The OpenChain Promise
While grocery shopping, do you search for products bearing trustworthy labels like an organic process guarantee, non-GMO, grass-fed cattle or wild-caught fish? Purchasing software can be analogous to seeking certain guarantees. The software industry continually adopts new program certifications designed to convey specific promises. For instance, the industry currently embraces ISO 9001:2015, which ensures product quality; CMMI, which ensures continuous development process improvements; and ISO 26262 and DO-178B which ensure functional safety.
A new standard gaining traction is the Linux Foundation's OpenChain certification for Open Source license compliance and usage. This certification ensures that one can trust the open source from which software solutions are built. Influenced by customers seeking greater assurance for their supply chain's increasing use of open source software, Wind River, a leading IoT Linux platform and solutions supplier, maintains OpenChain conformance for all its product lines.
Open Source Compliance and the Supply Chain
Regardless of whether it’s an application, library, container, or a device runtime, today’s software solutions are typically composed of some percentage of open source software. To secure the legal right to redistribute these components and the resulting product, companies must comply with each component’s license, which in practice means delivering the compliance artifacts those licenses require.
The required artifacts typically include:
A collection of obligatory legal notices (sometimes delivered as a single document); and,
A collection of obligatory source code
Although not a license requirement, an additional artifact increasingly being requested by customers may also include:
The open source component “bill of materials” - a list of all open source components used in the construction of the product, analogous to the ingredients list on food packaging and useful for security vulnerability analysis. This is why, in late 2018, the Food and Drug Administration (FDA) added a bill-of-materials requirement to premarket device submissions by medical device vendors.
A software supplier must therefore maintain a licensing compliance program for the open source components that make up a software solution. This program’s workflow can be divided into three stages:
1. Identification: Identify the open source components and licenses used in the product or software solution by creating the open source component “bill of materials”.
2. Review & Comply: Review and comply with the distribution obligations of each component’s license by preparing the required compliance artifacts.
3. Delivery: Bundle and deliver the compliance artifacts when distributing the product, whether via packaging, web delivery, etc.
The compliance artifacts represent the program’s output.
The OpenChain Promise
The OpenChain Specification is an initiative hosted by the Linux Foundation that defines a standard for assessing a company’s open source compliance program completeness. Companies achieve OpenChain conformance by asserting that the delivered artifacts were prepared by following a comprehensive and disciplined program. In other words, it conveys a supplier’s promise that the provided open source artifacts are of high quality. This includes the legal notices, source code, bill of materials, and any other artifacts requested by the customer.
While there are many different ways to implement an open source compliance program, not all ensure the output achieves a sufficient level of quality. The OpenChain specification provides a core list of requirements that every high-quality compliance program should adhere to, which intentionally focuses on the “what” and “why” aspects while avoiding the “how” and “when”. That is, the specification is focused on “what” the core qualities of a quality compliance program are and “why” they are important. At the highest level, the OpenChain specification ensures:
A documented open source policy exists and is followed
Key compliance roles and responsibilities are assigned
Program participants are trained and demonstrate a sufficient level of competence
Procedures exist for identifying, tracking, and archiving the open source used in a product
Procedures exist for preparing and delivering the required compliance artifacts
The OpenChain Specification is an open source project that has incorporated feedback from hundreds of contributors. Any organization can download it for free (at www.openchainproject.org) and perform a self-certification using the OpenChain conformance website. If both parties agree, a manufacturer can also arrange to audit a supplier. Some of Wind River’s larger customers conduct software development process audits, which typically include a section on “How is open source software handled?” This is an open-ended question, and one could potentially spend a whole day describing the program’s different facets; however, when a copy of the OpenChain specification is provided, along with evidence demonstrating how each requirement is satisfied, the discussion is typically completed within two hours. More importantly, it provides assurance that all the relevant aspects of the program were covered.
OpenChain conformance is obtained per program, so the logo can only be associated with software solutions evaluated under such a program. Large organizations may include multiple departments, divisions, or product lines that each use a different program, so they may choose to obtain conformance for a program covering the entire organization’s deliverables or just a specific product line. In either case, the organization must declare the scope of the program when demonstrating conformance.
So, the next time you go software shopping and want an OpenChain Promise, look for the OpenChain logo.