Open Source License Compliance with OpenChain
What is the OpenChain Project, and how has SAP adopted the corresponding standard? In my current role in the SAP Open Source Program Office, I was involved in several activities around SAP’s OpenChain certification and would like to share some insights in this blog post.
With numerous open-source licenses in use (more than a hundred are approved by the OSI) and new ones emerging constantly, it is important for companies that manage open-source software to fulfill all of the associated legal requirements and obligations. The OpenChain Project, launched in 2016 under the umbrella of the Linux Foundation, aims to support companies with license compliance across the open-source software supply chain and has been adopted by a wide range of companies and a broad community. The mission of OpenChain is “a supply chain where open source is delivered with trusted and consistent compliance information”. In 2020 it had matured enough to be accepted as an ISO standard, published as ISO/IEC 5230, which is considered the international standard for open-source license compliance. Global and local working groups address the needs of different industries and regional adopters and help to improve and enhance the project continuously. Anybody is free to use the existing OpenChain content, whether training material, policy templates, or developer guidelines. More than 1000 reference documents, such as how-to guides, are available on GitHub, including reference guides for software supply chain security.
In March 2022, SAP completed its certification for ISO/IEC 5230 conformance. As mentioned in the related press release, this was “the first time an enterprise application software company has undergone whole entity conformance”, meaning that SAP as an entire company was certified, not just individual business units or products. What was SAP’s experience with the OpenChain certification? What were the prerequisites, and how much effort did it take?
A well-defined open-source consumption process has been in place at SAP since 2001, with guidelines and tools that have been continuously improved. Because well-structured open-source management, coordinated by the SAP Open Source Program Office, was already established, only limited additional effort was required to fulfill the certification requirements. For a successful self-certification, we needed to set up a global open-source policy and roll it out.
The new policy that we defined in 2021 is legally binding for all SAP employees in all of SAP’s legal entities worldwide. It encourages our developers to use open source as well as to contribute to open source, and provides them with binding rules, guidelines, and tools to mitigate the associated risks with respect to license compliance, security, operations, and long-term maintenance. The most time-consuming part before launching the policy was the alignment and review process with all required experts, lines of business, and other stakeholders such as the social partners in specific countries. The production of a short policy training (15-20 minutes of online training with a self-assessment) was eased by the fact that we had already created an open-source training program in 2020 and could make use of existing material and expertise. In fact, this short and crisp training has been very positively received by our development colleagues.
As Peter Giese, Head of the Open Source Program Office, pointed out in a recent webinar with Shane Coughlan, OpenChain General Manager at the Linux Foundation, OpenChain defines the key requirements (i.e., the ‘why’ and the ‘what’) but does not prescribe ‘how’ to implement them. These degrees of freedom allowed us to build on our existing framework rather than replace it.
In the future, our whole-entity OpenChain conformance and our new global open-source policy will be beneficial for the onboarding of acquired companies and for building trust across the entire open-source software supply chain in our industry.