No individual, no matter how adept, can successfully implement open source compliance across an entire organization. Keeping track of where and how open source code is used, approved, and shipped must be a cross-functional team effort.
From core engineering and product teams, to legal counsel and upper management, compliance involves individuals in many roles from various departments throughout the company.
In this article, highlighting a chapter of The Linux Foundation ebook Open Source Compliance in the Enterprise by Ibrahim Haddad, we’ll give an overview of the roles and responsibilities that any open source compliance program should include. Together, these are the individuals who will make sure your company stays current and compliant with the open source licenses in the code you use and ship.
3 Key roles on an open source compliance team
There are generally two teams involved in achieving compliance: a core team and an extended team, with the latter typically being a superset of the former. The core team, often called the Open Source Review Board (OSRB), consists of three key representatives from engineering and product teams, one or more legal counsels, and the compliance officer/ open source program office manager.
Legal representative: A legal counsel or paralegal, depending on the task. Reviews and approves usage, modification, and distribution of free and open source software (FOSS); provides guidance on licensing; contributes to compliance training; reviews and approves open source notices; and more.
Engineering and product team representative: Follows compliance policies and processes; requests approval to use (and/or contribute) to open source projects; responds quickly to all questions; conducts design, architecture, and code reviews; prepares software packages for distribution; and more.
Open source compliance officer, manager, or director: Not necessarily a dedicated resource, this person drives all compliance activities; coordinates source code scans and audits and distribution of source code package; contributes to compliance training and creation of new tools to facilitate automation and FOSS discovery in a dev environment; and more.
Others involved in open source compliance
The extended team includes a larger group of individuals from across multiple departments who contribute on an on-going basis to the open source compliance efforts. However, unlike the core team (in substantial organizations), members of the extended team are working on compliance only on a part- time basis, based on tasks they receive from the core review board. Roles and responsibilities include:
- Documentation – Includes open source license information and notices in the product documentation including license text, written offer, copyrights and attribution notices
- Supply Chain – Mandates third-party software providers to disclose open source in licensed or purchased software components and assists with ingress of third-party software bundled with and/or including open source software
- Corporate Development – Requests open source compliance be completed before a merger or acquisition, or when receiving source code from outsourced development centers or third-party software vendors.
- IT – Provides support and maintenance for the tools and automation infrastructure used by the compliance program and creates and/or acquires new tools based on OSRB requests
- Localization – Translates basic information in target languages about open source information related to the product or software stack
- Open Source Executive Committee (OSEC) – Typically includes executives representing Engineering and Legal. The OSEC reviews and approves proposals to release IP and proprietary source code under an open source license.
Read other articles in this series:
The 7 Elements of an Open Source Management Program: Strategy and Process
The 7 Elements of an Open Source Management Program: Teams and Tools
How and Why to do Open Source Compliance Training at Your Company
Basic Rules to Streamline Open Source Compliance For Software Development
How to Raise Awareness of Your Company’s Open Source License Compliance
Establishing a Clean Software Baseline for Open Source License Compliance
Ibrahim Haddad (Ph.D.) is Vice President of R&D and the Head of the Open Source Group at Samsung Research America. He is responsible for overseeing Samsung’s open source strategy and execution, internal and external R&D collaborations, supporting M&A and Corporate VC activities, and representing Samsung towards open source foundations. He is currently serving as Vice President of the Open Connectivity Foundation and the Director on the Board representing Samsung Electronics.
- Dent Introduces Industry’s First End-to-End Networking Stack Designed for the Modern Distributed Enterprise Edge and Powered by Linux - 12/17/2020
- Open Mainframe Project Welcomes New Project Tessia, HCL Technologies and Red Hat to its Ecosystem - 12/17/2020
- New Open Source Contributor Report from Linux Foundation and Harvard Identifies Motivations and Opportunities for Improving Software Security - 12/08/2020