Product Security Glossary

FOSS Compliance

What is FOSS compliance?

FOSS compliance concerns ensuring that anyone who deploys Free, Open-source Software does so in compliance with the licensing terms of the software.

What is FOSS?

FOSS stands for “Free, Open-source Software”.  But when we talk about “free”, we’re talking about “freedom”, not necessarily free of cost.  Indeed, it is perfectly acceptable to charge money for “free” software.  FOSS compliance helps ensure that software users comply with any applicable free software licenses. 

Free software is released under any of a variety of licenses that are all designed to protect the software users’ freedom.  To be considered “free”, software must be released under a license that adheres to the Four Freedoms that were promulgated by the free software pioneer, Richard Stallman.  (And yes, he really does start counting them with Freedom Number 0.)

0. The freedom to run the program as you wish, for any purpose. 

1. The freedom to study how the program works and change it so that it does your computing as you wish. 

2. The freedom to redistribute copies so you can help others. 

3. The freedom to distribute copies of your modified versions to others, giving the whole community a chance to benefit from your changes.

How can FOSS compliance be challenging?

FOSS compliance can be challenging because there are so many free software licenses, each with a different set of conditions.  For example, some free software licenses, such as the BSD licenses, allow a company to embed free software code into a commercial, closed-source product.  Other free software licenses, such as the GNU licenses, don’t allow that, and instead require that any producer of GNU-licensed software make the source code of their products available free-of-charge to anyone who wants it.

In some cases, you might see two free software licenses conflict with each other.  For example, Sun Microsystems released the ZFS filesystem under a free software license that conflicts with the GNU licenses.  For this reason, it’s not legally possible to merge the ZFS code into the Linux kernel, which is released under the GNU license.  These types of scenarios can make FOSS compliance even more challenging. 

How do we maintain FOSS compliance?

The first step for maintaining FOSS compliance is to become familiar with the various types of free software licenses.  The SPDX database of free software licenses is a great reference.  You should also be able to find license information in the source code of the free programs that you’re using.  Software developers also need to be familiar with these licenses, and carefully choose which license they want to use for their software.

Unfortunately, software developers often do not track which external source code they have taken, are not fully aware of the complexity that comes with Open-source Software licenses, or receive code from a subcontractor or vendor who is not knowledgeable in FOSS compliance.  It is therefore advisable to use a service that automatically detects the software components (producing an SBOM), recognizes the license(s) of each component, and alerts on license clashes, high-risk licenses and other essential parts of FOSS compliance.  Such a service can also be integrated into the CI/CD process to prevent a compliance breach as part of the development process.
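As an added example (not part of this glossary or of any particular service), the kind of policy check such a service runs in CI, applied to a constructed SPDX-style SBOM: it flags packages with an unknown license, strong-copyleft licenses inside a closed-source product, and the CDDL/GPL clash behind the ZFS-and-Linux case above.  The package list, the high-risk set and the incompatibility table are assumptions chosen for illustration.

```python
"""License policy check over an SPDX-style SBOM (constructed example)."""
import json

# Constructed SBOM fragment in the shape of SPDX JSON: each package carries
# the SPDX license identifier the scanner concluded for it.
SBOM_JSON = """
{
  "name": "example-product-sbom",
  "packages": [
    {"name": "example-app",  "versionInfo": "1.0", "licenseConcluded": "LicenseRef-Proprietary"},
    {"name": "libfoo",       "versionInfo": "2.3", "licenseConcluded": "BSD-3-Clause"},
    {"name": "zfs",          "versionInfo": "0.8", "licenseConcluded": "CDDL-1.0"},
    {"name": "linux-kernel", "versionInfo": "5.4", "licenseConcluded": "GPL-2.0-only"},
    {"name": "mystery-lib",  "versionInfo": "0.1", "licenseConcluded": "NOASSERTION"}
  ]
}
"""

# Hypothetical policy: strong copyleft is high risk when embedded in a
# closed-source product; listed pairs are licenses known to clash.
HIGH_RISK = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}
INCOMPATIBLE_PAIRS = {frozenset({"CDDL-1.0", "GPL-2.0-only"})}
UNKNOWN = {"NOASSERTION", "NONE", ""}


def check_sbom(sbom_text: str, closed_source_product: bool = True) -> list:
    """Return a list of findings; an empty list means the SBOM passes policy."""
    sbom = json.loads(sbom_text)
    findings = []
    licenses = {}
    for pkg in sbom.get("packages", []):
        lic = pkg.get("licenseConcluded", "")
        licenses[pkg["name"]] = lic
        if lic in UNKNOWN:
            findings.append(f"unknown license for {pkg['name']}: manual review needed")
        elif closed_source_product and lic in HIGH_RISK:
            findings.append(f"high-risk copyleft license {lic} in {pkg['name']}")
    present = set(licenses.values())
    for pair in INCOMPATIBLE_PAIRS:
        if pair <= present:  # both licenses of a clashing pair are in the product
            names = [n for n, l in licenses.items() if l in pair]
            findings.append(f"license clash {' vs '.join(sorted(pair))}: {', '.join(sorted(names))}")
    return findings


def ci_gate(sbom_text: str) -> bool:
    """CI step: True when the build may proceed, False when compliance is breached."""
    return not check_sbom(sbom_text)
```

Wired into a pipeline, `ci_gate` failing the build is the point at which the compliance breach is caught before the product ships.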

FOSS compliance is important.  Knowing how to deal with it can help keep you and your organization out of trouble.