One of the things that can make compliance more difficult is trying to track which open source components have which obligations. Some require general attribution, some require source code, and everything in between. But keeping track of all the differences isn't necessary if your organization has an "open by default" policy.
What is an "open by default" policy?
An open by default policy is a policy that applies GPL-like disclosure to every open source component unless there is a specific business reason not to do so. For example, a number of permissive licenses require attribution—but not all of them. Under a strict compliance policy, the use of academic and permissive-licensed code should be tracked and proper attribution given when necessary. An “open by default” policy, however, gives attribution for all academic and permissive-licensed code, regardless whether the license actually requires it. This simplifies recordkeeping and helps ensure long-term license compliance.
Similarly, when shipping products that include academic or permissive-licensed components, it is not necessary to provide source code to customers. Under an open by default policy, however, the higher standard of reciprocal-licensed code is assumed. Providing corresponding source code for all open source components, regardless of whether the license requires it, simplifies recordkeeping and helps ensure long-term license compliance.
A good guideline for an open by default policy provides attribution, a copy of the license, and corresponding source code for each open source component used. This generally assures license compliance in all cases except where reciprocally-licensed code has been modified or integrated into a customer product—exceptional cases that should have been individually reviewed and flagged by your OSPO.
The benefits of open by default
There are three reasons why we suggest an open by default policy. First, it reduces the number of special cases your compliance system (and team) need to deal with. Instead of trying to track each individual license obligation, your team is only looking for modified source code and commercially sensitive source code. That will be a small minority of all the open source components that you use.
Second, it leads to easier compliance over the long run. Almost every system makes some mistakes. If your policy is to be open by default, though, the effect of any mistake is mitigated. You are much less likely to run into compliance problems.
Third, there are community and public relations benefits to being a good open source citizen and actively complying (or even over-complying). How you approach your open source disclosures will set a tone between your organizations and the various upstream projects you rely on. An open by default policy helps convince others of your goodwill and can help you over time.