The Linux Foundation is working on improving open-source compliance with the formation of a new project. The Automated Compliance Tooling (ACT) project has been set up to consolidate investments, increase interoperability and help organizations manage compliance obligations.
According to the foundation, while the use of open-source code is becoming very popular, it is important to remember that the code comes with licenses users have a responsibility to comply with, and those obligations can be difficult or complex to deal with.
“There are numerous open source compliance tooling projects but the majority are unfunded and have limited scope to build out robust usability or advanced features,” said Kate Stewart, senior director of strategic programs at The Linux Foundation. “We have also heard from many organizations that the tools that do exist do not meet their current needs. Forming a neutral body under The Linux Foundation to work on these issues will allow us to increase funding and support for the compliance tooling development community.”
As part of the announcement, ACT is also welcoming two new projects that will be hosted at the Linux Foundation: OpenChain, a project that identifies key recommended processes for open-source management; and the Open Compliance Project, which will educate and help developers and companies better understand license requirements.
In addition, ACT will encompass four other projects:
- FOSSology: An open source license compliance software system and toolkit allowing users to run license, copyright and export control scans from the command line.
- QMSTR (Quartermaster): A tool for implementing best practices in license compliance management.
- SPDX Tools: The Software Package Data Exchange is an open standard for communicating software bill of materials information such as components, licenses, copyrights and security references. While SPDX itself will remain separate from ACT, its tools for helping meet the specification will become a part of the initiative.
- Tern: An inspection tool for finding metadata from packages installed in a container image.
Going forward, ACT will continue to look for additional projects as well as add new members and community partners.