Trust is key to open source. Developers should be able to trust users to respect their licensing choices. And when you receive software, you should be able to trust that the open source licenses were followed. The OpenChain Project plays an important role in building trust by setting standards that define how to operate a high-quality open source compliance program. It means that when you receive open source from a company that follows the OpenChain standard, you can be assured that the code went through a rigorous license compliance process. You can trust it.
At Microsoft we’re continually working with the community to help build and enhance trust in open source. When we first started working with OpenChain, our goal was to help develop a specification that could meet the compliance needs of the entire open source community – from the single developer to the largest enterprise. And today we’re happy to announce that Microsoft is now OpenChain 2.0 conformant.
So why does this matter? When companies, especially large enterprises, purchase software, they need to know what open source is included in the product so they can be sure to meet their compliance obligations. As supply chains grow, each link in the chain must meet its open source obligations – a weak link means you can’t trust the code.
And if you can’t trust that the code in your supply chain meets its open source obligations, you can’t easily use it. You need to verify it yourself. That requires money and time. It imposes friction. Sometimes it means that companies resist accepting open source. Other times it means that open source purveyors need to navigate the difficult and often conflicting open source compliance requirements of various enterprise customers.
OpenChain aims to remove that friction by establishing a standard for what it takes to create and operate a high-quality open source program.
Just like an individual car buyer should not have to inspect the factory floor to make sure their car was made to be safe, a user of software should not have to inspect how the software was made to make sure it meets its open source obligations. Working with OpenChain compliant individuals and enterprises, enterprises can now consume open source software solutions knowing that the provider has programs and processes in place to make sure the software is compliant.
So how has Microsoft implemented OpenChain? A few short years ago we used only a small handful of open source components. Today, it’s not uncommon that Microsoft uses over 150,000 open source components per month. We do this responsibly via a strong partnership between our legal and engineering teams. We’ve developed industry-leading tooling, policies, and automations. We participate in ClearlyDefined, an open source project working to help all open source developers clearly define and state their license so that users can comply with them. We have clear roles around our open source programs office, legal open source efforts, open source engineering, and support. We work actively to make sure our engineers are aware of our open source policies and know where to go internally and externally. And we work to make sure that source code is available for open source software that we ship with source-availability requirements.
All of this and many more activities are part of our OpenChain conformance. We do this because it’s the right thing to do. We do it so our customers trust the software they receive from Microsoft. And we do this with OpenChain to build trust across the larger ecosystem. Together, we hope to drive open source adoption and make using open source easier for everyone.
Questions or feedback? Please let us know in the comments below.