The use of open-source software (OSS) in the overall software development process has increased by each day passing. Modern cloud technologies, embedded systems, and mobile computing are often largely based on OSS solutions. The above were confirmed by the 2022 State of Open Source Report, conducted by the Open Source Initiative (OSI) together with OpenLogic by Perforce. Most of the participants (77%) stated that their use of OSS has increased and for 36.5% of them, OSS usage took a significant step-up. This comes as no surprise, given the profound advantages that OSS can bring to the software development process.
But at the same time, the survey revealed a “well known secret” about the use of OSS: A big portion of the companies that use OSS don't fulfil the license obligations required by the applicable OSS licenses. That might lead to an infringement of the intellectual property rights of the software developers, which could have severe implications on the company using OSS. Moreover, it is important to note that such practice might lead to conflicts with the open source community which creates and maintains such software.
How to ensure compliance
To ensure compliance with the open-source licenses and consequently to avoid the risks mentioned before, the company which introduces OSS into their own development process needs to design, implement, and supervise an OSS compliance system. A system which by design achieves the three primary goals of an OSS compliance procedure, as described by the Linux foundation:
Know what you use,
Know how you are using it, and
Fulfil license obligations.
Before diving into the necessary elements of a system like that, it can already be said that an OSS compliance system must be integrated and harmonized with the general compliance system of the company. Moreover, it should be ensured that the OSS compliance system is not the sole responsibility of a single employee or a single department. It is a procedure that should be implemented throughout the whole development process and involve every department, including the management level itself, which should constantly supervise the system's function and care for its steady improvement.
In order to achieve the aforementioned goals, a complete OSS compliance system should contain the three phases:
The identification of the used OSS components and their use,
The fulfilling of the licenses obligations, and
The incremental process.
The nature and the necessary steps of each phase will be briefly explained.
The identification of the used OSS components and their use
The identification stage starts where the situation is assessed, a compliance baseline is established, the license obligations are identified, and the open-source components receive approval for usage. It usually consists of 5 steps:
Specification of the deployment scenario: Most of the times, the OSS license obligations vary, depending on the deployment scenario of the software, namely whether it is designed to be used only internally, to be distributed or to be deployed in an embedded system.
The identification of the components: The origin of the source code, the license obligations, and all dependencies of the OSS components need to be documented in detail in the Software’s Bill of Material (BoM).
The legal review: At this stage, the legal counsel reviews the licensing information, gathers and identifies the license obligations, along with the necessary steps to comply with them and marks any possible incompatibilities between the licenses.
The architectural review: The goal of this process is to identify the way how the different components interact with each other and to verify that the “copyleft” effect of some OSS licenses doesn’t extend to an incompatible code, mainly proprietary software.
The final approval: This phase consists of a review of all the information gathered from the steps mentioned above.
The fulfilment of licensing obligations
After the license obligations for each component have been identified, this process ensures that the various license obligations are in fact fulfilled, for example, the distribution of the source code of the components along with any modifications made. This can be achieved by creating and following a pre-distribution checklist which helps keeping track of all the mandatory steps.
The review after updates
This phase should start whenever a new version of the software is being developed, for example a version containing bug fixes or additional functionalities to the original software. The purpose is to identify any newly added, deleted, or changed OSS components. The deleted components are then removed from the BoM while the newly added and changed components run through the compliance process.
The deployment of an OSS compliance system is vital to fulfil the obligations of the OSS licenses and to safely enjoy the significant benefits that the usage off OSS can offer. However, the planning and implementation of such a system is not an easy task at all. It consists of complex steps and procedures which should always be customized to the specific needs of the individual company. We advise and provide guidance for the designing and implementation of an OSS compliance system with a practice proof approach.