As financial services firms get serious about open source collaboration, one of their first priorities is getting a handle on the open source software they're already using. Open source may be free of cost, but it's not free of obligation: using it responsibly means complying with open source licenses and keeping current with updates so that the products built on it remain secure.
A successful open source compliance process requires tools and procedures to track open source components in use, monitor updates, and build compliance information into software releases. Because these tasks each require significant human involvement, every company has a different compliance workflow.
There are a number of vendors that provide tools and automation to manage open source compliance, including FINOS Member WhiteSource (technology currently in use in our FINOS Open Developer Platform), Black Duck, Flexera, FOSSA and nexB. But some companies prefer to keep some or all of their compliance workflow in-house, whether to integrate better with bespoke software development lifecycle tooling, because of budget constraints, or for other reasons.
Over the next couple of months, the FINOS Open Source Readiness Working Group will be exploring the open source tools available to help companies build and manage their own open source compliance workflows.
Kate Stewart of the Linux Foundation will discuss LF's Automated Compliance Tools (ACT) Project to consolidate investment in, and increase interoperability and usability of, open source compliance tooling to help organizations manage compliance obligations. ACT supports the development of several tools, including: QMSTR, a toolchain that focuses on producing compliance documentation for software builds; Tern, an open source project for inspecting container images for open source compliance; FOSSology, a toolkit for running license, copyright, and export control scans; and SPDX Tools, a collection of software tools for managing SPDX-formatted compliance information.
Gary O'Neall of Source Auditor will present the Linux Foundation's SPDX Project, which provides a standard format for communicating the components, licenses and copyrights associated with a software package. Gary is the maintainer of the SPDX Tools project and will discuss how to use those tools to produce an open source bill of materials for a product.
Join us Wednesday at 10am EDT to learn more! Conference info for the Open Source Readiness working group is available here. You can add the event to your calendar by importing the FINOS Program calendar.