Malcolm Bain, Andrew Katz and I presented a workshop at FOSS Backstage 2018 (also the first FOSS Backstage event) in Berlin in June 2018. We presented an introduction to OpenChain and a few use cases, and an introduction and demonstration of Quartermaster.
Great workshop automating open source compliance and governance. You can't contact compliance, says @mirkoboehm. @fosscompliance and #spdx provide an approach to create a technical chain of trust for compliance information. #FOSSBack Malcolm Bain (ID Law Partners) @andrewjskatz pic.twitter.com/wjhx1fjNuU — Schlomo Schapiro (@schlomoschapiro) June 14, 2018
As software development becomes ever more dependent on multiple open source components, it becomes increasingly important to ensure that the licences applicable to those components are respected. The workshop moderators have extensive experience in FOSS compliance issues, from both a legal and a technical perspective, within the framework of the Linux Foundation’s OpenChain as well as the Quartermaster Compliance Tooling project.
Obtaining OpenChain compliance is a daunting task for industrial or even ICT-based companies that have been working with open source for some time, have entrenched development, sales and distribution practices, and have no real idea of, or control over, their FOSS usage. It requires not just a superficial documentary process (getting the license information, finding the source code) but a “sea” change in quality assurance processes in the company. OpenChain focuses on roles, processes (and artefacts). The combination with Quartermaster helps in achieving compliance by automating “best practices”.
The workshop will focus on the objectives of the OpenChain conformance work at a client, the planning and processes involved, and challenges met so far based on real life experience. We want to share materials we are using, work on creating better model documentation for this type of activity, and discuss and eventually publish “best” practices, and are looking forward to hearing about, and building on, the experiences of the workshop attendees.
This workshop will not just be a presentation of materials, cases and examples by the moderators, but requires active input from attendees to suggest new methods of achieving compliance, creating improved documentation and processes that can be shared with the community. We hope to benchmark typical scenarios and challenges and find responses for them.
This section of the workshop will lead into the subsequent session, during which automation and technological facilitation of the compliance process will be demonstrated and explored based on the Quartermaster toolchain. The session will demonstrate how to instrument software builds to gather essential compliance data, run standard and custom analysis to identify licenses, authors, copyright holders or compliance with company policies, and then generate up-to-date, accurate and complete reports for distribution with the product as well as to give feedback to software developers about detected compliance issues or quality metrics.
Who: The workshop moderators include OpenChain Partners who are also partners at their law firms advising clients on open source legal issues, as well as FOSS compliance tool makers. It is aimed at any individual involved in implementing or advising on open source compliance (and not just in the “supply chain”).
Why attend: Through this workshop, you will not only gain a fuller understanding of the OpenChain specification itself, but also see what materials for OC conformance are available, and, in conjunction with the subsequent session, get a view on some tools that are being used (or built!) and work on your own or shared materials.