A major advantage of FOSS is the possibility to reuse existing components. Thus, it seems obvious to adopt the same strategy for FOSS compliance material in those areas where the required efforts are identical for all users of the software. With standard formats, such as SPDX, it is possible to share the results of data curation with the community, and thereby reduce the individual effort. The OSSelot project has set itself precisely this task: Creating a publicly available database of curated compliance materials for frequently used FOSS components including SPDX reports for each component. In order to foster usability of the data and external contributions, aspects such as trustworthiness, liability and integration of the data into existing tools must also be considered.

This presentation will demonstrate the stringent curation and review process of the OSSelot data that ensures that all internal and external contributions meet the same high quality standard. It will also exemplify how the OSSelot resources can be used to fulfill FOSS license obligations. To increase the project’s practical relevance, a discussion is encouraged on how the data can be used with existing tools and what adaptions are required to do so.

OSSelot project page: https://www.osselot.org/ OSSelot git repo: https://github.com/Open-Source-Compliance/package-analysis