BOSTON, Mass. -- The Linux Foundation, the non-profit organization dedicated to supporting Linux, announced on Aug. 10 at LinuxCon the launch of the Open Compliance Program, a comprehensive initiative to help companies and developers comply with open-source licenses.
You may not know it, but getting businesses and developers to obey open-source licenses has become a much bigger problem over the years. I'm not talking about the differences between GPLv2 and GPLv3. I'm talking about companies using open-source code and not realizing that they can't just use it any way they want.
This has become a problem because almost every major company is now using Linux and open-source software. That's both the good and bad news. With so many companies using and, more important, incorporating free and open-source software (FOSS) in their products, there's lots of room for businesses to make big mistakes.
That's especially true in the mobile and consumer electronics space. All you have to do is look at the legal record and you can see that. Company after company builds some neat device and uses FOSS but then doesn't bother to follow the rules on how the software should be used. Then, when they're caught at it, the Software Freedom Law Center (SFLC) or a private law firm comes down like a ton of bricks on the open-source license violators, and they have to pay for their sins.
There has to be a better way of getting companies to obey the rules than hauling them into court, don't you think? That's what the Linux Foundation, SFLC and friends thought too, and that's where the Open Compliance Program comes in.
With the help of Adobe, AMD, Google, HP, IBM, Intel, NEC, Samsung and a slew of other companies, the program offers tools, training, consulting and a self-assessment checklist to help companies comply with open-source licenses.
According to Jim Zemlin, the Linux Foundation's executive director, whom I spoke to before the show, "This is a vendor neutral, non-commercial compliance program that offers a comprehensive offering of compliance training, tools and services. As open source has proliferated up and down the product supply chain, so has the complexity of managing open source compliance. Our mission is to enable the expansion of open source software, so we created this program to give companies the information, tools and processes they need to get the most out of their investment in open source, while maintaining compliance with the licenses."
The Linux Foundation couldn't do it by itself, of course. It needed all those industry players and the SFLC on board to make it happen. In a statement, Eben Moglen, the SFLC's founder and chairman, said "Free software licenses are designed to make it easy to copy, modify and redistribute software, commercially and non-commercially. The Linux Foundation's Open Compliance Program will make best operational practices for compliance accessible to all and will help commercial and non-commercial parties work together to improve those practices still further. Participation in this program, along with necessary legal advice and training, should allow any organization to meet its FOSS license compliance responsibilities completely, at very low cost."
Zemlin described the program as being like a vaccine against not just FOSS license problems but against all the legal troubles a company can get into with software licensing issues. In particular he sees it being very useful for companies in the mobile space. After all, "Lots of vendors are involved in building smart phones. You can use this program across your supply chain to reduce the friction of everyone not being on the same legal page when it comes to license compliance. This will lower the costs for license compliance across the industry."
So what is it? First, there are open-source software tools that will complement commercial and open-source scanning tools used to identify the origin and license of source code:
Dependency Checker: Like other such programs, this software can identify code combinations at the dynamic and static link level. In addition, the tool offers a license-policy framework that enables FOSS Compliance Officers to define combinations of licenses and linkage methods that are to be flagged if found as a result of running the tool.
Bill of Material (BoM) Difference Checker: This program is capable of reporting differences between BoMs and therefore enabling companies to identify changed source code components and to better report included open source components in updated product releases.
The Code Janitor: This tool provides linguistic review capabilities to ensure developers did not leave comments in the source code about future products, product code names, mention of competitors, etc. The tool maintains a database of keywords that are scanned for in the source code files to ensure code released is safe and ready for public consumption. I won't mention any names, but I can think of at least one developer whose "funny" code comments would have been caught by this tool and that would have saved his job.
Besides programs to help you with FOSS license compliance, there are other resources:
Self-Assessment Checklist: An extensive checklist of compliance best practices in addition to elements that must be available in an open source compliance program to ensure its success. This checklist will be launched later this year.
The Software Package Data Exchange (SPDX) Standard and Workgroup: This is an effort to provide a standard way for companies to standardize their license and component information (metadata) in bills of material to ease the discovery and labeling of open source components in their products. This is especially important for consumer electronics manufacturers who assemble parts from multiple suppliers into their shipping products.
Compliance Directory and Rapid Alert System: This is a directory of compliance officers at companies using Linux and Open Source software in their commercial products. Companies can add their contact information for compliance purposes at the directory's Web site.
Training and Education: This is both a live and online training program that covers the fundamentals of open-source licensing and compliance activities.
Community: The above resources join the FOSSBazaar workgroup, an existing community of software and compliance professionals.
While this program won't rank high on the excitement meter for Linux fans, I think it may be the most ambitious job that the Linux Foundation has ever taken on. Fortunately, with all that corporate support, I think they'll be able to pull it off. While it may not be thrill-packed, the work being done here to make sure everyone works smoothly together to get Linux and FOSS into products without any fuss or muss is exactly what's needed as Linux moves into smartphones and tablets everywhere.