Free Open Source Compliance Training

For years, the same questions have arisen again and again in the context of open source:

  • Am I allowed to use open source in applications used for business purposes?
  • What are the consequences of using open source?
  • Is the GPL a “toxic” license?
  • What do the American licenses mean for us in Europe?

The confusion hits developers in particular, who are on the front line when it comes to using or deploying open source. Now, computer scientists are rarely also lawyers, and even if law and computer science are similar in many aspects, it is not trivial to interpret a license without prior legal knowledge.
To help bridge this gap, we have provided a basic Open Source Compliance training. The training introduces the topic, briefly describes the background and gives insight into the essential aspects of licenses. More than 4 hours of video material, presentations and quizzes have been incorporated into the freely available, self-paced online training course.

In the course the participant gets an overview of:

  • The motivation and background of open source compliance,
  • The challenges that make open source compliance more than just making a list,
  • Solution concepts that help to anchor standards-compliant open source compliance in an organization.

The presentations, held in English, are divided into small, short bites, so that they can be easily consumed in between online meetings or in short doses at the beginning of each day.
Direct access can be found here on the Trainings page.

Module 2 - Open Source Compliance and Security

Module 2 - Achieving Compliance and Security


  • Goals:
    Understanding how to manage compliance and security risks, operational fulfilment using TrustSource
  • Contents:
    Compliance & Security goals, risk management approach, handling compliance risk, handling technical risk (security, viability),
    Part I: achieving compliance, practical questions (cases), TrustSource tools to achieve compliance (understanding legal settings in detail, functionality of legal engine, private licenses, black- & whitelists for components and licenses, etc.), detailed assessment of a notice file, collecting attributions, change notifications making use of DeepScan to qualify sources, quiz
    Part II: managing and assessing vulnerabilities, finding further vulnerability information, limitations of vulnerability data, examples analysing vulnerability data, using vulnerability reports, assessing viability, version analysis, forwarding tasks/tickets, handling developer versions, muting vulnerabilities, quiz
    Part III: making use of infrastructure, 3rd party & COTS, handling private and commercial licenses, using linked modules in a different context, COTS report, SOUP list, quiz, summary and test
  • Target Groups: project managers, compliance managers, developers

Module 1 - Compliance basics


  • Goals:
    Create awareness for the topic, introduce basic meanings
  • Contents:
    Challenge of OSC (clarify direct vs. transitive dependencies), recent and important cases, What if not?, basic terms, grants, obligations & their consequences, limitations and the termination of grants, matching to basic license classifications, check basic understanding, sample cases, roles and their responsibilities, general compliance process, overview of the OpenChain specification, summary & test
  • Target Groups:
    developers, administrators, compliance managers, product managers, project managers, senior managers

Module 4 - Developer Guidelines


  • Goals:
    Provide understanding of relevant compliance goals and artefacts, provide basic understanding of TrustSource elements as well as how to use them to achieve compliance
  • Contents:
    Explain basic TrustSource constructs (Scans, Analysis, Reports, project settings, etc.), explain compliance artefacts (BoM, Notice File, SOUP-List, Compliance Report, etc.), clarify developers' responsibilities (Compliance & Security), TrustSource support tools (using the UI, filtering, searching, dependency graphs), manage loose coupling and modification, how to manage settings, explain legal circumstances and their impact, project managers' responsibilities (Compliance & Security), TrustSource tools (Legal Analysis, Security Analysis, Viability Analysis, VersionCheck, different Reports), understanding the approval flow, approval Dry-Run, integrating approvals (Git-flow, GitHub-flow), using projects and modules to structure work, running tests, using linked modules, adding infrastructure modules, integrating COTS, qualifying external repositories, sample assessments, resolution of sample cases (making it green), summary & test
  • Target Groups:
    Developer, Project Manager, Administrators, Compliance Managers

Module 5 - Procurement


  • Goals:
    Understand the challenges that OS compliance poses to purchasing departments
  • Contents:
    Challenges in adding 3rd party and proprietary components, OS impact on purchasing agreements, managing 3rd party licenses in TrustSource, COTS & SOUP, components manager role, requesting 3rd parties to provide inbound BoMs, multi-org setup of TrustSource, alternative scanning approaches, summary & check
  • Target Groups: Purchasers, Developers, Project managers

Module 6 - Audit


  • Goals:
    Provide understanding of how to conduct an OS audit 
  • Contents:
    Scoping, the audit process, the deliverables, evidence, evidence, evidence, how to audit, escalation, version management, tooling support, binary analysis, source code analysis (repositories), build time analysis, legal compliance, security, other tests, what TrustSource can do for you, compiling a report, summary and check
  • Target Groups:
    Compliance Manager, Developer

Module 7 - TrustSource Administration

Module 7 - Tools & Tooling / TrustSource


  • Goals: Provide basics of Tooling and TrustSource Administration
  • Contents:
    Open Source Compliance Capability map, matching open source tools, TrustSource Architecture, TrustSource Services, Users, LDAP & Identity integration, MFA, inviting external users, managing roles and rights, general settings, handling API and API keys, throttling and usage limitations, configuring environment-specific settings, using multi-entity setup, information about system status, contacting support, stay tuned
  • Target Groups: TrustSource administrators

Module 3 - Open Source Governance

Module 3 - Governance

Open Source Governance is key to achieving Open Source Compliance.

  • Goals:
    Understand the challenges of achieving and maintaining compliance across large organisations and how TrustSource may help
  • Contents:
    Understand the OpenChain Specification and OC self-certification procedure, challenges of OS Compliance in large organisations, goals of Governance, OS Governance Board and OS Governor, OS Policy ingredients, Policy distribution, TrustSource support for OS policy distribution, Inbound Governance, Outbound Governance, Committer Governance, working contracts and OS Governance / work time vs. spare time, international law and work contracts in the context of OS governance, managing OS and external workforces, summary & test

Target group: compliance managers, CISOs, those responsible for business units

Module 8 - Recent Developments

Open Source is on the move – tools, legal requirements and business models are constantly changing. This module gives an overview of the developments of the last 12 months.

  • Current case law and new legal requirements
  • New and updated licensing conditions
  • Overview of new tools, features and functions
  • Duration: approx. 60 minutes

Target group: developers, project managers, product owners, compliance managers, architects

June 19th, Compliance Breakfast @ Frankfurt a.M.

To achieve a fast go-to-market for innovative products and services, the use of software, especially open source software, is essential.

But open source software is no free lunch!

What obligations are related to the use of open source software, what triggers the different obligations, and what results from them? What are the risks and how can they be managed? All this will be part of this informational event. You will receive an overview of the current legal situation as well as practical experience from the introduction of Open Source Governance.

0830-0900 Welcome coffee & tea

0900-0915 Introduction of speakers

0915-0945 Current legal situation and challenges (Heinzke)

0945-1000 Questions and discussion

1000-1045 Lessons learned from introducing Open Source Governance in a conglomerate (Thielscher)

1045-1100 Questions and discussion

Tickets can be booked here. To ensure a sound experience, the event is limited to 25 participants. Please note, the event will be in German.