As our members get more involved in open source development, license compliance is inevitably a major focus. But while there's no shortage of information out there about the various open source licenses, it’s not easy to find practical information about license compliance that's accessible to the developers on the front lines of compliance.
To help address this, FINOS has collaborated with open source attorney Jilayne Lovejoy to produce the Open Source License Compliance Handbook, a reference guide to practical compliance information for the most common open source licenses. We're excited to release the Handbook today as an open source resource for our members and the broader open source community!
The goal of the Handbook is to provide developers and engineers with "self-serve" compliance information for common terms and use cases. It also aims to call out more complex compliance conditions that may require closer review or consultation with open source counsel.
Just like developers, lawyers prefer to work on interesting challenges, rather than answer the same questions over and over. Much of the work of open source license compliance is relatively simple and shouldn’t require a lawyer’s input. By addressing the most common provisions and use-cases, we want to empower technology organizations to manage most of the compliance workload and limit legal review to more complex license compliance questions. We hope the end result will be more efficient compliance reviews and more open source contributions!
How to use the handbook
The license entries in the Handbook are not exhaustive summaries, but focus on the terms relevant to on-the-ground license compliance. Complying with any open source license requires you to know:
what open source software you’re using;
what licenses apply to that software and what those licenses mean; and
how you’re using the open source software (i.e. the “use-case”).
The Handbook comes in between steps 2 and 3: the license and use case determine your compliance obligations. The license entries specify which obligations apply in the each of the four most common use cases, which account for 99% of compliance requirements:
distribution of unmodified binary code;
distribution of modified binary code;
distribution of unmodified source code; and
distribution of modified source code.
Where licenses include requirements directed at other use cases or are particular about the method of compliance, we have tried to include references to external resources that may be useful in resolving those harder questions.
We heard you like open source...
In keeping with our open source mission, we’ve made the Handbook itself an open source project! Check out the project on GitHub.
We store the license compliance data in a simple, machine-readable, custom YAML format, so it can be easily incorporated into other tools and databases, while remaining accessible to lawyers and compliance professionals who may want to contribute improvements. We also wrote a little Python code to process the compliance data into readily consumable document formats, including asciidoc, DocBook, docx, and pdf.
The Handbook content is licensed under the Creative Commons Attribution-ShareAlike 4.0 license and the code is licensed under the Apache License 2.0. We encourage lawyers and developers alike to check out the project’s GitHub repository and participate by contributing new licenses (or improvements to covered license info), improvements to the data formats and code, , or anything else you think is useful.
We hope you find the Open Source License Compliance Handbook helpful and look forward to hearing how you end up using it!
About Jilayne Lovejoy
Jilayne is a lawyer specializing in open source and community leader. Jilayne participates in various open source groups: she leads the Software Package Data Exchange® (SPDX) legal team and is the SPDX License List maintainer; she was also a founding member of the OpenChain project. Jilayne was principal open source counsel at Arm, where she advised legal, business, and engineering on open source related issues, provided training, and drove improved processes related to open source, including forming and chairing the Arm Open Source Office. Prior to that Jilayne was sole counsel at OpenLogic, a provider of open source software support, provisioning, and compliance solutions to enterprises. Currently, Jilayne provides consulting services related to open source policy, strategy and other software licensing related issues. In her spare time, Jilayne can be found riding her bike(s) in the mountains of Colorado or co-hosting the geeky podcast, FOSS+beer.
The Fintech Open Source Foundation (FINOS) is an independent nonprofit organization focused on promoting open innovation during a period of unprecedented technological transformation within financial services. FINOS believes that organizations that embrace open source software development and common standards will be best positioned to capture the growth opportunities presented by this transformation. The Foundation offers an Open Developer Platform (ODP), a compliant Open Source Readiness Program and The Open Source Strategy Forum (OSSF), the leading global event for financial executives and technologists dedicated to open innovation. Foundation OSS Projects are Apache 2.0 licensed and available on GitHub. For more information, visit www.finos.org.