The ITAM Review

The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

GitHub Open Source licensing tool

GitHub, the online home of over 20 million developers, have open-sourced “Licensed” – their own, internal tool for managing Open Source licenses.

What does it do?

This tool is aimed at helping developers work towards compliance with the license terms of Open Source dependencies (an external software package used in an application) within their programs.

It finds, caches and checks the license metadata of dependencies and works across multiple languages and package managers across multiple projects. Using a project called “Licensee”, it automates the reading of license files and attempts to determine the license type. This will flag up if the license appears to be:

  • Explicit copyright
  • An exact match to an existing license
  • X% similar to an existing license i.e. 95% similar to the MIT license

Licensed will store the dependency data in a source control repository, which helps make checking this data part of the development workflow. Whenever dependencies change, the license data must be updated which helps things remain compliant.

Typically, the license terms of an Open Source dependency will require that a copy of the license is distributed with future applications that contain it. Licensed helps automate this process and can also be used to create a “Bill of Materials” that enables users to see all the Open Source components used within the application.

Will it help?

A tool like this certainly looks to be useful for organisations trying to get a handle on their Open Source usage and compliance. Something that fits into the development workflow will help flag any issues as soon as possible and, with GitHub being familiar to so many developers around the world, the chances of it being adopted should be quite high.

However, perhaps that is also a flaw. Will the developer style nature of Licensed mean that ITAM departments stay away from it as they don’t understand it? If usage of this tool is left to the developers, there is an element of “who will watch the watchers?” If it can’t be managed centrally alongside existing SAM tools and as part of existing processes, perhaps organisations will be averse to adopting it?

Further Reading

Licenseehttps://github.com/benbalter/licensee

Licensedhttps://github.com/github/licensed

Licensed Documentationhttps://github.com/github/licensed/blob/master/docs/configuration.md

More Licensed infohttps://githubengineering.com/improving-your-oss-dependency-workflow-with-licensed/

Related articles:

Software-enforced obsolescence undermines Microsoft’s sustainability credentials
A quick guide to Open Source licensing
Podcast Episode 10: Doing SAM on the cheap
New UK Microsoft Licensing Training Course
Benchmark & Build ITAM Maturity by Aligning with the C-level
WannaCry? Time to dry your tears and act!

About Rich Gibbons

Rich has been in the world of IT and software licensing since 2003, having been a software sales manager for a VAR, a Microsoft licensing endorsed trainer, and now an ITAM analyst looking at software licensing and cloud.

A Northerner renowned for his shirts, Rich is a big Hip-Hop head, and loves travel, football in general (specifically MUFC), baseball, Marvel, and reading as many books as possible. Finding ways to combine all of these with ITAM & software licensing is always fun!

Connect with Rich on Twitter or LinkedIn.
View all posts

Leave a Comment