On 20 November 2018, the law firm Bird & Bird hosted a seminar about “Open-Source Management in Software Supply Chains – Effective and Consistent License Compliance” in their Frankfurt office. The seminar was organised by Miriam Ballhausen, who is Bird & Bird’s specialist in open-source licensing.
The seminar offered the opportunity to meet two of Germany’s top lawyers for FOSS license compliance: Miriam Ballhausen and Catharina Maracke. If you have any questions about how to comply with FOSS licenses, Miriam and Catharina will give you invaluable counsel.
The roughly 25 attendees hailed from very different industries: automotive, agricultural, financial, medical, manufacturing and IT services. In late 2018, you cannot escape FOSS: free and open-source software has arrived in the mainstream.
Now, let me give you a summary of the four talks.
Miriam Ballhausen, Bird & Bird, Setting the Stage
Supplier A develops software using open-source components. Supplier B integrates A’s software with its own software, which uses additional open-source components. The same happens when B passes its software to OEM C. C finally sells the software to end customers D. The software could, for example, be an infotainment system in a car.
Ideally, A, B and C would have externally certified FOSS compliance processes in place. So, B could trust A with the compliance of A’s software and C could similarly trust B. As usual, reality is lagging behind. B would again check the compliance of A’s software. C would again check the compliance of A’s and B’s software.
This is a big waste of time and money. The next three talks explained how to reach the ideal – step by step.
Catharina Maracke, Software Compliance Academy, Awareness of FOSS Compliance
“I would like to see the company that doesn’t use any open-source software.” – Think about Catharina’s statement for a moment. I fully agree. Such companies have become rare. Open-source software is a competitive advantage. I know of car OEMs requiring that their infotainment systems be built only with open-source components.
Companies must be aware that they must comply with FOSS licenses. Non-compliance may lead to hefty fines. Even if companies are aware of that, they don’t know where to start. Catharina recommended that these companies certify their FOSS compliance process using the self-certify procedure outlined by the OpenChain project. The checklist for the self-certification can be found here as a PDF document.
Self-certification is clearly not ideal, but it is a good and important first step. It helps companies to develop a FOSS culture.
Michael Jäger, Siemens, Tooling for FOSS Compliance
Just a month ago, I finished making a customer’s embedded Linux system compliant with dozens of FOSS licenses. Although Yocto has some basic support for license compliance, I had to perform many steps manually. I wish I had heard Michael’s talk about Fossology earlier. Michael also gave a live demo.
Fossology scans source code for license and copyright notices and shows its findings in a Web UI. You must provide these notices together with the source code and show them in the GUI of your product. Fossology exports license and copyright information in several different formats. It even shows where license texts differ from their standard versions.
You decide for each package which license to use. Fossology stores your decision. When the next release comes around, you re-scan the source code. Fossology detects license and copyright changes, which you handle as usual. If nothing has changed for a package, Fossology uses the decision from the previous release.
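The rescan workflow described above (scan for notices, record a decision per package, reuse it on the next release as long as the license and copyright evidence is unchanged, flag everything else for review) can be illustrated with a small script. This is an added example, not Fossology's code; the two release trees, the matcher table and the `needs_review` status names are constructed for the illustration, and the decision store is keyed by a hash of the notices rather than of the whole file, so that a code edit that leaves the notices untouched does not invalidate an earlier decision.

```python
"""Minimal license/copyright rescan workflow (added example, not Fossology's code)."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample source trees for two releases (path -> file contents).
RELEASE_1 = {
    "lib/foo.c": "/* Copyright (c) 2017 Example Corp */\n"
                 "/* SPDX-License-Identifier: MIT */\nint foo(void) { return 1; }\n",
    "lib/bar.c": "// Licensed under the Apache License, Version 2.0\nint bar(void) { return 2; }\n",
    "lib/baz.c": "int baz(void) { return 3; }\n",
}
RELEASE_2 = {
    # code changed, notices unchanged -> the earlier decision can be reused
    "lib/foo.c": "/* Copyright (c) 2017 Example Corp */\n"
                 "/* SPDX-License-Identifier: MIT */\nint foo(void) { return 10; }\n",
    # license notice changed -> must be reviewed again
    "lib/bar.c": "// SPDX-License-Identifier: GPL-2.0-only\nint bar(void) { return 2; }\n",
    "lib/baz.c": "int baz(void) { return 3; }\n",
    # new file -> no prior decision exists
    "lib/qux.c": "/* Copyright 2018 Someone Else */\n/* SPDX-License-Identifier: BSD-3-Clause */\n",
}

# Hypothetical, deliberately small matcher table; a real scanner carries far more patterns.
# (regex, fixed SPDX id) - a fixed id of None means "take the id from group 1".
LICENSE_PATTERNS = [
    (re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)"), None),
    (re.compile(r"Apache License,?\s*Version 2\.0"), "Apache-2.0"),
    (re.compile(r"GNU General Public License.*?version 2", re.I | re.S), "GPL-2.0"),
]
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\))?\s*\d{4}[^\n*/]*", re.I)


@dataclass(frozen=True)
class Finding:
    licenses: tuple   # sorted SPDX ids found in the file
    copyrights: tuple  # sorted copyright lines found in the file

    def evidence_key(self) -> str:
        """Hash of the license/copyright evidence only, not of the file contents."""
        h = hashlib.sha256()
        for item in self.licenses + self.copyrights:
            h.update(item.encode("utf-8") + b"\0")
        return h.hexdigest()


def scan_text(text: str) -> Finding:
    """Collect license identifiers and copyright notices from one file."""
    licenses = set()
    for pattern, fixed_id in LICENSE_PATTERNS:
        for m in pattern.finditer(text):
            licenses.add(fixed_id if fixed_id else m.group(1))
    copyrights = tuple(sorted(c.strip() for c in COPYRIGHT_RE.findall(text)))
    return Finding(tuple(sorted(licenses)), copyrights)


def scan_tree(tree: dict) -> dict:
    return {path: scan_text(text) for path, text in tree.items()}


def record_decisions(findings: dict, choices: dict) -> dict:
    """Store the reviewer's chosen license next to the evidence hash it was based on."""
    return {path: (findings[path].evidence_key(), choices[path]) for path in choices}


def reconcile(findings: dict, prev_decisions: dict) -> dict:
    """Per path: reuse the old decision if the evidence is unchanged, else flag for review."""
    report = {}
    for path, finding in findings.items():
        prev = prev_decisions.get(path)
        if not finding.licenses:
            report[path] = ("no_license_found", None)
        elif prev is not None and prev[0] == finding.evidence_key():
            report[path] = ("reused", prev[1])
        elif prev is None:
            report[path] = ("needs_review:new", finding.licenses)
        else:
            report[path] = ("needs_review:changed", finding.licenses)
    return report


if __name__ == "__main__":
    first = scan_tree(RELEASE_1)
    decisions = record_decisions(first, {"lib/foo.c": "MIT", "lib/bar.c": "Apache-2.0"})
    for path, status in sorted(reconcile(scan_tree(RELEASE_2), decisions).items()):
        print(path, status)
```

Running it reports `lib/foo.c` as reused with the earlier MIT decision, `lib/bar.c` and the new `lib/qux.c` as needing review, and `lib/baz.c` as carrying no license notice at all; that last category is the one a compliance reviewer has to chase down by hand, since a scanner can only report what the source actually declares.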
I would like to point out another license scanner: Quartermaster. It’s certainly worth evaluating both tools.
Andreas Bärwald, TÜV Süd, Certification of FOSS Compliance
Andreas’s talk picked up where Catharina’s talk had left off. Companies have a clear need for an external certification of their FOSS compliance processes. The TÜV is working on such an external certification, but it is not ready yet.