It's great that open source offers flexibility and so much more. However, managing the licensing structure is confusing for many developers who incorporate or interact with open source code. The Linux Foundation recently released a program to help chart your way through sometimes choppy waters.
If you're not familiar with open source software development (or software development in general), these days programs are complex enough that people often use code from many places. Sometimes this code is in the form of libraries, which are reusable pieces of code that help developers avoid re-inventing the wheel each time they tackle a particular task. At other times the code is much bigger: a complete program, with its own APIs, that the project's architect or team decided already does a particular job well.
Source code is typically written with some kind of license attached. In the case of open source, that license might be one of those approved by the Open Source Initiative. As a developer chooses libraries and tools, each item might come with a different license, whether a standard one or something custom. Each of these licenses has its own rules that have to be followed.
Even the most well-meaning teams can become bogged down in trying to keep track of everything. Having proper tools can mean the difference between knowing that your software is compliant (and so not having to worry about legal issues) and getting a nasty surprise.
The Open Compliance Program
The Linux Foundation's Open Compliance Program offers a collection of six elements. First among these is a set of open source tools to "help companies improve their open source compliance due diligence."
These tools include:
- A dependency checker allowing FOSS Compliance Officers to define combinations of licenses and linkage methods that should be flagged if found at the dynamic or static link level
- A Bill of Material (BoM) checking tool that makes it easier to identify changed source code components and report included open source components in updated product releases
- A linguistic tool ensuring that developers don't leave comments in the source code regarding future products, product code names, mentions of competitors, and so on, working from a database of key words
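To make the first two tools concrete, here is a small added example (not code from the Linux Foundation's program) of what a policy-driven dependency checker and a BoM change report look like: a compliance officer defines (license, linkage) combinations to flag, and the tool reports which components in a release hit a rule and what changed since the previous release. The component names, licenses and policy rules are all constructed for this illustration.

```python
# Policy-driven dependency checker plus a BoM change report, in the spirit of the
# program's dependency checker and BoM tool. All rules, component names and
# licenses below are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Dependency:
    name: str
    license: str   # SPDX-style identifier, or "UNKNOWN" when not identified
    linkage: str   # "static" or "dynamic"

@dataclass(frozen=True)
class Rule:
    license: str   # identifier to match; "*" matches any license
    linkage: str   # "static", "dynamic", or "*" for either
    reason: str
# Constructed policy for a hypothetical proprietary product: the officer's own
# choices for this example, not a statement of what any license requires.
POLICY = [
    Rule("GPL-2.0-only", "*", "strong copyleft linked into proprietary product"),
    Rule("GPL-3.0-only", "*", "strong copyleft linked into proprietary product"),
    Rule("LGPL-2.1-only", "static", "LGPL static linking; relink provision needed"),
    Rule("UNKNOWN", "*", "license not identified; manual review required"),
]

def rule_matches(rule, dep):
    return rule.license in ("*", dep.license) and rule.linkage in ("*", dep.linkage)

def check_dependencies(deps, policy=POLICY):
    """Return (name, reason) for each dependency that hits a policy rule."""
    return [(d.name, r.reason) for d in deps for r in policy if rule_matches(r, d)]

def bom_changes(old, new):
    """Components added, removed, or re-licensed/re-linked between two releases."""
    before, after = {d.name: d for d in old}, {d.name: d for d in new}
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": sorted(n for n in common if before[n] != after[n])}
# Constructed BoMs for two releases of the same product.
RELEASE_1 = [Dependency("libalpha", "MIT", "static"),
             Dependency("libbeta", "LGPL-2.1-only", "dynamic"),
             Dependency("libgamma", "GPL-3.0-only", "dynamic")]
RELEASE_2 = [Dependency("libalpha", "MIT", "static"),
             Dependency("libbeta", "LGPL-2.1-only", "static"),    # linkage changed
             Dependency("vendored-parser", "UNKNOWN", "static")]  # new, unidentified

if __name__ == "__main__":
    print(bom_changes(RELEASE_1, RELEASE_2))
    for name, reason in check_dependencies(RELEASE_2):
        print(f"FLAG {name}: {reason}")
```

Note that libbeta is clean in the first release and flagged in the second only because its linkage changed, which is exactly the kind of drift a BoM check between releases is meant to catch.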
Other components of the program are:
- A self-assessment checklist of compliance best practices, which will formally launch in Q4 of 2010
- The Software Package Data Exchange (SPDX) standard and workgroup, which is working toward standardization of BoMs for easier reporting
- A directory of Compliance Officers at companies using Linux and open source software, to make communication between projects and companies easier
- Training and education programs around licensing and compliance
- The FOSS Bazaar workshop, a community of software and compliance professionals
Hopefully this program will help development teams keep on top of things. Are these offerings something that you would consider using for your company or project? Let us know in the comments.