Compliance is big… so big, in fact, that ‘they’ now have an Open Compliance Summit.
The last Open Compliance Summit was held in Yokohama, Japan at the tail end of last year. The Linux Foundation used it as a chance to load up on sushi and also to announce a new project to help improve open source compliance tooling, called Automated Compliance Tooling (ACT).
ACT is an umbrella brand that will host various open source projects related to compliance tooling. The initial four projects to fall under ACT are: FOSSology (existing LF project); QMSTR (being contributed by Endocode); SPDX tools (existing LF project); Tern (being contributed by VMware).
The foundation says its members have told it that existing tools do not fully meet their needs for ensuring compliance with open source licenses, which is why we now see this effort to improve them.
“License compliance is an important hygiene factor in the open source ecosystem. With QMSTR, we started to create a toolchain that focuses on fact finding and accurate, complete and up-to-date compliance documentation for every software build. Endocode is extremely happy to contribute QMSTR to ACT and to take it to the next level together with The Linux Foundation and the other project partners,” said Mirko Boehm, CEO of Endocode and the initiator of the QMSTR project.
The new projects are complementary to existing Linux Foundation compliance projects such as OpenChain, which identifies key recommended processes to make open source license compliance simpler and more consistent, and the Open Compliance Program, which aims to educate developers about their license requirements and help them build efficient (and often automated) processes to support compliance.
Four parts of ACT
FOSSology is an open source license compliance software system and toolkit allowing users to run license, copyright and export control scans from the command line.
QMSTR (also known as Quartermaster) is a tool that creates an integrated open source toolchain that implements industry best practices of license compliance management.
SPDX Tools are the tooling for the Software Package Data Exchange (SPDX) open standard for communicating software bill of materials information, including components, licenses, copyrights and security references.
Tern is an inspection tool that finds the metadata of the packages installed in a container image. It provides a deeper understanding of a container's bill of materials so that better decisions can be made about container-based infrastructure, integration and deployment strategies.
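To make concrete what an SBOM in the SPDX format described above actually carries, and what a compliance check over it looks like, here is an added example. It is not code from the SPDX tools project, ACT or any of the four tools: the SPDX tag-value document, the package names, versions and CPE, the denied-license set and the function names are all constructed for illustration. The reader below handles only single-line tag-value pairs and simple AND/OR license expressions; multi-line `<text>` values, parenthesised expressions and `WITH` exceptions are out of scope.

```python
"""Minimal SPDX 2.x tag-value SBOM reader with a license policy check.

Added example, not code from the SPDX tools project or from ACT.
The SBOM text and the policy below are constructed for illustration.
"""
import re

# Constructed sample: three packages - one permissively licensed with a
# security reference, one under a license the policy denies, one with no
# license conclusion at all. Names, versions and the CPE are made up.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-container-image
DocumentNamespace: https://example.invalid/spdx/example-container-image
Creator: Tool: hand-written-example
Created: 2019-01-01T00:00:00Z

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.2.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: Copyright (c) Example Foo Authors
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:libfoo:1.2.3:*:*:*:*:*:*:*

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-only
PackageCopyrightText: NOASSERTION

PackageName: libbaz
SPDXID: SPDXRef-Package-libbaz
PackageVersion: 2.0.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-libfoo
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-libbar
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-libbaz
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_packages(text):
    """Return one dict per PackageName block, keyed by tag.
    ExternalRef lines are collected in a list because a package may have several.
    Document-level tags before the first PackageName are ignored, and
    multi-line <text>...</text> values are not handled by this toy reader."""
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TAG_RE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        tag, value = m.group(1), m.group(2)
        if tag == "PackageName":
            current = {"PackageName": value, "ExternalRef": []}
            packages.append(current)
        elif current is not None and tag == "ExternalRef":
            current["ExternalRef"].append(value)
        elif current is not None:
            current[tag] = value
    return packages


# Hypothetical policy for a made-up proprietary product: licenses it will not ship.
DENIED_LICENSES = {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}


def check_policy(packages, denied=DENIED_LICENSES):
    """Flag packages whose concluded license is denied, or was never concluded.
    Returns (package name, reason) pairs; an empty list means the SBOM passes."""
    findings = []
    for pkg in packages:
        name = pkg["PackageName"]
        lic = pkg.get("PackageLicenseConcluded", "NOASSERTION")
        if lic in ("NOASSERTION", "NONE"):
            findings.append((name, "no concluded license; needs manual review"))
            continue
        # Split simple expressions so "MIT AND GPL-3.0-only" is still caught.
        for term in re.split(r"\s+(?:AND|OR)\s+", lic):
            if term.strip("()") in denied:
                findings.append((name, f"license {term.strip('()')} is denied by policy"))
                break
    return findings


def security_refs(packages):
    """Map package name -> SECURITY external reference locators (e.g. CPEs),
    the hook an SBOM gives you for matching components against vulnerability data."""
    return {p["PackageName"]: [r.split()[2] for r in p["ExternalRef"] if r.startswith("SECURITY ")]
            for p in packages}


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_SPDX)
    for name, reason in check_policy(pkgs):
        print(f"{name}: {reason}")
    print(security_refs(pkgs))
```

Run against the sample, the policy check reports libbar (denied license) and libbaz (no license concluded), and libfoo's CPE is the only security reference; that is the point of the "security references" in the standard: an SBOM with components but no such locators is much harder to match against vulnerability feeds.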
“There are numerous open source compliance tooling projects but the majority are unfunded and have limited scope to build out robust usability or advanced features,” said Kate Stewart, senior director of strategic programmes at The Linux Foundation.
Stewart insists that forming a neutral body under The Linux Foundation to work on these issues will allow the industry to increase funding and support for the compliance tooling development community.
ACT is seeking new members, community partners and additional tooling projects.