Software Licensing Effort Focuses on Compliance Tools
A new project launched this week by the Linux Foundation is designed to provide standard tools for complying with the terms of open-source code licenses.
The goal of the Automated Compliance Tooling (ACT) initiative is “to consolidate investment in, and increase interoperability and usability of, open source compliance tooling, which helps organizations manage compliance obligations,” the foundation said Thursday (Dec. 6).
Early contributors to the ACT project include VMware (NYSE: VMW) and Endocode, a Berlin-based software engineering firm specializing in open-source projects. VMware will contribute Tern, an inspection tool that reports the package metadata installed in an application container image. Endocode’s contribution, Quartermaster, or QMSTR, creates a toolchain that implements best practices for managing license compliance.
“License compliance is an important hygiene factor in the open source ecosystem,” said Endocode CEO Mirko Boehm. “With QMSTR, we started to create a toolchain that focuses on fact-finding and accurate, complete and up-to-date compliance documentation for every software build.”
VMware’s contribution, Tern, provides a “bill of materials” for application containers. VMware said the tool would help developers meet open-source compliance requirements as containers make steady inroads in handling enterprise production workloads.
Tern can be used to inspect container images to identify the individual software packages they contain, along with the metadata of those packages. The tool works by inspecting each layer in a container image’s file system in turn.
“Tern gives container engineers a deeper understanding of the container’s bill of materials in order to make better decisions about container-based infrastructure, integration and deployment strategies,” VMware explained in a blog post.
Tern was released as an open-source tool in June 2017. The most recent release adds features designed to make it more accessible to developers.
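As an added illustration of the layer-by-layer inspection described above (example code written for this article, not Tern’s own implementation): the script walks a docker-save style image tarball, reads each layer’s dpkg status file, and attributes every package to the layer in which it first appears or changes version. The image, package names and versions it uses are constructed for the example.

```python
import io
import json
import tarfile

def tar_bytes(files):
    # Build an in-memory tar archive from {path: bytes} (used to construct the sample image).
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def parse_dpkg_status(text):
    # Minimal parser for var/lib/dpkg/status: stanzas of "Field: value" lines separated by blank lines.
    pkgs, name, version = {}, None, None
    for line in text.splitlines() + [""]:  # trailing sentinel flushes the last stanza
        if line.startswith("Package: "):
            name = line[9:].strip()
        elif line.startswith("Version: "):
            version = line[9:].strip()
        elif not line.strip() and name:
            pkgs[name] = version
            name = version = None
    return pkgs

def packages_per_layer(image_tar):
    # Walk a docker-save style image tar layer by layer; attribute each package to the layer where it first appears or changes version.
    seen, report = {}, []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            with tarfile.open(fileobj=image.extractfile(layer_path)) as layer:
                status = ""
                if "var/lib/dpkg/status" in layer.getnames():
                    status = layer.extractfile("var/lib/dpkg/status").read().decode()
            current = parse_dpkg_status(status)
            changed = {p: v for p, v in current.items() if seen.get(p) != v}
            seen.update(current)
            report.append((layer_path, changed))
    return report

def build_sample_image():
    # Constructed two-layer image (made-up versions): the app layer upgrades openssl and adds curl.
    base = b"Package: libc6\nVersion: 2.31-13\n\nPackage: openssl\nVersion: 1.1.1n-0\n"
    app = base.replace(b"1.1.1n-0", b"1.1.1n-1") + b"\nPackage: curl\nVersion: 7.74.0-1\n"
    manifest = json.dumps([{"Config": "config.json", "Layers": ["base/layer.tar", "app/layer.tar"]}]).encode()
    return tar_bytes({"manifest.json": manifest, "base/layer.tar": tar_bytes({"var/lib/dpkg/status": base}),
                      "app/layer.tar": tar_bytes({"var/lib/dpkg/status": app})})
```

Running `packages_per_layer(build_sample_image())` yields a per-layer list in which the base layer accounts for libc6 and openssl and the app layer accounts for the openssl upgrade and the new curl package; a real image saved with `docker save` has the same manifest and layer-tar layout.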
Two other projects round out the ACT initiative. An open-source license compliance toolkit dubbed FOSSology lets users run license, copyright and export control scans. The existing open-source project will now be moved under the ACT umbrella, the Linux Foundation said.
Completing the license compliance initiative is the Software Package Data Exchange (SPDX), an open-source standard for communicating software component information that also includes licenses, copyrights and security provisions. SPDX is also an existing Linux Foundation project.
“There are numerous open source compliance tooling projects, but the majority are unfunded and have limited scope to build out robust usability or advanced features,” said Kate Stewart, who is overseeing the license compliance effort at the Linux Foundation.
“We have also heard from many organizations that the tools that do exist do not meet their current needs. Forming a neutral body under The Linux Foundation to work on these issues will allow us to increase funding and support for the compliance tooling development community,” Stewart added.
Software licensing issues are bound to grow as major players like Microsoft (NASDAQ: MSFT) and IBM (NYSE: IBM) play larger roles in open-source development through recent acquisitions. Those include Microsoft’s deal to acquire GitHub and IBM’s deal for Red Hat.