Welcome!

Open Source Cloud Authors: Zakia Bouachraoui, Liz McMillan, Elizabeth White, Yeshim Deniz, Pat Romanski

Related Topics: Containers Expo Blog, Linux Containers, Open Source Cloud, Release Management , Cloud Security

Containers Expo Blog: Article

Open Source Compliance: Getting Started Guide

What are the challenges faced when establishing a compliance program? What best practices exist?

This article discusses Open Source compliance and the challenges faced when establishing a compliance program, provides an overview of best practices, and offers recommendations on how to deal with compliance inquiries.

Introduction
Traditionally, platforms and software stacks were built using proprietary software and consisted of various software building blocks that came from different companies with negotiated licensing terms. The business environment was predictable and potential risks were mitigated through license and contract negotiations with the software vendors. In time, companies started to incorporate Open Source software in their platforms for the different advantages it offers (technical merit, time-to-market, access to source code, customization, etc).

With the introduction of Open Source software to what once were pure proprietary software stacks, the business environment diverged familiar territory and corporate comfort zones (Figure 1). The licenses of Open Source software licenses are not negotiated agreements. There are no contracts signed with the software providers (i.e., Open Source developers). Companies must now deal with dozens of different licenses, and hundreds or even thousands of licensors and contributors. As a result, the risks that used to be managed through license negotiations must now be managed now through compliance and engineering practices.

A new computing environment necessitating Open Source compliance due diligence

Enter Open Source Compliance
Open Source software initiatives provide companies with a vehicle to accelerate innovation through collaboration with a global community of Open Source developers. However, accompanying the benefits of teaming with the Open Source community are very important responsibilities. Companies must ensure compliance with applicable Open Source license obligations.

Open source compliance means that users of Open Source software must observe all the copyright notices and satisfy all the license obligations for the Open Source software they use. In addition, companies using Open Source software in commercial products, while complying to the terms of Open Source licenses, want to protect their intellectual property and that of third party suppliers from unintended disclosure.

Open Source compliance involves establishing a clean baseline for software stack or platform code and then maintaining that clean baseline as features and functionalities are added. Failure to comply with Open Source license obligations can result in:

  • Companies paying undisclosed amount of money for breach of Open Source licenses.
  • Companies being forced by third parties to block product shipment and do product recalls.
  • Companies being mandated by courts to establish a more rigorous Open Source compliance program  and appoint a “Open Source - Compliance Officer” to monitor and ensure compliance with Open Source licenses
  • Companies losing their product differentiation and intellectual property rights protection when required to release source code (and perceived trade secrets) to the Open Source community and license to competitors royalty-free.
  • Companies suffering negative press and unwanted public scrutiny as well as damaged relationships with customers, suppliers and the Open Source community.

Lessons Learned

There are three main lessons to learn from the Open Source compliance infringement cases that were made public to date.

  • Ensure that your company has an Open Source management infrastructure in place: Open Source compliance is not just a legal exercise or checking a box. All facets of the companies are typically involved in ensuring proper compliance and contributing to the end-to-end management of Open Source software.
  • Make Open Source compliance a priority before product ship: Companies must establish and maintain consistent Open Source compliance policies and procedures and ensure that Open Source license(s) and proprietary license(s) co-existence well before shipment.
  • Create and maintain a good relationship with the Open Source community: As a user of Open Source software, it is to your best advantage to create a good relationship with the Open Source community and demonstrate good will.  The Open Source community provides you with source code, technical support, testing, documentation, etc. Respecting the licenses of the Open Source components you are using is the minimum you can do in return.

Compliance Challenges

Companies face several challenges as they start creating the compliance infrastructure needed to manage their Open Source software consumption. The most common challenges include:

  1. Achieving the right balance between processes and meeting product shipment deadlines: Processes are important, however, they have to be light and efficient so that they're not regarded as an overhead to the development process and to avoid Engineering spending too much time than necessary on compliance activities.
  2. Thinking long-term, executing short-term: The priority of all companies is to ship the product(s) on time, at the same time as building and expanding their internal Open Source compliance infrastructure. Therefore, expect to build your compliance infrastructure as you go while doing it the right way and keeping in mind its scalability for future activities and products.
  3. Establishing a clean software baseline:  Establishing a clean software baseline is usually an intensive activity over a period of time. The results of the initial compliance activities include: A complete software inventory that identifies all Open Source software in the baseline,  a resolution of all issues related to mixing proprietary and Open Source code, and a plan on fulfilling the license obligations for all the Open Source software.

 

Building a Compliance Infrastructure

The following subsections examine the essential building blocks of an Open Source compliance infrastructure required to enable Open Source compliance efforts.

Open Source compliance building blocks

More Stories By Ibrahim Haddad

Ibrahim Haddad is a member of the management team at The Linux Foundation responsible for technical, legal and compliance projects and initiatives. Prior to that, he ran the Open Source Office at Palm, the Open Source Technology Group at Motorola, and Global Telecommunications Initiatives at The Open Source Development Labs. Ibrahim started his career as a member of the research team at Ericsson Research focusing on advanced research for system architecture of 3G wireless IP networks and on the adoption of open source software in telecom. Ibrahim graduated from Concordia University (Montréal, Canada) with a Ph.D. in Computer Science. He is a Contributing Editor to the Linux Journal. Ibrahim is fluent in Arabic, English and French. He can be reached via http://www.IbrahimHaddad.com.

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
kweins 01/14/10 03:22:36 PM EST

There is another free open source scanning tool (OSS Discovery by OpenLogic) that you can use to identify open source in your products or applications. You can download at www.openlogic.com.

IoT & Smart Cities Stories
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by ...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed...
The challenges of aggregating data from consumer-oriented devices, such as wearable technologies and smart thermostats, are fairly well-understood. However, there are a new set of challenges for IoT devices that generate megabytes or gigabytes of data per second. Certainly, the infrastructure will have to change, as those volumes of data will likely overwhelm the available bandwidth for aggregating the data into a central repository. Ochandarena discusses a whole new way to think about your next...
CloudEXPO | DevOpsSUMMIT | DXWorldEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Cell networks have the advantage of long-range communications, reaching an estimated 90% of the world. But cell networks such as 2G, 3G and LTE consume lots of power and were designed for connecting people. They are not optimized for low- or battery-powered devices or for IoT applications with infrequently transmitted data. Cell IoT modules that support narrow-band IoT and 4G cell networks will enable cell connectivity, device management, and app enablement for low-power wide-area network IoT. B...
The hierarchical architecture that distributes "compute" within the network specially at the edge can enable new services by harnessing emerging technologies. But Edge-Compute comes at increased cost that needs to be managed and potentially augmented by creative architecture solutions as there will always a catching-up with the capacity demands. Processing power in smartphones has enhanced YoY and there is increasingly spare compute capacity that can be potentially pooled. Uber has successfully ...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...