The OpenChain Project
The OpenChain Project began in 2013 and is hosted by the Linux Foundation; it is led by Shane Coughlan. The project set out to define an effective specification for open source license compliance throughout the software supply chain.
So why is compliance important?
David Rudin, Assistant General Counsel at Microsoft says,
‘When companies, especially large enterprises, purchase software, they need to know what open source is included in the product so they can be sure to meet their compliance obligations. As supply chains grow, each link in the chain must meet its open source obligations – a weak link means you can’t trust the code… and if you can’t trust the code… you can’t easily use it.’
When members of the supply chain are OpenChain conformant, the use of open source software becomes much easier. Organisations can use open source software and trust that the provider has quality governance in place to ensure the software is compliant.
Microsoft announced its conformance to the OpenChain specification back in 2019. Many other organisations have also publicly announced OpenChain conformant programs including Arm, Cisco, Siemens and Uber.
Conformance to the specification can be self-assessed or assessed independently. The specification is also supported by extensive reference material, including training, policy templates and case studies.
Introducing ISO/IEC 5230
ISO and IEC published the OpenChain specification as an international standard, ISO/IEC 5230, in December 2020. The text of the standard is that of OpenChain Specification 2.1, so the ISO/IEC 5230 standard and the OpenChain specification are functionally identical.
The standard defines the key requirements of a quality open source license compliance program, which builds trust between organisations exchanging software solutions composed of open source software.
This ‘trust’ rests on the fact that an organisation’s conformant program signals to others that the program has been designed to achieve license compliance for the open source software the organisation shares.
The importance of a quality compliance program
An important and often overlooked aspect of open source is compliance with the obligations of open source licenses.
When developers use third-party components from repositories, those components will almost always carry an open source license.
The obligations you must fulfil depend on the terms of the license for each component. A license may have conditions such as providing attribution, preserving copyright statements, or making a written offer to supply the source code.
By fulfilling the license obligations you are respecting the intellectual property of the developers and organisations that have contributed code for re-use.
ISO/IEC 5230 defines the key requirements for a quality program which governs compliance with these obligations.
The idea is that the compliance program should become part of the business-as-usual quality assurance process for a software project. This will ensure open source license obligations attached to components, libraries and packages used to deliver a solution are met correctly.
What does the standard tell us?
The standard highlights what needs to be done by organisations to achieve a quality compliance program and the reasons for this. What the standard does not do is provide a template for your compliance program. This allows for the specific decisions regarding license compliance to be left to you.
OpenChain refers to this as the ‘what’ and ‘why’ approach. It gives organisations of different sizes, in different markets, the flexibility to choose the specific policy and process content that fits their goals and scope.
In practice, this means that a conformant program may address a single product or the entire organisation as a whole.
Information you may expect to see in the standard includes:
Building a foundation for your compliance program and policy
Open source content review and approval
Open source community engagement
Conformance has its benefits!
What are the benefits for your organisation if you adopt the standard?
Matt Conway, CTO of Interneuron, says “OpenChain conformance benefits our whole organization – from developers onboarding and releasing their first FOSS products, through to the implementation team building trust and confidence with our customers.”
Conformance to the standard increases the probability that license compliance will be achieved in your software releases. This allows you to build trust amongst your customers whilst also decreasing business, legal and reputational risks around non-compliance.
The OpenChain specification also complements existing quality assurance programs and standards such as ISO 9001:2015, which sets out the criteria for a quality management system.
Adherence to the standard can reduce your overall compliance effort, saving time as well as legal and engineering resources.
For example, in a typical supply chain each member may be working to a different compliance standard, so each must repeat compliance work on the software it receives from others, which wastes time and resources.
The OpenChain specification gives every member of the supply chain one consistent standard to follow, so that work need not be duplicated: organisations can trust that the other members of the supply chain are working to the same standard.
As an example, ‘just like an individual car buyer should not have to inspect the factory floor to make sure their car was made to be safe, a user of software should not have to inspect how the software was made to make sure it meets its open source obligations’, says David Rudin, Assistant General Counsel at Microsoft.