@@ -225,49 +225,49 @@ presence of GPL'd components becomes challenging.
Such a situation often requires use of a tool to ``catch up'' your knowledge
about what software your product includes. Most commonly, companies choose
some software licensing scanning tool to inspect the codebase. However,
there are few tools that are themselves Free Software. Thus, GPL enforcers
usually recommend the GPL'd
\href{http://fossology.org/}{Fossology system}, which analyzes a
source code base and produces a list of Free Software licenses that may apply to
the code. Fossology can help you build a catalog of the sources you have
already used to build your product. You can then expand that into a more
structured inventory and process.
\section{Track Your Changes and Releases}
As explained in further detail below, the most important component of GPL
compliance is the one most often ignored: proper inclusion of CCS in all
distributions of GPL'd
software. To comply with GPL's CCS requirements, the distributor
\textit{must} always know precisely what sources generated a given binary
distribution.
In an unfortunately large number of our enforcement cases, the violating
company's engineering team had difficulty reconstructing the CCS
for binaries distributed by the company. Here are three simple rules to
follow to decrease the likelihood of this occurance:
follow to decrease the likelihood of this occurrence:
\begin{itemize}
\item Ensure that your
developers are using revision control systems properly.
\item Have developers mark or ``tag'' the full source tree corresponding to
builds distributed to customers
\item Check that your developers store all parts of the software
development in the revision control system, including {\sc readme}s, build
scripts, engineers' notes, and documentation.
\end{itemize}
Your developers will benefit anyway from these rules. Developers will be
happier in their jobs if their tools already track the precise version of
source that corresponds to any deployed binary.
\section{Avoid the ``Build Guru''}
Too many software projects rely on only one or a very few team members who
know how to build and assemble the final released product. Such knowledge
centralization not only creates engineering redundancy issues, but also
thwarts GPL compliance. Specifically, CCS does not just require source code,
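Review bot: The second \item of the list that the corrected sentence introduces ("builds distributed to customers") ends without a period, while the first and third items end with one; since this change already touches the sentence leading into that list, add the missing period in the same commit. The replacement spelling "occurrence" is correct. The third item's {\sc readme}s uses the old \sc font switch, so a follow-up could change it to \textsc{readme}s, but that is a style point and need not block this fix.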