The use of open source software (OSS) in the overall software development process has been increasing day by day. Modern cloud technologies, embedded systems and mobile computing often rely heavily on OSS solutions. The above has been confirmed by the 2022 State of Open Source Report, led by the Open Source Initiative (OSI) in collaboration with OpenLogic by Perforce. Most of the participants (77%) said that their use of free software has increased and for 36.5% of them, the use of free software has increased considerably. It’s no surprise, considering the tremendous benefits that OSS can bring to the software development process.
But at the same time, the survey revealed a “well-known secret” about OSS usage: a large portion of companies that use OSS do not meet the licensing requirements required by applicable OSS licenses. This could lead to infringement of intellectual property rights of software developers, which could have serious implications for the company using free software. Additionally, it is important to note that such a practice could lead to conflicts with the open source community that creates and maintains such software.
How to ensure compliance
To ensure compliance with open-source licenses and therefore to avoid the previously mentioned risks, the company that introduces OSS into its own development process must design, implement and monitor an OSS compliance system. A system that, by design, achieves the three primary goals of an OSS compliance procedure, as outlined by the Linux Foundation:
- Know what you use
- Know how you use it and
- Fulfill license obligations.
Before diving into the necessary elements of such a system, it can already be said that an OSS compliance system must be integrated and harmonized with the general compliance system of the company. Additionally, it should be ensured that the OSS compliance system is not the sole responsibility of a single employee or department. It is a procedure that must be implemented throughout the development process and involve all departments, including the management level itself, which must constantly supervise the operation of the system and ensure its constant improvement.
In order to achieve the above goals, a complete OSS compliance system should contain all three phases:
- Identification of the OSS components used and their use,
- Compliance with license obligations, and
- The incremental process.
The nature and necessary steps of each phase will be briefly explained.
Identification of the OSS components used and their use
The Identify stage begins when the situation is assessed, a basis of compliance is established, license obligations are identified, and open source components receive approval for use. It usually consists of 5 steps:
Deployment Scenario Specification: Most of the time, OSS license requirements vary depending on the deployment scenario of the software, i.e. whether it is designed for internal use only, for distribution or for deployment in an embedded system .
Component Identification: Source code origin, license obligations and all OSS component dependencies should be documented in detail in the software bill of materials (BoM).
Legal review: In this stage, the legal advisor reviews the license information, gathers and identifies the license obligations, as well as the steps necessary to comply with them, and flags any incompatibilities between the licenses.
Architectural review: The purpose of this process is to identify how the various components interact with each other and verify that the “copyleft” effect of some OSS licenses does not extend to incompatible code, primarily proprietary software .
Final approval: This phase consists of a review of all the information gathered from the steps mentioned above.
Compliance with license obligations
After identifying the license obligations for each component, this process ensures that the various license obligations are met, for example the distribution of the source code of the components as well as any modifications made. This can be achieved by creating and following a pre-distribution checklist that helps keep track of all mandatory steps.
The review after the updates
This phase should begin each time a new version of the software is under development, for example a version containing bug fixes or additional features to the original software. The goal is to identify any newly added, removed, or changed OSS components. Deleted components are then removed from the BOM while newly added and modified components go through the compliance process.
Deploying an OSS compliance system is essential to fulfilling OSS licensing obligations and to safely enjoy the significant benefits that non-OSS usage can provide. However, planning and implementing such a system is not at all an easy task. It consists of complex steps and procedures that must always be adapted to the specific needs of each company. We advise and provide guidance for the design and implementation of an OSS compliance system with a proof of practice approach.