Linux Foundation Introduces ACT to Verify Open Source Licensing Compliance

The Linux Foundation recently launched the ACT (Automated Compliance Tooling) project, which will develop tools for ensuring compliance with the requirements of open licenses.

ACT's main objective is to consolidate investments in these tools, ensuring portability between them and increasing their usability, to help organizations manage compliance obligations.

About ACT

The initiative covers tools that automate tasks such as maintaining metadata with information on code licenses, analyzing projects for borrowed code and the use of open licenses, and evaluating the compatibility of products developed with open and free licenses.

The tools help companies simplify the work of ensuring the license purity of the products they open.

They can also be used to audit new software dependencies or to check code developed behind closed doors, to avoid adding components distributed under incompatible licenses.

The tools can also provide significant assistance in monitoring license compliance for large projects that use a combination of many open and proprietary components.

For example, it is possible to determine the open licenses involved in the code, identify possible intersections and conflicts, assess potential risks, and build a map of the intellectual property used in the project.

What projects will be part of ACT?

With contributions from the Linux Foundation, the ACT project will develop the following tools:

  • FOSSology is a set of tools for the automated detection of the use of particular software licenses.

It supports source code analysis, mapping of package metadata in DEB and RPM formats, and identification of copyrights, URLs, and email addresses. Designed by HP.

  • QMSTR (Quartermaster) is a toolkit that implements proven business practices for managing license compliance when developing software products.

QMSTR is integrated into the DevOps CI/CD development cycle, and during the build stage it accumulates metrics with information about the code being built and the dependencies used. The project was developed by Endocode.

  • SPDX is a set of specifications and related utilities for publishing and exchanging licensing and intellectual property information used in various components of software packages.

It makes it possible to specify not only the general license for the whole package, but also the license details of individual files and fragments, the owners of the property rights to the code, and the persons involved in reviewing its license purity.

  • Tern is a tool for inspecting container images, which allows you to determine which packages make up their contents. The project was developed by VMware and submitted to the Linux Foundation.

“License compliance is a very important factor in the open source ecosystem.

With QMSTR, we started building a toolchain that focuses on finding data and accurate, complete, and up-to-date compliance documentation for each software build.

Endocode is very excited to contribute QMSTR to ACT and take it to the next level together with The Linux Foundation and the other project partners,” said Mirko Boehm, Endocode CEO of the QMSTR project.

Two other projects also join

ACT also welcomes two new projects that will be hosted by the Linux Foundation as part of the initiative, in addition to the two existing Linux Foundation projects that will be part of the new project.

The new projects are complementary to existing Linux Foundation compliance projects.

Such is the case of OpenChain, which identifies recommended key processes to make open source license compliance simpler and more consistent.

And the Open Compliance Program, which educates and helps developers and companies understand their licensing requirements and how to build efficient, frictionless, and often automated processes to support compliance.

