Legal Tech Case Study – Automated open source compliance provided to NIIS by HH Partners’ Double Open

Picture: Unsplash / Joshua Woroniecki

Picture: Unsplash / Joshua Woroniecki

HH Partners offers open-source compliance automation as a service under the brand Double Open.  The following study is about the case of Nordic Institute of Interoperability Solutions (NIIS) taking Double Open into use.

Double Open logo

Background

NIIS is a non-profit association that develops open-source solutions for digital government infrastructure. X-Road® and Harmony eDelivery Access software are the current products of NIIS. Both X-Road® and Harmony eDelivery Access rely on a significant number of third-party open-source (“OS”) dependencies as any modern software does.

NIIS requested our assistance in bringing their software license compliance up to date for an upcoming release. This was a one-shot review for both products for a specific release only, and we included a NOTICE file that NIIS could distribute with the release. We also ensured that NIIS would be able to meet the obligations of all licences and that there would be no incompatibility between the licenses inside the products.

Challenge

NIIS used a compliance process, at the heart of which was the constant tendering process of one-shot license reviews from third parties. In addition, all NIIS products contain multiple third-party OS components, containing dozens of dependencies and hundreds of transitive dependencies. The products use different technologies and multiple package management systems. In addition, not all dependencies are managed using package management systems, but some dependencies are included in the source repositories.

In addition to the high cost of the compliance process formerly used by NIIS, the risk of a release-phase review is particularly high because the audit findings can be costly in the form of late changes and delayed releases or even cancelled releases. NIIS needed to reform its OS compliance processes. With finite resources to devote to compliance, the solution should be largely automated. Improving the process would also mean that NIIS must establish best practice policies and increase compliance competence for all employees.

 

Solution

After running both the X-Road® and Harmony eDelivery Access codebases through the OSS Review Toolkit (“ORT”), we at Double Open assessed the suitability of the codebase for the implementation of continuous use of ORT. ORT is a fully open-source OS license compliance tool designed to assist with tasks typically performed during OS license compliance reviews. It does this by organising a highly customisable toolkit that abstracts the underlying services.

To create a near-automated process, OS Policies were needed to allow NIIS to understand and stipulate how to deal with different types of licenses. A machine-readable version of the OS Policies was also created to enable ORT to make independent decisions based on the OS Policies. We utilised Double Open’s license-classifications.yml, a public OS license categorisation database created by Double Open.

In addition to implementing ORT for the projects, we trained NIIS employees on using ORT. Currently, ORT runs as part of the NIIS CI/CD pipeline so that NIIS employees can manually trigger ORT when needed.

Petteri Kivimäki, CTO, NIIS

Petteri Kivimäki, CTO, NIIS

Experiences and benefits

ORT is initially a pretty complex toolkit and implementing it into a CI/CD pipeline requires technical and legal expertise. ORT’s documentation is somewhat incomplete and aimed at technical people, but after user training and initial configuration, the operation is straightforward. However, nothing is fully automated, at least for the time being, and manual work is still required. Still, the workload at NIIS has decreased considerably compared to doing OS license compliance as third-party one-shot reviews for every release from scratch. Scaling ORT and adding new projects after the initial configuration is not challenging.

After the implementation project, we conclude that NIIS’ OS compliance maturity has increased, and the ability to manage OS compliance independently has improved significantly. Once we had implemented ORT into NIIS’ CI/CD pipeline, NIIS remained an ongoing support customer for Double Open, allowing NIIS to contact us on an ongoing basis in situations where they need assistance. These include technical issues related to the use of ORT and legal matters such as the categorisation of individual new licenses or reviewing specific components inside their products.

Background on NIIS, the association

Nordic Institute for Interoperability Solutions (NIIS) is a non-profit association with the mission to ensure the development and strategic management of X-Road® and other cross-border solutions for digital government infrastructure. The republics of Estonia, Finland and Iceland are members of NIIS.

NIIS is both a network and cooperation platform and executioner of IT developments in members’ common interests. The institute focuses on practical collaboration, sharing of experience and promoting innovation. The operating model of the institute is something unique in the world.

Background on HH Partners and Double Open

HH Partners is a Helsinki-based law firm focusing on technology, intellectual property and transactions, with exceptional expertise in open technologies. Whether you need help in open-source compliance, policies or guidelines, publishing your code or opening other asset, devising open-source and IPR strategies, setting up an Open Source Program Office, or carrying out software-heavy transactions, HH Partners can help you.

HH Partners is also excited to pilot Double Open, our new solution for automating open source compliance. Double Open leverages OSS Review Toolkit (ORT) and the Double Open database and extensions to ORT. The solution is highly automated and can be integrated into CI/CD chains for continuous open-source compliance. Currently Double Open integrations have been made to many web-development environments and Yocto embedded Linux environments. Double Open also maintains a human and machine readable license list that is available for all.