Background on a compliance program

Jeremiah Foster <jeremiah.foster@...>


Thanks everyone for the OpenChain call today. I wanted to follow up with some background on my experience with a compliance program and the pitfalls and benefits we found in GENIVI. 

Firstly, I have to again express sincere thanks to the folks on the call. There is an amazing amount of experience and knowledge in the group and I feel it has produced a specification of real value. Many of you come from large companies and this kind of knowledge often is only found there. Making this knowledge available to SMEs will truly help FOSS in the marketplace since OpenChain provides the framework for a business model to SMEs. I hope they adopt it.

While GENIVI's compliance program is somewhat different than OpenChain's proposed conformance program, it shares more similarities than differences -- it even has something of a Linux Foundation pedigree. GENIVI's specification was designed on the "Carrier Grade Linux" model. (0)  CGL was all about bringing GNU/Linux to the carrier ecosystem. It designed a spec and granted compliance if you fulfilled the spec. GENIVI was fortunate to have one of the CGL leads, Dan Cauchy (then at Monta Vista, today at the Linux Foundation) design GENIVI's program. GENIVI inherited a lot from CGL. 

Like CGL our spec is paper-based. (1) You fill out a spreadsheet with information on how you're compliant and submit that spreadsheet to a mailing list that hold all the members of the compliance team. The compliance team members are the keepers of the spec, they're software architects, so they quickly understand the domain and can ask pertinent questions about the submission, but there is only so much you can do with a paper-based process. Even if you have an automated system that checks the input, if you don't have a means to actually introspect the process. Be it software or artifacts, you'll never have an ability to truly determine compliance. This is fine. As Eben Moglen says, you want a culture of voluntary compliance around the GPL, you don't want a harsh, introspective enforcement regime. OpenChain gives companies a great start on voluntary compliance, I would trust the process and plug holes that may appear as you go. Starting out with something really heavyweight and expensive will be counterproductive to OpenChain's goals IMHO.

How would one strike that balance between enough structure and enforcement as to be credible, and a lightweight process? I feel strongly that OpenChain has already taken steps in that direction. Having the collection of artifacts and data able to be done online is going to be highly effective -- no gatekeepers in the way. Also, the fact that software can analyze the submissions to check for accuracy and completeness is going to be valuable. What I think can't be replaced is the human judgement needed to ensure that everything adds up. 

In GENIVI, we use a private mailing list for compliance. Only those who've submitted their registration and the compliance team on allowed. Once a registration is sent to GENIVI's mailing list two reviewers are assigned to go through the submission in some detail. They can query those who submitted the registration and nitpick. Then they recommend the submission for approval to the whole compliance team who vote using a majority system with quorum. Most of the time the vote follows the recommendation of the reviewers, nearly always the compliance team is unanimous. Reviewing compliance registrations becomes fairly easy after a while. We promise a turn-around in a couple weeks but the time it takes the engineers to actually review the spreadsheet is only hours. Some folks can quickly suss out if the spreadsheet is actually possible to build in software, but most of the time all we can do is trust that those who've submitted the information aren't lying. The alternative, as we've discussed on many occasions, is a software tool that actually runs on the target hardware. We've seen limited interest in that. 

I strongly suspect that a review process involving humans in combination with software will be the fastest and easiest for OpenChain. 



Jeremiah C. Foster

Pelagicore AB
Ekelundsgatan 4, 6tr, SE-411 18
Gothenburg, Sweden
M: +1.860.772.9242

Join to automatically receive all group messages.