G3: Review and Approve FOSS Content

3.1 A process exists for creating and managing a FOSS component bill of materials which includes each component (and its Identified Licenses) in a Supplied Software release.

Verification Artifact(s):

☐ 3.1.1 A documented procedure exists for identifying, tracking and archiving information about the collection of FOSS components from which a Supplied Software release is comprised.

☐ 3.1.2 FOSS component records exist for each Supplied Software release which demonstrate that the documented procedure was properly followed.

Rationale:

To ensure a process exists for creating and managing a FOSS component bill of materials used to construct the Supplied Software. A bill of materials is needed to support the systematic review of each component’s license terms, to understand the obligations and restrictions as they apply to the distribution of the Supplied Software.

3.2 The FOSS management program must be capable of handling common FOSS license use cases encountered by Software Staff for Supplied Software, which may include the following use cases (note that the list is not exhaustive, and not every use case may apply):

  • distributed in binary form
  • distributed in source form
  • integrated with other FOSS such that it may trigger copyleft obligations
  • contains modified FOSS
  • contains FOSS or other software under an incompatible license interacting with other components within the Supplied Software
  • contains FOSS with attribution requirements

Verification Artifact(s):

☐ 3.2.1 A procedure has been implemented that handles the common FOSS license use cases for the FOSS components of each Supplied Software release.

Rationale:

To ensure the program is sufficiently robust to handle an organization’s common FOSS license use cases, that a procedure exists to support this activity, and that the procedure is followed.