Open-Chain publishes open source ISO standard

Good developers do not write code from scratch. They know where to get code. Improving productivity, shortening time to market and reducing development costs are all good reasons to use open source.

“Open source” describes a belief that software is best written in an open, collaborative process in which the resulting product is freely available to others to use, improve and distribute. Early proponents of open source based it on moral principles of free access, while later supporters have promoted it as a viable business model for commercial developers and users. In a nutshell, it is software whose source code is freely available to all to use and modify, which distinguishes it from proprietary software. Many server-based systems in wide use today are predominantly open source. There is a massive amount of undocumented open source code used in virtually all software: far more than 50 percent is open source and third-party code. Yet it is not being proactively tracked and managed. In fact, most developers are only aware of less than 10 percent of the open source code in their products.

[Figure: Software components of the end product: firm's code base, open source, own and commercial code]

However, open source carries two kinds of risk: the risk of copyright infringement and the risk of license restrictions.

There is a somewhat higher risk, compared to proprietary software, that open source violates third-party intellectual property rights, and open source users receive no contractual protection against this higher risk. In theory, any programmer can add infringing code to an open source project because it is developed without the usual commercial controls. Moreover, most providers of open source do not offer the warranty protections customarily given with commercial products.

Open source comes with license restrictions that may impact a company’s strategies, particularly the risk that its own proprietary software may be “tainted” by a duty to open its source code to others. This risk is different from the infringement risk. Open source is not in the public domain but instead is available for use only under one of a variety of licenses that impose restrictions on users. These licenses differ, and it is important to know and observe their terms.

Furthermore, the use of open source is usually subject to license agreements. These can run contrary to a company's own strategy, for example through an obligation to publish modified code freely in turn. This risk is different from the risk of infringement. Open source does not mean “public domain”; it is subject to a number of rules and restrictions defined by the open source license. These terms vary greatly from license to license, and it is important to understand them and meet their requirements.

Open source components form the basis of most modern applications. Nevertheless, many companies state that they use no formal process to track and manage their open source usage. As a result, many teams find that their applications contain far more open source components than they thought.

OSS compliance is achieved through a process that ensures that developers, users and integrators of open source software respect copyright notices and meet the licensing requirements of the open source components they use. A well-established compliance process also ensures that open source licenses are adhered to and helps organizations protect their third-party vendors and their own intellectual property from automatic disclosure and other consequences.

In principle, each company can create its own FOSS compliance process; this is how it was handled in the past because there was no uniform standard. The Open-Chain Group has now developed a process that will soon be published as an official ISO standard.

Open-Chain’s vision is a supply chain in which open source is delivered with trusted and consistent compliance information. The Open-Chain project maintains the international standard for open source compliance. This enables companies of all sizes and industries to adopt the key requirements of a high-quality open source compliance program.
