From code-pliance to confidence: A recap of the FSFE Legal and Licensing Workshop

The Free Software Foundation Europe (FSFE) recently brought together the world's leading legal experts and technologists for its renowned Legal and Licensing Workshop (LLW). Recognizing that software is deeply integrated into modern society, the FSFE is a charity committed to promoting digital autonomy. Its mission is to ensure technology serves people by giving them freedom and control, rather than imposing limitations. Since its inception in 2001, the foundation has been a steadfast advocate for Free Software in Europe and beyond, focusing on protecting and extending user rights through its multifaceted activities. Organized annually by the FSFE, the LLW stands as the world’s foremost gathering for experts in Free Software legal and licensing topics and provides a unique forum for lawyers, technologists, and thought leaders to discuss pressing legal issues and share best practices.

Over three days of intensive talks and networking, the LLW advances state-of-the-art knowledge on everything from license compliance to project governance and corporate responsibility. By fostering a collaborative environment, the workshop not only enhances knowledge but also strengthens the professional relationships that are crucial for promoting better license compliance across the industry.

Together with my colleague Marcel Kurzmann, who opened the session by showing the big picture of the Open-Source Tooling Landscape, I co-led a practical workshop on the ORT and ORT Server. The ORT (OSS Review Toolkit) Toolchain is a set of tools that automatically analyze open-source software used in a project. It identifies dependencies, checks licenses, scans for known security vulnerabilities, applies compliance rules, and generates clear reports. Together, the tools help organizations manage open-source risks and comply with licensing and security requirements in their software supply chain.

ORT Server is a scalable server application that runs the ORT as a centralized service. It automates software composition analysis by analyzing dependencies, checking licenses, tracking security vulnerabilities, enforcing compliance rules, and generating reports such as SBOMs (SPDX, CycloneDX). In addition to ORT’s core capabilities, ORT Server adds a web UI, REST API, user and role management, a central database, and Kubernetes-based scalability for organization wide use.

The session provided a hands-on demonstration for legal professionals, showcasing the cutting edge of open-source compliance automation.

As many in the community know, the ORT Server was initially incubated at Bosch before being released as open-source software under the Eclipse Apoapsis project. This workshop was a great opportunity to share our expertise and empower the community with powerful open-source compliance tools.

What began as a chat among our open-source officers blossomed into an unexpected and successful learning journey. This was precisely our experience when the need arose to replace an aging, Excel-based system for managing open-source software license compliance. The goal was to create a modern, internal license compliance tool, but the project's leadership fell into the unlikely hands of the legal department. This unconventional setup initially felt like a daunting challenge, forcing lawyers and developers into a shared arena where their professional languages and priorities often differ. However, this journey pushed us to become "accidentally agile," fostering a dynamic collaboration where we learned to navigate complex legal requirements and technical needs together, transforming a potential hurdle into a model of cross-functional teamwork.

This project's success is not just in the final product – a robust, user-friendly tool that serves as our single source of truth for license compliance – but in the powerful lessons learned along the way. By embracing the collaborative spirit of the open-source community internally, we broke down traditional silos and built a culture of mutual respect and understanding. We discovered the importance of clear communication, such as using precise terminology to bridge the gap between legal and technical experts. This venture stands as a testament to the fact that stepping outside our defined roles and embracing an agile, learning-focused mindset can lead to remarkable innovation and a powerful sense of shared achievement.

We talked about these lessons at FSFE LLW, which provides a unique and confidential forum for professionals to share experiences. The presentation was met with great recognition from company lawyers in other organizations, highlighting the challenges and the value of cross-disciplinary collaboration.