We all know that open source software is ubiquitous. It’s not unusual for a modern software application to contain hundreds or even thousands of open source components. Devices containing software such as TVs, cars, routers, phones or even fridges are likely to be shipped with a complete software stack (frequently based on Linux). In that case, the complete firmware delivered with the device could easily contain over 100,000 different components.
Every open source component can only be modified, used and distributed in compliance with the specific open source licence. Each open source licence will have requirements such as the provision of attribution and copyright notices, supply of the specific licence texts, and, in some cases, a copy of the source code applicable to that component (or other software that that component is linked to).
Historically, this information was typically provided in a spreadsheet, with a row for each individual component, but when you are dealing with hundreds, thousands, or even hundreds of thousands of components this becomes cumbersome at minimum, and, in many cases, impossible, so companies and projects have developed systems and, in many cases, automated tooling to deal with this. There are in-house, open source, and proprietary solutions available. But different companies take different approaches to compliance, and this means that it’s not always easy for one company in the supply chain to trust and verify the compliance efforts of their own suppliers.
This is where OpenChain comes in. Open source development is all about reduction of friction, but the compliance process can present obstacles. OpenChain, an ISO standard (ISO5230:2020), provides a framework to open source software licence compliance. In essence, it provides a checklist of activities that a well-run open source development project carries out to ensure compliance.
- Does the project understand open source licensing and the typical conditions which apply to open source licences?
- Is there a policy covering the use and deployment of open source code? Does the project keep accurate and up-to-date lists (“software bills of materials”)of all open source components used in their software?
- Does it generate the appropriate compliance materials (e.g. attribution notices, licence texts, offers to provide source code) required by the relevant licences?
- Does it check that the components used are able to be combined without breaching the applicable licences?
- Is there a management structure in place to ensure that the compliance programme is managed properly, and everyone (even outside the organisation) knows who to contact if there are any open source related problems?
- Does everyone involved with the project have training on the compliance programme?
If the organisation complies with OpenChain, ISO5230:2020, then it will be able to satisfy its customers that it knows and understands open source compliance. This simplifies the procurement process, and reduces risk. And, in a complex supply chain, where the customer may well be taking software from its supplier, combining it with other software, and distributing it onwards, if all the members of the supply chain are OpenChain compliant, the process will be much more straightforward since the software will not need to be checked and re-checked for compliance at every step.
OpenChain is supported and used by some of the biggest companies in the world: Google, Microsoft, Meta, Siemens, Toyota, BMW and many more. But it’s equally applicable to smaller companies.
The key component for any software development project to be OpenChain compliant is the software bill of materials. Once you know the complete list of software which is contained in your shipping application, then as well as having the tools you need for open source licence compliance, you can then easily check for security issues and vulnerabilities and also verify that you are not breaching any export control requirements. The OpenChain project has recently issued its security assurance specification: https://www.openchainproject.
OpenChain workgroups are active throughout the world, including in the UK. We’re holding our next meeting both physically (in London) on 13th October and virtually, Our next meeting after that will likely be in Salford in January. Everyone is welcome to all OpenChain UK meetings.
To find out more about OpenChain, take a look at openchainproject.org. Details of the OpenChain UK workgroup can be found at openchainproject.org. Or feel free to contact me, Andrew Katz, at andrew.katz@orcro.co.uk
Andrew Katz is a lawyer who has specialised in open source advice for over 20 years at law firm Moorcrofts LLP. He is CEO of Orcro Limited, a sister company of Moorcrofts, which provides specialist open source compliance services to companies, foundations and public sector bodies around the world. Both businesses are OpenChain Partners. Andrew was formerly General Counsel of OpenUK, and is a contributor to the upcoming OUP book on Open Source Software, edited by Amanda Brock (CEO, OpenUK). You can reach him at andrew.katz@moorcrofts.com or andrew.katz@orcro.co.uk.