Why You Should be Using SPDX for Open Source License Compliance

Posted by Peter Williams on April 25th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning

The Software Package Data Exchange (SPDX) standard is getting some love lately and this is good news for open source license compliance. Which is, in turn, good for open source in general. If you are involved in software license compliance activities you need to include SPDX in your plans for the future. It will allow you to manage the risks of software licensing in a more efficient and predictable way than ever before.

SPDX defines a standard way to represent the contents and licensing of software packages. This standard representation provides a shared vocabulary for tools involved in managing license compliance. The SPDX standard is being developed under the auspices of The Linux Foundation as a way to ease complying with the licenses of open source software. The model provided by SPDX is fully compatible with proprietary software licensing also. This means that SPDX provides a uniform way to represent the licensing of any software package. Being able to treat both open source and commercial software the same way allows license compliance processes and tools to be simplified and streamlined.


Open Source Software Management: A Recap of the Top Articles

Posted by Aaron Mandelbaum on April 16th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning, Support, The Cloud

Open Source Management: Dealing with New OSS Releases. The first quarter of this year has been a busy time in open source management. JBoss has had two releases in the 7.1 series, the Apache web server has had two releases in the 2.4 series and Ruby on Rails has had two releases in [...]


Creating an Open Source Compliance Checklist

Posted by Dave McLoughlin on April 13th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning

In a recent blog article Using Categorization to Simplify Open Source License Compliance I talked about simplifying open source compliance through license “categorization” where I listed the common categories used in many open source licenses. In this article I’m going to talk about creating an open source compliance checklist based on those categorizations.

In OpenLogic Exchange (OLEX) Enterprise Edition we have analyzed several hundred open source licenses and created a list of high-level obligations for each license. For example, in OLEX the Apache License 2.0 list of obligations looks like this:

• Distribute copy of license
• Give notice of or fulfill other requirements related to modified files
• Obligation to include notice text or files
• Obligation to include copyright or trademark notice
• Obligation to indemnify contributors
• Obligation to apply license to original or derivative works
• Restrictions regarding use of trademark
• Termination of patent license upon filing of patent litigation


Open Source Software Management: A Review of Wazi Articles

Posted by Aaron Mandelbaum on April 11th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning, Support, The Cloud

The 5 most recent articles published on http://olex.openlogic.com/wazi/


Upcoming Webinar: Using SPDX to Streamline Open Source Compliance

Posted by Aaron Mandelbaum on April 2nd, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning

The SPDX (Software Package Data Exchange) standard is designed to help companies streamline their open source compliance efforts by sharing information about open source licenses that are used in software packages.


Building the Business Case for Open Source Code Scanning

Posted by Jesse Hood on March 30th, 2012 in Governance, Legal & Compliance, Open Source Management, Open Source Trends, Scanning & Provisioning

I often talk to people who are having a hard time developing the business case for purchasing and implementing a source code scanning tool or purchasing an application audit service. I respond by explaining that a legitimate and successful business case in 2012 needs to include the following:

• At minimum, a general understanding of the basics of open source software
• Both the want and the need to find and implement a solution
• The organizational drivers and resources to develop a solution to a problem, or to enhance and complement an existing system that lacks efficiency or accuracy
• Cross-functional approvals and resources from multiple departments
• Accurate and balanced vendor evaluation and selection criteria

Hopefully some of the ideas in this article will resonate and help all of you continue building the business case as you consider how or when to start a scanning and license compliance initiative.


Open Source Management: Guidelines for Setting your OSS Scan Objectives

Posted by Dave McLoughlin on March 21st, 2012 in Governance, Open Source Management, Scanning & Provisioning

When scanning your software for open source components, it is important to set and understand your objectives. Your objectives may affect how you approach the task of finding the various open source software components and licenses, what the final reports will look like, and what you ultimately do with the information.

In this article I will provide a few guidelines and some examples that you can use to help determine your scanning objectives.

First, consider what you already know about the code base you are planning to scan. Have you been diligent in tracking the use of open source software in your codebase? If you have a robust tracking system resulting in a comprehensive list of OSS, then your objectives may focus on verifying that list. If your list of OSS is more ad hoc and based on “memory” or partial lists of libraries used, or you have not been tracking OSS at all, then your objectives may be about creating a comprehensive list of all components.

Second, consider what information you hope to obtain from your scanning efforts. Here’s where it can get tricky, especially if you are new to OSS scanning. For most organizations, scanning is about compliance: developing a comprehensive list of OSS components and their associated licenses to reduce overall liability and to ensure compliance with the various open source licenses. However, there may be specific types of information that are of particular interest to you or your organization, which will shape your search and your report.


Open Source Management: Take the Open Source Maturity Quiz

Posted by Kim Weins on March 16th, 2012 in Governance, Legal & Compliance, Open Source Trends, Scanning & Provisioning, Support, The Cloud, Open Source Management

Open source management is increasingly becoming an important point of discussion as today’s companies are using open source software more widely in their IT infrastructure. So much so that Gartner expects open source to make up 30% of enterprise IT portfolios in 2012.

Open source software can provide both cost and innovation benefits, but in order to use OSS successfully, companies must have an open source management capability. OpenLogic defines four stages of Open Source Maturity that measure your company’s open source management capability.

The four stages are: Prevent, Manage, Promote and Transform:


Establish an Open Source Governance Process to Improve Open Source Support

Posted by Greg Bell on March 14th, 2012 in Governance, Support

I’ve been blogging a lot lately about the benefits of open source governance – as well as suggesting ways to get started on your open source policy and create an open source governance training program – but one thing I haven’t yet talked about is the relationship between open source support and governance. In many respects, open source governance and support are two sides of the same coin, but interestingly many of the organizations we speak to about open source support haven’t yet established formal governance processes.

In this post I’ll make the case that a formal process for open source governance can greatly improve the efficacy of your open source support procedures, and likely even save you money in the long run.


Open Source License Management

Posted by Aaron Mandelbaum on March 13th, 2012 in Governance, Legal & Compliance, Open Source Trends, Scanning & Provisioning

Understanding and interpreting open source licenses is not always an easy task. Open source licenses are essentially unilateral; if you use the software, you agree to the terms of the license. There is no protracted negotiation process during which to ruminate and refine terms as is often the case for custom-developed software.

Adding to the difficulty in understanding and interpreting open source licenses is the fact that the more troublesome compliance terms have yet to be litigated, most notably the derivative works question in regards to the GNU General Public License. However, that does not mean there is no guidance.

About Us

OpenLogic helps enterprises use open source software by providing open source support, scanning, governance, and cloud solutions. For more on OpenLogic, go to www.openlogic.com.