The Need for Build-time Analysis in Open Source Compliance Tooling: Lessons Learned from the Quartermaster Prototype
The talk at the Linux Foundation Open Source Leadership Summit marked the first time we could present Quartermaster to a wider management-level audience. It raised quite some interest.
This is the abstract of the talk:
Quartermaster aims at building an industry standard of tooling that supports the Open Source license compliance workflow. Its workflow engine integrates existing scanning and reporting tools and plugs into CI/CD processes. It offers API endpoints against which toolmakers, communities and service providers can integrate their products into the open source and open data model of the elemental toolchain. Development of the Quartermaster prototype resulted in a number of key findings, especially that source packages alone do not identify and convey sufficient license information, and that the product build process may be the best time to check compliance. The presentation introduces the Quartermaster project, the novel approach it takes to implementing Open Source compliance tooling, and how the lessons learned from the prototype influenced the Quartermaster toolchain architecture.