As open source software becomes increasingly prevalent in enterprises, meeting license compliance requirements and distributing that software correctly throughout the supply chain can be challenging. According to Shane Coughlan, program manager at OpenChain, getting this right matters for a number of reasons. “The core one is to ensure a company is meeting its obligations under a license and has the right to distribute code,” he said. “Failure to do this can result in product delays, brand damage, and legal risk.”
The OpenChain Project was formed in 2015 to create an overarching standard for building and monitoring open source compliance programs. The OpenChain community comprises a number of organizations across Asia, Europe, and North America, including Arm, Cisco, Comcast, Qualcomm, Adobe, Toshiba, and GitHub, among others.
The project has four working teams. The first works on the specification, publishing a core set of requirements that compliance programs for free and open source software (FOSS) should meet. The second builds training and educational materials. The third is a conformance team that helps enterprises evaluate whether they meet the project’s specification and bring their programs into conformance. The fourth produces informational and outreach materials about the project.
Coughlan said that the program applies to any open source software and any supply chain. The standard created by the project helps make the supply chain more predictable and efficient when implementing FOSS.
Facebook, Google, and Uber all rely on open source to build a number of their services and are all involved in developing standards for FOSS. The companies already contribute to a number of open source projects, including the Linux kernel and the Open Compute Project.
In a blog post about Google joining the project, Max Sills and Josh Simmons of Google Open Source wrote that Google has developed rigorous policies and processes to perform open source license compliance correctly. “For us, it’s a matter of legal compliance as well as showing respect for the amazing communities that create and maintain the software.”
According to Sills and Simmons, without a compliance standard, companies including Google have had to “invent and cobble together policies and processes, occasionally comparing notes and hoping we haven’t forgotten anything.”
Working toward a similar goal, last year Facebook and Google, alongside IBM and Red Hat, formed an alliance to extend greater legal protection to users of some of the open source code they license: licensees who fall out of compliance are given an opportunity to cure the error before their license terminates. This was part of a broader effort to make open source license compliance errors fixable rather than fatal.