Automating Licensing Compliance When 90 Percent of Components are Open Source
FOSSA is an open-source software company that helps companies manage open-source dependencies with an emphasis on automated license compliance, said Kevin Wang, founder and CEO of FOSSA in this episode of The New Stack Makers from the Open Source Leadership Summit in Sonoma earlier this month.
Wang arrived at our TNS Makers Livestream studio in the big white conference tent at the Fairmont Hotel with cards on a binder ring titled “The State of Open Source Licensing.” We went through the cards to review what FOSSA has found over the year spent building the company’s extensive knowledge base.
FOSSA is using this data to help build an automated compliance engine based on the open-source software being used by more than 3,000 companies. Out of this, the company has:
- Amassed data on 23 million open source packages, with insights from companies such as Mapbox, Docker and Hashicorp, all companies with modern workflows.
- Found that about 90 percent of components are open source, but that the complexity of managing them is enormous.
- Found how complex it is to build and manage modern build systems. Tools are not always deterministic, which makes investment in management systems a higher priority. FOSSA has developed feedback loops built from behavioral workflows based on how developers configure FOSSA, which they download from GitHub. With FOSSA embedded in the workflow, the tool informs developers and developer teams with simple green or red alerts.
Wang is the first person we have interviewed who brought cards on a ring binder to talk through his story. It was effective and provided some insight into questions that any organization must face. For example: Is the application I built using open-source components in compliance with all the licenses it uses?
In this Edition:
2:44: How well do teams understand their open source dependencies?
4:55: Exploring the ways developers share code.
6:52: How are the discovery tools these days?
9:55: Copyleft and the GPL license family.