The Open Source Compliance artifact knowledge engine
OSCake, the Open Source Compliance artifact knowledge engine is a component that – embedded in open source compliance toolchains – takes open source compliance artifacts compiled by other open-source scan tools and creates – based on the license knowledge represented in OSCake – the one open-source compliance file that – if bundled with the respective collection of programs and components – allows us to distribute this collection compliantly.
In general existing scan tools follow the Principle of Overfulfillment: They gather also in all other packages what only the one license requires. So, they create ‘overcomplete’ collections of Open Source compliance artifacts. In the end, the distributors add them to their package collections in the hope that the really required artifacts are somewhere in the set of compliance artifacts – regardless of what else might be in it. This is a problematic strategy:
- On the one hand, the distributors are also responsible also for incorrectly created compliance artifacts even if these artifacts are not required by the really relevant license and should not have supplied with it
- On the other hand, the surplus compliance artifacts could overwrite or lever out the artifacts which are really necessary.
The Open Source Compliance artifact knowledge engine follows the Principle of a Context-Sensitive License Fulfillment: It compiles only the compliance artifacts that are required by the relevant licenses. For doing so, it uses the knowledge about Open Source license requirements that is inherently embedded into the respective Domain Specific Language.
OSCake is developed by Deutsche Telekom – as part of the initiative Test Driven Open Source Compliance Artifacts, that DT has started under the umbrella of the Open Chain-project of the Linux Foundation. Technically the work is hosted and driven by the Open Source Reference Tooling Work Group. Thus, OSCake is distributed under the terms of the Eclipse Public License 2.0. As an employee of DTAG and as a member of its Open Source Program Office (= Telekom Open Source Committees ) I have the honor to take part in the development of OSCake at a central point.
OSCake Links
- OSCake Repository: https://www.github.com/Open-Source-Compliance/OSCake
- OSCake Homepage: http://www.oscake.de/
- Open Chain Reference Tooling Work Group homepage: http://oss-compliance-tooling.org/
- OpenChain homepage: https://www.openchainproject.org/
- Test-Driven Open Source Compliance Initiative: https://github.com/Open-Source-Compliance/tdosca