As open-source software matures, organizations have gone from asking, “Should we use open source?” to, “How do we best manage open-source adoption and compliance?” Controlled adoption of open source and other third-party software includes avoiding package proliferation, maintaining control of quality, understanding known open-source security vulnerabilities, and managing compliance with license obligations.
The starting point: An open-source policy
As an initial measure, many organizations have, at the very least, implemented an open-source policy. The policy regulates the open-source governance process and covers topics such as who the stakeholders are within the organization. And it outlines acceptable attributes such as open-source licenses and communities.
An open-source policy also includes a workflow for requesting and approving open-source packages that can be used in specific projects or within the entire organization and defines the course of action once an open-source policy violation is suspected.
Enforcing the policy can be difficult. Developers are expected to be experts in developing code. Expecting them to be familiar with licensing would dampen innovation. Like other quality-assurance processes, it is best to start managing open-source compliance in the early stages of development. Examples of preventive open-source compliance activities include:
• A workflow process that can reject any packages that violate an organization’s open-source policy before the developer is permitted to use the code.
• A process that can detect and flag violations as the code is brought onto a developer’s workspace (from the Web, a private library, or external memory).
• An integrated workflow solution that allows regular open-source scanning and manages compliance of the organization’s policy.
The open-source policy is drafted with input from all the relevant stakeholders in the organization. Typically an open-source committee consists of representatives from legal, R&D and product management.
The pre-approval process
A good open-source policy puts emphasis on catching open-source compliance issues at the earliest stage of development, therefore vastly reducing the time and effort involved in remedying them.
An important element of any solid open-source policy is a package pre-approval process. In essence, this process is a series of actions that allow anyone to request a certain open-source package to be used in a project. Through a streamlined workflow process, a licensing person can approve or reject the requests based on the available information about the project, how the package is to be used in the project, and the open-source package’s attributes.
So, what does a package pre-approval workflow entail? First, developers must submit a request that includes details such as the package’s name, a link to the code, and information such as version, authors, and the license cited on the site or specified in the package. Other information such as known open-source security vulnerabilities and the presence of encryption content in the package will help the compliance examiner streamline the approval process.