OpenChain, currently in version 1.1, is a project sponsored by the Linux Foundation to provide a centralized set of resources to create a specification, to educate about open source, and to self-check for conformance, all from a single site.

OpenChain (not to be confused with a short-lived blockchain project of the same name in the United Kingdom) began in 2013 when Dave Marr, vice president and legal counsel at Qualcomm suggested it as a way to ensure open source compliance and best practices. The first release of the OpenChain Specification occurred in October 2016, but until the 1.1 release, the project avoided publicity in favor of testing and refining its resources. With the release of the 1.1 specification, OpenChain is also publishing a new web site and a publicity campaign to encourage the use of its resources. Already, four companies have self-certified with the 1.1 specification during beta testing – Siemens, Qualcomm, Pelagicore, and Wind River.

“This may sound like a dry subject at first,” says project manager and long-time advisor to Free Software Foundation – Europe, Shane Martin Coughlan. “However, if companies follow different processes or best practices, then problems can arise. If we do the opposite and embrace a shared approach to compliance, then the chance of errors or issues is dramatically reduced.”

Producing the Specification

OpenChain does not enforce its specification. Instead, in a concise 10-page document, the specification offers educational material covering such topics as the obligations of FOSS users, documenting FOSS, and interacting with the community, as well as overviews of how to apply OpenChain’s material to projects and businesses of any size. Accompanying the specification is a curriculum that discusses the basic concepts of open source software and a conformance questionnaire that those interested can take for themselves.

“This service takes the pain out of becoming OpenChain conformant,” Coughlan says, “Any organization can access and process the questionnaire without cost. If they meet our criteria, they will join the OpenChain circle of trust.” The borrowing the term “circle of trust” from security keyrings is deliberate; as Jilayne Lovejoy, principal open source counsel at ARM, makes clear, OpenChain’s intent is to apply the collaborative spirit of FOSS software development to legal and best practices as well.

OpenChain 1.0, Coughlan says, “was the first refined, publicly adoptable version of our specification. This was the milestone when OpenChain turned from [a] good idea into [an] active and growing project. By going public with OpenChain and by welcoming OpenChain 1.0-conformant companies, we had the opportunity to learn. We got feedback on language that might be vague. We got feedback on requirements for better understanding by non-native English speakers. The growing community provided a sounding board that made it clear we could take what we had and dramatically ease adoption and use. OpenChain 1.1 is a refinement of 1.0 that makes things better in every way. If OpenChain’s first release was comparable to the iPhone of open source supply chain compliance, then [1.1] is our iPhone 3G.”

Even with the improvements of the later version, Coughlan describes the current specification as “minimal.” He adds, “We are not in a rush to push boundaries. Our key focus over the next 12 months is adoption. This means you can expect additional material in the near term and [in about two years] OpenChain 2.0. You can expect that we will refine and potentially raise the bar on certain items based on feedback from the market. This will not invalidate the value of conformance to OpenChain 1.0 or OpenChain 1.1; however, with each revision the specification gets better, and that is the bar that is being raised.”

The Curriculum Presentation

Although the specification has been OpenChain’s main concern until recently, the project is also developing a curriculum for those who want to educate themselves about open source. The curriculum is in the form of a slide show, with a series of – so far – minimal notes.

The curriculum begins with an overview of intellectual property and copyright. From there, it moves on to FOSS licenses, presenting permissive and copyleft licenses neutrally, except so far as they differ in compliance. As Coughlan points out, from OpenChain’s perspective, conformance is the same regardless of the specific license. “Our level could be framed,” he says, “as ‘do you have a way to identify and meet the requirements of the respective licenses?’”

The curriculum continues with advice about monitoring the use of free software in an organization and identifying possible pitfalls. Not including title pages, each chapter is about half a dozen slides long and ends with a brief quiz about key concepts. Coughlan raises the possibility that, before the end of 2017, the quizzes could be offered independently to benefit “organizations that might be time-constrained.” Other training material might also be in the works.

Noticeably, the curriculum is not nearly as polished as the specification. Yet, even so, it is more concise and free of bias than most material of its kind, and – having been released under the Creative Commons Universal or public domain license – is likely to find more uses beyond the OpenChain project.

Self-Certification

Until the release of the 1.1 specification, conformance has had the least attention of OpenChain project’s concerns. Now, however, “conformance has become a first-class citizen in the project,” Coughlan says.

Currently, conformance takes the form of a self-administered test. When an organization passes the test, it can be listed on the OpenChain site to publicize the fact. According to Coughlan, OpenChain is preparing a badge that organizations can display to announce their conformance.

“We want organizations to see our material, realize its importance, and understand they can engage via self-certification,” Coughlan says. However, he adds that “down the road, we will introduce processes for audits and additional support for organizations that may be having trouble meeting current conformance requirements. What will remain consistent is that we are building a community, we are welcoming new members, and we will be seeking to create the most supportive environment possible.”

Next Steps

“We have some fantastic early adopters,” Coughlan says. “However, this is just the beginning. We need to tell our story to many more people and organizations in the coming months. To some extent this will mean talking at events, but we also have an expectation that a lot of our useful discussions will happen face-to-face and will be supported by our expanding on-boarding material.”

Coughlan concludes, “I have spent more than a decade dealing with issues around open source compliance. It quickly became clear that we faced challenges that originated primarily in the pressures, the miscommunications, and the occasional missteps that occur throughout the complexity of the supply chain. One thing I privately said to old friends and colleagues like Harald Welte, Armijn Hemel, and Till Jaeger was, ‘how do we fix that?’ I believe OpenChain is the answer. We are looking at the way for the processes and best practices used by the very largest and most experienced entities to be shared with the entire IT market. This is the standard for how to deal with Open Source compliance in the supply chain and it is freely available, easily available, to everyone who wants to engage.”

Clearly, OpenChain is just beginning. However, at this point, it appears to be off to a strong start.