Practical GPL Compliance — The Checklists

A book that is designed to act as a well-worn companion to compliance engineers

I said “watch this space” and now it is time to deliver! Today I am delighted to announce the release of the checklist section of ‘Practical GPL Compliance’ under CC-0 and its donation to the OpenChain Project.

Get the material as DOCX, ODT or PDF here. Read below to scan the content. Our goal with releasing this material is to kick off a deeper discussion and deeper engagement with the topic of building checklists to assist with open source compliance. If you have something to contribute around this area please reach out to me at

And…keep watching this space. There is more to come. Meanwhile, you can also download a copy of the full book for free from

Open Source Compliance Checklists

A quotation worth bearing in mind with regard to all aspects of compliance engineering comes from C. Northcote Parkinson:

Work expands so as to fill the time available for its completion.

When used properly, checklists can be a useful way to manage your GPL compliance tasks in a quick, consistent and effective manner. When used incorrectly, they can be too general to cover the work at hand or become overwhelming task lists requiring endless review. A happy medium is the goal. What constitutes a happy medium really depends on your organizational size.

See the ‘General Compliance Checklist’ for a short and simple checklist. This is from the OpenChain Curriculum slides. It is based — in turn — on the Linux Foundation Open Compliance Program Self-Assessment Compliance Checklist. It may be suitable for a small organization or for framing the general issue for a large organization.

General Compliance Checklist

You might elect to have more specific checklists to address specific compliance goals. For example, providing the “complete and corresponding” source code for distribution is arguably the first and most useful area in which to have a specific checklist. One way of approaching this would be to create an exhaustive list of all the steps possible and necessary. Another way would be to cover the “core” of the issue and leave details to trained personnel or sub-checklists as needed. See ‘Checklist For Rebuilding Product X’ for an example of the latter.

Checklist for Rebuilding Product X

Plenty of options exist for more comprehensive checklists. A great place to start is the Open Compliance Program Self-Assessment Compliance Checklist. This is a more detailed list running through the whole process and may be required for a larger organization. This checklist, like the material above, is free of charge and freely available so you can explore what is best to meet your requirements.