Google, VMware Headline Linux Foundation’s ACT Program
The Linux Foundation has formed a new open source license compliance program headed by heavyweights Google, VMware, and Siemens. The Automated Compliance Tooling (ACT) program aims to address the responsibility and investment challenges facing open source code, which has come under considerable strain over the past year.
“Using open source code comes with a responsibility to comply with the terms of that code’s license,” the Linux Foundation explained. “The goal of ACT is to consolidate investments in these efforts and to increase interoperability and usability of open source compliance tooling.”
The program includes five primary projects.
One is the existing Linux Foundation FOSSology open source license compliance software system and toolkit. This allows users to run license, copyright, and export control scans from a REST API.
It also includes the OSS Review Toolkit (ORT), which was donated by HERE Technologies. ORT supports automated and customizable open source compliance checks of source code and dependencies of a project. It does this by scanning a project’s code base, downloading its sources, reporting any errors and violations against user-defined rules, and creating third-party attribution documentation.
The next is Quartermaster, which was contributed by Endocode. This project integrates into the build system to learn about the software products being built, their sources, and their dependencies. It can be run locally to verify outcomes, review problems, and produce compliance reports.
The program also includes part of the existing Linux Foundation Software Package Data Exchange (SPDX) Tools project. SPDX is an open standard for communicating software bill of materials information such as components, licenses, copyrights, and security references. The ACT program will take in the SPDX tools that help users and SPDX document producers, but not the main SPDX specification itself.
The final project in the Linux Foundation ACT program is the VMware-developed Tern inspection tool. Tern finds metadata for the packages installed in a container image, which gives it a deeper view of a container's bill of materials.
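To make concrete what "checking a bill of materials against user-defined rules" looks like, here is an added example that is not code from ACT, ORT, SPDX, or any of the projects above. It parses a small SPDX tag-value document (the PackageName, SPDXID, PackageVersion, PackageLicenseConcluded, and PackageCopyrightText tags are from the SPDX tag-value format), evaluates a simple license allowlist/denylist policy against it, and emits attribution lines for the packages that pass. The sample document, the package names, and the policy lists are constructed for the illustration and do not describe any real project.

```python
"""Added example (not ACT, ORT or SPDX project code): parse an SPDX
tag-value document and evaluate a user-defined license policy against it.
The SPDX tag names are real; the sample document, package names and the
allow/deny lists below are constructed for this illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample SPDX 2.x tag-value document (not a real project's SBOM).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-service

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.4.2
PackageLicenseConcluded: MIT
PackageCopyrightText: Copyright (c) 2018 Foo Authors

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9.0
PackageLicenseConcluded: GPL-3.0-only
PackageCopyrightText: NOASSERTION

PackageName: libbaz
SPDXID: SPDXRef-Package-libbaz
PackageVersion: 2.0.1
PackageLicenseConcluded: NOASSERTION
PackageCopyrightText: Copyright (c) 2019 Baz Inc.
"""


@dataclass
class Package:
    name: str
    spdx_id: str = ""
    version: str = ""
    license: str = "NOASSERTION"
    copyright: str = "NOASSERTION"


def parse_spdx_tag_value(text: str) -> list[Package]:
    """Return the packages declared in an SPDX tag-value document.
    A new package starts at each PackageName tag; tags that appear before
    the first PackageName belong to the document header and are skipped."""
    packages: list[Package] = []
    current: Package | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is None:
            continue  # document-level tag, not part of any package
        elif tag == "SPDXID":
            current.spdx_id = value
        elif tag == "PackageVersion":
            current.version = value
        elif tag == "PackageLicenseConcluded":
            current.license = value
        elif tag == "PackageCopyrightText":
            current.copyright = value
    return packages


# User-defined policy (constructed values), in the spirit of ORT's rule checks.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def evaluate_policy(packages: list[Package]) -> list[str]:
    """Return one violation string per package that fails the policy.
    An unresolved license (NOASSERTION) is reported as a violation rather
    than passed silently: an unknown license is not a known-good one."""
    violations = []
    for p in packages:
        if p.license in DENIED_LICENSES:
            violations.append(f"{p.name} {p.version}: denied license {p.license}")
        elif p.license == "NOASSERTION":
            violations.append(f"{p.name} {p.version}: license not determined")
        elif p.license not in ALLOWED_LICENSES:
            violations.append(f"{p.name} {p.version}: license {p.license} not on allowlist")
    return violations


def attribution_lines(packages: list[Package]) -> list[str]:
    """Build third-party attribution notices for packages that pass policy."""
    return [f"{p.name} {p.version} ({p.license}): {p.copyright}"
            for p in packages if p.license in ALLOWED_LICENSES]


if __name__ == "__main__":
    pkgs = parse_spdx_tag_value(SAMPLE_SPDX)
    for v in evaluate_policy(pkgs):
        print("VIOLATION:", v)
    print("\n".join(attribution_lines(pkgs)))
```

The design point worth carrying over to real tooling is the handling of NOASSERTION: a scanner that could not determine a license has told you nothing, so a policy check that only looks for denied identifiers will wave such packages through. Treating "undetermined" as a failure forces the gap to be resolved before the component ships.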
The ACT program release comes as the open source world has been struggling with licensing issues.
This came to a head over the past year when a number of firms changed the licensing model on some of their technology in an attempt to stop larger cloud providers from taking that technology, modifying a small amount of the code, and offering it as a service. That move ignited considerable debate within the open source community over whether those platforms were still "open."
Chris Aniszczyk, CTO and COO of the Linux Foundation-based Cloud Native Computing Foundation (CNCF), earlier this year told SDxCentral that such moves could "confuse" downstream adopters into believing these new models were still open source.
“We are cool with businesses trying to come up with new and innovative business models, but don’t call it open source,” Aniszczyk said.
Stewart noted that the ACT program is not connected to those licensing issues. “New licensing experiments like Commons Clause and others have nothing to do with interoperability of the tools used to identify all licenses throughout an organization’s software supply chain,” she explained.
UPDATE: Story updated with comments from the Linux Foundation.