This is a curated collection of open source compliance related resources maintained by Validos r.y., an association established to help its members share open source compliance related work and information. For more information on Validos, please see the Validos main site.
This list is maintained in a GitHub repo and is open to contributions from members and non-members alike. If you have a high-quality resource in mind that is missing from the list, feel free to drop us an email (team at validos dot org) - or just create a pull request!
Introductory and Training Resources
- OpenChain Curriculum - Training reference slides on open source compliance basics.
- Compliance Basics for Developers - Online course by the Linux Foundation.
Guides and Tutorials
- Open Source Compliance in the Enterprise (press release, download page) by Ibrahim Haddad, published by the Linux Foundation. A guide for enterprises for establishing an open source management program and other best practices.
- Practical GPL Compliance (blog post, PDF), a guide by Armijn Hemel and Shane Coughlan, published by the Linux Foundation. A hands-on resource for businesses and engineers tackling GPL compliance. The guide includes instructions, checklists and flowcharts for setting up compliance measures to meet GPL requirements, such as including proper notices and making the source code available in “complete and corresponding” form.
- Reuse.software by FSF Europe. FSFE’s take on developer best practices for expressing license and copyright information in FOSS projects.
- Copyleft and the GNU General Public License: A Comprehensive Tutorial and Guide by Bradley M. Kuhn et al. An extensive commentary on GPL licenses by authors close to the Free Software Foundation and Software Freedom Law Center.
Example Policies
- Google’s Internal Open Source Documentation (redacted public version). Includes documentation of Google’s policies and processes for using and releasing OSS and running open source community programs.
FAQs and Other Commentary
- Frequently Asked Questions about the GNU Licenses (GPL FAQ) by the Free Software Foundation. Includes the FSF’s interpretations of various GPL-related questions, such as the scope of the GPL copyleft effect, static vs. dynamic linking, providing corresponding sources, mutual compatibility of the GNU licenses, etc.
- Various Licenses and Comments about Them by the Free Software Foundation. Includes the FSF’s comments on various OSS licenses, particularly regarding which licenses they consider compatible with the GNU licenses.
Books
- Open Source Licensing by Lawrence E. Rosen. Prentice Hall 2005. (Available online)
- Understanding Open Source & Free Software Licensing by Andrew M. St. Laurent. O’Reilly 2004. (Available online)
Journals
- International Free and Open Source Software Law Review (IFOSS L. Rev) - A collaborative legal publication aiming to increase knowledge and understanding among lawyers about issues around Free and Open Source Software. Topics covered include copyright, license implementation, license interpretation, software patents, open standards, case law and statutory changes.
Standards
- Open Source Definition by the Open Source Initiative
- OSI-approved Licenses - licenses that comply with the Open Source Definition
- Software Package Data Exchange (SPDX) specification - a standard format for communicating the components, licenses and copyrights associated with software packages
Compliance Tools
- Open source
  - FOSSology - An OSS compliance software system and toolkit. As a toolkit, it lets you run license, copyright and export control scans from the command line. A database and a web UI are provided for a compliance workflow.
  - Eclipse SW360 - A software component catalogue application designed to work with FOSSology.
  - Scancode Toolkit - Open-sourced tools for OSS license discovery, provenance documentation and component tracing.
  - OSS Review Toolkit (ORT) - A suite of tools to assist with reviewing open source software dependencies.
  - SPDX tools - Various tools to help users and producers of SPDX documents.
  - jslicense - Software licensing and compliance tools for the npm ecosystem. Check out e.g. licensee.js, which enables you to check the package.json license information of project dependencies against SPDX-based rules. For CI purposes, the rules can also be enforced via passing/failing tests.
- Commercial
  - Black Duck - Products for open source license, security and management.
  - FlexNet Code Insight (formerly Palamida) - OSS license compliance and vulnerability risk management product.
  - DejaCode - Open source and third-party software component management.
  - Fossa.io - Toolkit for automated dependency tracking, license compliance and attribution notices.
  - git.legal - Automated project code scanning, configurable license policies.