to these you can directly start to work on open source projects in your spare time,” says Giese.

The company is also redesigning its corporate open source contribution process to make it even more efficient. The goal is to shift from policing developers to enabling them through simpler forms, automation of process steps, and support team services.

For the open source community, to advance open source best practices and tooling, SAP recently contributed its open source vulnerability assessment tool, which supports any software development organization in assessing security vulnerabilities of the open source components used in their application development.

SAP’s open source program office will continue to look for ways to speed up and improve processes, and to support developers, partners, and open source communities.

“This will never end, this will always go on, so we always want to find new ways to improve open source processes and tools further,” says Picht.

Acknowledgements

We would like to thank Peter Giese, director of SAP’s Open Source Program Office, and Michael Picht, chief development architect, for their time and contributions to this case study. We would also like to thank Pam Baker for taking the time to conduct interviews at the Open Source Program Office.

SAP is an active member of the Linux Foundation and LF projects including Cloud Foundry Foundation, Cloud Native Computing Foundation (CNCF), Hyperledger, ODPi, OpenAPI Initiative, and TODO Group.

The Linux Foundation offers an abundance of resources to help you achieve success with open source.

At organizations everywhere, managing the use of open source software well requires the participation of business executives, the legal team, software architecture, software development and maintenance staff and product managers. One of the most significant challenges is integrating all of these functions with their very different points of view into a coherent and efficient set of practices.

More than ever, it makes sense to investigate the many free and inexpensive resources for open source management that are available, and observe the practices of professional open source offices that have been launched within companies ranging from Microsoft to Oath to Red Hat.

Fundamentals

The Linux Foundation’s Fundamentals of Professional Open Source Management (LFC210) course is a good place to start. The course is explicitly designed to help individuals in disparate organizational roles understand the best practices for success.

The course is organized around the key phases of developing a professional open source management program:

  • Open Source Software and Open Source Management Basics
  • Open Source Management Strategy
  • Open Source Policy
  • Open Source Processes
  • Open Source Management Program Implementation

Best Practices

The Linux Foundation also offers a free ebook on open source management: Enterprise Open Source: A Practical Introduction. The 45-page ebook can teach you how to accelerate your company’s open source efforts, based on the experience of hundreds of companies spanning more than two decades of professional enterprise open source management. The ebook covers:

  • Why use open source
  • Various open source business models
  • How to develop your own open source strategy
  • Important open source workflow practices
  • Tools and integration

Official open source programs play an increasingly significant role in how DevOps and open source best practices are adopted by organizations, according to a survey conducted by The New Stack and The Linux Foundation (via the TODO Group). More than half of respondents to the survey (53 percent) across many industries said their organization has an open source software program or has plans to establish one.

“More than anything, open source programs are responsible for fostering open source culture,” the survey’s authors have reported. “By creating an open source culture, companies with open source programs see the benefits we’ve previously reported, including increased speed and agility in the development cycle, better license compliance and more awareness of which open source projects a company’s products depend on.”

Free Guides

How can your organization professionally create and manage a successful open source program, with proper policies and a strong organizational structure? The Linux Foundation offers a complete guide to the process, available here for free. The guide covers an array of topics for open source offices including: roles and responsibilities, corporate structures, elements of an open source management program, how to choose and hire an open source program manager, and more.

The free guide also features contributions from open source leaders. “The open source program office is an essential part of any modern company with a reasonably ambitious plan to influence various sectors of software ecosystems,” notes John Mark Walker, Founder of the Open Source Entrepreneur Network (OSEN), in the guide. “If a company wants to increase its influence, clarify its open source messaging, maximize the clout of its projects, or increase the efficiency of its product development, a multifaceted approach to open source programs is essential.”

Interested in even more on professional open source management? Don’t miss The Linux Foundation’s other free guides, which delve into tools for open source management, how to measure the success of an open source program, and much more.

Open Source Compliance

The Linux Foundation has released the second edition of Open Source Compliance in the Enterprise by Ibrahim Haddad, which offers organizations a practical guide to using open source code and participating in open source communities while complying with both the spirit and the letter of open source licensing.

This fully updated ebook — with new contributions from Shane Coughlan and Kate Stewart — provides detailed information on issues related to the licensing, development, and reuse of open source software. The new edition also includes all new chapters on OpenChain, which focuses on increasing open source compliance in the supply chain, and SPDX, which is a set of standard formats for communicating the components, licenses, and copyrights of software packages.

