{"id":67239,"date":"2018-12-06T19:02:47","date_gmt":"2018-12-06T19:02:47","guid":{"rendered":"https:\/\/www.sickgaming.net\/blog\/2018\/12\/06\/open-source-compliance-projects-unite-under-new-act-group\/"},"modified":"2018-12-06T19:02:47","modified_gmt":"2018-12-06T19:02:47","slug":"open-source-compliance-projects-unite-under-new-act-group","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2018\/12\/06\/open-source-compliance-projects-unite-under-new-act-group\/","title":{"rendered":"Open Source Compliance Projects Unite Under New ACT Group"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2018\/12\/open-source-compliance-projects-unite-under-new-act-group.jpg\" class=\"ff-og-image-inserted\" \/><\/div>\n<p>As open source software releases and customer adoption continue to increase, many companies underestimate what\u2019s involved with going open source. It\u2019s not only a matter of volunteering for the encouraged, but optional, <a href=\"https:\/\/www.linux.com\/news\/2018\/10\/55-percent-cloud-developers-contribute-open-source-says-survey\">upstream contributions<\/a> to FOSS projects, but also complying with the legal requirements of open source licenses. Software increasingly includes a diverse assortment of open source code with a variety of licenses, as well as a mix of proprietary code. Sorting it all out can be a major hassle, but the alternative is potential legal action and damaged relations with the open source community.<\/p>\n<p>The Linux Foundation has just launched an Automated Compliance Tooling (ACT) project to help companies comply with open source licensing requirements. 
The new group consolidates its existing FOSSology and Software Package Data Exchange (SPDX)\u00a0projects and adds two new projects: Endocode\u2019s QMSTR for integrating an open source compliance toolchain into build systems and VMware\u2019s Tern, an inspection tool for identifying open source components within containers.<\/p>\n<p>Announced at this week\u2019s <a href=\"https:\/\/events.linuxfoundation.org\/events\/open-compliance-summit-2018\/program\/schedule\/\">Open Compliance Summit<\/a> in Yokohama, Japan, the ACT umbrella organization aims to \u201cconsolidate investment in, and increase interoperability and usability of, open source compliance tooling,\u201d says the project. <\/p>\n<p>\u201cThere are numerous open source compliance tooling projects but the majority are unfunded and have limited scope to build out robust usability or advanced features,\u201d stated Kate Stewart, Senior Director of Strategic Programs at The Linux Foundation. \u201cWe have also heard from many organizations that the tools that do exist do not meet their current needs. Forming a neutral body under The Linux Foundation to work on these issues will allow us to increase funding and support for the compliance tooling development community.\u201d\u00a0<\/p>\n<p>The four ACT projects, with links to their websites, include:<\/p>\n<ul>\n<li>\n<p><strong><a href=\"https:\/\/www.fossology.org\/\">FOSSology<\/a><\/strong>\u00a0&#8212; This early project for improving open source compliance was <a href=\"http:\/\/linuxgizmos.com\/linux-foundation-values-linux-and-open-source-at-5-billion-dollars\/\">adopted<\/a> by the Linux Foundation in 2015. The FOSSology project maintains and updates a FOSSology open source license compliance software system and toolkit. The software lets users quickly run license and copyright scans from the command line and generate an SPDX file &#8212; a format used to share data about software licenses and copyrights. 
FOSSology includes a database and web UI for easing compliance workflow, as well as license, copyright, and export\u00a0scanning tools. Users include Arm, HP, HP Enterprise, Siemens, Toshiba, Wind River, and others.<\/p>\n<\/li>\n<\/ul>\n<ul>\n<li>\n<p><strong><a href=\"https:\/\/spdx.org\/tools\">SPDX<\/a><\/strong> &#8212; The Software Package Data Exchange\u00a0project maintains the SPDX file format for communicating software Bill of Material (BoM) information including components, licenses, copyrights, and security references. The SPDX project was spun off from FOSSology as a Linux Foundation project in 2011 and is now reunited under ACT. In 2015, <a href=\"http:\/\/linuxgizmos.com\/spdx-v2-simplifies-open-source-license-dependency-tracking\/\">SPDX 2.0<\/a> added improved tracking of complex open source license dependencies. In 2016, <a href=\"http:\/\/linuxgizmos.com\/open-source-compliance-specs-advance-at-linuxcon\/\">SPDX 2.1<\/a> standardized the inclusion of additional data in generated files and added a syntax for accurate tagging of source files with license list identifiers. The latest 2.1.15 release offers support for deprecated license exceptions. The SPDX spec will \u201cremain separate from, yet complementary to, ACT, while the SPDX tools that meet the spec and help users and producers of SPDX documents will become part of ACT,\u201d says the project.<\/p>\n<\/li>\n<\/ul>\n<ul>\n<li>\n<p><strong><a href=\"https:\/\/qmstr.org\/\">QMSTR<\/a><\/strong> &#8212; Also known as Quartermaster,\u00a0QMSTR was developed by Endocode and is now hosted by ACT. QMSTR creates an open source toolchain that integrates into build systems to implement best practices for license compliance management. QMSTR identifies software products, sources, and dependencies, and can be used to verify outcomes, review problems and produce compliance reports. 
\u201cBy integrating into DevOps CI\/CD cycles, license compliance can become a quality metric for software development,\u201d says ACT. <\/p>\n<\/li>\n<\/ul>\n<ul>\n<li>\n<p><strong><a href=\"https:\/\/github.com\/vmware\/tern\">Tern<\/a><\/strong> &#8212; This VMware hosted project for ensuring compliance in container technology is now part of the ACT family. Tern is an inspection tool for discovering the metadata of packages installed in container images. Tern \u201cprovides a deeper understanding of a container&#8217;s bill of materials so better decisions can be made about container based infrastructure, integration and deployment strategies,\u201d says ACT.<\/p>\n<\/li>\n<\/ul>\n<p>The ACT project aligns with two related Linux Foundation projects: <a href=\"https:\/\/www.openchainproject.org\/\">OpenChain<\/a>, which <a href=\"https:\/\/techcrunch.com\/2018\/12\/06\/linux-foundations-openchain-project-welcomes-google-facebook-and-uber\/\">just welcomed Google, Facebook, and Uber<\/a> as platinum members, and the <a href=\"https:\/\/compliance.linuxfoundation.org\/\">Open Compliance Program<\/a>. In 2016, the OpenChain project released <a href=\"http:\/\/linuxgizmos.com\/open-source-compliance-specs-advance-at-linuxcon\/\">OpenChain 1.0<\/a> with a focus on tracking open source compliance along supply chains. The project also offers other services including OpenChain Curriculum for teaching best practices. <\/p>\n<p>The Open Source Compliance group hosts the Open Compliance Summit. It also offers best practices information, legal guidance, and training courses for developers. 
The group helps companies understand their license requirements and \u201chow to build efficient, frictionless and often automated processes to support compliance,\u201d says the project.<\/p>\n<p>ACT has yet to launch a separate website but has listed an\u00a0<a href=\"mailto:act@linuxfoundation.org\">act@linuxfoundation.org<\/a> email address for more information.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As open source software releases and customer adoption continue to increase, many companies underestimate what\u2019s involved with going open source. It\u2019s not only a matter of volunteering for the encouraged, but optional, upstream contributions to FOSS projects, but also complying with the legal requirements of open source licenses. Software increasingly includes a diverse assortment of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":67240,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40],"tags":[],"class_list":["post-67239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-freebsd-unix"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/67239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=67239"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/67239\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/67240"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=67239"}],"
wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=67239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=67239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}