I’m excited to debut the Compliance Blog with a launch announcement of The Linux Foundation’s Open Compliance Program. The program was kicked off formally with Executive Director Jim Zemlin’s keynote at LinuxCon in Boston but has been gestating for months.
We’ve pulled together multiple services and products to ease the task of open source license compliance: training, white papers, tools, a self-assessment checklist, a community forum, a compliance data exchange standard, and a directory of corporate compliance contacts to enable rapid response to compliance inquiries. The end goal is to encourage even more adoption of open source by making compliance more efficient and less daunting to achieve.
In a nutshell, we’ll be offering the following resources:
- Training: Three classes that cover in varying levels of detail the fundamentals of open source licensing and compliance activities and can be tailored for audiences ranging from corporate executives to working professionals. On-site and remote live instructor-led classes will encourage frank and open discussion about compliance requirements and recommended practices.
- Tools: The Foundation has developed or supported compliance tools that complement commercial open source scanning products: A code dependency checker and bill of materials difference checker to define the locus of compliance activity; a “code janitor” tool to help clean up source code before distribution to the open community; the FOSSology tool that identifies license and copyright data in code it scans; and the Binary Analysis Tool from binaryanalysis.org that discovers what components were used to create compiled code.
- The Software Package Data Exchange (SPDX)(TM) Working Group that is creating a set of data exchange standards for companies to use in disclosing open source packages and applicable licenses when they release software.
- The FOSSBazaar site to serve as a community forum for compliance managers to share process approaches and compliance information.
- A Self-Assessment Checklist of recommended compliance practices that companies can use internally to gauge their progress in implementing a rigorous and disciplined compliance program.
- A Compliance Directory and Rapid Alert System to facilitate communication with company compliance officers when open source projects or copyright holders note concerns about use of their open source software. The Linux Foundation will assist, where appropriate, in establishing contact with company compliance officers to avoid communication breakdowns that might escalate into conflict.
Some of these services and products will be made available immediately, such as the tools and the Compliance Directory. The training classes will be offered starting September 1, the Self-Assessment Checklist during Q4. Please consult our Compliance website for forthcoming announcements and, of course, stay tuned to this blog for word about availability.
As Director of the Open Compliance Program, I’ll be blogging here about compliance topics of common interest: the role of the Open Source Review Board; diligence to require of third party suppliers to back up their open source disclosures; what methods of sharing software trigger license obligations; and so on. I hope that the readers will weigh in with their opinions and expertise. There’s a basic paradox we can overcome collectively: Compliance officers could benefit greatly by exchanging perspectives and approaches, but their companies often squelch any discussion of compliance standards or hint of compliance problems. The Open Compliance Program will serve as a neutral and trusted resource to aggregate data about compliance approaches and issues, and share information in a manner that preserves company confidentiality.
I welcome your input on ways to make the Open Compliance Program useful and hope you’ll help build a compliance community that benefits our common enterprise.