License Scanning and Compliance Programs for FOSS Projects

For many new open source software project communities, licensing may at first take a back seat to the project’s technical goals, design and architecture considerations, and community involvement. But as a project grows and sees greater adoption, it will eventually encounter questions about license compliance. Getting license compliance right early on in a project can help the project attract contributors and users. Too often projects never reach their full potential because someone looked at the licensing, found issues and moved on to alternatives.

This paper describes the benefits of license scanning and compliance for open source projects, together with recommendations for how to incorporate scanning and compliance into a new or existing project. It does not address specific requirements under different types of licenses (for example, what is required to comply with a copyleft or permissive license). Rather, the paper addresses how to structure a project so that it, and its downstream consumers, can gain the information needed so that they are able to meet those requirements.

Steve Winslow is Director of Strategic Programs at The Linux Foundation. He runs The Linux Foundation’s license scanning and analysis service, advising projects about licenses identified in their source code and dependencies. Steve is also involved with projects including SPDX, FOSSology and the Community Data License Agreement; manages The Linux Foundation’s trademark program; and assists on other legal matters. Steve has presented on license scanning and trademark matters at The Linux Foundation’s Legal Summit 2017 and Open Compliance Summit 2017. Previously, Steve was Vice President of Technology Law at Intralinks and an associate at Choate, Hall and Stewart in Boston. Steve graduated from Georgetown University Law Center and majored in computer science at Williams College.