(Trust Goal) Managing legal compliance
Organizations need to implement a legal compliance process to secure their usage of, and participation in, open source projects.
Mature and professional management of legal compliance, in the organization and across the supply chain, is about:
- performing a thorough analysis of intellectual property that includes license identification and compatibility checking
- ensuring the organization can safely use, integrate, modify and redistribute open source components as part of its products or services
- providing employees and contractors with a clear process about how to create and contribute to open source software
Software Composition Analysis
A significant part of legal and IP issues result from the usage of components released under licenses that are either incompatible with each other, or incompatible with the way the organization wants to use and redistribute the components.
Software Composition Analysis is the first step in sorting out those issues, as "you need to know the problem to be able to fix it". The process is to identify all the components involved in a project in the project's Bill of Materials, including build and test dependencies.
A licence checking process uses a tool to automatically analyse the code base and identify the licences and copyrights within it. If executed regularly, and ideally integrated in continuous build and integration chains, this makes it possible to catch IP issues early.
Checking licences and copyrights can be tricky. Developers need to be able to check IP and legal questions easily. Having a team and a corporate officer dedicated to IP and legal questions ensures a proactive and consistent management of legal questions, helps secure the usage and contributions of open-source components, and provides a clear strategic vision.
With the ever growing use of OSS in an organisation's information systems it is important to be covered with regard to potential legal exposure.
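The following is an added example, not part of the original page or of any tool it references: a minimal licence policy gate over a constructed, CycloneDX-style Bill of Materials, as could run in a CI chain. The SBOM content and the policy sets are illustrative assumptions (a proprietary, redistributed product where strong copyleft in shipped code needs legal review and an unidentified licence blocks the build); the "excluded" scope marks build/test dependencies that are not shipped.

```python
"""Licence policy gate over a constructed CycloneDX-style SBOM (illustrative)."""
import json

# Constructed SBOM fragment (CycloneDX-like shape, hand-written for this example).
SBOM_JSON = """{
  "components": [
    {"name": "libfoo", "version": "1.2.0", "scope": "required",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "libbar", "version": "0.9.1", "scope": "required",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "testkit", "version": "4.0.0", "scope": "excluded",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "mystery", "version": "2.1.0", "scope": "required",
     "licenses": []}
  ]
}"""

# Illustrative policy (an assumption for this example, not legal advice):
# "allowed" passes silently, "review" is escalated to the IP/legal contact
# when the component ships, anything else (including no licence) blocks.
POLICY = {
    "allowed": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "review": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
}

def component_licenses(component):
    """Return the SPDX ids declared on one SBOM component."""
    return [entry["license"].get("id", "UNKNOWN")
            for entry in component.get("licenses", []) if "license" in entry]

def check_sbom(sbom_text, policy=POLICY):
    """Return (component, licence, level) findings; level is review/info/block."""
    findings = []
    for comp in json.loads(sbom_text)["components"]:
        ids = component_licenses(comp)
        shipped = comp.get("scope", "required") != "excluded"
        if not ids:  # no licence identified: cannot assess, so block
            findings.append((comp["name"], "UNKNOWN", "block"))
            continue
        for lic in ids:
            if lic in policy["allowed"]:
                continue
            if lic in policy["review"]:
                # copyleft in a build/test-only dependency is not redistributed
                findings.append((comp["name"], lic, "review" if shipped else "info"))
            else:
                findings.append((comp["name"], lic, "block"))
    return findings

def ci_gate(findings):
    """True when the build may proceed (no blocking finding)."""
    return all(level != "block" for _, _, level in findings)
```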
Question: Is there an easy-to-setup Licence checking process available for projects?
- Set up a license checking process as in #2 (closed)
- Set up a legal/IP team as in #13 (closed)
- Question: Do all projects provide the required information for people to use and contribute to the project?
- Question: Is there a contact in the team for questions related to IP and licencing? (level 1)
- Question: Is there a corporate officer dedicated to IP and licencing? (level 2)
- Question: Is there a dedicated team for questions related to IP and licencing? (level 3)
- Inform people about the risks associated with wrong licencing.
- Propose an easy solution for projects to set up licence checking on their code base.
- Communicate on its importance and help projects to add it in their CI systems.
- Provide a template or official guidelines for project structure.
- Set up automated checks to make sure that all projects comply with the guidelines.
- Consider conducting an internal audit to identify licences of the company infrastructure.
- Provide basic IP and licensing training for at least one person per team.
- Provide basic IP and licencing training for the team.
- Provide complete IP and licencing training for the officer.
- Set up a process to escalate IP and licencing issues to the officer.
- There is an extensive list on the Existing OSS license compliance tools group page.
- Recommended Open Source Compliance Practices for the Enterprise. A book by Ibrahim Haddad, from the Linux Foundation, about open-source compliance practices for the enterprise.
- OpenChain Project