
Name             | Organization | Github ID
Aaron Williamson | FINOS        |
Aitana Myohl     | FINOS        |
Rob Underwood    | FINOS        |
Tosha Ellison    | FINOS        |
Gilles Gravier   | Wipro        |
Gaurav Parakh    | Wipro        |
Colin Eberhardt  | Scott Logic  |
Rich Heironomous | Freddie Mac  |

Agenda

Time   | Item                                  | Who
5 min  | Convene & roll call                   |
30 min | Open source tooling review            | Aaron Williamson
10 min | OSS process roadblock problem-solving | All
5 min  | Any other business & adjournment      |

Notes from the Meeting

Open source tooling review (Aaron Williamson)

The group reviewed the open source compliance tools presented over the last several meetings (SW360, FOSSology, Quartermaster, OSS Review Toolkit) in the context of the broader compliance toolchain model, discussing:

  • the role of tooling in the larger open source compliance process
  • considerations for choosing whether to build (with open source components) or buy a compliance solution
  • different approaches to various aspects of compliance (e.g. license scanning versus dependency mapping)
  • participants' experiences with different tools, workflows, and vendors.

It was suggested that FINOS lead efforts to:

  • gather comparative data on different open source compliance vendors and their offerings
  • produce information describing discrete open source compliance workflows for common use cases and covering the tools available for each
  • produce a short whitepaper on the specific risks open source compliance processes are meant to control for, how to evaluate them, what common antipatterns are, etc.

OSS process roadblock problem-solving (All)

There was a brief discussion of where members have experienced friction in building out their open source programs and of potential solutions.



Decisions Made

N/A

Action Items