Good cannot exist without evil. Giving cannot exist without ownership. Copyright cannot exist without attribution. Ok, maybe that last one is a stretch, but it makes a point. If copyright is saying “this is mine,” and a license is saying “here is how you can use it,” then attribution is saying “yes, I am using it.” If attribution is done right, it is akin to saying “thank you,” except that the licenses usually require you to say it. But, just as saying “thank you” is a basic requirement of good manners, attribution is often the minimum requirement for being a polite and courteous citizen of the open source world.
So, saying “thanks” is easy… right? Well, sure, if it's a habit. It is not difficult to give thanks if you are aware of the situations that require it. However, if you have ever watched someone give an award acceptance speech in which they are supposed to acknowledge all the other folks who helped them succeed, you can see how easy it is to get wrong. Which individuals or groups do they thank? Do they remember everyone who contributed, especially those whose contributions were a while back? Who will be genuinely hurt (and possibly stop working with them) if they are not thanked? And, even if they remember everyone when writing the speech and have the best intentions, will they actually deliver it that way, or blow it and look like a jerk?
This analogy applies directly to the open source attribution process. An application, when released, can contain hundreds of open source components, and those components may require many copyright holders to be acknowledged. If you try to assemble all of this at the end, it is easy to end up with incomplete information. Someone will be forgotten. And, rather than simply being impolite, you will be infringing a license and failing to respect someone's intellectual property rights. If that copyright holder is hurt enough, they can even raise a claim against you. In fact, some of the recent copyright troll activity in Europe has focused on improper attribution, among other issues.
Systematic Attribution Compliance
The best way to handle open source attribution, along with all the other obligations of open source licenses, is to make compliance systemic in your processes. At Black Duck, we call this “built-in compliance.” In Hub v3.4, we have enhanced the product to make it easier for development managers (or whoever is responsible for open source software compliance) to produce proper attribution documentation based on the open source in their code base, so engineering groups can do it as they go along. When they introduce new open source, they can easily review it, examine the Black Duck-provided information required for attribution (primarily license text) and edit that information if desired. At release time, customers can use this information to generate attribution reports in multiple formats for the notices files, readmes or web page lists of open source acknowledgements that they include with their products. Here's what the dialog box to create a report looks like, and a sample report.
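As an added example of what a “built-in” attribution record looks like in code (this is not Black Duck Hub's code, and the record format, field names and sample manifest below are assumptions constructed for illustration), the script stores a license identifier, the copyright holders and the license text for each component, flags records that are missing any of them at the point a component is introduced, and at release time refuses to generate the notice file until the gaps are filled. The same records are rendered as a plain-text NOTICE file and as Markdown for a readme or web page.

```python
"""Attribution notice generator: an added example, not Black Duck Hub code.

Assumes each open source component is recorded, as it is introduced, with a
license identifier, its copyright holders and the license text. The record
format, field names and the sample manifest are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Component:
    name: str
    version: str
    license_id: str                      # e.g. an SPDX identifier (assumed convention)
    copyright_holders: List[str] = field(default_factory=list)
    license_text: str = ""               # full license text to reproduce in the notice


# Constructed sample manifest; component names, holders and texts are placeholders.
SAMPLE_MANIFEST: List[Component] = [
    Component("libfoo", "1.2.0", "MIT", ["Jane Doe"],
              "Permission is hereby granted, free of charge, ..."),
    Component("barlib", "0.9.1", "BSD-2-Clause", ["Example Corp", "John Smith"],
              "Redistribution and use in source and binary forms, ..."),
    Component("bazjs", "3.0.0", "Apache-2.0", [],            # no copyright holders recorded
              "Licensed under the Apache License, Version 2.0 ..."),
    Component("quxlib", "2.1.0", "MIT", ["Alice Roe"], ""),  # license text never captured
]


def find_gaps(components: Iterable[Component]) -> Dict[str, List[str]]:
    """Return {"name@version": [missing fields]} for every incomplete record.

    Run this when a component is added, not only at release time, so the gap
    is caught while the person who introduced the component still remembers it.
    """
    gaps: Dict[str, List[str]] = {}
    for c in components:
        missing = []
        if not c.license_id.strip():
            missing.append("license_id")
        if not c.copyright_holders:
            missing.append("copyright_holders")
        if not c.license_text.strip():
            missing.append("license_text")
        if missing:
            gaps[f"{c.name}@{c.version}"] = missing
    return gaps


def _sorted(components: Iterable[Component]) -> List[Component]:
    return sorted(components, key=lambda c: (c.name.lower(), c.version))


def render_text(components: Iterable[Component]) -> str:
    """Plain-text NOTICE file: one block per component, license text indented."""
    out = ["THIRD-PARTY NOTICES", "=" * 19, ""]
    for c in _sorted(components):
        out.append(f"{c.name} {c.version} -- {c.license_id}")
        out.extend(f"Copyright (c) {h}" for h in c.copyright_holders)
        out.append("")
        out.extend(("    " + line) if line else "" for line in c.license_text.splitlines())
        out.append("")
    return "\n".join(out)


def render_markdown(components: Iterable[Component]) -> str:
    """Markdown variant for a readme or web page; license text as an indented block."""
    out = ["# Third-Party Notices", ""]
    for c in _sorted(components):
        out.append(f"## {c.name} {c.version} ({c.license_id})")
        out.append("")
        out.extend(f"- Copyright (c) {h}" for h in c.copyright_holders)
        out.append("")
        out.extend(("    " + line) if line else "" for line in c.license_text.splitlines())
        out.append("")
    return "\n".join(out)


RENDERERS = {"text": render_text, "markdown": render_markdown}


def build_notices(components: List[Component], fmt: str = "text") -> str:
    """Release-time gate: refuse to emit a notice file from incomplete records."""
    gaps = find_gaps(components)
    if gaps:
        detail = "; ".join(f"{k}: missing {', '.join(v)}" for k, v in sorted(gaps.items()))
        raise ValueError(f"attribution incomplete: {detail}")
    return RENDERERS[fmt](components)


if __name__ == "__main__":
    try:
        build_notices(SAMPLE_MANIFEST, "text")       # fails: two records are incomplete
    except ValueError as err:
        print(err)
    gaps = find_gaps(SAMPLE_MANIFEST)
    complete = [c for c in SAMPLE_MANIFEST if f"{c.name}@{c.version}" not in gaps]
    print(build_notices(complete, "markdown"))
```

Wiring `find_gaps` into the check that runs when a dependency is added, and `build_notices` into the release build, is what turns attribution from an end-of-project scramble into something the build itself enforces: a missing license text or copyright holder fails the build instead of being discovered after shipping.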
For existing Hub customers who want to know more, we have created a training course on open source software attribution on our Black Duck Academy training site. Please check it out. If you are not a Hub customer and want to learn more about how the Hub can help with open source attribution, please contact us.
As always, we are considering additional features to help customers manage the open source attribution process, and will be rolling those out in future releases. We welcome your feedback, so if there are additional things you would like to see, please let me know. And stay tuned for future developments.