Linux Foundation Helps Vendors Comply with FOSS Licenses
Tools For Compliance
The Linux Foundation's new effort comes as legal issues around open source are once again in the headlines. Just last week, consumer electronics vendor Westinghouse lost in a court ruling over GPL open source licensing compliance.
"We decided we could develop a program that could drive cost out and accelerate Linux adoption," Jim Zemlin, executive director of the Linux Foundation, told InternetNews.com. "It's not just about having point tools either; it's about having a holistic health regime for the entire industry."
License compliance issues aren't limited to open source software; proprietary software also carries licenses that enterprises must adhere to. But open source compliance issues have surged along with the upswing in the use of open source technologies. As a result, Zemlin said, companies are increasingly realizing that the cost of not complying with licenses is high, and can include fines, legal fees and negative public relations.
Among the tools that the Linux Foundation's compliance effort will include is a dependency checker, which will help identify open source code and the licenses it carries. There will also be bill-of-materials tools and resources to identify the open source components present in an application, helping to ensure license compliance.
The Linux Foundation is also ramping up its Software Package Data eXchange (SPDX) working group, which helps to build out and identify bill-of-materials components in a standardized manner. The Foundation will also create a compliance directory of open source officers at vendors to aid communication.
Zemlin said that the new Linux Foundation compliance effort and its associated tools will complement existing tools in the industry from Black Duck, Palamida and OpenLogic that all help enterprises with open source license compliance.
Though the Linux Foundation effort aims to help enterprises achieve compliance with open source licensing, there is no formal certification program as part of the initiative. Instead, the effort relies on companies to evaluate their own open source usage.
"There is a self-assessment checklist," Zemlin said. "I think that's the best way to start with an effort like this. Overall, our goal is to make this as operationally effective as possible, and everything we're doing is focused on operational implementation -- not a certification."
That approach stems from Zemlin's view that he has never known a company that intentionally set out to violate an open source license, he said. Instead, he added, problems usually arise simply from a lack of knowledge and understanding of what the various open source licenses require. That's why he sees the Linux Foundation's compliance program as a critical driver for future growth.
"I want to see a future where there are no lawsuits and I never talk to a company that has any concern or lack of understanding about how to easily integrate free and open source software into what they are doing," Zemlin said. "Today we're seeing great adoption of open source as the value is high, and we want to increase the benefits by making compliance costs low."