Establishing Free and Open Source Software Compliance Programs: Challenges and Solutions
July 2010
By Ibrahim Haddad, Ph.D.
Executive Summary
This white paper is the second in a series that focuses on the practical aspects of ensuring free and open source software (FOSS) compliance in the enterprise. The first paper, entitled “FOSS Compliance: The Basics You Must Know”, available from the Linux Foundation web site [1], provided a discussion on the multi-source development model, the need for compliance, objectives and benefits, the consequences of non-compliance, possible compliance failures, how to avoid them and lessons learned.
This paper picks up from where the first paper left off and provides a discussion on the following topics:
• The elements of a successful compliance program that will allow a company to capture, govern and track all software components (proprietary, 3rd party commercial and FOSS) included in its commercial products.
• The list of common challenges related to establishing and maintaining compliance programs, and how to overcome these challenges and ensure successful compliance program implementation.
[1] http://www.linuxfoundation.org/collaborate/publications
Introduction
FOSS initiatives and projects provide companies with a vehicle to accelerate innovation through collaboration with the global community of FOSS developers. However, accompanying the benefits of teaming with the FOSS community are important responsibilities: companies must ensure compliance with applicable FOSS license obligations.
The first half of this paper discusses the elements of a successful compliance program that allows companies to capture, govern, and track all FOSS components included in their commercial products. The second half of the paper lists the common challenges companies face when establishing and maintaining their compliance programs and proposes various solutions to overcome these challenges.
Elements of a Compliance Program
The compliance program provides a structure around all aspects of FOSS including selection, approval, use, distribution, audit, inventory, training, community engagement, and public communication.
FIGURE 1. ESSENTIAL ELEMENTS OF A SUCCESSFUL COMPLIANCE PROGRAM
Figure 1 illustrates the core elements needed in a successful FOSS compliance program, which include:
• Strategy and inquiry response strategy
• Policies and processes for using, contributing, distributing, and auditing FOSS and for fulfilling license obligations
• Compliance teams (core and extended)
• Tools to assist in compliance verification and assurance
• Educational programs and training
• Automation to ensure efficient program execution
• Messaging, internally within your organization and externally towards the FOSS community
• Relationships with the FOSS projects and FOSS organizations
In the following sections, we will provide a brief overview of each of these essential elements in a FOSS compliance program.
Compliance Strategy
A compliance strategy drives a business-based consensus on the main aspects of the policy and process implementation. If you do not start with that high-level consensus, driving agreement on the details of the policy and investments in the process tends to be very hard if not impossible. The compliance strategy establishes what must be done to ensure compliance and offers a governing set of principles for how personnel interact with FOSS. It includes a formal process for the approval, acquisition, and use of FOSS, and a method for releasing software containing FOSS or licensed under a FOSS license.
Inquiry Response Strategy
An inquiry response strategy establishes what must be done when the company receives a compliance inquiry or when the company’s compliance efforts are being challenged. Several companies received negative publicity and/or were sued because they ignored requests to provide compliance information, did not know how to handle compliance inquiries, lacked or had a poor compliance program, or simply refused to cooperate because they assumed the FOSS licenses are not enforceable. We know that none of these approaches is fruitful or beneficial to any of the parties involved. Therefore, companies should not ignore compliance inquiries; instead, they should acknowledge the receipt of the inquiry, inform the reporter that they will be looking into it, and provide a certain date on when to expect a follow-up. Informal compliance inquiries can include requests such as:
• A request for access to source code following a written offer to provide source code licensed under GPL, LGPL and/or other licenses that require making such an offer to the end users
• A request for information regarding use of a specific FOSS project in a product
• A request for an update to the attribution and/or copyright notice that possibly was lacking or incomplete
• A request to provide missing files from the FOSS packages made available as part of meeting the license obligations
Figure 2 presents a sample process that illustrates the steps a compliance inquiry should go through from the time a company receives the inquiry until the inquiry is resolved. The following sub-sections describe what happens in each step of the compliance inquiry process.
FIGURE 2. PROCESS OF RESPONDING TO INCOMING COMPLIANCE INQUIRIES
Acknowledge
Once you receive the compliance inquiry, you should reply informing the inquirer that you have received their email and that you will look into it and get back to them in a timely fashion. It is important to understand the reporter, their motivation, and to verify whether their accusation is accurate or even current. Furthermore, not every reporter understands licenses fully and sometimes there may be mistakes in their submissions. If you are missing information as submitted by the inquirer, you would request additional information from them to help you isolate the precise problem. The minimum set of information reported should include:
• The name of the product affected
• The name and version of the software component in question
• The reason why a violation is believed to exist
• A statement regarding what license this code is under
Inform
Companies must keep an open dialog with the compliance inquiry reporter. As a company that maintains rigid compliance practices, you should highlight your compliance program and practices, and show good faith efforts toward compliance. Inform the inquirer about your compliance program and practices and assure them that you will investigate their concern. It is also advisable to send updates of your internal investigation when they are available.
• Confirm you have received the report
• Confirm that you treat compliance inquiries seriously and consider achieving compliance as part of the development process
• Highlight your compliance program
• Inform the reporter that you are investigating and will report back on your findings within x number of days
Investigate
In this step, you investigate the reported allegation. Ideally, you can refer back to compliance records for the specific product and software component in question, review them, and verify whether the compliance record agrees or disagrees with the inquiry.
Report
After concluding the internal investigation (within acceptable time delays) through the review of the compliance due diligence completed for the specific software component (or product) in question, you need to provide the reporter with the results.
Close Inquiry
If the compliance inquiry was a false alarm, you will close the compliance inquiry ticket without any further action after ensuring that the inquirer is satisfied with your response.
Rectify
If the investigation uncovers a compliance issue, you will report back to the inquirer with the assurance that you will take all the necessary steps needed to bring your product back to compliance, while specifying a date by which you expect to complete this task. It is your responsibility to resolve the issue with the reporter, while being collaborative and showing goodwill. You need to understand the obligations under the applicable license and show how and how soon you will meet the obligations.
Improve
If there is a compliance issue, you will call for an OSRB meeting to discuss the case, learn how this non-compliance occurred, and improve existing processes and practices to ensure that such errors do not happen again.
Policies and Processes
A policy is a set of rules for the use and management of FOSS in your organization. Processes are detailed specifications as to how a company will implement these rules on a daily basis. Compliance policies and processes govern the various aspects of using, contributing, auditing, and distributing FOSS.
Figure 3 illustrates an example end-to-end compliance process that includes the various steps a software component goes through before the OSRB approves its acceptance into the build system and integration with the software product. We will have a separate paper that discusses the policies and processes invoked when FOSS is included in a commercial product, in addition to a detailed discussion around the end-to-end compliance process.
FIGURE 3. SAMPLE COMPLIANCE DUE-DILIGENCE PROCESS
Compliance Teams
Compliance teams consist of various individuals tasked with the mission of ensuring FOSS compliance. Figure 4 presents the individuals and teams responsible for achieving FOSS compliance.
FIGURE 4. INDIVIDUALS AND TEAMS INVOLVED IN FOSS COMPLIANCE
There are two teams involved in achieving compliance: the core team and the extended team (Figure 4). The core team, often called the Open Source Review Board (OSRB), consists of representatives from engineering and product teams, one or more legal counsels, and the Compliance Officer. The extended team consists of various individuals across multiple departments that contribute on an on-going basis to the compliance efforts: Documentation, Supply Chain, Corporate Development, IT, Localization and the Open Source Executive Committee (OSEC). However, unlike the core team, members of the extended team only work on compliance on demand, based on tasks they receive from the OSRB. In a future paper, we will discuss in detail the roles and responsibilities of each individual or team involved in ensuring FOSS compliance.
Tools
The OSRB deploys and uses several tools to automate and facilitate the auditing of source code and the discovery of source code and licenses. These tools include:
• A compliance project management tool to manage the compliance project and track tasks and resources
• A software inventory tool to keep track of every single software component, its version, the products that use it, its linkage method, and other important information
• A source code and license identification tool to identify source code included in the build system and its licenses
• A dependency checker tool to identify the interactions of any given software component with other software components used in the product
• A source code peer review tool to review the changes introduced to the original source code before it gets published as part of meeting license obligations
• A bill of materials (BoM) difference tool to identify the changes introduced to the BoM of any given product between two different builds
In a future paper, we will discuss these tools and explain how they contribute to ensuring FOSS compliance in a very efficient and accurate way.
Web Presence
Companies use portals in two directions: inwards, inside the company, and outwards as a window to the world and the FOSS community. The internal portal houses the compliance policies, guidelines, documentation and training, and hosts discussion forums, announcements, and access to mailing lists. The external portal offers a platform for the company towards the world and the FOSS community, and a venue to post all the source code of the FOSS packages they use, in fulfillment of their license obligations.
Education
Education is an essential building block in a compliance program to ensure that employees have a good understanding of the policies governing the use of FOSS. All personnel involved in the development, quality assurance, release and maintenance of software need to understand the compliance program.
The goal of providing FOSS and compliance training is to raise awareness of FOSS policies and strategies and to build a common understanding around the issues and facts of FOSS licensing. Training also serves as a venue to publicize and promote the compliance policy and processes within the organization and to promote a culture of compliance. There are formal and informal training methods; formal methods may include instructor-led training courses where employees have to pass an exam to pass the course; informal methods may include webinars, brown bag seminars, and presentations given to new hires as part of the new employee orientation session.
Informal Training
• Brown bag seminars: Brown bag seminars are usually presentations done during lunchtime by either a company employee (in-house legal counsel, FOSS expert, compliance officer, etc.) or an invited speaker (most commonly a prolific FOSS developer). The goal of these seminars is to present and evoke discussions about the various aspects of incorporating FOSS in a commercial product. These sessions can also include discussions of the company’s compliance program, policies, and processes.
• New employee orientation: In some instances, the Compliance Officer presents the company’s compliance efforts, rules, policies, and processes to all new employees as part of the new employee orientation session. As such, on their first day, new employees would receive a 30 minute training on FOSS and compliance. As a result, the new employees will have all the necessary information they need: who to talk to, what internal website to visit, how to sign up for FOSS and compliance training, etc.
Formal Training
Depending on the size of the company and the extent to which FOSS is included in its commercial offerings, the company can mandate that its employees working with FOSS take formal instructor-led courses and pass the evaluation. This section provides recommendations on four essential training courses:
• Introduction to FOSS: The course provides an overview of FOSS, its characteristics in comparison to proprietary software and freeware, and presents an in-depth discussion on the FOSS development model, the FOSS community, and FOSS licenses. In addition, the course examines the benefits and risks of adopting FOSS and using it in commercial products and introduces compliance and license obligations.
• Compliance Processes and Policies: This course provides the necessary background information on compliance policies, processes, and procedures. The focus of the course is on the compliance practices and techniques adopted by the company to allow you to ship a product containing FOSS while meeting all license obligations, without putting the Company’s intellectual property or that of your third party software providers at risk. Furthermore, the training provides a demonstration of how to fill out the OSRB form and provides information about available FOSS guidelines.
• Working with the FOSS Community: This course provides information on the FOSS development model, best practices on interacting with the FOSS community, driving contributions to mainline, cultural aspects and general advice on working with the community.
• Engineering Guidelines for Using FOSS: This course provides guidelines for system architecture and a description of how the company’s policies apply to particular engineering situations (user space versus kernel space, dynamic versus static linkage, device drivers, etc.).
Automation
Engineers requesting to use or contribute to FOSS will be requested to submit forms built around templates designed by the Open Source Review Board (OSRB). An efficient, automated system includes electronic forms, templates, and workflows. This automation allows the OSRB to manage all “paperwork” related to compliance electronically. We will discuss this topic, along with tools, in a separate future paper.
Messaging
Messaging is an integral part of any compliance program. It consists of internal and external messaging. The single most important recommendation with respect to messaging is to be clear and consistent in your messaging, whether it is internally explaining the company’s goals and concerns around FOSS to your employees, or externally toward the FOSS community.
Compliance Challenges and Solutions
In the following sections, we will discuss the challenges companies face when establishing a compliance program and offer recommendations on how to overcome these challenges via an operationally focused approach. Some of the most common challenges include:
1. Creating a compliance program while achieving the right balance between processes and product ship deadlines
2. Thinking long term, while executing short term
3. Communicating compliance
4. Establishing a clean software baseline for version 1.0 products
5. Maintaining compliance for evolving products
6. Institutionalizing and sustaining compliance efforts
Challenge #1: Creating a Compliance Program
The first challenge is to create the compliance program and its supporting infrastructure while achieving the right balance between following processes and meeting product ship deadlines. There are various approaches that can help overcome this challenge and assist in the creation of a lightweight program that is not seen as a burden to the development activities.
Proposed Solutions
Executive Support
It is important to have executive level commitment to compliance. An executive sponsor for compliance is a necessity to ensure its success and continuity.
Lightweight Policies and Processes
Processes and policies are important; however, they have to be light and efficient so that the engineering teams do not regard them as overly burdensome to the development process. You must avoid requiring engineers to spend more time than necessary on compliance activities. You need to establish two important building blocks: first, a simple and clear compliance policy, and second, a lightweight compliance process, both well communicated across the company.
Mandate Basic Rules
As part of putting the compliance program in place, you will need to mandate some simple rules that everyone must follow, such as:
• Mandate the OSRB usage form for any FOSS: The OSRB usage form is the entry point into the compliance due diligence for any incoming FOSS or incoming third party software to the company. It is essential that engineers fill out the OSRB usage form for every FOSS project they intend to use in any product.
• Mandate compliance code inspections as part of the software development process.
• Mandate design reviews as part of the existing software development process.
• Mandate architecture reviews and code inspections to understand how software components are inter-related and to discover license obligations that can propagate from FOSS to proprietary software.
• Mandate due diligence on software received from third party software providers: If a FOSS package is included in a third party component in a product, the engineer selecting the third party software, the third party software management team and the third party software vendor should work together to prepare the usage form for submission to the OSRB.
Integrate Compliance in the Development Process
The most successful way to establish compliance is to incorporate the compliance process and policies, checkpoints and activities as part of the existing software development process. This method ensures that compliance is part of the software development process and not an activity that is either an overhead to development, or an activity that is trying to catch up with development (in terms of speed and coverage).
Challenge #2: Long-Term Goals versus Short-Term Execution
Figure 1 described the essential elements needed for a successful compliance program. Some may be overwhelmed by the amount of work needed to implement such a complete program. In reality, it is actually not all that difficult because you do not have to implement everything mentioned in Figure 1 at the same time.
The priority of all companies is to ship the product on time while building and expanding their internal FOSS compliance infrastructure. Therefore, you should expect to build your compliance infrastructure as you go, keeping in mind its scalability for future activities and products.
Proposed Solutions
• Plan a complete compliance infrastructure to meet your long-term goals, and then implement the pieces needed for short-term execution. For instance, if you are just starting to develop a product that includes FOSS and do not have any compliance infrastructure yet, your immediate concern may be, for example, establishing a compliance team, process and policy, tools and automation, and training your employees. Once you kick off these activities (in that order) and you have a good grip on the build system (from a compliance perspective), you can move to the other program elements.
• Establish lightweight policies and processes (discussed earlier)
• Incorporate compliance as part of the development process (discussed earlier)
Challenge #3: Communicating Compliance
Communication is essential to ensure the success of the compliance activities. There are two aspects of the communication activities: internal to the company and external towards the FOSS community and the industry.
Internal Communication
Companies need internal compliance communication to ensure that employees are aware of what is involved when they include FOSS in a commercial product and to ensure that they are educated about the company’s compliance policies, processes, and guidelines. Internal communications can take one of several forms:
• All-hands meetings are a great venue for executives to show their support and endorsement of the compliance activities and to ask their employees to follow company policies and processes.
• Formal training mandated for all employees working with FOSS.
• Hosting brown-bag FOSS and compliance seminars is a successful way to bring additional compliance awareness.
• Establishing an internal FOSS portal that will host the company’s compliance policies and procedures, FOSS related publications and presentations, mailing lists, and a discussion forum related to FOSS and compliance.
• Some companies issue a company-wide FOSS newsletter periodically that focuses on compliance and news around FOSS.
External Communication
Furthermore, companies need external compliance communications to ensure that the FOSS community is aware of their efforts to meet the license obligations of the FOSS they are using in their commercial products. External communications can take one of several forms:
• Website dedicated to FOSS: The website is a main channel for distribution of FOSS packages (and modifications) and usually hosts a discussion forum or mailing lists.
• Reaching out to and supporting FOSS organizations such as the Free Software Foundation: Such activities are important to help the company build relationships with FOSS organizations, understand the roles of these organizations, and contribute to their efforts.
• Participation in FOSS events and conferences: Participation can be at various levels ranging from sponsoring an event, to contributing presentations and publications, or simply sending engineers to attend and meet FOSS developers and foster new relationships with the FOSS community members.
Challenge #4: Establishing a Clean Software Baseline
One of the initial challenges with compliance programs is to find out exactly what FOSS is in use, how it is licensed and where in your products or platform it is being used. Furthermore, the challenge revolves around establishing a clean software baseline for your product or software platform. This is an intensive activity over a period of time that can extend for months, depending on how soon you started the compliance activities in parallel to the development activities.
Proposed Solutions
Companies achieve initial compliance through the collection of the following activities:
• Early submission and review of OSRB usage forms
• Audits on the source code
• Due diligence on the use of FOSS by third party software providers
• Design reviews and code inspections to analyze the interaction between FOSS, proprietary code and third party software components
• Updated documentation to inform users how to obtain a copy of the FOSS
If a company fails to establish baseline compliance, it is almost a guarantee that future revisions of the same product (or other products built using the initial baseline) will have compliance issues.
• Offer simple but enforced policies and lightweight processes (discussed earlier)
• Include compliance checkpoints as part of the software development process (discussed earlier)
• Ensure availability of a dedicated compliance core team that consists of the Compliance Officer, Legal Counsel and Engineering representatives (we will discuss roles and responsibilities in a future paper)
• Utilize tools and automation to support efficient processing of compliance tickets
Challenge #5: Maintaining Compliance
There are several challenges in maintaining open source compliance, similar to those faced when establishing baseline compliance. In fact, many of the steps are the same but on a smaller scale. Maintaining compliance is a continuous effort and is a comparatively small incremental effort that depends on discipline and commitment to build compliance activities into existing engineering and business processes.
Figure 5 illustrates the concept of incremental compliance, whereby you need to ensure compliance of whatever source code changes took place between the initial compliant baseline and the current version.
FIGURE 5. EXAMPLE OF INCREMENTAL COMPLIANCE
Proposed Solutions
Companies maintain compliance through the collection of the following activities:
• Early submission and review of OSRB usage forms
• Continuous enforcement of the basic rules, e.g. engineers must receive approval before integrating a FOSS component into the build system
• Continuous audits of all source code integrated into the code base regardless of its origin (FOSS, third party or proprietary)
• Continuous improvement of the tools used in ensuring compliance, and automating as many activities as possible to ensure high efficiency in executing the compliance program
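As an added illustration of the BoM difference tool listed under Tools and of the incremental compliance idea in Figure 5 (example code written for this edit, not the paper's or any vendor's tool), the following Python script diffs two constructed bills of material from a baseline build and a current build and reports only the deltas that need to go back through OSRB review. The license grouping and the review rules are assumptions made for the example.

```python
"""
BoM difference check for incremental compliance (added example, not from the paper).

Two constructed bills of material, baseline build vs. current build, in the shape
a software inventory tool would keep: component, version, license, linkage.
diff_bom() returns every change between the two builds that should be routed
back through OSRB review, so only the delta is re-audited, not the whole product.
"""
from dataclasses import dataclass

# Hypothetical license grouping, used only to decide how loudly to flag a change.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "LGPL-3.0"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    linkage: str  # "dynamic", "static" or "process" (separate process, no linking)


def review_reasons(old: Component, new: Component) -> list:
    """Reasons a component present in both builds needs OSRB attention."""
    reasons = []
    if old.license != new.license:
        reasons.append(f"license changed {old.license} -> {new.license}: new usage form")
    elif old.version != new.version:
        # Same declared license, but upstream may have relicensed files: re-scan.
        reasons.append(f"version changed {old.version} -> {new.version}: re-audit source")
    if old.linkage != new.linkage:
        msg = f"linkage changed {old.linkage} -> {new.linkage}"
        if new.license in COPYLEFT:
            msg += ": copyleft component, review obligation propagation"
        reasons.append(msg)
    return reasons


def diff_bom(baseline: list, current: list) -> list:
    """Return (component, kind, reasons) tuples for every change needing review."""
    base = {c.name: c for c in baseline}
    cur = {c.name: c for c in current}
    findings = []
    for name in sorted(cur.keys() - base.keys()):
        findings.append((name, "added", ["new component: OSRB usage form and source audit"]))
    for name in sorted(base.keys() - cur.keys()):
        findings.append((name, "removed", ["update attribution notices and source offer"]))
    for name in sorted(base.keys() & cur.keys()):
        reasons = review_reasons(base[name], cur[name])
        if reasons:
            findings.append((name, "changed", reasons))
    return findings


# Constructed sample builds (not real product data).
BASELINE = [
    Component("zlib", "1.2.5", "Zlib", "static"),
    Component("libfoo", "2.0", "LGPL-2.1", "dynamic"),
    Component("busybox", "1.17", "GPL-2.0", "process"),
    Component("oldcrypto", "0.9", "MIT", "static"),
]
CURRENT = [
    Component("zlib", "1.2.5", "Zlib", "static"),        # unchanged: no work
    Component("libfoo", "2.0", "LGPL-2.1", "static"),    # linkage changed
    Component("busybox", "1.18", "GPL-2.0", "process"),  # version bump
    Component("libbar", "3.1", "Apache-2.0", "dynamic"), # new component
]


if __name__ == "__main__":
    for name, kind, reasons in diff_bom(BASELINE, CURRENT):
        print(f"{name:10} {kind:8} {'; '.join(reasons)}")
```

Unchanged components produce no finding, which is the point of incremental compliance: the audit effort scales with the delta between builds rather than with the size of the product.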
Challenge #6: Institutionalization and Sustainability
One of the challenges facing companies is to keep compliance activities going as the company grows and ships more products using FOSS components. Companies can take several steps to ensure the institutionalization of compliance within the company’s development culture and to ensure its sustainability.
Proposed Solutions
• Sponsorship: Executive level commitment is essential to ensure sustainability of compliance activities. There has to be a company executive who is the compliance champion and ensures corporate support for the compliance function.
• Consistency: Achieving consistency across the company is key in large companies that consist of multiple business units.
• Measurement and analysis: Measure and analyze the impact and effectiveness of the compliance activities, processes, and procedures with the goal of studying the performance and improving the compliance program. This will help you communicate the productivity advantages that accrue from each program element when educating about the compliance program.
• Streamlining compliance processes: The scope and nature of a company’s use of FOSS is dynamic; it depends on products, technologies, mergers, acquisitions, offshore development activities and many other factors. Therefore, it is a necessity to continuously review compliance policies and processes and introduce improvements. Furthermore, FOSS license interpretations and legal risks continue to evolve. In such a dynamic environment, the compliance program must evolve as well.
• Enforcement: A compliance program is of no value unless it is enforced. A compliance program should include mechanisms for ongoing monitoring of adherence to the program and for enforcing policies, procedures, and guidelines throughout the company. One way to enforce the compliance program is to integrate it within the software development process and ensure that a certain percentage of the employees’ performance evaluation depends on how well they are committed to FOSS compliance.
• Staffing: Ensure proper staffing is allocated to the compliance function, as well as adequate compliance training provided to every employee in the organization.
Conclusions
In this paper, we provided an overview of the various elements that contribute to the success of FOSS compliance and discussed the top challenges that a company has to deal with when establishing and maintaining its compliance program, and how to overcome these challenges. This series of papers aims to increase public awareness of the various issues surrounding FOSS compliance from an operational perspective, and does not aim to provide a legal discussion on the topic. Compliance management, or compliance due diligence, consists of a set of actions that control the intake and distribution of FOSS used in commercial products. The result of compliance due diligence is an identification of all FOSS used in the product and a plan to meet the FOSS license obligations. This topic will be discussed in a future paper. Stay tuned.
Acknowledgements
The author would like to express his gratitude to Karen Copenhaver (Legal Director of the Linux Foundation and Partner in Choate, Hall & Stewart LLP’s Business & Technology practice) for her reviews and valuable input.
About the Author
Ibrahim Haddad is Director of Technology and Alliances at the Linux Foundation, focusing on Mobile Linux initiatives and advancing the Linux platform for next-generation mobile computing devices.