Legal tech case study – Automated open source compliance provided to NIIS by HH Partners’ Double Open

HH Partners offers open source compliance automation as a service under the brand Double Open. The following study covers the case of the Nordic Institute for Interoperability Solutions (NIIS) taking Double Open into use.

Background

NIIS is a non-profit association developing open source solutions for digital government infrastructure. X-Road® and Harmony eDelivery Access are the current software products of NIIS. Both X-Road® and Harmony eDelivery Access rely on a significant number of third-party open source software (“OSS”) dependencies, as does any modern software.

NIIS requested our assistance in bringing their software license compliance up to date for an upcoming release. This was a one-shot review for both products related to a specific release only, and we included a NOTICE file which NIIS could distribute with the release. We also ensured that NIIS would be able to meet the obligations of all applicable licenses and that there would be no incompatibility between the licenses of the OSS components included in the products.

Challenge

NIIS used a compliance process at the heart of which was the constant tendering of one-shot license reviews from third parties. All NIIS products incorporate various third-party OSS components, containing dozens of direct dependencies and hundreds of transitive ones. The products use different technologies and multiple package management systems. In addition, not all dependencies are managed using package management systems but rather just included in the source code repositories.

In addition to the high cost of NIIS’ former compliance process, the risks in a release-phase review are particularly high because the audit findings can be costly in the form of late changes and delayed or even cancelled releases. NIIS needed to reform its OSS compliance processes. With finite resources to devote to compliance, the solution was to be largely automated. Improving the process also meant that NIIS would adopt best practice policies and increase the compliance competence of all employees.

Solution

After running both the X-Road® and Harmony eDelivery Access codebases through the OSS Review Toolkit (ORT), we at Double Open assessed the suitability of the codebases for continuous use of ORT. ORT is a fully open source OSS license compliance tool designed to assist with and automate the tasks typically performed during open source license compliance reviews. It does this by organizing a highly customizable toolkit that abstracts the underlying services (dependency analysis, source scanning, policy evaluation and reporting).

To create a near-automated process, Open Source Policies were needed to allow NIIS to understand and stipulate how to deal with different types of licenses. A machine-readable version of the Open Source Policies was also created to enable ORT to make independent decisions based on the Open Source Policies. We utilized Double Open’s license-classifications.yml, a public OSS license categorization database created by Double Open.
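As an added illustration of the kind of decision a machine-readable policy lets ORT make on its own (this is example code written for this page, not NIIS's configuration or Double Open's tooling; the category names, policy rules and dependency list are constructed, and the categorisation data is a hand-written excerpt in the shape of license-classifications.yml):

```python
from collections import namedtuple

# Constructed excerpt in the shape of the "categorizations" section of ORT's
# license-classifications.yml, held as a dict so this runs without a YAML library.
CLASSIFICATIONS = {
    "categorizations": [
        {"id": "MIT", "categories": ["permissive", "include-in-notice-file"]},
        {"id": "Apache-2.0", "categories": ["permissive", "include-in-notice-file"]},
        {"id": "LGPL-2.1-only", "categories": ["copyleft-limited", "include-in-notice-file"]},
        {"id": "GPL-3.0-only", "categories": ["copyleft", "include-in-notice-file"]},
    ],
}

# name, SPDX license id as a scanner would report it, scope ("compile" ships, "test" does not)
Dependency = namedtuple("Dependency", "name license_id scope")

def categories_of(license_id, classifications=CLASSIFICATIONS):
    # Policy categories of one license; empty set if it is not categorised yet.
    for entry in classifications["categorizations"]:
        if entry["id"] == license_id:
            return set(entry["categories"])
    return set()

def evaluate(deps, classifications=CLASSIFICATIONS, shipped_scopes=("compile",)):
    """Apply a constructed Open Source Policy to resolved dependencies.
    Returns (findings, notice): (severity, package, reason) tuples in
    dependency order, and sorted NOTICE file lines for shipped packages."""
    findings, notice = [], []
    for dep in deps:
        cats = categories_of(dep.license_id, classifications)
        shipped = dep.scope in shipped_scopes
        if not cats:  # unknown to the policy: a human must categorise it first
            findings.append(("ERROR", dep.name, f"uncategorised license {dep.license_id}"))
        elif shipped and "copyleft" in cats:
            findings.append(("ERROR", dep.name, f"{dep.license_id} is copyleft and is shipped"))
        elif shipped and "copyleft-limited" in cats:
            findings.append(("WARNING", dep.name, f"{dep.license_id} needs legal review"))
        if shipped and "include-in-notice-file" in cats:
            notice.append(f"{dep.name}: {dep.license_id}")
    return findings, sorted(notice)

# Constructed dependency list standing in for an ORT analyzer result.
SAMPLE_DEPS = [
    Dependency("jackson-core", "Apache-2.0", "compile"),
    Dependency("lodash", "MIT", "compile"),
    Dependency("vendor-sdk", "LicenseRef-vendor-eula", "compile"),
    Dependency("readline", "GPL-3.0-only", "compile"),
    Dependency("glib", "LGPL-2.1-only", "compile"),
    Dependency("gpl-test-tool", "GPL-3.0-only", "test"),
]
```

In the real pipeline ORT's evaluator applies rules of this shape to its own analyzer and scanner results; the point shown here is that a license the policy has never categorised blocks the release until a person files it, which is exactly the manual work the case study says remains.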

In addition to implementing ORT for the projects, we trained NIIS employees in using the toolkit. Currently, ORT runs as part of NIIS’ CI/CD pipeline, so that NIIS employees can manually trigger ORT when needed.

Petteri Kivimäki, CTO, NIIS

Experiences and benefits

ORT is initially a pretty complex toolkit, and implementing it into a CI/CD pipeline requires both technical and legal expertise. ORT’s documentation is somewhat incomplete and primarily aimed at technically more advanced readers, but after user training and initial configuration, operation of the implemented solution is straightforward. However, not everything can be fully automated; at least for the time being, the need for some manual work remains. Still, the workload at NIIS has decreased considerably compared to carrying out open source compliance in the form of third-party one-shot reviews performed non-incrementally for every release, i.e., starting from scratch each time. Scaling ORT and adding new projects after the initial configuration has not proved challenging.

After the implementation project, we concluded that NIIS’ maturity in open source compliance had increased and that, in particular, their ability to manage the compliance activities independently had improved significantly. Since we implemented ORT into NIIS’ CI/CD pipeline, NIIS has remained a continuing support customer of Double Open, which allows them to contact us on an ongoing basis in situations where they need assistance. These include technical issues related to the use of ORT, and legal matters such as the categorization of individual new licenses or reviewing specific components inside their products.

NIIS, the association

Nordic Institute for Interoperability Solutions (NIIS) is a non-profit association whose mission is to ensure the development and strategic management of X-Road® and other cross-border solutions for digital government infrastructure. The republics of Estonia, Finland and Iceland are members of NIIS.

The operating model of the Institute is something unique in the world. NIIS both serves as a network and a platform for cooperation and develops information technology for the common benefit of its members. The focus is on practical collaboration, sharing of experience and promotion of innovation.

Background on HH Partners and Double Open

HH Partners is a Helsinki-based law firm focusing on technology, intellectual property and transactions, with exceptional expertise in open technologies. Whether you need help in open source compliance, policies or guidelines, publishing your code or opening other assets, devising open source and IPR strategies, setting up an Open Source Program Office, or carrying out software-heavy transactions, HH Partners is ready to help you.

We are also excited to pilot Double Open, our new solution for automating open source compliance. Double Open leverages OSS Review Toolkit (ORT) together with the Double Open database and extensions to ORT. The solution is highly automated and can be integrated into CI/CD pipelines for continuous open source compliance. Currently, there are Double Open integrations for many web development environments, and for Yocto-based embedded Linux systems in particular. Double Open also maintains a human- and machine-readable license list made available for all.