A proactive approach to open source governance

This is a guest post for the Computer Weekly Open Source Insider blog written by Lacey Thoms, a marketing specialist and blogger at software analysis and code attributes management company Protecode — Lacey has a Bachelor’s Degree in Mass Communications from Carleton University and has written many articles on open source software management.

Omnipresent openness


Open source software has become an omnipresent and major driver of software activities worldwide. Many organisations, from small start-ups to large multinationals, are using open source code to accelerate development and reduce costs.

As open source adoption increases, the processes for managing open source code and its associated license obligations, security vulnerabilities and export content are maturing. Manually auditing the code just before the product ships is giving way to more proactive, cost-effective approaches.

The modern approach to adopting open source software is similar to the one used for any other third-party software: uncover all external code used in a project, and identify its license and copyright attributes, as well as any security vulnerabilities or encryption content associated with the code.

Like other quality assurance processes, it is best to start managing open source governance in the early stages of development.

Organisations are beginning to take more proactive steps towards managing open source software licenses, starting with an established open source policy and a defined workflow process that can reject any package that violates the policy before the developer is permitted to use the code. From there, organisations follow practices that can detect and flag violations as the code is brought into a developer’s workspace.

Creating an open source policy

The first stage of implementing an open source governance process is to draft an open source policy. The policy regulates the open source governance process, covers topics such as who the stakeholders are within the organisation, and outlines acceptable attributes, such as open source licenses and communities. The open source policy is drafted with input from all the relevant stakeholders in the organisation.

Typically an open source committee consists of representatives from legal, R&D, and product management. An open source policy also includes a workflow for requesting and approving open source packages that can be used in specific projects or within the entire organisation and defines the course of action once an open source policy violation is suspected.

Implementing a pre-approval workflow

A good open source policy puts emphasis on catching open source governance issues at the earliest stage of development, therefore vastly reducing the time and effort involved in remedying them. An important element of any solid open source policy is a package pre-approval process. In essence, this process is a series of actions that allows anyone to request a certain open source package to be used in a project. Through a streamlined workflow process, a licensing person can approve or reject the requests based on the available information about the project, how the package is to be used in the project, and the open source package attributes.

So, what does a package pre-approval workflow entail?

First, developers must submit a request including details such as the package’s name, a link to the code, and information such as version, authors, and the license cited on the site or specified in the package. Other information, such as known open source security vulnerabilities and the presence of encryption content in the package, will help the compliance examiner streamline the approval process. Another important item accompanying the pre-approval request is a description of how the package is going to be used in the product, including whether the code will be modified, redistributed, or only used internally.

After the request is submitted, an administrator (usually someone from the open source committee) can review the request. Typically, a combination of manual research and automated open source scanning tools is used to confirm and identify licenses, obligations, copyrights, open source security vulnerabilities, and encryption properties of the requested package. At this stage, the licensing person reviews the license obligations and other properties of the requested package against the organisation’s policy, taking into consideration how the developer intends to use the package.

If there are no conflicts with the organisation’s open source policy, the administrator can approve the package. Once a software package is approved, it is logged and made available to the specific product groups or the whole organisation. A record of the approved packages is kept so that developers can readily reuse these pre-approved components in the future.
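The review step above, as an added example that is not part of the original post: a minimal pre-approval check that evaluates a request (license, intended use, known vulnerabilities, encryption content) against an assumed policy and logs the outcome for reuse. The license sets and the decision rules are illustrative assumptions, not rules the article states.

```python
# Added example (not from the original post): package pre-approval check.
# Policy rules below are constructed assumptions for illustration only.
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed policy: permissive licenses approved for any use; copyleft licenses
# approved for internal use but flagged for review when redistributed;
# forbidden licenses rejected outright.
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}
FORBIDDEN = {"EXAMPLE-FORBIDDEN-1.0"}  # constructed placeholder license id

@dataclass
class Request:
    name: str
    version: str
    license: str
    modified: bool            # will the code be changed?
    redistributed: bool       # will it ship to customers?
    known_vulns: List[str] = field(default_factory=list)  # advisory ids
    has_encryption: bool = False                          # export-control flag

def evaluate(req: Request) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is APPROVE, REVIEW or REJECT."""
    if req.license in FORBIDDEN:
        return "REJECT", [f"license {req.license} is forbidden by policy"]
    reasons = []
    if req.known_vulns:  # assumed: vulnerabilities force a human review
        reasons.append("known vulnerabilities: " + ", ".join(req.known_vulns))
    if req.has_encryption and req.redistributed:
        reasons.append("encryption content in a redistributed package needs export review")
    if req.license in COPYLEFT:
        if req.redistributed:
            reasons.append(f"{req.license} with redistribution triggers source obligations")
    elif req.license not in PERMISSIVE:
        reasons.append(f"license {req.license} is not on the approved list")
    return ("REVIEW", reasons) if reasons else ("APPROVE", [])

def record(registry: dict, req: Request, decision: str, reasons: List[str]) -> dict:
    """Log the outcome, keyed by name@version, so approved components can be reused."""
    registry[f"{req.name}@{req.version}"] = {
        "decision": decision, "reasons": reasons,
        "modified": req.modified, "redistributed": req.redistributed,
    }
    return registry
```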

Software package pre-approval can be added to existing open source management processes to further improve governance. Organisations that have a process in place that scans code at regular intervals (e.g. daily, weekly, monthly), as well as organisations that have a continuous scanning process in place (scanning in real time as code is brought in by developers), will benefit from a package pre-approval process. Package pre-approval speeds up continuous scanning because code can be approved before it enters the development environment.

The result is a lower number of files that need to be scanned overall, which speeds up the scanning process.

A proactive approach

To get the most benefit out of open source code, organisations are turning to more sophisticated practices for open source governance. As with other software lifecycle management processes, automated solutions for package pre-approval exist that significantly reduce the time and effort spent on open source governance and increase the accuracy of the results.

Information that these processes detect includes permissions from the owner to use the software, any known deficiencies such as bugs or security vulnerabilities, and any other information pertinent to carrying out the business such as exportability.

A package pre-approval workflow process, when combined with automated open source scanning, is an effective part of managed adoption of open source software, allowing organisations to reduce their development costs and speed up delivery times using quality third-party software. With a proactive approach to open source management, organisations can harness the benefits that open source has to offer, while creating a streamlined process to avoid challenges associated with open source software.