Establishing an Open Source Review Board is one key way that companies can help ensure compliance with open source licenses, community norms and requirements (see the previous article, Why Companies That Use Open Source Need a Compliance Program, for more details). In larger companies, a typical board is made up of representatives from engineering, product teams and legal resources, in addition to a Compliance Officer (sometimes called Director of Open Source).
While FOSS compliance is more of an operational challenge related to execution and scaling than a legal challenge, legal counsel is an essential component of any review board and compliance program. Companies may choose to use internal legal counsel, or to retain external counsel on a fee basis. Regardless of how it’s achieved, there are five essential duties of an open source lawyer to ensure that a company observes all of the copyright notices and satisfies all of the license obligations for the FOSS it uses in its commercial products.
Five essential duties of legal counsel in open source compliance
1. Provide approval around the use of FOSS in products.
The approval of the legal counsel is required when using FOSS in a commercial product. Typically, the legal counsel reviews the compliance ticket, the source code scan report, and the license information provided with the source code package. They then evaluate any risk factors based on the feedback provided by engineering and the open source compliance officer. As part of this exercise, the legal counsel decides on the incoming and outgoing licenses of the software component in question.
2. Advise on FOSS licensing.
Typically, legal counsel will offer guidance about the FOSS license obligations that must be fulfilled. Your legal counsel will be important in advising on potential license conflicts or incompatibilities. One of the more common questions we see is, “Can I combine X FOSS-licensed code with Y FOSS-licensed code?” To many developers and product architects, these are critical questions to resolve early when building a product based on FOSS. Resolving them later can lead to expensive and time-intensive re-engineering. Your legal counsel should be well integrated with engineering teams to provide recommendations and guidance on FOSS questions and concerns.
3. Review and approve updates to end-user documentation.
This form of legal support ensures that appropriate FOSS notices are provided to users for any FOSS included in the product (e.g. proper attribution statements), along with any other requirements (e.g. for GPLv2-licensed code, a written offer on how to obtain the source code).
4. Contribute to establishing and running the FOSS compliance program.
Your FOSS obligations or concerns won’t stop the day you ship your product. Many software products are updated over time, and those updates will require the same review and process to ensure the FOSS obligations are met. Your legal counsel will be helpful in establishing and maintaining a FOSS policy and process across products and product teams. This should include directions for how to handle FOSS compliance inquiries sent to the company.
One failure mode we have seen in compliance activities is that users contact technical support, and the technical support personnel lack guidelines or scripts on where to direct users seeking the source code for a GPL-licensed product. A long-term FOSS compliance program will also provide training on FOSS licenses, company policies and guidelines, which your legal counsel will be instrumental in drafting and evolving over time.
5. Participate in legal community programs and activities.
One helpful role of your legal counsel will also be to participate in the broader legal community focused on FOSS issues and topics. The organic communities that have sprung up are based on lawyers sharing practical, pragmatic topics with each other. These support communities enable your legal counsel to learn best practices and new ideas that can be incorporated back into your internal FOSS compliance program. Without your counsel accessing these communities, your company may fall behind on best practices and accepted norms, or miss critical issues that should be factored into your compliance program.
In part three of this blog series, we’ll cover practical ways for legal counsel to advise software developers. For more detail, download the full white paper, Practical Advice to Scale Open Source Legal Support. You can find me on Twitter at @mdolan.
Read more:
Part 1: Why Companies That Use Open Source Need a Compliance Program
Part 3: 5 Practical Ways for Legal Counsel to Advise Developers on Open Source
The Open Compliance Program at the Linux Foundation aims to help organizations achieve compliance faster and cheaper by providing a number of resources that are accessible via http://compliance.linuxfoundation.org.