OSCake, the Open Source Compliance artifact knowledge engine, compiles open source compliance artifacts. Embedded in open-source compliance toolchains, it takes the output of open-source scan tools and, based on the license knowledge represented in it, computes the compliance artifacts that are actually required. Finally, it gathers them in a single open-source compliance file that, if bundled with the respective collection of programs and components, allows us to distribute this collection compliantly.
In general, existing scan tools follow the Principle of Overfulfillment: what a specific license requires for a specific component, they also gather for all other packages. So they create ‘overcomplete’ collections of Open Source compliance artifacts. Distributors often add these collections to their products, hoping that the really required artifacts are somewhere in the collection, regardless of what else might be in it. This is a problematic strategy:
- On the one hand, the distributors must take responsibility for incorrectly created compliance artifacts even if the respective licenses do not oblige them to create or supply them.
- On the other hand, the surplus compliance artifacts could overwrite or undermine the artifacts that are really necessary.
The Open Source Compliance artifact knowledge engine follows the Principle of a Context-Sensitive License Fulfillment. It compiles only the compliance artifacts required by the relevant licenses. To do so, it uses Open Source license knowledge inherently embedded into the respective Domain Specific Language.
OSCake is developed by Deutsche Telekom as part of the initiative Test Driven Open Source Compliance Artifacts, which DT has started under the umbrella of the OpenChain project of the Linux Foundation. Technically, the Open Source Reference Tooling Work Group hosts the respective code. Thus, OSCake is distributed under the terms of the Eclipse Public License 2.0. As an employee of DTAG and as a member of its Open Source Program Office (= Telekom Open Source Committees), I have the honor to take part in the development of OSCake at a central point.
And in what way is this …
… part of the overarching topic FOSS Compliance? To fulfill the requirements of FOSS licenses, we have to consider specific individual cases as well as side effects, for software, pictures, or documents. We should uncover trends and write guidelines. Above all, however, we must drive forward the automation of license fulfillment, make our licensing knowledge freely available, cast it into smaller tools, and bring it into larger systems, because FOSS thrives on freedom through license fulfillment, large and small. That is also what this article is about.
- OSCake Repository: https://www.github.com/Open-Source-Compliance/OSCake
- Open Chain Reference Tooling Work Group homepage: http://oss-compliance-tooling.org/
- OpenChain homepage: https://www.openchainproject.org/
- Test-Driven Open Source Compliance Initiative: https://github.com/Open-Source-Compliance/tdosca