Evolving Open Source License Management Processes
The inclusion of open source code in propriety software projects has become mainstream. As software development organizations have embraced open source, they are looking for ways to better adopt and manage the code to avoid any potential licensing, quality and security pitfalls.
The modern approach for an open source software adoption process is similar to the one used for any other third party software, which revolves around uncovering all external code used in a project, and identifying their license and copyright attributes as well as any security vulnerabilities or encryption content associated with the code.
It's Starts with a Policy
The first stage of implementing an open source governance process is to draft an open source policy. The policy regulates the open source governance process and covers topics such as who the stakeholders are within the organization, and outlines acceptable attributes, such as open source licenses and communities. The open source policy is drafted with input from all the relevant stakeholders in the organization. Typically an open source committee consists of representatives from legal, R&D, and product management. An open source policy also includes a workflow for requesting and approving open source packages that can be used in specific projects or within the entire organization and defines the course of action once an open source policy violation is suspected.
Proactive Approach in Managing Code
A good open source policy puts emphasis on catching open source governance issues at the earliest stage of development, therefore vastly reducing the time and effort involved in remedying them. An important element of any solid open source policy is a package pre-approval process. In essence, this process is a series of actions that allows anyone to request a certain open source package to be used in a project. Through a streamlined workflow process, a licensing person can approve or reject the requests based on the available information about the project, how the package is to be used in the project, and the open source package attributes.
You might be wondering what a package pre-approval workflow actually entails:
- Submission. First, developers must submit a request including details such as the package's name, a link to the code, and information such as version, authors, and the license cited on the site or specified in the package. Other information such as known open source security vulnerabilities and presence of encryption content in the package will help the compliance examiner streamline the approval process. Another important item accompanying the pre-approval request is a description of how the package is going to be used in the product, including whether or not the code will be modified, redistributed, or if it will only be used internally.
- Review. After the request is submitted, an administrator (someone from the open source committee) can review the request. Typically, a combination of manual research and automated open source scanning tools are used to confirm and identify licenses, obligations, copyrights, open source security vulnerabilities, and encryption properties of the requested package. At this stage, the licensing person will review license obligations and other properties of the requested package against the organization's policy, taking into consideration how the developer intends to use the package. If there are no conflicts with the organizations open source policy, the administrator can approve the package. Once a software package is approved, it is then logged and made available to the specific product groups or the whole organization. A record of the approved packages is made available so that developers can readily use these pre-approved components in the future.
A Proactive Approach
Software package pre-approval can be added to existing open source management processes to further improve governance. Organizations that have a process in place that scans code at regular intervals (e.g. daily weekly, monthly), and that have a continuous scanning process in place (scanning in real time as code is brought in by developers) will benefit from a package pre-approval process. Package pre-approval speeds up continuous scanning because code can be approved before it enters the development environment. The result is a lower number of overall files that need to be scanned thus speeding up the overall scanning process.
Taking steps to optimize open source adoption and management can greatly reduce costs associated with fixing potential policy violations. Approving code before it can be brought into the development environment improves compliance and allows developers to focus on innovation. As organizations begin to rely more heavily on open source code, it is imperative that they have a process in place to manage compliance in order to realize the full benefits that open source has to offer.
Read more IT Performance Improvement
Certain names and logos on this page and others may constitute trademarks, servicemarks, or tradenames of
Taylor & Francis LLC. Copyright © 20082014 Taylor & Francis LLC. All rights reserved.