Please help our OpenChain work move forward by contributing high-level answers to the following questions. These answers will guide our collaboration to focus on shared OpenChain problems, starting from where we are and moving forward. Please do not worry overly about the style of your answers, our greatest need is to gather input relating to the gaps to close and desired achievable tangible goals.

Please feel free to add to what others posted, using this as a collaborative space for collective information.

• Contract Terms, applied as-needed:
  • Specify acceptable licensing
    • this varies by situation/use
    • approaches ranging from conservative to more realistic:
    • - representation that no open source is included
    • - disclosure (above) plus certain excluded open source
    • - disclosure of what open source is included
    • - usually missing is the request, form and timing of license information
  • Request a list of license information, as a deliverable
    • this might also be addressed less formally
    • also more typically is entirely absent
• Know the supplier
  • Case-by-case scanning of source code for licenses
  • Reputation/relationship

• Improved license information deliverables
  • Easily processed to confirm compatibility:
    • mutually-compatible, as a set
    • policy-compatible, suitable to the business/project goals
• Trust the upstream chain
  • Minimize the need for [redundant] license scanning/review
  • Accepted industry practices
  • Accepted baseline knowledge
  • Adherence to source code availability requirements
• Less critical: upstream contributions