A key impulse for the development of QMSTR was the realization that there is still no industry standard for FOSS compliance tooling, and the understanding that the management of software copyright and license compliance in FOSS needs to improve. From a legal perspective, every obligation and liability technically boils down to managing the risk of running into trouble and mitigating possible damage, but we believe that this is not the right mindset for approaching FOSS license compliance.
FOSS compliance as a hygiene factor
Instead, we suggest viewing FOSS license compliance as a hygiene factor. Hygiene factors “do not give positive satisfaction or lead to higher motivation, though dissatisfaction results from their absence.” In the context of FOSS, this means that members of the wider open source community – users, downstream communities, businesses and others – expect all other community members to make their best effort to fulfill all the obligations that come with consuming and distributing FOSS. The wider open source community forms a society, and being a member in good standing of that society requires actively supporting the norms of the community. In this mental model, neglecting FOSS compliance amounts to anti-social behavior.
This approach may sound a bit theoretical, but it has real-life implications. Contributors prefer to be part of companies that uphold community standards. Shirking obligations or free-riding may deter potential customers and suppliers. Litigation is costly and unpleasant. But the most important aspect is that uncertainty about compliance and litigation undermines the motivation to collaborate within the global upstream/downstream network that is the fabric of Open Source.
Creating an industry standard for FOSS compliance documentation
The QMSTR community aims to create industry-standard tooling for compliance by being truly open from two perspectives: all of the project’s source code is open, and the project is openly governed. Every interested stakeholder is invited to contribute and to participate in roadmap setting and requirements development. This approach reduces barriers to the adoption of FOSS compliance solutions across the industry and supports the emergence of an industry standard for FOSS license compliance management.
Contributors and project history
QMSTR is a FOSS project both by licensing and by governance. It originated from a brainstorming session of the FSFE Legal Network in April 2017 on what tooling functionality is needed to streamline the maintenance of FOSS license compliance across international supply chains. A first proof of concept was developed in summer and fall 2017 and demonstrated to interested parties. After the proof of concept was found to be viable, product development started in January 2018 with the support of Google and Siemens. The first 0.1 release was made in April 2018.
The QMSTR development team is initially hosted by Endocode. With the launch of the Linux Foundation Automated Compliance Tooling (ACT) project, QMSTR will incubate there together with other FOSS compliance tools like Fossology. Since summer 2018, Endocode has been part of the FASTEN consortium, which is funded for three years by the European Commission H2020 program. FASTEN stands for “fine-grained analysis of software ecosystems as networks”. The consortium develops FOSS tooling that delivers dependency information to developers’ fingertips. QMSTR will continue to be developed as part of the project and will provide the FOSS compliance-related functionality as well as the client-side command line integration of the FASTEN functionality.