“Open source compliance is the process by which users, integrators, and developers of open source observe copyright notices and satisfy license obligations for their open source software components,” Haddad states in the book.

This 200+ page book encompasses the entire process of open source compliance, including an introduction on how to establish an open source management program, a description of relevant roles and responsibilities, an overview of common compliance tools and processes, and all new material to help navigate mergers and acquisitions. It offers proven best practices as well as practical checklists to help those responsible for compliance activities create their own processes and policies.

Essential topics covered in this updated ebook include:

  • An introduction to open source compliance
  • Compliance roles and responsibilities
  • Building a compliance program
  • Best practices in compliance management
  • Source code scanning tools

To learn more about the benefits of open source compliance and how to achieve it, download the free ebook today!

Invest in making open source compliance more predictable, understandable & efficient across supply chains

SAN FRANCISCO and YOKOHAMA, JAPAN – OPEN COMPLIANCE SUMMIT – December 6, 2018 — The OpenChain Project, which builds trust in open source by making open source license compliance simpler and more consistent, announced today at Open Compliance Summit that Facebook, Google and Uber have joined as platinum members. The only standard for open source compliance in the supply chain, OpenChain provides a specification as well as overarching processes, policies and training that companies need to be successful.

Every day companies consume billions of lines of open source software through their supply chains as they build exciting new products and services. One key challenge as code flows between companies is ensuring the relevant license requirements are met in a timely and effective manner. Many organizations seek to address similar compliance issues in a similar manner, providing an excellent opportunity for consolidation and harmonization.

The OpenChain Project provides companies with a consistent way to address these challenges. At the heart of the project is a specification, an overarching standard for how companies of all sizes, whether in physical products, in the cloud or internally, can deal with open source compliance.

Running some of the largest data centers, platforms and cloud infrastructure in the world, Facebook, Google and Uber use a considerable amount of open source software in their businesses and are joining the OpenChain project to proactively manage open source across their supply chains.

“At Facebook, we believe open source software accelerates the pace of innovation in the world. We are proud to support the OpenChain project, and, by doing so, hope to make the open source supply chain more predictable and efficient so the community can focus on solving challenges of speed, complexity, and deploying open source software at scale,” said Michael Cheng, Facebook Open Source.

“Google is a strong believer that working together and being engaged with open source communities creates a ripple effect for the broader industry,” said Chris DiBona, Director, Open Source, Google. “We’re excited to join the OpenChain project and expect it will encourage greater compliance, and foster discussion on how the industry and open source projects can continue to work to improve software throughout the supply chain.”

“In the tech industry, it’s easy to take for granted how critical open source is for innovation and community collaboration,” said Matt Kuipers, IP senior counsel at Uber. “However, the lack of consistent open source policies remains an obstacle for adoption throughout the supply chain and across industries. We’re excited to join the OpenChain Project to support the adoption of consistent policies, reduce barriers to adopting open source, and increase the value of open source for more industries beyond tech.”

“We are very excited to see three innovative tech leaders join the project and welcome their experience to our Governing Board,” said Shane Coughlan, OpenChain General Manager. “We believe that their support will be a vital component as we continue to build upon a successful, meaningful industry standard for open source compliance in the supply chain.”

OpenChain also provides companies with overarching processes, policies and training to be successful in open source compliance. OpenChain Conformance with the OpenChain Specification confirms that an organization follows the key requirements of a quality open source compliance program, and builds trust between organizations in the supply chain. It makes procurement easier for purchasers and preferred status easier for suppliers.

As platinum members, one representative from each company will join the OpenChain Governing Board. Other platinum members of the OpenChain project include Adobe, ARM Holdings, Cisco, Comcast, GitHub, Harman International, Hitachi, Qualcomm, Siemens, Sony, Toshiba, Toyota and Western Digital.

About the OpenChain Project

The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.


Nithya Ruff talks with Swapnil Bhartiya about Comcast’s contributions to open source and more.

Sometimes when we think about open source, we focus on the code and forget that there are other equally important ways to contribute. Nithya Ruff, Senior Director, Open Source Practice at Comcast, knows that contributions can come in many forms. “Contribution can come in the form of code or in the form of financial support for projects. It also comes in the form of evangelizing open source; it comes in the form of sharing good practices with others,” she said.

