The following is adapted from Open Source Compliance in the Enterprise by Ibrahim Haddad, PhD.
An open source management program provides a structure around all aspects of open source software. This includes a strategy and processes around software selection, approval, use, distribution, audit, inventory, training, community engagement, and public communication.
This series of articles will provide a high-level overview of the various elements in an open source management program, survey the challenges in establishing a new open source license compliance program, and provide advice on how to overcome those challenges.
We’ll begin with an overview of open source strategy and processes, two of the seven core elements needed in a successful open source compliance program, seen in the figure above.
Compliance strategy
The open source compliance strategy drives the business-based consensus on the main aspects of the policy and process implementation. If you do not start with that high-level consensus, driving agreement on the details of the policy and on investments in the process tends to be very hard, if not impossible.
The strategy establishes what must be done to ensure compliance and offers a governing set of principles for how personnel interact with open source software. It includes a formal process for the approval, acquisition, and use of open source, and a method for releasing software that contains open source or that’s licensed under an open source license.
Inquiry Response Strategy
The inquiry response strategy establishes what must be done when the company’s compliance efforts are challenged. Several companies have received negative publicity — and some were formally challenged — because they ignored requests to provide additional compliance information, did not know how to handle compliance inquires, lacked or had a poor open source compliance program, or simply refused to cooperate with the inquirer. None of these approaches is fruitful or beneficial to any of the parties involved.
Therefore, companies should have a process in place to deal with incoming inquiries, acknowledge their receipt, inform the inquirer that they will be looking into it, and provide a realistic date for follow-up.
Policies and Processes
An open source compliance policy is a set of rules that govern the management of open source software (both use of and contribution to). Processes are detailed specifications as to how a company will implement these rules on a daily basis.
Compliance policies and processes govern the various aspects of using, contributing, auditing, and distribution of open source software. See the figure below for a sample compliance process, with the various steps each software component will go through as part of the due diligence.
Next week, we’ll cover two more key elements to an open source management program: staffing a compliance team and the tools they use to automate and audit open source code.
Read the first article in this series:
An Introduction to Open Source Compliance in the Enterprise
Read the next articles in this series:
The 7 Elements of an Open Source Management Program: Teams and Tools
How and Why to do Open Source Compliance Training at Your Company
Basic Rules to Streamline Open Source Compliance For Software Development