Linux Foundation launches Open Compliance Program
The Linux Foundation has announced the launch of the Open Compliance Program, an initiative to help companies comply with open source licences through the use of tools, training, self-assessment and a standard format for reporting license information. Jim Zemlin, executive director of the Linux Foundation, said that the mission of the Foundation was to expand the use of free and open source software, "so we created this program to give companies the information, tools and processes they need to get the most out of their investment, while maintaining compliance with the licenses governing the software."
The program is supported by a large number of companies, with the founding participants including Adobe, AMD, ARM, Cisco, Google, HP, IBM, Intel, Motorola, NEC, Nokia, Novell, Samsung and Sony. Free and open source software organisations such as the Open Source Initiative, the Software Freedom Law Center, gpl-violations.org and the Codeplex Foundation also support the initiative, as well as compliance vendors such as Black Duck, Palamida and Open Logic.
"We welcome the new efforts by The Linux Foundation to encourage all parties in the Free Software world to consistently and carefully follow these rules," said gpl-violations.org founder Harald Welte. Eben Moglen, founder of the SFLC, noted that "Compliance with free software licensing requirements is much easier for product manufacturers and distributors than certain industrial competitors want you to believe" and added that the program should "allow any organisation to meet its FOSS license compliance responsibilities completely, at very low cost".
The Open Compliance Program has six elements. Most notable is a directory of corporate open source compliance officers. Although billed as a directory, it is in fact a mechanism for open source developers to use the Linux Foundation as a route to contact a company's open source compliance officers, with the Foundation passing on the request. The Foundation believes that this will allow developers to get in touch with the appropriate party much more quickly. It also plans to use the list for rapid alerts on important issues. Compliance officers can register to be added to the directory.
Another element of the program is SPDX, a workgroup set up within the Foundation to create a specification for companies and organisations to share license information about software packages. This, it is hoped, will enable easier licence compliance by allowing for simpler management and automation, especially in the consumer electronics industry where manufacturers build devices from components sourced from many suppliers.
Tools from the Linux Foundation for checking dependencies and differences in the BoM (bill of materials), and a review tool for scanning code which may reveal company plans, are designed to ease the process of due diligence on open source code. The Foundation has released early versions of two of the tools as open source and is looking for community involvement in enhancing them.
Companies will be able to use a self-assessment check-list of best practices for open source compliance programs. The check-list will be launched later in the year.
Training and education is another element of the program, with the Linux Foundation offering courses and free white papers on open source licensing and compliance. The Foundation is incorporating these resources into the existing FOSSBazaar work group, which will act as a community for the program, a community being the last of the six elements of the program.