The Open Source Compliance artifact knowledge engine

OSCake, the Open Source Compliance artifact knowledge engine, is a component that is embedded in open source compliance toolchains. It takes the open source compliance artifacts compiled by other open-source scan tools and, based on the license knowledge represented in OSCake, creates the one open-source compliance file that, if bundled with the respective collection of programs and components, allows us to distribute this collection compliantly.

In general, existing scan tools follow the Principle of Overfulfillment: they also gather for all other packages what only the one license requires. So they create 'overcomplete' collections of Open Source compliance artifacts. In the end, the distributors add them to their package collections in the hope that the really required artifacts are somewhere in the set of compliance artifacts, regardless of what else might be in it. This is a problematic strategy:

  • On the one hand, the distributors are also responsible for incorrectly created compliance artifacts, even if these artifacts are not required by the really relevant license and should not have been supplied with it.
  • On the other hand, the surplus compliance artifacts could overwrite or lever out the artifacts which are really necessary.

The Open Source Compliance artifact knowledge engine follows the Principle of a Context-Sensitive License Fulfillment: it compiles only the compliance artifacts that are required by the relevant licenses. To do so, it uses the knowledge about Open Source license requirements that is inherently embedded into the respective Domain Specific Language.

OSCake is developed by Deutsche Telekom as part of the initiative Test Driven Open Source Compliance Artifacts, which DT has started under the umbrella of the Open Chain project of the Linux Foundation. Technically, the work is hosted and driven by the Open Source Reference Tooling Work Group. Thus, OSCake is distributed under the terms of the Eclipse Public License 2.0. As an employee of DTAG and as a member of its Open Source Program Office (= Telekom Open Source Committees) I have the honor to take part in the development of OSCake at a central point.
