By Pavan Singh
This is part 3 of a series on the main benefits of utilizing a commercially-supported embedded Linux solution. Part 1 explains how you can get to market faster and part 2 outlines the long-term savings associated with commercial embedded Linux.
Commercial embedded Linux is the solution of choice for many software developers working on embedded products. It provides the tools and support they need to ensure that products remain secure and have the low-cost long-term maintenance they require. However, when it comes to using embedded Linux you have to consider more than just labor costs, you must also understand the legal implications of using Linux in embedded systems.
Managing Compliance with Commercially-Supported Embedded Linux
Creating your device with a Linux operating system or using an RYO Linux OS is legally classified as a redistribution under many of the open-source licenses used in Linux, including the GNU Public License (GPL). This redistribution of Linux packages creates additional legal and compliance challenges, so using commercial embedded Linux is the best way to ensure you meet these requirements.
There are on the order of 20 million lines of code for Linux and associated open-source tools—a massive codebase with a multitude of licenses for organizations to trip over if they’re not diligent.
With redistribution comes the responsibility to make sure your company is complying with all license requirements, such as providing free access to the source code for the open-source portions of your product, including any tools that might ship with the product.
Unlike using Linux on a desktop or server, shipping a product with any type of Linux OS is legally considered to be a redistribution, which opens you up to more licensing requirements.
There are usually clauses in the licenses about derivative works that can include kernel modules, libraries or tools, modification of existing code in Linux, statically linking to open-source libraries, and other stipulations. It’s critical that embedded device manufacturers catalog the licenses of the software they are using, understand the level of risk associated with the license, and be prepared to fulfill the obligations associated with each of the licenses. Unfortunately, many companies don’t treat this aspect of Linux seriously and open themselves up to needless liability, impact on brand, and cost to fix problems after the fact.
Commercial solutions make it easy to reduce this risk and associated time and cost. Commercially supported Linux delivers full licensing compliance and reporting. Commercial vendors are experienced with Linux licensing and can aid in the adoption of open source into your codebase mix.
Using commercially-supported embedded Linux reduces risk, time, and cost.
Export Compliance and Encryption Disclosure
Preparing products for international export adds yet another layer of compliance complexity. In addition to the necessary license compliance and documentation requirements, export compliance is focused on the disclosure of cryptography software which presents security concerns in many countries.
International distribution presents an additional set of challenges and compliance requirements for embedded Linux products.
Organizations must have formal processes in place for tracking open-source software (OSS). When it comes to documenting OSS in general and cryptography in particular, many technology companies experience a disconnect between the engineering and export teams. Export teams expect engineering to know everything in the codebase so they can properly report on the cryptography used in a product. If the product has a large number of OSS components and the engineers did not write the code themselves, however, they may not have a clear understanding of the cryptography inside. But export disclosures rely on accurate information from the engineering team, so organizations need to improve the quality of their cryptography discovery in OSS.
When there are hundreds or even thousands of OSS components within a product, a manual search is not practical. Some type of automated tool is needed, but automation alone is likely to yield false positives, which then have to be reviewed manually. The most efficient solution—the one Wind River employs—is a combination of automation and encryption expertise. The process goes as follows:
- A tool is used to search the code for encryption
- A designated team trained in encryption technology analyzes the findings to weed out false positives
- A report detailing the levels and types of cryptography found is generated and added to the compliance envelope
- An export team can then accurately determine which instances of cryptography need to be reported based on the requirements of the country
Wind River’s development and maintenance process are certified to the ISO 9001:2015 quality management standard covering the design, deployment, integration, verification, and maintenance processes.
Conquer Compliance with Wind River
When working with embedded Linux it’s important that you understand all the legal requirements associated with redistribution and international deployment. Commercially-supported Linux will help your organization handle compliance with ease.
Interested in learning more about commercial embedded Linux benefits? Download our free 23-page eBook.