Last year I had the opportunity to work across the country with our partners at Brooks Kushman P.C. to present a unique mix of legal and technical expertise on open source licensing, in particular how these licenses impact the embedded software space.
As we begin 2017, I took a moment to reflect on the key legal and practical concerns with using open source software (OSS) and what organizations should continue to watch.
The first rule of open source software management is knowing what you have
Although you can ask developers what they use and stick it all in a spreadsheet, you’ll get a much better result if you don’t rely on quickly out-of-date documents or developer memories. Instead, get an audit from professionals who look at OSS every day and understand the intricate relationships between OSS packages and their dependencies. Your audit report should include a Bill of Materials (the list of OSS packages you’re using), a list of licenses associated with those packages, and, most importantly, the set of obligations you must meet in order to use those packages.
Once you know what you have and what to do about it, you can get on the road to compliance.
There is a clear path for organizations to achieve open source compliance
In our presentations, we talked about the road to OSS compliance a lot, and the key steps an organization should follow:
• Appreciate the benefits of the OSS model. Realize that your compliance likely means the software will continue to improve through your own contributions so that all users benefit, just as you did from the contributions of others.
• Develop an OSS strategy and policy so all developers understand which types of packages and licenses are okay to use, how they get approval (if required), how to contribute back to the community, and the like.
• Educate developers on safe OSS adoption and assign a point person in your organization to answer questions and provide direction.
• Understand what you have. You can only comply if you know which OSS packages you’re using and therefore which license obligations you need to meet. Third party auditing services can help.
One thing was clear in our travels: the embedded development community is still playing catch-up when it comes to open source software understanding and compliance.
• Read this white paper: The importance of open source audits in the face of emerging litigation
• Learn more about Rogue Wave Open Source Audit.