Skip to main content

OSR Checklist

Warning: Possibly out-of-date

Warning: Possibly out-of-date

This is content originally from the FINOS OSR Checklist Project which has not been updated recently. Feel free to suggest edits.

Consider folding into the OSMM checklist.

Strategy

Document your open source strategy covering the following areas, as relevant:

  • Strategic objectives: what benefits you intend to realize through using and engaging with open source, and how.
  • Compliance strategy: high-level strategy for ensuring open source compliance across enterprise, including the process for implementing that strategy.
  • Communications stategy: how to and who will respond to open source compliance inquiries from customers, the public, and open source projects.
  • Legal & risk strategy: how legal risk will be managed as part of the open source strategy and when legal review will be required.
  • Community engagement strategy: which communities to get involved in and how; event participation.
  • M&A/corporate development: how open source compliance fits in to M&A and corporate development strategies.
  • Software procurement: how open source diligence will be managed for new software procurement (and audits of oustanding procurement).

Policy and process

Establish policies -- and separate implementing processes -- for open source engagement that cover:

  • Usage of open source in internal development
  • Contribution to third-party projects (varying as appropriate for contributions of different significance)
  • Distribution of open source within proprietary products
  • Publication of in-house open source projects
  • Supporting approved external open source engagement efforts to ensure success
  • Auditing existing products and codebases for open source
  • Fulfillment of open source license obligations, including process for responding to requests for source code, where applicable

People

Establish a core open source review team, typically consisting of participants from:

  • Legal
  • Risk & compliance
  • Security (information, network, application)
  • Software engineering
  • OSS Support
  • Line-of-Business head for specific requests
  • Community manager

Establish a cross-functional open source policy team with representatives from every area affected by open source policies, including:

  • Legal
  • Risk & compliance
  • Security (information, network, application)
  • Software engineering
  • Office of the CIO & CTO
  • Software Architecture
  • Software Development Lifecycle
  • Network Policy
  • Internal and external communications
  • Human Resources
  • Digital Transformation

Establish reporting & approval chains for key open source-related issues:

  • License approval
  • Third-party OSS component approval
  • OSS-based security vulnerability remediation
  • Product release approval
  • OSS contribution approval
  • OSS project release approval

Open source management toolchain

Put in place software tools to manage key open source management processes:

  • Approval workflows: managing and automating the initiation, review, and approval of requests subject to open source policies, e.g. to use/incorporate a new open source component or license, modify an open source component, release a project as open source, etc.
  • Project management: tracking usage of and modification of open source components within an internal development project.
  • Inventory management: tracking open source components in use across versions and projects.
  • Code review: enforcing and facilitating review of open source contributions and open source usage in products prior to contribution or publication.
  • Compliance automation and audit: see separate Open Source Compliance Toolchain Checklist.

Training and Education

Institute training and documentation to increase awareness of and compliance with open source processes, including:

  • Formal training on intellectual property, open source licensing and risk, internal policies and processes, and industry practices.
  • High-level review of policies and guidelines in new employee orientation.
  • Comprehensive, accessible documentation of policies, processes, systems, and guidelines relevant to engineers
  • Presentations from internal and external speakers on open source success stories, best practices, etc.

Communication

Publish materials communicating your open source strategy, policies, and related content as applicable, including:

  • Internal messaging
  • External messaging
  • Internal website content
  • External website content

Industry initiatives

Where appropriate, align policies and processes with, and participate in, industry open source compliance-related initiatives, such as:

  • FINOS Open Source Readiness working group
  • FINOS Open Source License Compliance Handbook project
  • OpenChain Project (Linux Foundation)
  • SPDX Project (Linux Foundation)
  • TODO Group (Linux Foundation)
  • Open Compliance Program (Linux Foundation)
  • Open Source Compliance Tooling Group (OpenChain/LF)