The Linux Foundation Open Compliance Program Is Providing Compliance Resources for Licensing Professionals
By Karen Copenhaver, Choate, Hall & Stewart LLP, Counsel to the Linux Foundation
Linux and open source software now provide fundamental infrastructure for many of the world's most successful industries and are being used to build the most innovative technologies of our time. Open source license compliance must therefore be a focus for licensing professionals who work on transactions involving the creation, distribution, and use of such technologies. To address compliance concerns, as well as other important matters such as data security, it is necessary to know the provenance and nature of the open source components included in the software packages that are routinely delivered throughout the supply chain: which components are present, in which versions, and under which licenses. Accordingly, preparing licensing professionals to tackle these challenges efficiently is critical to ensuring their clients are positioned to realize the benefits of the rapid innovation cycles and cost reductions of Linux and open source software.
In recognition of the foregoing, and their common dependency on these essential technology building blocks, companies have come together as part of the Linux Foundation Open Compliance Program to collaborate on the continuing evolution of efficient practices for handling ever more complex data regarding the packages in use. In particular, the Software Package Data Exchange (SPDX®) and the OpenChain Workgroups are establishing and automating best practices to ease open source compliance for companies and developers.
The SPDX specification is a standard format for capturing and communicating the components, licenses and copyrights associated with a software package, for use internally and across a supply chain. The SPDX specification is developed by the SPDX Workgroup, which includes representatives from more than 20 organizations (software, systems and tool vendors, foundations and systems integrators), all working to realize the benefits of a standardized format for gathering and sharing software package data. For example, with SPDX 2.0 a device manufacturer can readily determine what open source software has been used to build the device components, what versions of that software are being used, what modules have been integrated, and how this information has changed from release to release. This allows companies to identify and understand open source compliance obligations or vulnerabilities more efficiently and to address them before shipment.
The SPDX Workgroup recently announced the release of version 2.0 of its specification, which adds a human- and machine-readable view of layered license dependencies that will make the exchange of open source component and license data even more useful and accurate. This relationship view is made possible by new features that provide a deeper level of description and context for files and packages, including files and packages described in a separate SPDX document. The result is a taxonomy of modules that can be used not only for compliance but also for identifying the files that may require updating to address potential security vulnerabilities. Other new features include the ability to relate SPDX documents to each other, making the SPDX format valuable for a broader range of internal and external uses.
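To make the preceding two paragraphs concrete, here is an added example (my own code, not tooling from the SPDX project or the Linux Foundation) that reads SPDX 2.x tag-value documents, walks the `Relationship` graph to build a bill of materials, follows an `ExternalDocumentRef` into a second document, and reports what changed between two releases. The two documents, the package names, versions, URLs and the checksum are constructed for illustration and carry only a few of the tags a full SPDX document would contain.

```python
"""Minimal reader for SPDX 2.x tag-value documents (added example, not code from
the SPDX project): builds the package graph from Relationship lines, follows
ExternalDocumentRef links, and diffs the bill of materials of two releases."""
import re
from collections import defaultdict

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
# Relationship types that make the object part of the subject's bill of materials.
COMPOSITION_RELS = {"CONTAINS", "DEPENDS_ON", "STATIC_LINK", "DYNAMIC_LINK"}

# Constructed sample documents for two releases of a hypothetical device firmware.
# Names, versions, URLs and the checksum are made up; only a few required tags are used.
HEADER = """SPDXVersion: SPDX-2.0
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
Creator: Tool: example-generator
Created: 2015-06-01T00:00:00Z
"""

def pkg(name, version, license_id):
    # One package block; the SPDXID is derived from the name purely for brevity here.
    return (f"PackageName: {name}\nSPDXID: SPDXRef-Package-{name}\nPackageVersion: {version}\n"
            f"PackageDownloadLocation: NOASSERTION\nPackageLicenseConcluded: {license_id}\n")

SPDX_RELEASE_1 = (HEADER + "DocumentName: fw-1.0\nDocumentNamespace: http://example.com/spdx/fw-1.0\n"
    + pkg("firmware", "1.0", "NOASSERTION") + pkg("libnet", "2.3", "LGPL-2.1")
    + pkg("shellutils", "1.22", "GPL-2.0") + """\
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-firmware
Relationship: SPDXRef-Package-firmware CONTAINS SPDXRef-Package-libnet
Relationship: SPDXRef-Package-firmware CONTAINS SPDXRef-Package-shellutils
""")
# Release 2 bumps libnet, swaps shellutils for mini-sh, and pulls in a package that is
# described in the vendor's own SPDX document (the SPDX 2.0 external document feature).
SPDX_RELEASE_2 = (HEADER + "DocumentName: fw-1.1\nDocumentNamespace: http://example.com/spdx/fw-1.1\n"
    + "ExternalDocumentRef: DocumentRef-vendor-sdk http://vendor.example/spdx/sdk-3.0 SHA1: 0a1b2c3d4e5f60718293a4b5c6d7e8f901234567\n"
    + pkg("firmware", "1.1", "NOASSERTION") + pkg("libnet", "2.4", "LGPL-2.1")
    + pkg("mini-sh", "0.9", "MIT") + """\
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-firmware
Relationship: SPDXRef-Package-firmware CONTAINS SPDXRef-Package-libnet
Relationship: SPDXRef-Package-firmware CONTAINS SPDXRef-Package-mini-sh
Relationship: SPDXRef-Package-firmware CONTAINS DocumentRef-vendor-sdk:SPDXRef-Package-sdk
""")

def parse_spdx(text):
    """Return (elements, relationships, external_refs): elements maps SPDXID -> tag dict,
    relationships is [(subject, type, object)], external_refs maps DocumentRef-* -> (uri, algo, digest)."""
    elements, relationships, external_refs = {}, [], {}
    current = {"kind": "Document"}  # tags before the first PackageName/FileName belong to the document
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"not a tag-value line: {raw!r}")
        tag, value = m.groups()
        if tag in ("PackageName", "FileName"):
            current = {"kind": tag[:-4], "Name": value}  # a new Package or File element begins
        elif tag == "SPDXID":
            current["SPDXID"] = value
            elements[value] = current
        elif tag == "Relationship":
            subject, rel, obj = value.split()
            relationships.append((subject, rel, obj))
        elif tag == "ExternalDocumentRef":
            ref, uri, algo, digest = value.split()
            external_refs[ref] = (uri, algo.rstrip(":"), digest)
        else:
            current[tag] = value
    return elements, relationships, external_refs

def bill_of_materials(text):
    """Map package name -> (version, concluded license) for what the document DESCRIBES plus
    everything reachable via composition relationships; a package living in another SPDX
    document is keyed by its DocumentRef-prefixed ID with the value ("external", uri)."""
    elements, relationships, external_refs = parse_spdx(text)
    edges = defaultdict(list)
    for subject, rel, obj in relationships:
        if rel in COMPOSITION_RELS:
            edges[subject].append(obj)
    stack = [obj for subject, rel, obj in relationships
             if subject == "SPDXRef-DOCUMENT" and rel == "DESCRIBES"]
    bom, seen = {}, set()
    while stack:
        spdx_id = stack.pop()
        if spdx_id in seen:
            continue
        seen.add(spdx_id)
        if ":" in spdx_id:  # DocumentRef-x:SPDXRef-y points into an external document
            doc_ref = spdx_id.partition(":")[0]
            if doc_ref not in external_refs:
                raise ValueError(f"{spdx_id} refers to an undeclared document")
            bom[spdx_id] = ("external", external_refs[doc_ref][0])
            continue
        el = elements[spdx_id]
        if el["kind"] == "Package":
            bom[el["Name"]] = (el.get("PackageVersion", "NOASSERTION"),
                               el.get("PackageLicenseConcluded", "NOASSERTION"))
        stack.extend(edges[spdx_id])
    return bom

def diff_releases(old_text, new_text):
    """Components added, removed, or changed (version or license) between two documents."""
    old, new = bill_of_materials(old_text), bill_of_materials(new_text)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": {n: (old[n], new[n]) for n in sorted(set(old) & set(new)) if old[n] != new[n]}}

if __name__ == "__main__":
    print(diff_releases(SPDX_RELEASE_1, SPDX_RELEASE_2))
```

The reader deliberately stops at the document boundary: an element addressed as `DocumentRef-x:SPDXRef-y` is reported together with the URI of the document it lives in, so the checksum recorded on the `ExternalDocumentRef` line can be verified before that document is fetched and merged. Multi-line `<text>...</text>` values and the `File`-level license tags are not handled here, so a real SBOM would need a full SPDX parser.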
The OpenChain Workgroup is a community effort to standardize common best practices for open source software management, so that compliance with open source licenses can be achieved efficiently and effectively. It is intended both to improve the performance of all participants in the supply chain, where many compliance failures originate, and to reduce costs by avoiding duplication of effort. The OpenChain Workgroup's output will be a baseline process that companies and developers can customize as they see fit. OpenChain will start by drawing on existing best practices in the Linux ecosystem, such as those of the Debian project, to provide an initial set of guidelines to be used as a basis for monitoring and developing compliance programs. A standard approach to compliance processes will benefit both suppliers and their customers. Suppliers have been slow to implement processes because of the confusing and conflicting requirements they receive from their various customers. A consistent approach and set of requirements reduces that friction and relieves both suppliers and customers of the burden of repetitive audits, since a single third-party audit can be conducted against the common standard. Founding members of the OpenChain Workgroup include ARM, Qualcomm, Samsung, SanDisk and Wind River.
The Linux Foundation supports the world's top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company.