Comcast, however, does contribute code. When I sat down with Ruff at Open Source Summit to learn more, she made it clear that Comcast isn’t just a consumer; it contributes a great deal to open source. “One way we contribute is that when we consume a project and a fix or enhancement is needed, we fix it and contribute back.” The company has made roughly 150 such contributions this year alone.

Comcast also releases its own software as open source. “We have created things internally to solve our own problems, but we realized they could solve someone else’s problem, too. So, we released such internal projects as open source,” said Ruff.

Two notable projects that Comcast recently open sourced are Trickster and VinylDNS. At the moment, Comcast is maintaining these projects, but the company is also open to nurturing such projects to a stage where they can become part of bigger open source bodies like The Linux Foundation or Apache Software Foundation.

“These are the two projects that we’re actually maintaining. We are inviting contributors from all parts of the world to contribute to it and there is a great deal of diversity around these projects,” said Ruff. “At the same time, we also have Traffic Control, our CDN project, which is hosted at the Apache Foundation.”

Traffic Control is a good example of a Comcast project that became mature enough to graduate as a top tier project at the Apache Foundation. Comcast is also the force behind the RDK Management, an open source consortium to manage the Reference Design Kit (RDK). It’s an open source software platform for the connected home that standardizes core functions used in broadband devices, set-top boxes, and IoT.

Beyond Code

Ruff also serves on The Linux Foundation Board of Directors, where she represents the larger open source community. “As part of the board, one of the big lenses that I like to bring to the board is diversity and inclusion,” she said. She works closely with The Linux Foundation teams to make their projects and events more diverse and inclusive.

“We have a great opportunity as a foundation to set some guidelines for the 150-plus projects that are at the Foundation itself, but also to create best practices for the community to follow,” Ruff said.

“The whole world is getting digitized. As we are recreating this world, we need to create it with people of all types,” she continued. “Otherwise, we will have a very monotonous world. We will have a black-and-white world created by a few people with their biases that are embedded in that world. And we cannot afford to do that.”

Learn how to align your goals for managing and creating open source software with your organization’s business objectives using the tips and proven practices from the TODO Group.

The majority of companies using open source understand its business value, but they may lack the tools to strategically implement an open source program and reap the full rewards. According to a recent survey from The New Stack, “the top three benefits of open source programs are 1) increased awareness of open source, 2) more speed and agility in the development cycle, and 3) better license compliance.”

Running an open source program office involves creating a strategy to help you define and implement your approach as well as measure your progress. The Open Source Guides to the Enterprise, developed by The Linux Foundation in partnership with the TODO Group, offer open source expertise based on years of experience and practice.

The most recent guide, Setting an Open Source Strategy, details the essential steps in creating a strategy and setting you on the path to success. According to the guide, “your open source strategy connects the plans for managing, participating in, and creating open source software with the business objectives that the plans serve. This can open up many opportunities and catalyze innovation.” The guide covers the following topics:

  1. Why create a strategy?
  2. Your strategy document
  3. Approaches to strategy
  4. Key considerations
  5. Other components
  6. Determine ROI
  7. Where to invest

The critical first step here is creating and documenting your open source strategy, which will “help you maximize the benefits your organization gets from open source.” At the same time, your detailed strategy can help you avoid difficulties that may arise from mistakes such as choosing the wrong license or improperly maintaining code. According to the guide, this document can also:

  • Get leaders excited and involved
  • Help obtain buy-in within the company
  • Facilitate decision-making in diffuse, multi-departmental organizations
  • Help build a healthy community
  • Explain your company’s approach to open source and support of its use
  • Clarify where your company invests in community-driven, external R&D and where your company will focus on its value added differentiation

“At Salesforce, we have internal documents that we circulate to our engineering team, providing strategic guidance and encouragement around open source. These encourage the creation and use of open source, letting them know in no uncertain terms that the strategic leaders at the company are fully behind it. Additionally, if there are certain kinds of licenses we don’t want engineers using, or other open source guidelines for them, our internal documents need to be explicit,” said Ian Varley, Software Architect at Salesforce and contributor to the guide.

Open source programs help promote an enterprise culture that can make companies more productive, and, according to the guide, a strong strategy document can “help your team understand the business objectives behind your open source program, ensure better decision-making, and minimize risks.”

Learn how to align your goals for managing and creating open source software with your organization’s business objectives using the tips and proven practices in the new guide to Setting an Open Source Strategy. And, check out all 12 Open Source Guides for the Enterprise for more information on achieving success with open source.