infoTECH Feature

January 10, 2019

Simplifying and Harmonizing Open Source for More Efficient Compliance

As open source software proliferates and customer adoption grows, the implications of using it are underestimated or overlooked by many companies. Some companies forgo the full benefits of open source when they find it complicated to comply with the legal requirements of open source licenses.

The Linux Foundation, the non-profit organization supporting open source, recently announced the formation of the Automated Compliance Tooling (ACT) project.

Using open source code comes with a responsibility to comply with the terms of that code’s license, which can be challenging for users and organizations to manage. The goal of ACT is to consolidate investment in open source compliance tooling and to increase its interoperability and usability, helping organizations manage their compliance obligations.

Software commonly includes an assortment of open source code under multiple licenses, mixed with proprietary code. Sorting out and managing all of these can be a major hassle, but the alternative is potential legal action and damaged relations with the open source community.

The projects in ACT are poised to boost existing Linux Foundation compliance projects such as OpenChain, which identifies recommended processes that make open source license compliance simpler and more consistent, and the Open Compliance Program, which educates developers and companies and helps them understand their license requirements. ACT provides the tooling to support efficient compliance workflows.

The new group strengthens two existing Linux Foundation projects, FOSSology and the Software Package Data Exchange (SPDX) tools, and adds two new ones: Endocode’s QMSTR, which integrates an open source compliance toolchain into the build, and VMware’s Tern, an inspection tool for identifying open source components within container images.

Foundation members have said that existing tools do not fully meet their requirements for ensuring open source license compliance. With the launch of ACT, they can now benefit from a shared effort to improve those tools and make them interoperate.

Mirko Boehm, CEO of Endocode and the initiator of the QMSTR project, said, “License compliance is an important hygiene factor in the open source ecosystem. With QMSTR, we started to create a toolchain that focuses on fact-finding and accurate, complete and up-to-date compliance documentation for every software build. Endocode is extremely happy to contribute QMSTR to ACT and to take it to the next level together with The Linux Foundation and the other project partners.”

“We are excited that The Linux Foundation has accepted Tern, an open source project for inspecting container images for OSS compliance, for its ACT group of projects,” said Nisha Kumar, Open Source Engineer, VMware Open Source Technology Center. “Since releasing Tern in June 2017, the project has grown in the community and features, continuing with the most recent release, version 0.2.0, which adds features to make the project more accessible to users and contributors. Moving the project under ACT is a great next step in encouraging wider collaboration from folks who are looking to meet their OSS compliance obligations as part of their container strategy. I look forward to working with the greater community towards this goal.”

Four Parts of ACT:

  • FOSSology: An open source license compliance software system and toolkit that lets users run license, copyright and export control scans from the command line.
  • QMSTR: Also known as Quartermaster, this tool creates an integrated open source toolchain that implements industry best practices for license compliance management. QMSTR integrates into build systems to learn about the software products, their sources, and their dependencies.
  • SPDX Tools: Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references; the SPDX tools view, verify and translate SPDX documents.
  • Tern: An inspection tool that finds the metadata of the packages installed in a container image. It provides a deeper understanding of a container’s bill of materials so that better decisions can be made about container-based infrastructure, integration and deployment strategies.
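As an added illustration of the SPDX bill-of-materials format the list above describes (example code written for this page, not code from the article or from any ACT project), the following parses a constructed SPDX tag-value document and flags packages whose declared license falls outside an organization's allow-list, which is the kind of obligation check the tooling exists to support. The sample packages and the allow-list are assumptions.

```python
import re

# Constructed SPDX 2.1 tag-value document (sample data, not a real product).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
PackageName: libfoo
PackageVersion: 1.4.2
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright (c) Example Authors</text>
PackageName: barutils
PackageVersion: 0.9
PackageLicenseDeclared: GPL-3.0-only
PackageCopyrightText: NOASSERTION
PackageName: bazlib
PackageVersion: 2.0
PackageLicenseDeclared: NOASSERTION
"""

# Assumed organization policy: license identifiers permitted in the product.
ALLOWED_LICENSES = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}

TAG_RE = re.compile(r"^(\w+):\s*(.*)$")


def parse_packages(doc):
    """Return one dict of Package* tags per package; PackageName starts a package."""
    packages = []
    for line in doc.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue  # blank lines and free text are not tag-value pairs
        tag, value = m.groups()
        value = re.sub(r"^<text>(.*)</text>$", r"\1", value)  # unwrap <text>
        if tag == "PackageName":
            packages.append({})
        if packages and tag.startswith("Package"):
            packages[-1][tag] = value
    return packages


def check_compliance(doc, allowed=ALLOWED_LICENSES):
    """Return (name, version, license) for packages needing review:
    declared license outside the allow-list, or no license asserted."""
    findings = []
    for pkg in parse_packages(doc):
        lic = pkg.get("PackageLicenseDeclared", "NOASSERTION")
        if lic not in allowed:
            findings.append((pkg.get("PackageName"), pkg.get("PackageVersion"), lic))
    return findings
```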

Gary O’Neall, CEO, Source Auditor, Inc., said, “As a long-term contributor to SPDX and open source license compliance tools, I am excited to see the formation of ACT and the inclusion of the SPDX tools in the project.” He added, “The SPDX tools are a result of many years of collaboration and contributions from the SPDX community. The SPDX tools provide users the ability to view, verify and translate SPDX documents, while the libraries provide developers tools to integrate with SPDX licenses and documents. These capabilities will form a nice complement to the other ACT tools.”

“There are numerous open source compliance tooling projects, but the majority are unfunded and have limited scope to build out robust usability or advanced features,” commented Kate Stewart, Senior Director of Strategic Programs at The Linux Foundation. “We have also heard from many organizations that the tools that do exist do not meet their current needs.”

Stewart also said that forming a neutral body under The Linux Foundation to work on these issues will allow the industry to increase funding and support for the compliance tooling development community.

Edited by Maurice Nagle
