With very few exceptions, IT in Canada does not accept contributed content – articles written by third parties (generally, product vendors or consultants) and submitted to our print or online editors for publication. Once in a while, though, we get content that goes beyond the usual promotional nature of these submissions.
I got one such article yesterday, written by Mahshad Koohgoli, CEO of Kanata-based open source license management vendor Protecode (www.protecode.com) – and while I don’t want to deviate from our no-contributed-articles policy, I thought it would be fair to post the central elements of Koohgoli’s piece to the software forum.
Koohgoli believes that because today’s software combines open source, commercial and other third-party code, as well as contributions from a company’s own developers and from outsourced developers, it is important to set up a process for tracking and managing code provenance. He offers an eight-step process for open source software adoption, consisting of the following steps:
- Establish a Software Licensing Policy - addressing questions such as which license terms are acceptable and unacceptable, which vendors are approved, and which software products or packages are authorized for use. The policy also defines the procedure for pre-approval of packages, for auditing software at different stages of development, and what to do once a policy violation is detected. Capturing the licensing policy digitally allows it to be linked with the automated license management tools used in the other steps of the adoption process.
- Software Package Pre-Approval - this defines and implements the procedures that determine which software packages are approved in an organization.
- Existing Portfolio Assessment - an audit of the existing portfolio, establishing a baseline of what already exists in the organization.
- Incoming Third-Party Software Assessment - a software licensing audit of any package that is brought into the organization, for example by outsourcers or contractors to the company.
- Regular Software Assessment - regular software audits are best carried out at pre-determined intervals. An automated tool, linked to the licensing policies and the pre-approved package database, is invaluable here. Intelligent tools can detect the “new” software compared to the software that was previously analyzed, so the scanning process can be carried out very quickly, since the content delta between scans is typically small.
- Real-Time Library Check-in Assessment - library check-in assessment provides near-real-time visibility of the content that could find its way into a company’s products. Any deviation from established organizational policies that is detected and remedied at this stage reduces the time and cost of remedial action further down the road.
- Real-Time Assessment by Automated Developer Assistants - ensure licensing compliance right at the developer workstation. During the course of development, a developer may access content from a web site, download a whole package from an open source forge, or bring in content already obtained on a storage medium (such as a USB stick). Koohgoli notes that real-time, developer-level assessment is only feasible if it is done automatically and carried out in the background without disrupting development.
- Pre-shipment Software Assessment - compile a full understanding of the content and obligations associated with the product before it is released to the market.
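To make the digitized-policy idea from the first step and the delta scan from the regular-assessment step concrete, here is an added example in Python. It is not Koohgoli’s or Protecode’s code; the policy structure, the `Component` record, and the package names and digests are all constructed for illustration.

```python
# Added example (not from the article or Protecode): a minimal digitized
# licensing policy applied to a constructed dependency inventory, with the
# "delta" scan the article describes for regular assessments.
from dataclasses import dataclass

# Hypothetical policy capturing the licensing-policy step: acceptable and
# unacceptable license terms plus pre-approved (package, license) exceptions.
POLICY = {
    "allowed_licenses": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "pre_approved": {("zlib", "zlib")},
}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str  # SPDX identifier as declared in the inventory
    digest: str   # constructed content hash used to spot "new" content

def assess(component, policy):
    """Return a finding string, or None if the component complies."""
    tag = f"{component.name}@{component.version}: license {component.license}"
    if (component.name, component.license) in policy["pre_approved"]:
        return None
    if component.license in policy["denied_licenses"]:
        return f"{tag} is denied"
    if component.license not in policy["allowed_licenses"]:
        return f"{tag} needs pre-approval"
    return None

def delta(previous, current):
    """Components whose content changed or first appeared since the last scan."""
    seen = {(c.name, c.digest) for c in previous}
    return [c for c in current if (c.name, c.digest) not in seen]

def regular_assessment(previous, current, policy):
    """Scan only the delta between two scans and report policy violations."""
    return [f for c in delta(previous, current) if (f := assess(c, policy))]

# Constructed inventories: the baseline scan and a later scan.
BASELINE = [Component("zlib", "1.2.11", "zlib", "a1"),
            Component("httpkit", "2.25.0", "Apache-2.0", "b2")]
LATER = [Component("zlib", "1.2.11", "zlib", "a1"),            # unchanged: skipped
         Component("httpkit", "2.26.0", "Apache-2.0", "b3"),   # changed, compliant
         Component("libalpha", "8.1", "GPL-3.0-only", "c4"),   # new, denied
         Component("libbeta", "1.0", "Unlicense", "d5")]       # new, needs approval

if __name__ == "__main__":
    print("\n".join(regular_assessment(BASELINE, LATER, POLICY)))
```

Only the three components that are new or changed since the baseline are assessed, and the two that fall outside the policy are reported.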