Automating Open-Source License Compliance
03-04, 14:35–15:05 (Europe/Berlin), Stage Wintergarten

Open-source license compliance can require a lot of effort and manual work. Fortunately, most of the tasks can be automated. Would you like to know how to automate the open-source license compliance process using open-source tools?

X-Road® is open-source software and ecosystem solution that provides unified and secure data exchange between organisations. X-Road is a digital public good verified by the Digital Public Goods Alliance, and it’s released under the MIT open source license and is available free of charge. X-Road is used as a national data exchange solution in Estonia, Finland, Iceland and many other countries around the world.

X-Road utilises many third party open source libraries and components that are licensed under various open source licenses. The dependencies are managed using different package management systems depending on their implementation technologies, e.g., Gradle / Java, NPM / Javascript. Overall, the number of direct dependencies is counted in tens and the number of transitive dependencies is counted in hundreds.

The main challenges regarding the open source license compliance are how to meet the requirements of the licenses of different 3rd party components and how to know that they're not conflicting with the main license? Until 2021 the legal qualities of the X-Road’s software packages were validated approximately once year using a project based approach that required a lot of manual work. In summer 2021, the open source compliance was automated to the largest effective extent by taking into use Open Source Review Toolkit (ORT) and integrating it into the development process and CI/CD pipelines.

In my talk, I'm going to give an overview of X-Road first. Then, I'm going to discuss the open source compliance automation project, its different phases and deliverables. The main scope of the presentation is to discuss the benefits of open source compliance automation and what should be taken consideration in the process.

See also: Slides (4.5 MB)

Petteri Kivimäki is the CTO of the Nordic Institute for Interoperability Solutions (NIIS). NIIS is a non-profit association with the mission to ensure the development and strategic management of X-Road® and other cross-border components for digital government infrastructure. The republics of Estonia, Finland and Iceland are members of NIIS.

Before joining the NIIS, Petteri worked as a technology architect in a leading global professional services company. From 2014 to 2017 Petteri worked at the Population Register Centre of Finland as an information systems manager. He was the technical lead of X-Road implementation project in Finland and was coordinating the joint open source development of the X-Road solution between Finland and Estonia.

Petteri holds a Bachelor of Science in Software Engineering from the Metropolia University of Applied Sciences, Finland. Also, Petteri is a certified cloud and technology architect.