Responsible open source usage: Building a trusted supply chain with OpenChain

Free and Open Source Software (FOSS) is the licensed software that grants rights for anyone to freely access, use, change and share software for any purpose. Developed through open collaboration and transparency, FOSS has become a driving force for industry innovation and alignment. This licensing and development model has fundamentally changed how software products are developed. By sharing the development cost of a big part of the products codebase, companies can focus more on innovation and operate more effectively.

At Nokia, we have a long history of using open source in our products, and we have always done so responsibly. A testament to our consistent responsible use of open source is our recent adoption of OpenChain Open Source License Compliance specification ISO/IEC 5230:2020. This specification, which has been an ISO standard for open source compliance since 2020, is designed to assist organizations in managing and demonstrating effective adherence to open source software licenses.

Here compliance refers to adhering to the legal and licensing requirements associated with the use, modification and distribution of open source software. This includes understanding and following the rights and obligations of various licenses, such as providing attribution, including license texts, and ensuring that derivative works also comply with their respective licenses. Compliance is an integral part of every organization that aims to be a good “open source citizen” while leveraging open source. It ensures that legal risks are avoided and promotes the responsible use of open source software.

We take this seriously at Nokia. We established our open source compliance program 20 years ago and for the past decade, we've had a dedicated Open Source Program Office focused on managing and supporting the strategic use of open source software across the company. At Nokia, we are proud of our compliance program, and we believe it is exemplary in the industry. Our recent self-certification demonstrates and proves that the compliance program we have developed over the past two decades is comprehensive and complete.

In these 20 years, open source itself has changed significantly. It has grown from a software development approach that was a little more than a curiosity to an integrated and valued part of modern product development. Together with the software itself, open source compliance has become a key part of product development at Nokia and more recently in the whole industry.

In companies like ours, the virtuous circle of innovation is important as it ensures that we can protect our innovative ideas, while sharing them openly with others. To ensure that patent licensing allows us to continuously invest in future technologies we need a high quality and robust Intellectual Property management to maintain an effective open source compliance program. We need to make sure that we successfully market our products and boost our R&D, while protecting our inventions.

The rapid dissemination of open source use makes it imperative for the entire supply chain to guarantee that their customers and partners have in place qualitative compliance programs. In addition, over time the compliance requirements have evolved, and have clearly become more complex. Open source compliance is neither static, nor a simple matter. The scale that Nokia is using open source makes this even more challenging. We recently discussed this topic at the Open Source Summit Europe 2024 and we will also explain later this week at the Linux Foundation Open Compliance Summit.

During a keynote at the Open Compliance Summit 2024 in Tokyo, we have the opportunity to share with the open source community as well as different stakeholders from legal departments, what the lessons learned were during the process of conforming to this ISO standard and how different open source initiatives, and especially the OpenChain Project, are constantly supporting the industry players in their endeavors.

The OpenChain Open Source License Compliance standard provides a comprehensive framework for Nokia to assess that our compliance program does the things it needs to do the right way. It enables our customers and partners to ensure that we respect various licenses, so that they can confidently collaborate with us knowing their legal requirements are met. We hope that our example inspires others to do the same.