Rose Judge, an Open Source Engineer at VMware and a co-maintainer of Tern, gave a keynote at this year's Open Compliance Summit (held virtually this year from Japan) on updates to the Automating Compliance Tooling (ACT) Project, where she serves as chair of ACT's Technical Advisory Council.
The ACT Project exists to support the development of open source tooling for the efficient and effective exchange of software bills of materials (SBOMs), enabling license compliance, security, export control, pedigree and provenance workflows. ACT is made up of maintainers and developers of compliance-focused open source tools such as FOSSology, OSS Review Toolkit, SPDX Tools, Tern, QMSTR and others. ACT is a Linux Foundation project born from the principle that using open source code comes with a responsibility to comply with the terms of its license, which sounds simple in theory but is considerably harder in practice. The goal of ACT is to increase interoperability among open source compliance tools and to build a community that accelerates progress toward a more complete compliance tooling ecosystem.
ACT was first announced at the Open Compliance Summit in 2018, with founding member commitments from Google, Siemens and VMware following a year later. These founding members believed that easy access to advanced automation tooling was crucial to conducting open source compliance successfully at scale. In her presentation, Rose walks through some of the history of ACT and discusses recent additions to the ACT umbrella, namely REUSE Software and the Kubernetes SIG Release BOM tool. She notes that one of ACT's working goals for the coming year is to create an integrated tool stack built entirely from open source software to support license compliance, security, export control, pedigree and provenance workflows.
The ACT umbrella now encompasses 8 projects that vary somewhat in scope and application but are all interoperable with SPDX documents in some capacity. The chart below highlights each project's role in producing, consuming and transforming SPDX documents.
If you're interested in learning more about how ACT enables more coordinated and integrated tooling, or about any of the member projects mentioned, head over to the ACT page or its GitHub page for detailed information.