According to Linux, the checklist should include:

  • Discovery and disclosure: identifying open-source licenses
  • Review and approval: evaluating how the open-source software will be used and distributed
  • Obligation satisfaction: complying with the open-source license requirements
  • Community contributions: how the organization is going to review and approve contributions internally and externally
  • Policy: encouraging the use of open-source software and protecting business needs
  • Adequate compliance staffing: having the appropriate skills and resources necessary to comply
  • Adaptation of business processes: how open-source compliance is going to fit into other business practices
  • Training: ensuring the company has been trained and understands how to comply
  • Compliance-process management: establishing, maintaining and enhancing an open-source compliance policy
  • OSS inventory/recordkeeping: tracking open-source content and compliance
  • Automation/tool support: how tools are going to help the organization comply
  • Verification: assuring that the company and employees are able to adequately meet OSS requirements
  • Process adherence audits: determining if the organization is on the right track with its compliance program.

According to Zemlin, it really isn’t any harder to comply with open-source licenses than it is to comply with a proprietary license. “We think with just a little bit of training, organizations will be confident to use open-source software and will get the benefit of billions of dollars worth of software and innovation that comes with it,” he said.

But according to Black Duck’s Weinberg, compliance would be easy if it were just one piece of code and one license. “We know organizations that are using thousands upon thousands of open-source software components, and in that case compliance and governance can be quite complex,” he said.

Weinberg added that the terms found in licenses can be confusing, and even if an organization thinks it understands the terms, its lawyers might have a different opinion or disposition, so compliance shouldn’t be left to any one part of the company. He recommended organizations adopt a cross-disciplinary purview and an open-source licensing board made up of engineering management, legal management and upper management.

Types of open-source licenses
There are thousands and thousands of open-source licenses. The Open Source Initiative recognizes approximately 60 of them, but that leaves about 2,000 self-styled and completely original open-source licenses, according to Black Duck’s Weinberg.

These licenses can fall into two basic categories: permissive and restrictive.

Permissive licenses are ones that require minimal obligations from a company, such as attribution requirements, according to Protecode’s Koohgoli. “For instance, all you have to do is make sure your product that uses the open-source code is shipped with a notice that says [the] product uses this open-source software,” he said. “The attribution comes in different forms, and they have to maintain the code or include the original lines of attribution on the top of their software.”

Then there are restrictive licenses, typically called “copyleft” licenses, which generally allow you to use the software for any purpose but impose varying degrees of restriction on how it is redistributed. The idea of restrictive licenses is to attach a set of terms that govern how the open-source code is distributed, so that users can’t redistribute it under whatever terms they want, according to Rogue Wave’s McLoughlin. “Some licenses very specifically say you can use this code, it is free, you can modify it, you can use it any way you want, you can put it in a commercial product, etc. But you can’t change the license, and any work that you create with this product, diverted work, any modifications that you made to it, have to be under this original license,” he said. The idea is to keep open-source software open source so that it isn’t closed-sourced by a commercial vendor in the future, he explained.

The most common licenses include the GNU General Public License, MIT License, and Apache License.