Does your organisation know that it has the legal right to use each piece of software it runs - including the myriad component parts and dependencies? And if you were audited, could you prove it?
You can now demonstrate licence compliance with OpenChain ISO certification.
OpenChain is an auditable standard for an open source licence compliance programme: it sets out how an organisation records the provenance, modification and licence of the software it uses and ships, and it has now been approved as ISO/IEC 5230 (at the time of writing at the DIS, Draft International Standard, stage).
Certification against the standard rests on the ability to audit software and show that it can actually be used for its intended purpose. Compliance lets the user understand their licence obligations, which is vital when open source is used for professional and business-critical applications.
The problem with modern applications
Modern software is complex. Deconstructing all the components used is like peeling back the layers of an onion. An application is built using a framework. The framework uses third-party modules. Those modules are built on other, lower-level modules. And so on, until you have hundreds, maybe even thousands, of individual components - each with its own licence conditions that must be complied with.
Open source software, being free to use and distribute, helps a great deal. But open source licences still differ in their conditions: some only require attribution, others (copyleft licences) impose obligations on the code you combine with them. And not everything in a dependency tree is open source at all. All it takes is one component marked "free for non-commercial use", or carrying any other restriction, and you risk being unable to continue to use, support or distribute the whole application, however many layers down that component sits.
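The transitive nature of that risk is easy to see in code. The following is an added example, not OpusVL's tooling or anything from the OpenChain standard: it walks a small constructed dependency tree labelled with SPDX licence identifiers and reports every path by which a blocked or unidentified licence reaches the application. The component names, the tree and the set of blocked identifiers are all assumptions made up for the illustration; a real audit would take the tree from a package manager lock file or an SBOM.

```python
from dataclasses import dataclass, field

# Licence identifiers this (hypothetical) policy refuses to ship. CC-BY-NC-4.0
# is a real SPDX identifier for a non-commercial licence; the LicenseRef- one is
# the SPDX convention for a licence with no public identifier.
BLOCKED = {"CC-BY-NC-4.0", "LicenseRef-Proprietary-Eval"}
# SPDX placeholder for "nobody has determined the licence".
UNKNOWN = "NOASSERTION"


@dataclass
class Component:
    name: str
    licence: str                      # SPDX identifier or NOASSERTION
    deps: list = field(default_factory=list)


def walk(component, path=()):
    """Depth-first traversal yielding (path, component) for every node reached,
    including the same component each time it is pulled in via a different parent.
    A component already on the current path is a cycle and is not re-entered."""
    if component.name in path:
        return
    here = path + (component.name,)
    yield here, component
    for dep in component.deps:
        yield from walk(dep, here)


def audit(root, blocked=BLOCKED):
    """Return (path, licence, reason) for every component that is blocked by
    policy or whose licence has never been asserted. The path shows which
    chain of dependencies dragged the component in."""
    findings = []
    for path, c in walk(root):
        if c.licence in blocked:
            findings.append((" -> ".join(path), c.licence, "blocked"))
        elif c.licence == UNKNOWN:
            findings.append((" -> ".join(path), c.licence, "unknown"))
    return findings


def inventory(root):
    """Count how often each licence identifier occurs across the whole tree."""
    counts = {}
    for _, c in walk(root):
        counts[c.licence] = counts.get(c.licence, 0) + 1
    return counts


# Constructed sample tree (hypothetical names). charset-detect is reached twice,
# once through the framework and once through the database driver.
_charset = Component("charset-detect", "CC-BY-NC-4.0")
_http = Component("http-client", "BSD-3-Clause", [_charset])
_logging = Component("logging", UNKNOWN)
_framework = Component("web-framework", "MIT", [_http, _logging])
_db = Component("db-driver", "Apache-2.0", [_charset])
SAMPLE_APP = Component("invoicing-app", "Apache-2.0", [_framework, _db])


if __name__ == "__main__":
    for path, licence, reason in audit(SAMPLE_APP):
        print(f"{reason:8} {licence:16} {path}")
    print(inventory(SAMPLE_APP))
```

Two details matter for a real audit. Reporting every path, rather than deduplicating by component, tells you which direct dependency has to be replaced or upgraded to remove the problem; here charset-detect comes in via both web-framework and db-driver, so fixing one is not enough. And a component with no asserted licence is treated as a finding, not silently passed: "we don't know" is exactly the state an auditor will ask about.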
What is the impact?
A real-world example of the complexities of the right to distribute software can be seen in the legal case between Oracle and Google, now before the US Supreme Court. https://www.ft.com/content/bdca1f8b-c844-41a7-a4e7-fea29f45d7d6 The case was first brought in 2010 and, because of its complexity and the lack of international standardisation, it is still ongoing in 2020. It illustrates why anyone using software must understand its compliance status.
What are we doing about it?
OpusVL are part of a global working group that is developing and implementing tooling for the standard. We have managed customers' software with IPR schedules and audits for 20 years, and OpenChain ISO formalises that process. As an implementer of open source software, we welcome this step towards making it an international standard.
Within the working group, we are building automated tools as part of our DITO (Develop In The Open) project. These tools will let organisations complete the audit of open source code required for OpenChain ISO certification far more effectively than manual auditing allows.
Using these tools, the software we create and develop is automatically scanned for licence compliance against the standard. The scan is integrated into our software deployment process.
Stuart Mackintosh, CEO at OpusVL, comments: "It is essential everyone has confidence that there is no compliance risk stemming from their software projects. It is like having software security - it should be mandatory for customers when making purchasing decisions".