
SPDX format is key to success or failure of Linux Foundation's Open Compliance Program

Written by Paula Rooney, Contributor

Add the Linux Foundation to the long list of organizations and companies founded to protect Linux users and developers from legal risk.

At the opening of the annual LinuxCon 2010 here today in Boston, the San Francisco-based foundation, which sponsors the work of Linux creator Linus Torvalds, announced a new open compliance program with the support of heavy hitters including Google, Adobe, Cisco, Novell, AMD, ARM, HP, IBM, Intel, Sony, Nokia and Motorola.

The long list of supporters also includes big Linux defenders including the Software Freedom Law Center, Open Invention Network and gpl-violations.org as well as Black Duck, which makes a business ensuring open source compliance. Even CodePlex – which was founded by and led by many employed at Microsoft – supports the program.

Jim Zemlin, director of the Linux Foundation, maintained in his blog that it is easier for CIOs to ensure compliance with open source licenses than with proprietary ones. Yet he also noted that the explosion of Linux use in embedded devices, consumer electronics and mobile phones calls for a foundation-sanctioned compliance program.

Included in the program are “tools, training, a standard format to report software licensing information, consulting and a self-assessment checklist that will help companies comply with open source licenses, increasing adoption of open source and decreasing legal FUD present in the marketplace,” the foundation noted in its press release Tuesday.

“The Open Compliance Program also includes a new data exchange standard so companies and their suppliers can easily report software information in a standard way, a crucial missing link in the compliance landscape,” the foundation noted.

This is a very smart move. There are a number of commercial outfits such as Black Duck Software that make a business out of open source compliance services.  Some companies offer open source compliance insurance policies. Tons of organizations have been founded and legal indemnification policies have been adopted by distributors to eliminate legal FUD generated by large proprietary companies. Unsuccessful efforts to take down Linux in US courts have helped reduce fears.

Customers have become far more hip about mixing open source and closed source licenses on site and willing to deploy open source applications in recent years.  A recently released study conducted by Accenture testifies to ubiquitous open source deployment by large corporations.

Yet, the boogeyman still keeps CEOs and IT pros up at night.  Check out this recently released survey by ActiveState and Olliance Group.  Violations continue to be reported on an ongoing basis, and that will no doubt continue.

The Linux Foundation has significant credibility because of its encompassing industry support and because it sponsors the work of the Linux creator himself – Linus Torvalds.  His name continues to carry the most weight in the industry.

Deploying the tools and training in house will help alleviate fears. But the kingpin of the program is the standard format for data exchange.  The Software Package Data Exchange (SPDX) working group will do what it can to accelerate adoption.  If this takes off, it will vastly reduce the complexity involved in ensuring compliance and enable customers and developers to develop and deploy open source software with far greater confidence – and at lower cost.  It will be interesting to see if this format makes gains or dies on the vine.

The tools -- which are complementary to existing commercial services offered by Black Duck and others --  will also help a great deal.

The Linux Foundation released initial versions of two of these tools as open source projects. These are the three under development, as described by the Foundation:

o Dependency Checker: capable of identifying code combinations at the dynamic and static link level. In addition, the tool offers a license policy framework that enables FOSS Compliance Officers to define combinations of licenses and linkage methods that are to be flagged if found as a result of running the tool.

o Bill of Material (BoM) Difference Checker: capable of reporting differences between BoMs and therefore enabling companies to identify changed source code components and to better report included open source components in updated product releases. Development on the BoM Difference Checker will begin in late 2010.

o The Code Janitor: This tool provides linguistic review capabilities to make sure developers did not leave comments in the source code about future products, product code names, mention of competitors, etc. The tool maintains a database of keywords that are scanned for in the source code files to ensure code released is safe and ready for public consumption.
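To make concrete what the first two tools above do with a package data exchange like SPDX, here is an added, self-contained illustration (not the Linux Foundation's code and not the SPDX specification): it parses two constructed BoMs in a simplified tag:value layout, reports which components were added, removed or changed between releases, and flags components whose (license, linkage) pair appears in a constructed compliance policy. The `Name`/`Version`/`License`/`Linkage` keys, the policy table and the sample components are all assumptions made for this example.

```python
# Added illustration of a BoM difference checker and a license/linkage policy
# check. Not the Linux Foundation's tools; the tag:value layout below is a
# constructed stand-in for a package data exchange file, not the SPDX spec.
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str   # short license identifier, e.g. "GPL-2.0-only"
    linkage: str   # how the product links to it: "static" or "dynamic"

REQUIRED = ("Name", "Version", "License", "Linkage")   # hypothetical keys

def parse_bom(text: str) -> Dict[str, Component]:
    """Parse blank-line-separated 'Key: value' blocks into components keyed by name.
    Raises ValueError on a malformed line or a block missing a required key."""
    components: Dict[str, Component] = {}
    block: Dict[str, str] = {}
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last block
        line = raw.strip()
        if not line:
            if block:
                missing = [k for k in REQUIRED if k not in block]
                if missing:
                    raise ValueError(f"component block missing {missing}")
                comp = Component(*(block[k] for k in REQUIRED))
                components[comp.name] = comp
                block = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        block[key.strip()] = value.strip()
    return components

Change = Tuple[str, str, str]   # (field, old value, new value)

def diff_bom(old: Dict[str, Component], new: Dict[str, Component]) -> Dict[str, object]:
    """Report components added, removed, or changed (field by field) between two BoMs."""
    changed: Dict[str, List[Change]] = {}
    for name in sorted(old.keys() & new.keys()):
        deltas = [(f.name, getattr(old[name], f.name), getattr(new[name], f.name))
                  for f in fields(Component)
                  if getattr(old[name], f.name) != getattr(new[name], f.name)]
        if deltas:
            changed[name] = deltas
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}

# Constructed policy: (license, linkage) pairs a compliance officer has chosen to
# flag for this hypothetical product. Illustrative only, not legal guidance.
POLICY: Dict[Tuple[str, str], str] = {
    ("GPL-2.0-only", "static"): "strong copyleft, statically linked",
    ("GPL-2.0-only", "dynamic"): "strong copyleft, dynamically linked",
    ("LGPL-2.1-only", "static"): "weak copyleft, statically linked",
}

def check_policy(bom: Dict[str, Component], policy=POLICY) -> List[Tuple[str, str]]:
    """Return sorted (component name, reason) pairs for every flagged component."""
    return sorted((c.name, policy[(c.license, c.linkage)])
                  for c in bom.values() if (c.license, c.linkage) in policy)

# Constructed sample BoMs for two releases of the same hypothetical product.
OLD_BOM = """\
Name: zlib
Version: 1.2.3
License: Zlib
Linkage: dynamic

Name: openssl
Version: 0.9.8
License: OpenSSL
Linkage: dynamic

Name: libfoo
Version: 1.0
License: LGPL-2.1-only
Linkage: dynamic
"""

NEW_BOM = """\
Name: zlib
Version: 1.2.5
License: Zlib
Linkage: dynamic

Name: openssl
Version: 0.9.8
License: OpenSSL
Linkage: dynamic

Name: libfoo
Version: 1.0
License: LGPL-2.1-only
Linkage: static

Name: libbar
Version: 2.0
License: GPL-2.0-only
Linkage: dynamic
"""

if __name__ == "__main__":
    old, new = parse_bom(OLD_BOM), parse_bom(NEW_BOM)
    print(diff_bom(old, new))
    for name, reason in check_policy(new):
        print(f"FLAG {name}: {reason}")
```

The diff alone is what makes a BoM useful in a release process: here it shows that `libfoo` did not change version but did change from dynamic to static linkage, which is exactly the kind of change a version-only comparison would miss and which the policy table then flags.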
