Platform-agnostic tools are a key part of modernizing developer workflows. License compliance is no exception. Like the rest of the tools that help you write, test, deploy, and manage code, license-compliance tools shouldn't lock you into one type of CI server or other CI/CD tool. They should instead work with whatever setup you choose to use today, tomorrow, and your toolset in the more-distant future.
Platform-Agnostic vs. Vendor Lock-in
While there's a certain appeal that comes from hyper-targeted, proprietary solutions, there's nothing more frustrating than vendor lock-in. Having your process or product handcuffed due to the inflexibility of moving from one tool to another is a frustrating experience, not to mention expensive. The cost of switching can set back your company in terms of productivity, output, and dollars. However, every company hits a point where they need to transition despite the pain it will cause.
Platform-agnostic tools are built to eliminate this pain point in order to help companies through growth and modernization efforts. A platform-agnostic tool is one that can be run on multiple platforms with minimal caveats or limitations on the part of the integrator. For example, programming languages like PHP and Ruby or open-source database systems like MySQL and PostgreSQL are platform-agnostic because they aren't limited to only one vendor or cloud provider. It doesn't matter if you use Google Cloud Platform or Amazon Web Services — these tools will run within either, and can be easily migrated to another provider if necessary.
On the flip side, services like BigQuery and S3 are examples of platform-specific tools that are only available through their respective vendors (Google and Amazon, in this case). While there are a lot of benefits to using proprietary or managed solutions like these, they require a significant commitment on the part of the developers, because pivoting to another provider at some point in the future can be significantly more difficult. Even developing against them can be a difficult and costly experience, as there are rarely self-hosted solutions that can be used in a development environment. This concept is called vendor lock-in, and can cost an arm and a leg to escape from.
Continuous Open Source License Compliance
When it comes to open source license compliance, vendor lock-in can be a killer, especially in the context of an open source project. Project management costs can be significant for popular packages and open source projects are often beholden to their budgets. Having the flexibility to change up the tools used to build, maintain, and administer a project can go a long way towards achieving some level of sustainability. While many license-compliance tools offer platform-specific integrations for source code hosting services like GitHub, GitLab, and Bitbucket, not every project across a company or even a team lives within these services. In some circumstances, a service like GitHub may be used to mirror an official source code repository, but outside of a read-only view, these mirrors are almost entirely ignored.
This is why utilizing platform-agnostic tools inside of a continuous integration (CI) process is so valuable. Using a platform-agnostic license compliance tool like FOSSA's command line application makes it possible to integrate your license compliance process into any continuous integration platform with minimal headache. Rather than relying on the vendor-specific integrations to tools like GitHub or GitLab, open source maintainers can instead get the information they need anywhere they need it, whether it is from a popular cloud-based CI tool like Travis CI, or an open source, self-hosted solution like Jenkins.
Parity, Parity, Parity
One of the biggest advantages to using a platform-agnostic (and by extension, CI-agnostic) license compliance tool (or any tool, for that matter) is the ability to achieve parity between development and production environments. While it is possible to hook up a CI tool to any contribution to a source code repository, there is a lot of value in encouraging the execution and validation of these tools prior to code submission. A platform-agnostic tool like FOSSA's CLI application can be run on every developer's machine before every commit or push to a central version control repository, increasing the accuracy of the results, regardless of the environment.
Parity is an important part of ensuring a productive, seamless development experience, especially as the number of contributors to a project grows. "It works on my machine" isn't an acceptable answer to production ready code, and when it comes to more nuanced solutions like license compliance analysis, being able to clearly and easily communicate how it works without any caveats can go a long way towards creating a positive atmosphere for contributors.
Once More, With Feeling
All things considered, open source license compliance is a relatively new concern for open source maintainers. While the concept is hardly new, the need to be aware of the limitations and requirements of the packages you are consuming is becoming more necessary every day, regardless of the size of the project. As these tools grow, so too does our need for rapid feedback and analysis, and as CI platforms grow and change (and get acquired by bigger fish), having the ability to move from one to another is more valuable than many realize.
Zachary Flower (@zachflower) is a Fixate IO Contributor , principal engineer at Automox — a Boulder-based patch management startup — and freelance writer. With a passion for simplicity and usability within the development pipeline, Zach puts a strong emphasis on the importance of documentation, developer productivity, and shift-left testing strategies.