A Software Lawyer’s Take on the Linux Foundation’s ‘NEW’ Open Compliance Program

On August 10, 2010 the Linux Foundation announced the Open Compliance Program. So what is this all about and is this bad or good?

Essentially, the Linux Foundation created this program to address a lot of the FUD relating to using open source software with proprietary software. I think this is a noble objective, as there definitely is quite a lot of that FUD out there. So what are the components of the program (from the perspective of a proprietary Software or SAAS company)?

1) TOOLS

[Note to Self: need to check what OS these run on, as it may not be that useful for us]

  • Dependency Checker – checks for dynamic and static links.
  • Code Janitor – scans for certain keywords before the code is released.
  • Bill of Material Difference Checker – provides the ability to more accurately track components of the software.
  • Link to the TOOLS WEBSITE for more details.

2) SELF ASSESSMENT CHECKER 

  • Here is the checklist. Link

3) SOFTWARE PACKAGE DATA EXCHANGE (SPDX).

[Note to Self: While this sounds good on its face, it sounds like they are trying to lead the industry into disclosing all embedded open source software to (a) customers and (b) partners, etc. in the form of the Bill of Material (not sure this is a good thing or even necessary; it sounds like it will mainly add complexity and delay, at least in certain situations)]

  • Black Duck Software is deeply involved in this Working Group, so I understand why this benefits them. The more they can force the industry to become transparent about embedded open source, the more software companies will need tools like theirs. I am not saying they are bad folks (as I have only heard great things about this company), but I am trying to share my thoughts on the possible motivations and direction the industry may be heading.
  • You can read more about this HERE (see page 2 about disclosing this information to third parties).

4) COMPLIANCE DIRECTORY AND RAPID ALERT SYSTEM.

[Note to Self: Sounds like a good idea, as it will help to create a direct link between the open source providers and the open source compliance officers at various companies]

5) TRAINING AND EDUCATION.

[Note to Self: Only good things can come from this] MORE INFO HERE.

Whew. Ok, so if you have a Software or SAAS company, take a read (or have your head of development take a read), especially if you embed open source software in your software.

Disclaimer: This is for informational and educational purposes, and no legal advice is provided. Consult your attorney for legal advice.

2 Comments
  1. Jeremy,

    Our view is this announcement is a reflection of the growing popularity and use of open source, and will help remove FUD, which will lead to even broader use of open source.

    WRT SPDX, which you point out we helped develop, there are many embedded technology companies (Moto, HP, Freescale, Qualcomm, and others) that drove and contributed to the standard. I think this is strong evidence they view it as a way to improve efficiency, reduce complexity and remove uncertainty. If players in the supply chain ecosystem use SPDX, it makes it easier for their downstream customers to manage the software they’re integrating.

    Peter

    • Peter,

      I think those are all valid points, and I appreciate the input.

      My main concern is if enterprise software customers demand the Bill of Material from software vendors, it seems like there will be some added complexity (and I think unnecessarily so) in the process (i.e. not all software is integrated). I can however see other situations where having the Bill of Material will create more efficiency in the process. I suppose it all depends on how and when it is used.
