Update on The Open Compliance Program

Phil Koltun, Ph.D.
Director, Open Compliance Program
pkoltun@linuxfoundation.org

Looking back, looking forward

Accomplishments since the Open Compliance Program was announced in August 2010

What to look for from the Open Compliance Program in the coming year

Compliance Training Curriculum

• 4 courses are now available

» LF488 Implementation and Management of Open Source Compliance (2 days)

» LF384 Overview of Open Source Compliance End-to-End Process (1 day)

» LF281 Executive Review of Open Source Compliance (4 hrs)

» LF272 Open Source Compliance Programs: What You Must Know (2 hrs)

The training was structured and well organized from overview to in-depth details.

Thank you for the great training. I found there were many items to be taken care of when using open source software that had not been in our organization.

It was a great opportunity to learn about open source compliance.

I think the content and the tone of the presentation was just right. The Linux Foundation’s neutral standpoint was also very important in making the course more appealing.

Educational Material

13 papers published

– Also available in Japanese

3 Webinars

– 2 available from LF site:

• “6 Tips for Getting Started With Open Source Compliance”

• Self-Assessment Checklist

– 1 in collaboration with the “Practicing Law Institute”

Compliance at LF Events

– FOSS compliance track

– SPDX track

Self-Assessment Checklist

• Released on 11/01/2011

• Available in English, Japanese and Korean

• Over 1000 downloads, including 200+ for Japanese version

• Companies are using this checklist as:

• An internal self-administered benchmark to evaluate their compliance practices, and

• A tool to engage their suppliers in discussion about needed compliance processes

I have downloaded, printed and read the compliance checklist. I think it is a fine initiative and I believe I will let it inspire our process and handling of FOSS at <COMPANY>.

Congratulations on your work. It is a precious working document.

I believe that these efforts and specifically your Checklist will significantly help companies with their compliance efforts.

Rapid Response Compliance Directory

Goal: Connect open source developers & GPL enforcers with companies to resolve compliance concerns as soon as possible and without unnecessary escalations

What happened since Aug 2010?

• Worked with developers / GPL enforcers / companies

• Several compliance inquiries were resolved to the satisfaction of the inquirer

• None of these cases became “news”

Impact of the Compliance Directory

Connect developers/GPL enforcers to companies.

Contribute to resolving compliance issues before they become news. Less FUD.

Tools for Compliance Due Diligence

• Identifies code combinations at the dynamic and static link level

• Offers a license policy framework to define combinations of licenses and linkage methods that are to be flagged

• Provides linguistic review capabilities to flag comments in source code about future products, product code names, mention of competitors, etc.

• Maintains a db of keywords that are scanned for in the source code files to ensure code released is safe and ready for public consumption

SPDX™ Workgroup

Goal:

Create a set of data exchange standards to enable companies and organizations to share license and component information (metadata) for software packages and related content with the aim of facilitating license and other policy compliance

SPDX™ Workgroup

Systems

OS Distributions

Applications

Integration & Services

Device OEMs

End-Users

Semiconductor Vendors

Open Source Organizations

…and others

Participation is from a range of organizations and across various roles

SPDX™ Roadmap

[Timeline figure. Milestones: Spec started; Spec v1 Beta; Spec v1 Release Candidate; Start Beta Program; Beta Program Feedback; Spec v1 Final @ LinuxCon. Dates on the axis: Jan 2010, Aug 2010, Apr 2011, Jun 2011, Aug 2011.]

Partners in Beta Programs: HP & Wind River; Motorola & TI; Open Logic & Antelink

SPDX™ Workshop @ Collab

SPDX Sessions at Collaboration Summit:

• SPDX Technical Working Session

– Thursday 1:15pm – 5:30pm in Spring A

• SPDX Business Working Session

– Friday 9:00am – 12:15pm in Sakura C

FOSSBazaar

• A community focused on FOSS governance for the enterprise

• Self-sustaining; publishes wiki, news items, FAQs, videos, etc.

Compliance Challenges to Tackle

1. Extending compliance throughout the supply chain

• Training courses, white papers, webinars, conference tracks

• Self-Assessment Checklist, facilitated discussions, and on-site consulting

2. Reducing the cost of compliance, especially for small companies

• White papers, open source compliance tools, SPDX, roadmaps

Future Direction

More of everything (education, papers, training, SPDX, events, tools, etc.)

FOSS Compliance Certification (under consideration)

Linux Foundation Compliance Resources

• Open Compliance Program: http://www.linuxfoundation.org/programs/legal/compliance

• Compliance Publications: http://www.linuxfoundation.org/publications

• The Software Package Data Exchange™: http://spdx.org/

• FOSSBazaar: http://fossbazaar.org/

• Got questions? [email protected]

Q & A

Phil Koltun, Ph.D.
Director, Open Compliance Program

pkoltun@linuxfoundation.org