
License compliance in the open-source supply chain

By Jake Edge
May 8, 2017


The supply chain in the open-source world is lengthy and global; it also suffers from compliance problems with the GPL and other licenses. The OpenChain project was created to help the companies in the supply chain with their compliance. At the 2017 Free Software Legal and Licensing Workshop (LLW), OpenChain program manager Shane Coughlan described the project, some of its history, the release of version 1.1 of its specification, and more.

[Shane Coughlan]

For quite a few years, there has been a belief in the community that license compliance is "something that needs to be urgently addressed", Coughlan said. Many in the room have done lots of work to help address that with information on how to comply, how to train employees on compliance, and so on. The community has worked out how to adhere to the licenses properly, but that has not yet taken hold in the supply chains providing open-source code for various devices.

The last great barrier to ensuring license compliance throughout our industry is these supply chains. Three years ago, Dave Marr of Qualcomm brought it up as a problem that needed to be solved. The companies in the middle of the supply chain need help, Marr said, so perhaps a project to do so would make sense. Everyone liked the idea, Coughlan said, but for a while nothing happened. That is common in our industry; we sometimes take a while to "mull over the approaches", he said.

One way to approach it would be to make an enormous list of all of the "stuff you need to do to be super awesome at compliance"—targeted at both small and large organizations. That is something of an academic approach and one that is likely to be looked upon in horror by small and medium-sized companies. So that was more of a thought experiment.

Another way would be to define the overarching processes that an organization needs to follow with regard to open source. It would establish the baseline processes that need to be followed for open-source software as it comes in, is used, and goes out to customers. In addition, material supporting these best practices would need to be provided along with a way for organizations to self-certify that they have the appropriate processes in place. That is the approach that OpenChain has taken.

The idea is to start with the minimum needed and then build on that, Coughlan said. Over the last one and a half years, people have been working on OpenChain and, at this point, OpenChain is a "refined project". In October 2016, the 1.0 specification was released; since then, there has been feedback on the specification and the project has reworked and polished it for the 1.1 release, which was made a few hours before his talk. At this point, the project fully "breaks cover"; it is something that is ready for mass-market consumption now.

The specification [PDF] is augmented with open training materials. With 1.1, OpenChain has also cleared the remaining obstacles to online self-certification, he said. That allows companies to quickly see which questions they need to ask themselves to ensure they have the right processes in place.

This is not just some esoteric exercise, Coughlan said, it is helping to solve a real problem. But there is a larger challenge, that goes beyond adhering to one license or a particular compliance regime; there is a need to build trust within the industry. Companies need to have the sense that everyone is playing by the same rules. If other companies are complying with the OpenChain specification, especially suppliers, that can help provide the trust.

The specification has been built by a large team, he said. There were comments from more than 100 people. The mastermind behind the specification has been Mark Gisi of Wind River Systems. Gisi created a realistic baseline that can be trusted throughout the industry. Miriam Ballhausen is the mastermind behind the online self-certification mechanism; she took an earlier questionnaire and turned it into a web app.

The final piece of the OpenChain puzzle is the creation of a training program, an effort that Coughlan has been the chair for, but many others have "devoted lots of time" to it as well. The materials are being translated into Korean, Japanese, and Spanish, with more languages planned. The project originally got slides from multiple companies that were combined into a "Frankenstein deck", but the slides have been improved and condensed into something more cohesive. In addition, the slides can be converted into other formats more easily now; originally they were only available as PowerPoint and PDF files, but now there is a beta version of the slides in LibreOffice format.

OpenChain was "brought to life" at LinuxCon Europe in 2016 and organizations like Wind River adopted it. That helped the project learn what was needed for the 1.1 version, which is "ready for mass adoption". The project likes to make a splash with its announcements, Coughlan said; at the time of its release, OpenChain 1.1 had already been adopted by Siemens, Qualcomm, Pelagicore, Wind River Systems, and, on the previous day, by Harman. He is enthusiastic about the project because it solves a problem "that we haven't been able to solve".

He noted that the GPL compliance book that he and Armijn Hemel wrote marked something of a finishing point for him on the subject of compliance for individual companies. He is now moving on to compliance in the global supply chain.

Working on license compliance is not only for our own self-interest, but to help these companies use open source properly. If there are hiccups with compliance, it indicates that companies have not fully realized the value that open source brings. With best practices information, training programs, partners, and a community, OpenChain will help them get there.

There are over 150 people on the mailing list, but there is a need for more people to get involved. OpenChain is not a typical project, Coughlan said; it has a more global focus than many others. That global nature is backed up by things like efforts to translate all of the project materials to Chinese, so that it is not restricted to English. In addition, planning phone calls are not done only in US-friendly time zones; one call per month is scheduled at a time convenient for Asian contributors, while the other is scheduled for contributors in Europe and the Americas.

In summary, Coughlan said that OpenChain is going to be a beneficial part of the open-source ecosystem. He was asked about license translations by an audience member, but said that was outside the scope of the project. OpenChain is not license-specific; it operates at a higher level. The idea is to ensure that companies have the right approach to bringing open source in, working with it internally, and then shipping it to customers. In some ways, OpenChain is like ISO 9001: it ensures that the right processes are in place, but leaves specific decisions, like which licenses to use, up to the companies.

[I would like to thank Intel, the Linux Foundation, and Red Hat for their travel assistance to Barcelona for LLW.]

Index entries for this article
Conference: Free Software Legal & Licensing Workshop/2017



License compliance in the open-source supply chain

Posted May 9, 2017 10:33 UTC (Tue) by garloff (subscriber, #319)

I wonder whether this project is aware of the great work done in the "OpenSource License Compendium" and "OpenSource Compliance Advisor" projects
http://dtag-dbu.github.io/oslic/

License compliance in the open-source supply chain

Posted May 9, 2017 18:35 UTC (Tue) by gioele (subscriber, #61675)

> I wonder whether this project is aware of the great work done in the "OpenSource License Compendium" and "OpenSource Compliance Advisor" projects
http://dtag-dbu.github.io/oslic/

The OSLiC/"OpenSource License Compendium" project seems interesting, but its website completely fails at 1) explaining what it is about and 2) providing the compendium itself.

For example: the homepage focuses on an Open Source License Compendium Manifesto with only hints at what the project is about. The download page tells me to download a LaTeX distribution and suggests that I use an Eclipse plugin.

Only after wandering through dozens of unrelated pages one gets to download the (indeed interesting) compendium: http://opensource.telekom.net/oslic/releases/oslic.pdf and http://opensource.telekom.net/oslic/releases/oslic-reveng...

License compliance in the open-source supply chain

Posted May 11, 2017 5:34 UTC (Thu) by philipsbd (subscriber, #33789)

We were solving a different problem (tracking Go dependencies), but we built a useful tool for tracking dependent projects in a machine-parseable JSON format: https://github.com/coreos/license-bill-of-materials


Copyright © 2017, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds