Good Governance Certification

As discussed, open source governance at its core consists of governing

  • how and which open-source software to use,
  • how and when to contribute to open source projects, and
  • how and why to create and lead open source projects.

The OpenChain project, hosted by the Linux Foundation, is an attempt by industry to specify good open source governance of companies to make the flow of open-source software along the software supply chain as smooth as possible.

To this end, the OpenChain project is defining a standard for good governance. Like any specification, it does not provide best practices, but rather focuses on requirements like “define open source use cases” or “have an open source approval process”.

At the time of writing, the OpenChain 2.1 specification of 2020 was the most recent standard. Version 2.1 covers:

  • The open source program office (OSPO). The specification covers requirements for
    1. Having a defined OSPO mandate,
    2. Having posts and roles with defined responsibilities,
    3. Having specific posts like the legal counsel or public contact,
    4. Managing the evolution of this structure, and last but not least,
    5. Having a defined and secured budget for operating the OSPO.
  • Using open-source software in products. The specification covers requirements for having an open source usage policy and processes for ensuring license compliance.
    The usage policy requirements cover
    1. Having a policy,
    2. Creating awareness for the policy, and
    3. Assessing a company’s competence with it.
    The license compliance requirements cover
    1. Defining use cases,
    2. Having a standardized license interpretation,
    3. Managing the open source components in your products,
    4. Tracking the corresponding license compliance artifacts,
    5. Responding to third-party inquiries, and
    6. Remediating compliance issues.
  • Contributing to open source projects. The specification only states that you should have a contribution policy.

Nothing is said about creating or leading open source projects.

The OpenChain specification is work in progress and will likely keep evolving and extending its scope. However, this does not diminish its significance. Already today, certification agencies have set up OpenChain compliance marks and are offering certification with (their interpretation of) the OpenChain specification.

At the time of writing, no company was requiring its suppliers to provide such a certification mark, but it may only be a matter of time until customers require companies to demonstrate proper open source governance, most likely by featuring an OpenChain compliance mark.

© 2024 Dirk Riehle, used with permission.