25 June, 2020
Open Source Compliance is not a single process or a single tool, and it does not run itself; it is an ecosystem that requires a combination of different tools, methods and responsibilities. Individual tools usually cover only one aspect or perspective of the compliance process.
Integration work is therefore usually needed, from the technical level of data collection, through an effective overview for compliance officers, to the generation of compliance artefacts. In addition, a patchwork of disparate Open Source Compliance processes and tools can quickly become a bureaucratic hurdle that slows down innovation and productivity.
Open Source software is software that its authors make available to the general public in source-code form. Frequently, the authors do not see the software primarily as a product but as a means to an end, and in development projects the synergy effects of public cooperation can outweigh the costs. However, this cooperation is usually subject to conditions. Which conditions apply is up to the authors, who place their source code under Open Source license terms.
The Open Source Initiative and the Free Software Foundation in particular contribute significantly to standardizing these conditions in the form of licenses. Among other things, these licenses can require disclosure of the source code or attribution of the components and their authors. Creating a reliable, secure basis for the use of Open Source is the fundamental challenge of Open Source license compliance.
43 % of all companies surveyed stated that they had an OSS Compliance Process and as many as 17 % already confirm a written policy for dealing with Open Source.
Source: Bitkom Open Source Monitor, published Feb 2020
Taking advantage of the opportunities of Open Source software means using the source code in accordance with the license conditions and fulfilling the obligations that come with the software. License declarations often differ from one another in form and content, frequently even within the same OSS project. To get these complex issues under control, initiatives such as the OpenChain Project are establishing organisational guidelines. Without technical aids, however, it is often impossible to maintain an overview and meet all requirements, because thousands of components are quickly involved.
The exchange of information between development teams, compliance offices and software recipients is another challenge of Open Source Compliance. Today, software is in many cases a continuously changing product. For example, a contracted software developer or a supplier may integrate new components at different points in time. These new software components should be communicated to the recipients of the software promptly, and any licensing issues should be addressed before essential parts of the development come to depend on them.
“We experience the perception that Open Source Compliance is a simple and optional documentation work. However, a subsequent review of years of development is neither quick nor easy. An early commitment, for example to the GPL, can result in significant legal obligations and possibly affected products are already on the market at the time of testing.”
The search for illegally used, incorrectly declared or copied code passages in your own or supplied software makes clear how necessary technical aids are for creating and evaluating a reliable data basis.
One of the strengths of Open Source is the collaborative solution of challenges, and this approach is increasingly being applied to the compliance of Open Source itself. Several Open Source projects focus on tool development, knowledge building and process establishment for OSS compliance. These building blocks are the foundation of the ecosystem. In addition, service providers offer specialized tools with a wide range of functions and tailored services.
For establishing Open Source Compliance in a company in a way that fits, a middle course between Open Source and proprietary services is often sensible. For example, work steps in the identification phases, such as resolving software dependencies or detecting license declarations, are well supported by Open Source tools, which embed themselves seamlessly into development processes. Forensic work steps such as snippet scanning and security vulnerability scanning of your own or supplied artefacts are dominated by the proprietary market. After all, qualitative considerations such as the maturity level, scope, cost and available support of a solution, as well as strategic factors such as data ownership, confidentiality and scalability, can also be included in the decision.
Thus, various criteria can be used to weigh up whether a proprietary service provider, an Open Source service provider or self-tailored OSS applications are the best solution for your company in economic, technical and legal terms.
“A tailored OSS Compliance Toolchain is an important element of functioning and efficient OSS compliance within companies.”
The team of OSS experts at PwC supports you from interdisciplinary planning to the implementation of your tailor-made Open Source Compliance process. We advise you on aspects of the legal framework, structural requirements and technical implementation, as well as on the individual selection of tools, solutions and possible service providers.
Finally, the PwC certification according to OpenChain can serve as the seal of approval of a successful Open Source Compliance Management System for you and your products. In this way, you create trust among your customers in the proper use of Open Source software in your products and services.
Director Open Source Software Services & IT Sourcing, PwC Germany
Tel: +49 151 16157049