News Archive (1999-2012) | 2013-current at LinuxGizmos | Current Tech News Portal |    About   

Industry group takes on open source compliance challenge

Aug 10, 2010 — by Eric Brown — from the LinuxDevices Archive — 1 views

The Linux Foundation announced a program to help companies comply with open source licenses. The Open Compliance Program includes training, consulting, a self-assessment checklist, a standard format to report software licensing information, and tools for dependency checking, BoM analysis, and code clean-up,says the nonprofit organization.

The Linux Foundation (LF) announced the Open Compliance Program in conjunction with the LinuxCon conference being held in Boston this week. The program's charter is to increase adoption of open source software while decreasing legal FUD in the marketplace, says the company, figuratively nodding in the direction of Redmond, Wash. 

Stated Jim Zemlin (pictured), executive director of The Linux Foundation. "As Linux has proliferated up and down the product supply chain, so has the complexity of managing compliance. Our mission is to enable the expansion of free and open source software, so we created this program to give companies the information, tools and processes they need to get the most out of their investment, while maintaining compliance with the licenses governing the software."

The program includes tools, training curricula and a new self-administered assessment checklist that will "allow companies to meet open source license obligations in a cost-effective and efficient manner," says the LF.

The LF adds that it has developed complementary tools to commercial and open source scanning tools used to decipher code sources, targeting dependency checking, BoM, and a Code Janitor that cleans up stray comments.

In addition, the Open Compliance Program includes a new data exchange standard so companies and their suppliers can easily report software information in a standard way, says the LF. The organization calls the standard "a crucial missing link in the compliance landscape."

Founding participants of the program include Adobe, AMD, ARM Limited, Cisco Systems, Google, HP, IBM, Intel, Motorola, NEC, Nokia, Novell, Samsung, Software Freedom Law Center (SFLC), Sony Electronics and more than 20 other companies and organizations.

One of the latter is the new Linaro not-for-profit engineering firm, which is developing standardized, open source Linux tools, kernel, and middleware software for consumer electronics. Other organizations include Open Invention Network (OIN), and GPL-Violations.org, which like the SFLC have fought a number of legal and public relations battles on behalf of open source compliance and enforcement (see farther below for more background).

The six elements of The Linux Foundation's Open Compliance Program are listed as:

  • Training and Education — Live onsite or online training modules cover the fundamentals of open source licensing and compliance activities and can be tailored for audiences ranging from corporate executives to working professionals. Free white papers, articles, and webinars are also said to be available.
  • Dependency checker tool — The dependency checker checks code combinations at the dynamic and static link level, says the LF. The tool is also said to offer a license policy framework that enables FOSS Compliance Officers to define combinations of licenses and linkage methods that are to be flagged.
  • Bill of Material (BoM) difference checker tool — The BoM tool will report differences between BoMs, enabling companies to identify changed source code components and to better report included open source components in updated product releases. Tool development will begin later this year.
  • Code janitor tool — This tool provides linguistic review capabilities to ensure developers do not leave comments in the source code about future products, product code names, mention of competitors, and other sensitive information. The tool maintains a database of keywords that are scanned for in the source code files.
  • Self-assessment checklist — The checklist includes compliance best practices, as well as "elements that must be available in an open source compliance program to ensure its success," says the LF. Due late this year, the tool will let companies compare their practices against top-tier best compliance practices.
  • SPDX standard and workgroup — SPDX enables companies to standardize their bills of material to ease the discovery and labeling of open source components. The standard standardizes reporting methods for consumer electronics manufacturers that assemble parts from a variety of suppliers into their shipping products
  • Compliance directory and rapid alert system — This directory of compliance officers at companies using Linux and other open source software in commercial products helps to disseminate information related to open source licenses, says the LF.
  • FOSSBazaar community integration — The above resources join the existing FOSSBazaar workgroup and its community of software and compliance professionals.

 Compliance guidance background

The Linux Foundation is not the first group to address the growing complexities of open source licensing. In 2008, Open Compliance Program member SFLC, known for its successful prosecution of GPL scofflaws on behalf of BusyBox, published a GPL compliance guide to help embedded developers find their way through the licensing maze. That same year, a Germany-based group that inspired the SFLC — GPL-Violations.org — published a guide to identifying GPL violations in embedded code.

Last December, open source software service provider OpenLogic launched an Open Source Fulfillment Center service that helps companies ensure compliance with GPL licenses. In August of that year, the Olliance Group launched a "Mobile Open Source Practice," run by Linux veteran and LinuxPundit analyst and consultant William "Bill" Weinberg, with somewhat similar goals.

Embedded software vendors themselves have targeted the growing challenge faced by their customers in deciphering open source compliance. For example, one of Weinberg's previous clients, Embedded Alley, which is now owned by Mentor Graphics, upgraded its "Development System for Linux" package last year with tools to create software Bills of Materials, track open source components, trace binary sources, and help OEMs comply with open source license obligations.

Among others, MontaVista Software has addressed the compliance issue in with its MontaVista Linux 6. The commercial embedded Linux platform provides a new build platform and content server for keeping track of open source components.

Testimonials

The Linux Foundations listed dozens of testimonials from members. The following is a small sampling. 

Stated Eben Moglen (pictured), founder and chairman, Software Freedom Law Center, a group that appears to be the driving force behind the Open Compliance Program, "Compliance with free software licensing requirements is much easier for product manufacturers and distributors than certain industrial competitors want you to believe. But strong operational compliance engineering measures still play a crucial role, making risk avoidance both inexpensive and wholly effective. The Linux Foundation's Open Compliance Program will make best operational practices for compliance accessible to all."

Stated GPL-Violation.org founder Harald Welte, "The goal of gpl-violations.org has always been to assure that anyone in the Free Software market plays according to a common set of rules, i.e. the Free Software licenses. We welcome the new efforts by The Linux Foundation to encourage all parties in the Free Software world to consistently and carefully follow these rules."

Stated Chris DiBona, open source and public sector engineering manager at Google, "Efforts like the Open Compliance Program from the Linux Foundation can make the difference between healthy open source use and chaos. Google is happy to see The Linux Foundation creating this program to assist people with this complicated subject."

Stated Ari Rauch, Senior director of software and system engineering, Wireless OMAP(TM) processor group, TI, "Unfortunately, the lack of packaging and license standards make compliance an imprecise and potentially draining expenditure for any individual company. We are actively contributing to The Linux Foundation's Open Compliance Program as it is yet another step taken to make viable commercially-successful open source platforms."

The Linux Foundation also announced today that the Qualcomm Innovation Center (QuIC) has joined the LF as a Platinum member, sitting alongside existing Platinum members including Fujitsu, Hitachi, IBM, Intel, NEC, and Oracle. A wholly owned subsidiary of Qualcomm, QuIC is focused on developing and optimizing software for mobile open source platforms and technologies, and supporting the integration of Qualcomm's chipsets in open source designs. 

Availability

More information about the Open Compliance Program may be found at the Linux Foundation, here.

More on the program's training and education modules may be found here, and more on SPDX should be here. The compliance directory may be found here. Information on FOSSBazaar may be found here.


This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.



Comments are closed.