Establishing Free and Open Source Software Compliance Programs: Challenges and Solutions

July 2010

By Ibrahim Haddad, Ph.D.


Executive Summary

This white paper is the second in a series that focuses on the practical aspects of ensuring free and open source software (FOSS) compliance in the enterprise. The first paper, entitled "FOSS Compliance: The Basics You Must Know", available from the Linux Foundation web site [1], provided a discussion on the multi-source development model, the need for compliance, objectives and benefits, the consequences of non-compliance, possible compliance failures, how to avoid them, and lessons learned.

This paper picks up where the first paper left off and provides a discussion on the following topics:

• The elements of a successful compliance program that will allow a company to capture, govern and track all software components (proprietary, 3rd party commercial and FOSS) included in its commercial products.

• The list of common challenges related to establishing and maintaining compliance programs, and how to overcome these challenges and ensure successful compliance program implementation.

[1] http://www.linuxfoundation.org/collaborate/publications


Introduction

FOSS initiatives and projects provide companies with a vehicle to accelerate innovation through collaboration with the global community of FOSS developers. However, accompanying the benefits of teaming with the FOSS community are important responsibilities: companies must ensure compliance with applicable FOSS license obligations.

The first half of this paper discusses the elements of a successful compliance program that allows companies to capture, govern, and track all FOSS components included in their commercial products. The second half of the paper lists the common challenges companies face when establishing and maintaining their compliance programs and proposes various solutions to overcome these challenges.

Elements of a Compliance Program

The compliance program provides a structure around all aspects of FOSS, including selection, approval, use, distribution, audit, inventory, training, community engagement, and public communication.

FIGURE 1. ESSENTIAL ELEMENTS OF A SUCCESSFUL COMPLIANCE PROGRAM


Figure 1 illustrates the core elements needed in a successful FOSS compliance program, which include:

• Strategy and inquiry response strategy

• Policies and processes for using, contributing, distributing, auditing FOSS and for fulfilling license obligations

• Compliance teams (core and extended)

• Tools to assist in compliance verification and assurance

• Educational programs and training

• Automation to ensure efficient program execution

• Messaging, internally within your organization and externally towards the FOSS community

• Relationships with the FOSS projects and FOSS organizations

In the following sections, we will provide a brief overview of each of these essential elements in a FOSS compliance program.

Compliance Strategy

A compliance strategy drives a business-based consensus on the main aspects of the policy and process implementation. If you do not start with that high-level consensus, driving agreement on the details of the policy and investments in the process tends to be very hard if not impossible. The compliance strategy establishes what must be done to ensure compliance and offers a governing set of principles for how personnel interact with FOSS. It includes a formal process for the approval, acquisition, and use of FOSS, and a method for releasing software containing FOSS or licensed under a FOSS license.

Inquiry Response Strategy

An inquiry response strategy establishes what must be done when the company receives a compliance inquiry or when the company's compliance efforts are being challenged. Several companies received negative publicity and/or were sued because they ignored requests to provide compliance information, did not know how to handle compliance inquiries, lacked or had a poor compliance program, or simply refused to cooperate because they assumed the FOSS licenses are not enforceable. We know that none of these approaches is fruitful or beneficial to any of the parties involved. Therefore, companies should not ignore compliance inquiries; instead, they should acknowledge the receipt of the inquiry, inform the reporter that they will be looking into it, and provide a certain date on when to expect a follow-up. Informal compliance inquiries can include requests such as:

• A request for accessing source code following a written offer to provide source code licensed under GPL, LGPL and/or other licenses that require making such an offer to the end users

• A request for information regarding use of a specific FOSS project in a product

• A request for an update to the attribution and/or copyright notice that possibly was lacking or incomplete

• A request to provide missing files from the FOSS packages made available as part of meeting the license obligations


Figure 2 presents a sample process that illustrates the steps a compliance inquiry should go through from the time a company receives the inquiry until the inquiry is resolved. The following sub-sections describe what happens in each step of the compliance inquiry process.

FIGURE 2. PROCESS OF RESPONDING TO INCOMING COMPLIANCE INQUIRIES

Acknowledge

Once you receive the compliance inquiry, you should reply informing the inquirer that you have received their email and that you will look into it and get back to them in a timely fashion. It is important to understand the reporter, their motivation, and to verify if their accusation is accurate or even current. Furthermore, not every reporter understands licenses fully and sometimes there may be mistakes in their submissions. If you were missing information as submitted by the inquirer, you would request additional information from them to help you isolate the precise problem. The minimum set of information reported should include:

• The name of the product affected

• The name and version of the software component in question

• The reason why a violation is believed to exist

• A statement regarding what license this code is under

Inform

Companies must keep an open dialog with the compliance inquiry reporter. As a company that maintains rigid compliance practices, you should highlight your compliance program and practices, and show good faith efforts toward compliance. Inform the inquirer about your compliance program and practices and assure them that you will investigate their concern. It is also advisable to send updates of your internal investigation when they are available.

• Confirm you have received the report

• Confirm that you treat compliance inquiries seriously and consider achieving compliance as part of the development process

• Highlight your compliance program

• Inform the reporter that you are investigating and will report back on your findings within x number of days

Investigate

In this step, you investigate the reported allegation. Ideally, you can refer back to compliance records for the specific product and software component in question, review them, and verify whether the compliance record agrees or disagrees with the inquiry.

Report

After concluding the internal investigation (within acceptable time delays) through the review of the compliance due diligence completed for the specific software component (or product) in question, you need to provide the reporter with the results.

Close Inquiry

If the compliance inquiry was a false alarm, you will close the compliance inquiry ticket without any further action after ensuring that the inquirer is satisfied with your response.

Rectify

If the investigation uncovers a compliance issue, you will report back to the inquirer with the assurance that you will take all the necessary steps needed to bring your product back to compliance, while specifying a date by which you expect to complete this task. It is your responsibility to resolve the issue with the reporter, while being collaborative and showing goodwill. You need to understand the obligations under the applicable license and show how, and how soon, you will meet the obligations.

Improve

If there is a compliance issue, you will call for an Open Source Review Board (OSRB) meeting to discuss the case, learn how this non-compliance occurred, and improve existing process and practices to ensure that such errors do not happen again.

Policies and Processes

A policy is a set of rules for the use and management of FOSS in your organization. Processes are detailed specifications as to how a company will implement these rules on a daily basis. Compliance policies and processes govern the various aspects of using, contributing, auditing, and distribution of FOSS.


Figure 3 illustrates an example end-to-end compliance process that includes the various steps a software component goes through before the OSRB approves its acceptance in the build system and integration with the software product. We will have a separate paper that discusses policies and processes invoked when FOSS is included in a commercial product, in addition to a detailed discussion around the compliance end-to-end process.

FIGURE 3. SAMPLE COMPLIANCE DUE-DILIGENCE PROCESS

Compliance Teams

Compliance teams consist of various individuals tasked with the mission of ensuring FOSS compliance. Figure 4 presents the individuals and teams responsible for achieving FOSS compliance.

FIGURE 4. INDIVIDUALS AND TEAMS INVOLVED IN FOSS COMPLIANCE


There are two teams involved in achieving compliance: the core team and the extended team (Figure 4). The core team, often called the Open Source Review Board (OSRB), consists of representatives from engineering and product teams, one or more legal counsels, and the Compliance Officer. The extended team consists of various individuals across multiple departments that contribute on an on-going basis to the compliance efforts: Documentation, Supply Chain, Corporate Development, IT, Localization and the Open Source Executive Committee (OSEC). However, unlike the core team, members of the extended team are only working on compliance on-demand, based on tasks they receive from the OSRB. In a future paper, we will discuss in detail the roles and responsibilities of each individual or team involved in ensuring FOSS compliance.

Tools

The OSRB deploys and uses several tools to automate and facilitate the auditing of source code and the discovery of source code and licenses. These tools include:

• A compliance project management tool to manage the compliance project, track tasks and resources

• A software inventory tool to keep track of every single software component, version, products that use it, linkage method, and other important information

• A source code and license identification tool to identify source code included in the build system and their licenses

• A dependency checker tool to identify the interactions of any given software component with other software components used in the product

• A source code peer review tool to review the changes introduced to the original source code before it gets published as part of meeting license obligations

• A bill of materials (BoM) difference tool to identify the changes introduced to the BoM of any given product given two different builds

In a future paper, we will discuss these tools and explain how they contribute to ensuring FOSS compliance in a very efficient and accurate way.

Web Presence

Companies use portals in two directions: inwards, inside the company, and outwards as a window to the world and the FOSS community. The internal portal houses the compliance policies, guidelines, documentation, training, and hosts discussion forums, announcements, and access to mailing lists. The external portal offers a platform for the company towards the world and the FOSS community, and a venue to post all the source code of FOSS packages they use, in fulfillment of their license obligations.

Education

Education is an essential building block in a compliance program to ensure that employees have a good understanding of the policies governing the use of FOSS. All personnel involved in the development, quality assurance, release and maintenance of software need to understand the compliance program.


The goal of providing FOSS and compliance training is to raise awareness of FOSS policies and strategies and to build a common understanding around the issues and facts of FOSS licensing. Training also serves as a venue to publicize and promote the compliance policy and processes within the organization and to promote a culture of compliance. There are formal and informal training methods; formal methods may include instructor-led training courses where employees have to pass an exam to pass the course; informal methods may include webinars, brown bag seminars, and presentations given to new hires as part of the new employee orientation session.

Informal Training

• Brown bag seminars: Brown bag seminars are usually presentations done during lunch time by either a company employee (in-house legal counsel, FOSS expert, compliance officer, etc.) or an invited speaker (most commonly a prolific FOSS developer). The goal of these seminars is to present and evoke discussions about the various aspects of incorporating FOSS in a commercial product. These sessions can also include discussions of the company's compliance program, policies, and processes.

• New employee orientation: In some instances, the Compliance Officer presents on the company's compliance efforts, rules, policies, and processes to all new employees as part of the new employee orientation session. As such, on their first day, new employees would receive a 30 minute training on FOSS and compliance. As a result, the new employees will have all the necessary information they need: who to talk to, what internal website to visit, how to sign up for FOSS and compliance training, etc.

Formal Training

Depending on the size of the company and the extent to which FOSS is included in its commercial offerings, the company can mandate their employees working with FOSS to take formal instructor-led courses and pass the evaluation. This section provides recommendations on four essential training courses:

• Introduction to FOSS: The course provides an overview of FOSS, its characteristics in comparison to proprietary software and freeware, and presents an in-depth discussion on the FOSS development model, the FOSS community, and FOSS licenses. In addition, the course examines the benefits and risks of adopting FOSS and using it in commercial products and introduces compliance and license obligations.

• Compliance Processes and Policies: This course provides necessary background information on compliance policies, processes, and procedures. The focus of the course will be on compliance practices and techniques adopted by the company to allow you to ship a product containing FOSS while meeting all license obligations, without putting the company's intellectual property or that of your third party software providers at risk. Furthermore, the training provides a demonstration of how to fill out the OSRB form and provides information about available FOSS guidelines.

• Working with the FOSS Community: This course provides information on the FOSS development model, best practices on interacting with the FOSS community, driving contributions to mainline, cultural aspects and general advice on working with the community.


• Engineering Guidelines for Using FOSS: This course provides guidelines for system architecture and a description of how the company's policies apply to particular engineering situations (user space versus kernel space, dynamic versus static linkage, device drivers, etc.).

Automation

Engineers requesting to use or contribute to FOSS will be requested to submit forms built around templates designed by the Open Source Review Board (OSRB). An efficient, automated system includes electronic forms, templates, and workflows. This automation allows the OSRB to manage all "paperwork" related to compliance electronically. We will discuss this topic, along with tools, in a separate future paper.

Messaging

Messaging is an integral part of any compliance program. It consists of internal and external messaging. The single most important recommendation with respect to messaging is to be clear and consistent in your messaging, whether it is internally explaining the company's goals and concerns around FOSS to your employees, or externally toward the FOSS community.

Compliance Challenges and Solutions

In the following sections, we will discuss the challenges companies face when establishing a compliance program and offer recommendations on how to overcome these challenges via an operationally focused approach. Some of the most common challenges include:

1. Creating a compliance program while achieving the right balance between processes and product ship deadlines

2. Thinking long term, while executing short term

3. Communicating compliance

4. Establishing a clean software baseline for version 1.0 products

5. Maintaining compliance for evolving products

6. Institutionalizing and sustaining compliance efforts

Challenge #1: Creating a Compliance Program

The first challenge is to create the compliance program and its supporting infrastructure while achieving the right balance between following processes and meeting product ship deadlines. There are various approaches that can help overcome this challenge and assist in the creation of a lightweight program that is not seen as a burden to the development activities.

Proposed Solutions

Executive Support

It is important to have executive level commitment to compliance. An executive sponsor for compliance is a necessity to ensure its success and continuity.


Lightweight Policies and Processes

Processes and policies are important; however, they have to be light and efficient so that the engineering teams do not regard them as overly burdensome to the development process. You must avoid requiring engineers to spend more time than necessary on compliance activities. You need to establish two important building blocks: first, a simple and clear compliance policy, and second, a lightweight compliance process, both well communicated across the company.

Mandate Basic Rules

As part of putting the compliance program in place, you will need to mandate some simple rules that everyone must follow, such as:

• Mandate the OSRB usage form for any FOSS: The OSRB usage form is the entry point into the compliance due diligence for any incoming FOSS or incoming third party software to the company. It is essential that engineers fill out the OSRB usage form for every FOSS project they intend to use in any product.

• Mandate compliance code inspections as part of the software development process.

• Mandate design reviews as part of the existing software development process.

• Mandate architecture reviews and code inspections to understand how software components are inter-related and to discover license obligations that can propagate from FOSS to proprietary software.

• Mandate due diligence on software received from third party software providers: If a FOSS package is included in a third party component in a product, the engineer selecting the third party software, the third party software management team and the third party software vendor should work together to prepare the usage form for submission to the OSRB.

Integrate Compliance in the Development Process

The most successful way to establish compliance is to incorporate the compliance process and policies, checkpoints and activities as part of the existing software development process. This method ensures that compliance is part of the software development process and not an activity that is either an overhead to development, or an activity that is trying to catch up with development (in terms of speed and coverage).

Challenge #2: Long-Term Goals versus Short-Term Execution

Figure 1 described the essential elements needed for a successful compliance program. Some may be overwhelmed by the amount of work needed to implement such a complete program. In reality, it is actually not all that difficult because you do not have to implement everything mentioned in Figure 1 at the same time.

The priority of all companies is to ship the product on time while building and expanding their internal FOSS compliance infrastructure. Therefore, you should expect to build your compliance infrastructure as you go, keeping in mind its scalability for future activities and products.

Proposed Solutions

• Plan a complete compliance infrastructure to meet your long-term goals, and then implement the pieces needed for short-term execution. For instance, if you are just starting to develop a product that includes FOSS and do not have any compliance infrastructure yet, your immediate concern may be, for example, establishing a compliance team, process and policy, tools and automation, and training your employees. Once you kick off these activities (in that order) and you have a good grip on the build system (from a compliance perspective), you can move to the other program elements.

• Establish lightweight policies and processes (discussed earlier)

• Incorporate compliance as part of the development process (discussed earlier)

Challenge #3: Communicating Compliance

Communication is essential to ensure the success of the compliance activities. There are two aspects of the communication activities: internal to the company and external towards the FOSS community and the industry.

Internal Communication

Companies need internal compliance communication to ensure that employees are aware of what is involved when they include FOSS in a commercial product and to ensure that they are educated about the company's compliance policies, processes, and guidelines. Internal communications can take one of several forms:

• All-hands meetings are a great venue for executives to show their support and endorsement of the compliance activities and to ask their employees to follow company policies and processes.

• Formal training mandated to all employees working with FOSS.

• Hosting brown-bag FOSS and compliance seminars is a successful way to bring additional compliance awareness.

• Establishing an internal FOSS portal that will host the company's compliance policies and procedures, FOSS related publications and presentations, mailing lists, and a discussion forum related to FOSS and compliance.

• Some companies issue a company-wide FOSS newsletter periodically that focuses on compliance and news around FOSS.

External Communication

Furthermore, companies need external compliance communications to ensure that the FOSS community is aware of their efforts to meet the license obligations of the FOSS they are using in their commercial product. External communications can take one of several forms:

• Website dedicated for FOSS: The website is a main channel for distribution of FOSS packages (and modifications) and usually hosts a discussion forum or mailing lists.

• Reaching out and supporting FOSS organizations such as the Free Software Foundation: Such activities are important to help the company build relationships with FOSS organizations, understand the roles of these organizations, and contribute to their efforts.

• Participation in FOSS events and conferences: Participation can be at various levels ranging from sponsoring an event, to contributing presentations and publications, or simply sending engineers to attend and meet FOSS developers and foster new relationships with the FOSS community members.


Challenge #4: Establishing a Clean Software Baseline

One of the initial challenges with compliance programs is to find out exactly what FOSS is in use, how it is licensed and where in your products or platform it is being used. Furthermore, the challenge revolves around establishing a clean software baseline for your product or software platform. This is an intensive activity over a period of time that can extend for months depending on how soon you started the compliance activities in parallel to the development activities.

Proposed Solutions

Companies achieve initial compliance through the collection of the following activities:

• Early submission and review of OSRB usage forms

• Audits on the source code

• Due diligence on the use of FOSS by third party software providers

• Design review and code inspections to analyze the interaction between FOSS, proprietary code and third party software components

• Update documentation to inform users how to obtain a copy of the FOSS

If a company fails to establish baseline compliance, it is almost a guarantee that future revisions of the same product (or other products built using the initial baseline) will have compliance issues.

• Offer simple but enforced policies and lightweight processes (discussed earlier)

• Include compliance checkpoints as part of the software development process (discussed earlier)

• Ensure availability of a dedicated compliance core team that consists of the Compliance Officer, Legal Counsel and Engineering representatives (we will discuss roles and responsibilities in a future paper)

• Utilize tools and automation to support efficient processing of compliance tickets

Challenge #5: Maintaining Compliance

There are several challenges in maintaining open source compliance, similar to those faced when establishing baseline compliance. In fact, many of the steps are the same but just on a smaller scale. Maintaining compliance is a continuous effort and is a comparatively small incremental effort that depends on discipline and commitment to build compliance activities into existing engineering and business processes.


Figure 5 illustrates the concept of incremental compliance, whereby you need to ensure compliance of whatever source code changes took place between the initial compliant baseline and the current version.

FIGURE 5. EXAMPLE OF INCREMENTAL COMPLIANCE

Proposed Solutions

Companies maintain compliance through the following activities:

• Early submission and review of OSRB usage forms

• Continuous enforcement of the basic rules, e.g. engineers must receive approval before integrating a FOSS component in the build system

• Continuous audits of all source code integrated in the code base regardless of its origins (FOSS, third party or proprietary)

• Continuous improvements of tools used in ensuring compliance and automating as many activities as possible to ensure high efficiency in executing the compliance program
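The BoM difference tool listed under Tools, applied to the incremental compliance of Figure 5, as an added example that is not part of the original paper: it parses two constructed, tab-separated BoMs (the compliant baseline build and the current build) and emits only the components whose addition, removal, version, license or linkage change needs OSRB attention. The BoM format, the field names and the action table are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical BoM record; the paper's inventory tool tracks these fields
# (component, version, products that use it, linkage method, ...).
@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str   # license identifier as recorded by the license-identification tool
    linkage: str   # how the component links to proprietary code: static, dynamic or none

# Which action each kind of BoM change triggers (constructed policy table,
# following the paper's basic rules: approval before integration, continuous
# audits, and keeping the documentation and source offer up to date).
ACTIONS = {
    "added": "new OSRB usage form and due diligence before integration",
    "removed": "update attribution notices and the written source offer",
    "version changed": "re-audit the source code and re-verify the license",
    "license changed": "new OSRB usage form: obligations may have changed",
    "linkage changed": "architecture review: check obligations propagating to proprietary code",
}

def parse_bom(text: str) -> Dict[str, Component]:
    """Parse a tab-separated BoM (assumed format: name, version, license, linkage)."""
    bom: Dict[str, Component] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"BoM line {lineno}: expected 4 tab-separated fields")
        comp = Component(*fields)
        if comp.name in bom:
            raise ValueError(f"BoM line {lineno}: duplicate component {comp.name}")
        bom[comp.name] = comp
    return bom

def diff_bom(baseline: Dict[str, Component], current: Dict[str, Component]) -> List[dict]:
    """List every change between two BoMs with the compliance action it triggers."""
    items = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            changes = [("added", f"{new.version}, {new.license}, {new.linkage}")]
        elif new is None:
            changes = [("removed", f"{old.version}, {old.license}")]
        else:
            # Unchanged components produce no entries: that is the incremental part.
            changes = [(f"{f} changed", f"{getattr(old, f)} -> {getattr(new, f)}")
                       for f in ("version", "license", "linkage")
                       if getattr(old, f) != getattr(new, f)]
        for change, detail in changes:
            items.append({"component": name, "change": change,
                          "detail": detail, "action": ACTIONS[change]})
    return items

# Constructed sample BoMs: a compliant baseline build and the current build.
BASELINE_BOM = "\n".join([
    "# name\tversion\tlicense\tlinkage",
    "busybox\t1.16.1\tGPL-2.0-only\tnone",
    "libfoo\t2.0\tProprietary\tstatic",
    "openssl\t1.0.0a\tOpenSSL\tdynamic",
    "zlib\t1.2.5\tZlib\tdynamic",
])
CURRENT_BOM = "\n".join([
    "busybox\t1.16.1\tGPL-2.0-only\tnone",
    "libbar\t0.9\tLGPL-2.1-only\tstatic",
    "openssl\t1.0.0d\tOpenSSL\tdynamic",
    "zlib\t1.2.5\tZlib\tstatic",
])

def review_queue(baseline_text: str = BASELINE_BOM, current_text: str = CURRENT_BOM) -> List[dict]:
    """The incremental review queue: only what changed since the compliant baseline."""
    return diff_bom(parse_bom(baseline_text), parse_bom(current_text))

if __name__ == "__main__":
    for item in review_queue():
        print(f"{item['component']:<8} {item['change']:<16} {item['detail']:<32} -> {item['action']}")
```

On the sample BoMs the queue holds four entries (libbar added, libfoo removed, an openssl version bump and zlib moving from dynamic to static linkage) while busybox, being unchanged, needs no review.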

Challenge #6: Institutionalization and Sustainability

One of the challenges facing companies is to keep compliance activities going as the company grows and ships more products using FOSS components. Companies can take several steps to ensure the institutionalization of compliance within the company's development culture and to ensure its sustainability.

Proposed Solutions

• Sponsorship: Executive level commitment is essential to ensure sustainability of compliance activities. There has to be a company executive who is the compliance champion that ensures corporate support for the compliance function.

• Consistency: Achieving consistency across the company is key in large companies that consist of multiple business units.

• Measurement and analysis: Measure and analyze the impact and effectiveness of the compliance activities, processes, and procedures with the goal of studying the performance and improving the compliance program. This will help you communicate the productivity advantages that accrue from each program element when educating about the compliance program.


• Streamlining compliance processes: The scope and nature of a company's use of FOSS is dynamic; it is dependent on products, technologies, mergers, acquisitions, offshore development activities and many other factors. Therefore, it is a necessity to continuously review compliance policies and processes and introduce improvements. Furthermore, the FOSS license interpretations and legal risks continue to evolve. In such a dynamic environment, the compliance program must evolve as well.

• Enforcement: A compliance program is of no value unless it is enforced. A compliance program should include mechanisms for ongoing monitoring of adherence to the program and for enforcing policies, procedures, and guidelines throughout the company. One way to enforce the compliance program is to integrate it within the software development process and ensure that a certain percentage of the employees' performance evaluation depends on how well they are committed to FOSS compliance.

• Staffing: Ensure proper staffing is allocated to the compliance function, as well as adequate compliance training provided to every employee in the organization.

Conclusions

In this paper, we provide an overview of the various elements that contribute to the success of FOSS compliance and discuss the top challenges that a company has to deal with when establishing and maintaining their compliance programs, and how to overcome these challenges. This series of papers aims to increase public awareness of the various issues surrounding FOSS compliance from an operational perspective, and does not aim to provide a legal discussion on the topic. Compliance management, or compliance due diligence, consists of a set of actions that control the intake and distribution of FOSS used in commercial products. The result of compliance due diligence is an identification of all FOSS used in the product and a plan to meet the FOSS license obligations. This topic will be discussed in a future paper. Stay tuned.

Acknowledgements

The author would like to express his gratitude to Karen Copenhaver (Legal Director of the Linux Foundation and Partner in Choate, Hall & Stewart LLP's Business & Technology practice) for her reviews and valuable input.

About the Author

Ibrahim Haddad is Director of Technology and Alliances at the Linux Foundation, focusing on Mobile Linux initiatives and advancing the Linux platform for next-generation mobile computing devices.