Linux Foundation Launches Open Compliance Program
The Linux Foundation on Aug. 10 announced the launch of the Open Compliance Program, which it described as "a comprehensive initiative that includes tools, training, a standard format [in which] to report software licensing information, consulting and a self-assessment checklist that will help companies comply with open-source licenses."
The Linux Foundation, a self-described "nonprofit organization dedicated to accelerating the growth of Linux," made the announcement at the LinuxCon event in Boston.
The goals of the Open Compliance Program include "increasing adoption of open source and decreasing legal FUD [fear, uncertainty and doubt] present in the marketplace," the organization said.
The statement continued:
"As the use of Linux and other open source software has exploded in recent years, especially in mobile and consumer electronics products, the need has arisen for a trusted, neutral, non-commercial compliance program that offers a comprehensive offering of compliance training, tools and services. With today's complex supply chains, it can be difficult to keep up with the code and licenses present in shipping products.
To address that complexity, The Linux Foundation has developed a set of tools, training curricula and a new self-administered assessment checklist that will allow companies to meet open source license obligations in a cost-effective and efficient manner. The Open Compliance Program also includes a new data exchange standard so companies and their suppliers can easily report software information in a standard way, a crucial missing link in the compliance landscape.
Founding participants of the program include enterprise computing and consumer electronics giants Adobe, AMD [Advanced Micro Devices], ARM Limited, Cisco Systems, Google, HP [Hewlett-Packard], IBM, Intel, Motorola, NEC, Nokia, Novell, Samsung, Software Freedom Law Center, Sony Electronics and more than 20 other companies and organizations."
"Efforts like the Open Compliance Program from the Linux Foundation can make the difference between healthy open source use and chaos," Chris DiBona, open-source and public sector engineering manager at Google, said in a statement. "Google is happy to see the Linux Foundation creating this program to assist people with this complicated subject."
"By creating the Open Compliance Program, The Linux Foundation once again has stepped up to the challenge of providing the unifying force in an arena experiencing explosive growth, while decreasing the FUD around Linux and open source," Dan Frye, vice president of Open Systems Development at IBM, also said in a statement. "IBM proudly supports the Open Compliance Program, which is an invaluable step in furthering the standards, tools, training and certification so needed by the industry."
In an Aug. 10 blog post, Jim Zemlin, the executive director of the Linux Foundation, said, "We have the collective experience of our staff as well as the ability to galvanize our members to deliver information, training, tools and a standard that will help the industry coalesce around best practices and save money at the same time. Just as in open source, we feel collaborative development and reuse of resources in compliance matters will deliver great efficiencies of scale. We fully expect the Open Compliance Program to deliver real cost savings to all who participate as well as enable companies to fulfill their license obligations."
In the Linux Foundation's statement, Eben Moglen, founder and chairman of the Software Freedom Law Center, said, "Free software licenses are designed to make it easy to copy, modify and redistribute software, commercially and non-commercially. But strong operational compliance engineering measures still play a crucial role, making risk avoidance both inexpensive and wholly effective. The Linux Foundation's Open Compliance Program will make best operational practices for compliance accessible to all and will help commercial and non-commercial parties work together to improve those practices still further. Participation in this program, along with necessary legal advice and training, should allow any organization to meet its FOSS [free and open-source software] license compliance responsibilities completely, at very low cost."
Ease of use and low cost appear to be the themes of the Open Compliance Program. Zemlin said in his blog:
"I also want to be very clear: complying with open source licenses is actually easier than complying with proprietary ones. (One reason: there is no money involved.) There are countless software audits of users every year, and settlements often range in the tens of millions for large companies. You may not have heard about those cases since they do not get the attention the very few open source cases do, but make no mistake, complying with proprietary licenses is not easy or cheap."
The Linux Foundation's statement said, "The six elements of The Linux Foundation's Open Compliance Program are: training and education ... tools ... [a] self-assessment checklist ... the SPDX [Software Package Data Exchange] standard and workgroup ... a compliance directory and rapid alert system ... [and] community."
The tools include a Dependency Checker, "capable of identifying code combinations at the dynamic and static link level. In addition, the tool offers a license policy framework that enables FOSS Compliance Officers to define combinations of licenses and linkage methods that are to be flagged if found as a result of running the tool."
Also, a new tool called the Code Janitor "provides linguistic review capabilities to make sure developers did not leave comments in the source code about future products, product code names, mention of competitors" and similar subjects, the Linux Foundation statement said. "The tool maintains a database of keywords that are scanned for in the source code files to ensure code released is safe and ready for public consumption."
Another tool in the works is the Bill of Material Difference Checker, "capable of reporting differences between BoMs and therefore enabling companies to identify changed source code components and to better report included open-source components in updated product releases. Development on the BoM Difference Checker will begin in late 2010."
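The two tool descriptions above (the Dependency Checker's license-and-linkage policy flagging, and the BoM Difference Checker's reporting of changed components) can be illustrated together with a small worked example. The code below is an added example written for this page; it is not code from the Linux Foundation's Open Compliance Program or from any of its tools. The component record, the policy format (a list of SPDX license identifier and linkage-method pairs to flag when the product itself is proprietary), the two release BoMs and the helper names are all constructed here for illustration.

```python
"""Added example, not Open Compliance Program code: a toy license/linkage
policy checker plus a BoM (bill of materials) difference checker.
All data and names below are constructed for illustration."""
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str   # SPDX license identifier, e.g. "GPL-3.0-only"
    linkage: str   # how the product combines with it: "static", "dynamic" or "separate"

# Constructed policy for a product shipped under a proprietary license:
# (license, linkage) pairs to flag; linkage "any" matches every linkage method.
DEFAULT_POLICY: List[Tuple[str, str]] = [
    ("GPL-2.0-only", "any"),
    ("GPL-3.0-only", "any"),
    ("LGPL-2.1-only", "static"),   # LGPL is usually tolerated only as a dynamic link
]

def _rule_matches(rule: Tuple[str, str], comp: Component) -> bool:
    license_id, linkage = rule
    return comp.license == license_id and linkage in ("any", comp.linkage)

def check_policy(bom: List[Component], policy=DEFAULT_POLICY) -> List[Tuple[str, str, str]]:
    """Return (name, license, linkage) for every component that hits a policy rule."""
    return [(c.name, c.license, c.linkage)
            for c in bom if any(_rule_matches(r, c) for r in policy)]

def diff_boms(old: List[Component], new: List[Component]) -> Dict[str, object]:
    """Report added, removed and changed components between two BoMs.
    'changed' maps a component name to the fields that differ, as (old, new) pairs."""
    old_by_name = {c.name: c for c in old}
    new_by_name = {c.name: c for c in new}
    added = sorted(set(new_by_name) - set(old_by_name))
    removed = sorted(set(old_by_name) - set(new_by_name))
    changed: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for name in sorted(set(old_by_name) & set(new_by_name)):
        o, n = old_by_name[name], new_by_name[name]
        diffs = {f.name: (getattr(o, f.name), getattr(n, f.name))
                 for f in fields(Component)
                 if f.name != "name" and getattr(o, f.name) != getattr(n, f.name)}
        if diffs:
            changed[name] = diffs
    return {"added": added, "removed": removed, "changed": changed}

def components_needing_review(old: List[Component], new: List[Component],
                              policy=DEFAULT_POLICY) -> List[Tuple[str, str, str]]:
    """Run the policy only over what changed since the last release: new components
    and components whose version, license or linkage moved."""
    d = diff_boms(old, new)
    new_by_name = {c.name: c for c in new}
    to_review = [new_by_name[n] for n in list(d["added"]) + sorted(d["changed"])]
    return check_policy(to_review, policy)

# Constructed BoMs for two successive releases of a hypothetical product.
RELEASE_1 = [
    Component("zlib", "1.2.5", "Zlib", "static"),
    Component("libpng", "1.4.3", "Libpng", "static"),
    Component("readline", "6.1", "GPL-3.0-only", "dynamic"),
    Component("libxml2", "2.7.7", "MIT", "dynamic"),
]
RELEASE_2 = [
    Component("zlib", "1.2.5", "Zlib", "static"),
    Component("libpng", "1.4.4", "Libpng", "static"),          # version bump
    Component("libedit", "3.0", "BSD-3-Clause", "dynamic"),    # replaces readline
    Component("libxml2", "2.7.7", "MIT", "static"),            # linkage changed
    Component("libusb", "1.0.8", "LGPL-2.1-only", "static"),   # new, statically linked LGPL
]

if __name__ == "__main__":
    print("release 1 policy hits:", check_policy(RELEASE_1))
    print("release 2 policy hits:", check_policy(RELEASE_2))
    print("BoM diff:", diff_boms(RELEASE_1, RELEASE_2))
    print("needs review in release 2:", components_needing_review(RELEASE_1, RELEASE_2))
```

The diff records which fields moved rather than just that something moved, because a linkage change (libxml2 going from dynamic to static above) can alter license obligations even when version and license are unchanged; a checker that keys only on version would miss it. Running the policy over the diff output rather than the whole BoM is what lets an updated release be re-reviewed incrementally.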
Meanwhile, Zemlin said there are three things everyone should bear in mind about the Open Compliance Program:
"1. It will lower costs for every company who uses open source by giving training, a guidebook of best practices and access to resources to make it much simpler to comply with license obligations.
2. It will help spread the use of open source software as it will eliminate the very few legal cases and most importantly the FUD around legal compliance that some vendors like to spread.
3. It's a collaborative project. The tools are open source and we welcome participation in making them better. The SPDX workgroup welcomes participation from all in the consumer electronics supply chain. Please download our resources and sign up to receive the checklist and give us your best practices at compliance (at) linuxfoundation dot org."