FOSSA: Open source open source license management


No one has ever become a programmer to be able to manage open source licenses. But that's what many developers have to do these days. Black Duck Software, a provider of open source logistics and legal solutions, and North Bridge found in 2015 that 66% of companies create open source software. That's great, but all of this code comes with a huge variety of licenses, each with its own set of requirements. What should a developer or a company do?

There have long been corporate programs, such as those from Black Duck Software, White Source Software, and Sonatype, that provide open source code analysis and license management. This is no small job. According to Sonatype, the average app contains 106 open source components.

Kevin Wang, CEO of FOSSA, takes a different approach. The 22-year-old founder told me at the Open Source Leadership Summit in Sonoma, Calif., "Code analysis is not enough anymore. FOSSA's approach to dependency analysis leverages both static and dynamic code analysis. Dynamic analysis allows FOSSA to see which dependencies are pulled in during builds. Static analysis complements the results with metadata about how dependencies are included to power deep intelligence features and recommendation engines. These two approaches are used to create the most precise, efficient, and intelligent infrastructure to manage your open source."

That's all well and good, but by open-sourcing its dependency analysis infrastructure, the company is taking an interesting step forward. FOSSA uses open source to automatically manage open source licenses. I like this plan.

The program supports more than 15 languages and environments. These include JavaScript, Java, Ruby, Golang, and PHP. FOSSA is now a web service, written in Go, that you import from GitHub.

FOSSA works by analyzing your project’s dependencies after your build system builds your project. This provides much more accurate dependency information than just reading the package manifest files. This is a real problem. As FOSSA points out:

  • Some build tools are not deterministic, so two builds with the same configuration may result in the use of different dependencies.
  • Many ecosystems use semantic versioning to specify dependency ranges, so running the same version at different times can result in different dependencies if a new version has been released.
  • Some build tools will execute external commands or arbitrary code that cannot be statically parsed.

So instead of trying to guess the behavior of your build system, FOSSA runs locally using your build tools to determine a list of exact dependencies used by your binary.
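The second bullet above is the one that bites most teams: a manifest that pins ranges rather than exact versions resolves to different packages, and possibly different licenses, depending on when the build runs. The following is an added illustration, not FOSSA's code and not how FOSSA's resolver works internally. It resolves a constructed manifest against two constructed registry snapshots (the package names, versions, and the relicensing of `acme-http` are all invented for the example) and shows how the resulting license inventory, and a simple license policy check, change between them. Reading the manifest alone would report neither difference.

```python
"""Resolve caret/tilde semver ranges against two constructed registry snapshots
to show how one manifest yields different dependencies (and licenses) over time.
Added example; package names, versions, and licenses below are all constructed."""
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int]
Registry = Dict[str, Dict[str, str]]  # package -> {version: SPDX license id}
Resolved = Dict[str, Tuple[str, str]]  # package -> (version, license)

# Constructed manifest: ranges, as most ecosystems declare them, not exact pins.
MANIFEST: Dict[str, str] = {"acme-http": "^1.2.0", "acme-util": "~2.3.1"}

# Constructed registry snapshot at first build time.
REGISTRY_JAN: Registry = {
    "acme-http": {"1.2.0": "MIT", "1.2.4": "MIT"},
    "acme-util": {"2.3.1": "Apache-2.0", "2.4.0": "Apache-2.0"},
}

# Constructed snapshot months later: acme-http 1.3.0 (still inside ^1.2.0)
# has been published under a different license, and acme-util got a patch release.
REGISTRY_JUN: Registry = {
    "acme-http": {"1.2.0": "MIT", "1.2.4": "MIT", "1.3.0": "AGPL-3.0-only"},
    "acme-util": {"2.3.1": "Apache-2.0", "2.3.2": "Apache-2.0", "2.4.0": "Apache-2.0"},
}


def parse_version(text: str) -> Version:
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


def range_bounds(spec: str) -> Tuple[Version, Version]:
    """Return the half-open [lower, upper) interval for an exact, ^ or ~ spec,
    following the usual npm-style caret and tilde rules."""
    if spec.startswith("^"):
        lo = parse_version(spec[1:])
        major, minor, patch = lo
        if major > 0:
            hi: Version = (major + 1, 0, 0)
        elif minor > 0:
            hi = (0, minor + 1, 0)  # ^0.x.y stays within the same minor
        else:
            hi = (0, 0, patch + 1)  # ^0.0.z matches only that patch
    elif spec.startswith("~"):
        lo = parse_version(spec[1:])
        hi = (lo[0], lo[1] + 1, 0)  # ~x.y.z allows patch updates only
    else:
        lo = parse_version(spec)
        hi = (lo[0], lo[1], lo[2] + 1)  # exact pin
    return lo, hi


def satisfies(spec: str, version_text: str) -> bool:
    lo, hi = range_bounds(spec)
    return lo <= parse_version(version_text) < hi


def resolve(manifest: Dict[str, str], registry: Registry) -> Resolved:
    """Pick the highest published version satisfying each range, as a package
    manager does at install time; the answer depends on the registry contents."""
    resolved: Resolved = {}
    for name, spec in manifest.items():
        candidates = [
            (parse_version(version), version, license_id)
            for version, license_id in registry[name].items()
            if satisfies(spec, version)
        ]
        if not candidates:
            raise LookupError(f"no published version of {name} satisfies {spec}")
        _, version, license_id = max(candidates)
        resolved[name] = (version, license_id)
    return resolved


def license_inventory(resolved: Resolved) -> List[str]:
    """Distinct licenses actually present in the resolved dependency set."""
    return sorted({license_id for _, license_id in resolved.values()})


def policy_violations(resolved: Resolved, denied: Set[str]) -> List[str]:
    """Packages whose resolved license is on the deny list."""
    return sorted(name for name, (_, license_id) in resolved.items() if license_id in denied)


if __name__ == "__main__":
    denied = {"AGPL-3.0-only"}
    for label, registry in (("January", REGISTRY_JAN), ("June", REGISTRY_JUN)):
        resolved = resolve(MANIFEST, registry)
        print(label, resolved)
        print("  licenses:", license_inventory(resolved))
        print("  policy violations:", policy_violations(resolved, denied))
```

The manifest never changes between the two runs, yet the June build pulls in a package under a license the January inventory never saw. That is why resolving against the actual build output, rather than the declared ranges, is what a license check has to examine.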

There is a real need for this. Despite the commercial tools already available, Wang said, most people still use a spreadsheet to manually track licensing requirements.

So, why the open source approach of FOSSA? Wang explained, "At the end of the day, everyone uses open source differently. Even though in many languages there are conventions and a dependency structure, you will still have many extreme cases due to the breadth of ways people share code. This is why it is essential that it is an open and collaborative project."

FOSSA itself is licensed under the Mozilla Public License 2.0. To make money with this plan, Wang explained that although the command line interface (CLI) version is free and open source, the dashboard and web support will provide the revenue needed to keep the FOSSA doors open.

I think Wang is on to something here. Open source licensing is a necessary evil, and FOSSA tackling it head-on with an open source approach may be just what it takes to bring it to fruition.
