The Linux Foundation, the nonprofit organisation dedicated to supporting Linux, announced on 10 August at LinuxCon the launch of the Open Compliance Program. What is that, you ask? It's a comprehensive initiative to help companies and developers comply with open source licences.
You may not know it, but getting businesses and developers to obey open source licences has become a much bigger problem over the years. I'm not talking about the differences between GPLv2 and GPLv3. I'm talking about companies using open source code and not realising that they can't just use it any way they want.
The reason this has become a problem is that almost every major company is now using Linux and open source software. That's both the good and bad news. With so many companies using, and what's more important, incorporating FOSS (free and open-source software) in their products, there's lots of room for businesses to make big mistakes.
That's especially true in the mobile and consumer electronics space. All you have to do is look at the legal record and you can see that. Company after company builds some neat device and uses FOSS but then doesn't bother to follow the rules on how the software should be used. Then, when they're caught at it, the SFLC (Software Freedom Law Center) or a private law firm comes down like a ton of bricks on the open-source licence violators and they have to pay up for their sins.
There's got to be a better way of getting companies to obey the rules than hauling them into court, don't you think? That's what the Linux Foundation, SFLC and friends thought too, and that's where the Open Compliance Program comes in.
With the help of Adobe, AMD, Google, HP, IBM, Intel, NEC, Samsung, and a slew of other companies, the programme offers tools, training, consulting and a self-assessment checklist to help companies comply with open source licences.
According to Jim Zemlin, the Linux Foundation's executive director who I spoke to before the show, "This is a vendor neutral, non-commercial compliance programme that offers a comprehensive offering of compliance training, tools and services. As open source has proliferated up and down the product supply chain, so has the complexity of managing open source compliance. Our mission is to enable the expansion of open source software, so we created this programme to give companies the information, tools and processes they need to get the most out of their investment in open source, while maintaining compliance with the licences."
The Linux Foundation couldn't do it by itself, of course. It needed all those industry players and the SFLC on board to make it happen. In a statement, Eben Moglen, the SFLC's founder and chairman, said "Free software licences are designed to make it easy to copy, modify and redistribute software, commercially and non-commercially. The Linux Foundation's Open Compliance Program will make best operational practices for compliance accessible to all and will help commercial and non-commercial parties work together to improve those practices still further. Participation in this programme, along with necessary legal advice and training, should allow any organisation to meet its FOSS licence compliance responsibilities completely, at very low cost."
Zemlin described the programme as being like a vaccine against not just FOSS licence problems but against all the legal troubles a company can get into with software licensing issues. In particular he sees it being very useful for companies in the mobile space. After all, "lots of vendors are involved in building smart phones. You can use this programme across your supply chain to reduce the friction of everyone not being on the same legal page when it comes to licence compliance. This will lower the costs for licence compliance across the industry."
So what is it? Well, for starters, it's big. First, there are open-source software tools that complement the commercial and open-source scanning tools used to identify the origin and licence of source code. These tools are:
Dependency Checker: Like other such programmes, this software can identify code combinations at the dynamic and static link level. In addition, and this is new, the tool offers a licence-policy framework that enables FOSS Compliance Officers to define combinations of licences and linkage methods that are to be flagged if found as a result of running the tool.
Bill of Material (BoM) Difference Checker: This programme reports the differences between two BoMs, enabling companies to identify changed source code components and to better report the open source components included in updated product releases.
The Code Janitor: This tool provides linguistic review capabilities to make sure developers did not leave comments in the source code about future products, product code names, mentions of competitors, etc. The tool maintains a database of keywords that are scanned for in the source code files to ensure the code released is safe and ready for public consumption. I won't mention any names, but I can think of at least one developer whose "funny" code comments would have been caught by this tool, and that would have saved his job.
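To make the three tools above concrete, here is a small Python sketch written for this article. It is example code, not the Linux Foundation's own tools, and it makes three assumptions that the article does not state: that BoM entries carry SPDX-style short licence identifiers, that the policy table of licence/linkage combinations to flag is written by the compliance officer (the rules below are illustrative, not legal advice), and that the Code Janitor's keyword list is a plain case-insensitive match. All component names, versions, policy rules and the source snippet are constructed.

```python
"""Toy licence-policy checker, BoM difference checker and comment scanner.

Hypothetical example code illustrating the Dependency Checker, BoM Difference
Checker and Code Janitor described in the article; not the Linux Foundation's
tools. Every data value below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One bill-of-materials entry (equality covers all four fields)."""
    name: str
    version: str
    licence: str   # assumed: SPDX short identifier, e.g. "GPL-2.0-only", "MIT"
    linkage: str   # "static", "dynamic" or "separate-process"


# Constructed policy: (licence, linkage) combinations a compliance officer
# wants flagged for a product whose own code is shipped under a proprietary
# licence. Illustrative policy choices only, not legal advice.
POLICY = {
    ("GPL-2.0-only", "static"): "copyleft code statically linked into product binary",
    ("GPL-2.0-only", "dynamic"): "copyleft code dynamically linked; legal review required",
    ("GPL-3.0-only", "static"): "copyleft code statically linked into product binary",
    ("GPL-3.0-only", "dynamic"): "copyleft code dynamically linked; legal review required",
}


def check_policy(bom, policy=POLICY):
    """Return [(component, reason)] for every BoM entry whose
    (licence, linkage) pair appears in the policy table."""
    return [(c, policy[(c.licence, c.linkage)])
            for c in bom if (c.licence, c.linkage) in policy]


def diff_bom(old, new):
    """Compare two BoMs by component name and report what was added,
    removed, or changed (any of version, licence or linkage differs)."""
    old_by = {c.name: c for c in old}
    new_by = {c.name: c for c in new}
    return {
        "added": sorted(set(new_by) - set(old_by)),
        "removed": sorted(set(old_by) - set(new_by)),
        "changed": sorted(n for n in set(old_by) & set(new_by)
                          if old_by[n] != new_by[n]),
    }


def janitor_scan(source, keywords):
    """Case-insensitive scan of source text for forbidden keywords
    (code names, competitor names); returns [(line_number, keyword)]."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        lowered = line.lower()
        for kw in keywords:
            if kw.lower() in lowered:
                hits.append((lineno, kw))
    return hits


# Constructed BoMs for two releases of the same product.
RELEASE_1 = [
    Component("busybox", "1.16", "GPL-2.0-only", "separate-process"),
    Component("zlib", "1.2.5", "Zlib", "static"),
    Component("libpng", "1.4.3", "Libpng", "dynamic"),
]
RELEASE_2 = [
    Component("busybox", "1.17", "GPL-2.0-only", "separate-process"),
    Component("zlib", "1.2.5", "Zlib", "static"),
    # Constructed: a copyleft library pulled into the static build in release 2.
    Component("libfoo", "0.9", "GPL-2.0-only", "static"),
]

# Constructed source snippet with a code name and a competitor mention.
SAMPLE_SOURCE = """\
/* zlib wrapper */
int init(void) {
    // TODO: remove before Project Falcon ships
    return 0;
}
// works around a bug in AcmeCorp's driver
"""
KEYWORDS = ["project falcon", "acmecorp"]

if __name__ == "__main__":
    for comp, reason in check_policy(RELEASE_2):
        print(f"FLAG {comp.name} {comp.version} ({comp.licence}, {comp.linkage}): {reason}")
    print("BoM diff:", diff_bom(RELEASE_1, RELEASE_2))
    for lineno, kw in janitor_scan(SAMPLE_SOURCE, KEYWORDS):
        print(f"janitor: line {lineno} mentions {kw!r}")
```

Running it flags only libfoo in release 2 (busybox is invoked as a separate process, which this policy table does not flag), reports libfoo added, libpng removed and busybox changed between the two BoMs, and points at lines 3 and 6 of the sample source. The point of the policy table is that it separates the compliance officer's decisions from the scanning logic, which is what the article means by a "licence-policy framework".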
But wait, there's more than programmes to help you with FOSS licence compliance. The other resources include:
Self-Assessment Checklist: An extensive checklist of compliance best practices, along with the elements that must be present in an open source compliance programme for it to succeed. This checklist will be launched later this year.
The SPDX (Software Package Data Exchange) Standard and Workgroup: This is an effort to give companies a standard way to express their licence and component information (metadata) in bills of material, easing the discovery and labelling of open source components in their products. This is especially important for consumer electronics manufacturers who assemble parts from multiple suppliers into their shipping products.
Compliance Directory and Rapid Alert System: This is a directory of compliance officers at companies using Linux and Open Source software in their commercial products. Companies can add their contact information for compliance purposes at the directory's Web site.
Training and Education: This is both a live and online training programme that covers the fundamentals of open-source licensing and compliance activities.
Community: The above resources join the FOSSBazaar workgroup, an existing community of software and compliance professionals.
Frankly, while this programme won't rank high on the excitement meter for Linux fans, I think it may be the most ambitious job that the Linux Foundation has ever taken on. Fortunately, with all that corporate support, I think they'll be able to pull it off. Because, you see, while it may not be thrill-packed, the work being done here to make sure everyone works smoothly together to get Linux and FOSS into products without any fuss or muss is exactly what's needed as Linux moves into smartphones and tablets everywhere.