Checklist: establishing an open source compliance program

Strategy

Document your open source strategy covering the following areas, as relevant:

Strategic objectives: what benefits you intend to realize through using and engaging with open source, and how.
Compliance strategy: high-level strategy for ensuring open source compliance across enterprise, including the process for implementing that strategy.
Communications strategy: who will respond to open source compliance inquiries from customers, the public, and open source projects, and how.
Legal & risk strategy: how legal risk will be managed as part of the open source strategy and when legal review will be required.
M&A/corporate development: how open source compliance fits into M&A and corporate development strategies.
Software procurement: how open source diligence will be managed for new software procurement (and audits of outstanding procurement).

Policy and process

Establish policies for open source engagement that cover:

Usage of open source in internal development
Contribution to third-party projects
Distribution of open source within proprietary products
Publication of in-house open source projects
Auditing existing products and codebases for open source
Fulfillment of open source license obligations, including process for responding to requests for source code, where applicable

People

Establish a core open source review team, typically consisting of participants from:

Legal
Risk & compliance
Security (information, network, application)
Software engineering

Establish a cross-functional open source policy team with representatives from every area affected by open source policies, including:

Legal
Risk & compliance
Security (information, network, application)
Software engineering
Office of the CIO & CTO
Software Architecture
Software Development Lifecycle
Network Policy
Internal and external communications

Establish reporting & approval chains for key open source-related issues:

License approval
Third-party OSS component approval
Remediation of security vulnerabilities in OSS components
Product release approval
OSS contribution approval
OSS project release approval

Open source management toolchain

Put in place software tools to manage key open source management processes:

Approval workflows: managing and automating the initiation, review, and approval of requests subject to open source policies, e.g. to use or incorporate a new open source component or license, to modify an open source component, or to release a project as open source.
Project management: tracking usage of and modification of open source components within an internal development project.
Inventory management: tracking open source components in use across versions and projects.
Code review: enforcing and facilitating review of open source contributions and open source usage in products prior to contribution or publication.
Compliance automation and audit: see TBD Open Source Compliance Toolchain Checklist.
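The inventory and compliance automation items above are easiest to understand as a gate over a component inventory. The following is an added example written for this checklist, not a FINOS, OpenChain or SPDX tool: it reads an SPDX-style JSON package list, evaluates each package's concluded license expression against a hypothetical three-tier policy (approved, review required, rejected), and reports whether a release may proceed without going back to the license approval chain. The policy sets, package names and the SBOM document are constructed for the example; the only real convention used is that license identifiers follow the SPDX license list and that in SPDX expressions AND binds tighter than OR.

```python
"""Added example: a minimal license-policy gate over an SPDX-style inventory.

Illustrative code for this checklist, not a FINOS/OpenChain/SPDX tool.
The policy sets, package names and the SBOM below are constructed.
"""
import json
import re

# Hypothetical policy tiers. Identifiers are SPDX license list IDs.
APPROVED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
REVIEW_REQUIRED = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}
REJECTED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}

# Ordering used to pick the most/least permissive outcome.
RANK = {"approved": 0, "review": 1, "rejected": 2}

# Constructed SPDX 2.3 JSON fragment with only the fields the gate needs.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-product-1.4.0",
    "packages": [
        {"name": "requests", "versionInfo": "2.31.0", "licenseConcluded": "Apache-2.0"},
        {"name": "readline-wrapper", "versionInfo": "0.3", "licenseConcluded": "GPL-3.0-only"},
        {"name": "dual-lib", "versionInfo": "1.0", "licenseConcluded": "GPL-2.0-only OR MIT"},
        {"name": "vendored-utils", "versionInfo": "2.2", "licenseConcluded": "NOASSERTION"},
        {"name": "mixed-lib", "versionInfo": "4.1", "licenseConcluded": "MIT AND LGPL-2.1-only"},
    ],
})


def classify_id(license_id: str) -> str:
    """Map one license identifier to a policy tier.

    Anything not explicitly listed (unknown IDs, NOASSERTION, NONE,
    'X WITH exception' forms) falls to 'review' rather than silently
    passing: the inventory is only as good as its concluded licenses.
    """
    if license_id in APPROVED:
        return "approved"
    if license_id in REJECTED:
        return "rejected"
    return "review"


def evaluate(expr: str) -> str:
    """Evaluate a simple SPDX license expression against the policy.

    OR: the integrator may choose the most permissive alternative.
    AND: every license's terms apply, so the strictest tier wins.
    AND binds tighter than OR, so split on OR first, then on AND.
    Parenthesised expressions are not parsed here and go to review.
    """
    expr = expr.strip()
    if not expr or "(" in expr or ")" in expr:
        return "review"
    alternatives = []
    for alt in re.split(r"\s+OR\s+", expr):
        conjuncts = [classify_id(p.strip()) for p in re.split(r"\s+AND\s+", alt)]
        alternatives.append(max(conjuncts, key=RANK.__getitem__))
    return min(alternatives, key=RANK.__getitem__)


def gate(sbom_json: str) -> dict:
    """Bucket every package in the inventory by policy decision."""
    sbom = json.loads(sbom_json)
    report = {"approved": [], "review": [], "rejected": []}
    for pkg in sbom.get("packages", []):
        decision = evaluate(pkg.get("licenseConcluded", "NOASSERTION"))
        report[decision].append(f"{pkg['name']}@{pkg.get('versionInfo', '?')}")
    return report


def release_allowed(report: dict) -> bool:
    """A release clears the gate only when nothing is rejected or pending review."""
    return not report["rejected"] and not report["review"]


if __name__ == "__main__":
    result = gate(SBOM_JSON)
    for tier in ("approved", "review", "rejected"):
        print(f"{tier:>9}: {', '.join(result[tier]) or '-'}")
    print("release allowed:", release_allowed(result))
```

In a real program the dual-licensed case ("GPL-2.0-only OR MIT") should also record which alternative was chosen, since the obligations that follow (notice files, source offers) depend on that choice; the "review" bucket is the hand-off point to the license approval chain described under People.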

Training and Education

Institute training and documentation to increase awareness of and compliance with open source processes, including:

Formal training on intellectual property, open source licensing and risk, internal policies and processes, and industry practices.
High-level review of policies and guidelines in new employee orientation.
Comprehensive, accessible documentation of policies, processes, systems, and guidelines relevant to engineers.
Presentations from internal and external speakers on open source success stories, best practices, etc.

Communication

Publish materials communicating your open source strategy, policies, and related content as applicable, including:

Internal messaging
External messaging
Internal website content
External website content

Industry initiatives

Where appropriate, align policies and processes with, and participate in, industry open source compliance-related initiatives, such as:

FINOS Open Source Readiness working group
FINOS Open Source License Compliance Handbook project
OpenChain Project (Linux Foundation)
SPDX Project (Linux Foundation)
TODO Group (Linux Foundation)
Open Compliance Program (Linux Foundation)
Open Source Compliance Tooling Group (OpenChain/LF)

Need help? Email help@finos.org and we'll get back to you.

Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.