Linux Foundation Launches License Compliance ProgramLinux Foundation Launches License Compliance Program

In a bid to eliminate a barrier to open source code adoption, the Linux Foundation is launching the Open Compliance Program to guide users on how to stay within the GPL and other open source code license limits. Open source licenses have gained a new, court-backed legitimacy, and Eben Moglen's Software Freedom Law Center has taken several well publicized enforcement actions against General Public License violators. The GPL governs use of Linux and other open source code. The Apache license and Berkeley BSD license are also frequently used.

Part of the resolution of the Software Freedom lawsuits has been to impose a compliance process on the future use of open source code at the target company. Jim Zemlin, executive director of the Linux Foundation, said the foundation is trying to make compliance as simple and easy as possible for companies that want to expand their use of open source.

"As open source has proliferated up and down the product supply chain, so has the complexity of managing open source compliance," he said in an interview in advance of LinuxCon, which began today in Boston.

With Linux spreading into mobile and embedded devices, manufacturers have confronted increasingly complex combinations of open source code and commercial code and need guidance on what rules govern the operation of the two. Linux often underlies telecommunications companies' operations. It's often bundled with other open source code to finds its way into the operation of product as an embedded system.

Facing such complexity, his foundation is trying to show "how we can create a vaccination for the software industry" against compliance issues, said Zemlin.

The foundation has released a set of code scanning tools, including a Dependency Checker, which can identify what code is linked to what. If open source code is linked to commercial code, that affects how it can be used, and the tool offers a license policy framework that would allow a code manager to define what licenses he needed.

Another tool is the Bill of Material Checker, capable of detecting changes in the bill of materials that indicates new code components have been added to product. The tool can report on new open source components added to a product, something that's hard to do with rapidly changing mobile devices and embedded systems, said Zemlin.

Another tool is the Code Janitor, which checks comments in the source code to insure developers didn't leave statements about future products, product code names, references to competitors. The tool checks code against its database of keyword to make sure the code is ready for public consumption.

Moglen said in the announcement of the foundation's program that its tools will make "best operational practices for compliance accessible to all and will help commercial and non-commercial (such as open source projects) parties work together…"

The tools are designed to drive down the cost of staying in compliance with open source licenses, Zemlin said.

There are already commercial products to help you do so. Black Duck Software offers license management products. Palamida offers code analysis and compliance products. Coverity offers code analysis and comparison products. HP has produced a multi-tool framework for managing open source code that it calls Fossology.

But the foundation has drawn many compliance elements together and is presenting them as a free, comprehensive program. It offers a self-assessment checklist of best practices that can be used to compare with existing company policies. It also offers a standardized bill of materials for clearer labeling of what open source components are in products. By following the same reporting method, manufacturers will know they are on firmer ground in dealing with their suppliers and each other, Zemlin said. The foundation will also maintain a directory of compliance officers at companies so that changes, or questions about changes, can be dealt with quickly and directly. Names of compliance officers may be reviewed or added to the directory at www.linuxfoundation.org/services/compliance/directory.

IBM, Motorola, Nokia, Adobe, Intel, AMD, Cisco, Google, HP, Sony and Novell are supporting the initiative, along with other companies. Black Duck and Palamida are also supporters.