As open-source software matures, organizations have gone from asking, “Should we use open source?” to, “How do we best manage open-source adoption and compliance?” Controlled adoption of open source and other third-party software includes avoiding package proliferation, maintaining control of quality, understanding known open-source security vulnerabilities, and managing compliance with license obligations.

The starting point: An open-source policy
As an initial measure, many organizations have, at the very least, implemented an open-source policy. The policy regulates the open-source governance process and covers topics such as who the stakeholders are within the organization. And it outlines acceptable attributes such as open-source licenses and communities.

An open-source policy also includes a workflow for requesting and approving open-source packages that can be used in specific projects or within the entire organization and defines the course of action once an open-source policy violation is suspected.

Enforcing the policy can be difficult. Developers are expected to be experts in developing code. Expecting them to be familiar with licensing would dampen innovation. Like other quality-assurance processes, it is best to start managing open-source compliance in the early stages of development. Examples of preventive open-source compliance activities include:
• A workflow process that can reject any packages that violate an organization’s open-source policy before the developer is permitted to use the code.
• A process that can detect and flag violations as the code is brought onto a developer’s workspace (from the Web, a private library, or external memory).
• An integrated workflow solution that allows regular open-source scanning and manages compliance of the organization’s policy.

The open-source policy is drafted with input from all the relevant stakeholders in the organization. Typically an open-source committee consists of representatives from legal, R&D and product management.

The pre-approval process
A good open-source policy puts emphasis on catching open-source compliance issues at the earliest stage of development, therefore vastly reducing the time and effort involved in remedying them.

An important element of any solid open-source policy is a package pre-approval process. In essence, this process is a series of actions that allow anyone to request a certain open-source package to be used in a project. Through a streamlined workflow process, a licensing person can approve or reject the requests based on the available information about the project, how the package is to be used in the project, and the open-source package’s attributes.

So, what does a package pre-approval workflow entail? First, developers must submit a request that includes details such as the package’s name, a link to the code, and information such as version, authors, and the license cited on the site or specified in the package. Other information such as known open-source security vulnerabilities and the presence of encryption content in the package will help the compliance examiner streamline the approval process.

Another important item accompanying the pre-approval request is a description of how the package is going to be used in the product, including whether or not the code will be modified, redistributed, or only used internally.  

After the request is submitted, an administrator (someone from the open-source committee) can review the request. Typically, a combination of manual research and automated open-source scanning tools are used to confirm and identify licenses, obligations, copyrights, open-source security vulnerabilities, and encryption properties of the requested package.

At this stage, the licensing person will review license obligations and other properties of the requested package against the organization’s policy, taking into consideration how the developer intends to use the package. If there are no conflicts with the organization’s open-source policy, the administrator can approve the package. Once a software package is approved, it is then logged and made available to the specific product groups or the whole organization. A record of the approved packages is made available so that developers can readily use these pre-approved components in the future.

As with other software life-cycle management processes, automated solutions for package pre-approval exist that significantly reduce the time and effort spent on open-source compliance and increase the accuracy of the results. A package pre-approval workflow process, when combined with automated open-source scanning, is an effective part of managed adoption of open-source software, allowing organizations to reduce their development costs and speed up delivery times using quality third-party software.

Lacey Thoms is a technical blogger at Protecode and has written many articles on open-source software management.