OpenChain Project: Managing Open Source Compliance Across the Software Supply Chain

0
1438
Advertisement

One of the key requirements for any quality open source program is to comply with the requirements of open source licences. Companies, especially new entrants to the field, often have a lot of questions about what processes to follow, the methods of compliance and what challenges may be involved. The OpenChain Project by the Linux Foundation is a standard developed to solve and answer all these questions. To understand more about the OpenChain Project, Ankita K.S. from the EFY Group had a chat with Shane Coughlan, OpenChain general manager at the Linux Foundation.

Q Could you give us the background for the OpenChain Project?

The OpenChain initiative began in 2013, when two emerging patterns were observed in relation to the source code or devices of a group of companies from the global software supply chain. First, there were significant process similarities that existed among organisations with mature open source compliance programs. Second, there were many organisations exchanging software with less developed programs, which could result in a lack of trust regarding the consistency and the quality of the compliance artefacts and software being exchanged. Therefore, at each tier of the software supply chain, downstream organisations were frequently redoing the compliance work already performed by other upstream organisations.

Q What are the key challenges that the typical software supply chain faces?

Advertisement

The supply chain does not have an obvious way to identify software, to communicate this identification and to manage everything with a clear replicable process. The OpenChain Project and its sister SPDX Project provide ways to address these challenges.

Q What does the OpenChain Project focus on?

This project focuses on identifying and sharing the core components of a high quality open source compliance program. OpenChain Specification is a supply chain standard that establishes a trust relationship between suppliers and purchasers. The OpenChain Project maintains a list of organisations that have a publicly-announced conformance program, though there may be companies in the supply chain that prefer to communicate this fact during procurement discussions. The Specification makes it straightforward for new organisations to join the circle of trust.

Q How does OpenChain help to make Free and Open Source Software (FOSS) more accessible to developers?

The OpenChain Project provides solutions in three parts. One is specific to the standard, and it deals with the type of process and the quality of a program or policy. This identifies the minimum level of processes that organisations of any size can use to address open source compliance issues, effectively.

The second is our self-certification that confirms that you have all the necessary programs and policies in place. OpenChain conformance can be done manually or via a free online self-certification questionnaire provided by the OpenChain Project. This builds trust between organisations in the supply chain. It makes procurement simpler for purchasers and conferring a preferred status easier for suppliers.

The third part relates to the education and reference materials, which offer many examples that help a company to get an idea of what can be done around compliance. This is called the OpenChain Curriculum and it helps organisations meet the requirements of the OpenChain Specification.

Q What were the major challenges you faced while building this project?

Initially, while building the project, we thought that perhaps a big checklist would solve the supply chain problems; so the one that was created had over 100 items. While that represented a clean list of great items to cover, in the real market there was a lack of infrastructure knowledge to implement. Narrowing the wish list down to easy-to-accomplish goals was a significant challenge.

Q What are the standards and frameworks that have been introduced in the last one year and how are these different from the OpenChain Project?

The OpenChain Project is the only standard related to open source compliance in the software supply chain. There are many tools and systems being introduced for practical activities like scanning and record keeping, which have also helped in building the ecosystem.

Q What is the feedback from companies that use the OpenChain Project?

Companies really like the OpenChain Project’s approach and there is interest in making it a formal standard within a body, like the International Organisation for Standardisation (ISO). Being a formal standard can be useful for procurement, in the long run. Another bit of feedback is that companies find it useful to be able to call on outside organisations to check conformance, and we have developed a partner programme to address this. Organisations anywhere can adopt OpenChain easily on their own, but if they wish, they can also get help. The OpenChain Project has very little to no barriers to entry for entities of all sizes.

Q What was the cost of implementing this project?

The OpenChain Project was created and refined by an extensive community of volunteers who wanted to share their knowledge; so from the cost perspective, it was cheap. The contributors had a clear vision of the value because they knew the OpenChain Specification would be directly beneficial to their business areas, in the long run. The primary spending is for outreach and workshops.

Q What lies on the road ahead for the Linux Foundation in terms of technologies and applications?

Many companies are expressing interest in collaborating with us, so we are working on multiple projects, simultaneously. For the OpenChain Project specifically, we expect to become a formal standard in the coming years. Along with this, we are planning on extensive localisation of all our materials. Large strides will be taken in this respect during 2018.

Q What is your advice to future developers who are working with open source?

My advice to future developers is to work with projects like OpenChain and with organisations like the Linux Foundation. This will help them move in the right direction to accomplish their goals. This will also help them use their time efficiently and get better results at their organisation.

Advertisement

LEAVE A REPLY

Please enter your comment!
Please enter your name here