Our general counsel, Paul Bosco, is a super nice guy. Among his many responsibilities, he helps Sonatype make the right decisions about appropriate license use of open source components within our software. But you would think that having a lawyer hang over the shoulders of a developer would get a little uncomfortable.
Paul is not part of our development team, he doesn’t want to be, and he certainly does not slow them down. But with that said, Paul knows how to work at DevOps speed.
He knows legal reviews need to happen at the speed of development on every component, every build, and every release.
So how much time does Paul spend reviewing open source and third-party software components in the software we are building? Almost none. Yup. That is because we have automated him.
It's all about dogfooding. At Sonatype, we have automated our open source policies. Paul’s guidance on the proper use of every component license we use is built into Sonatype CLM. CLM is then integrated with our developer IDEs and our Bamboo CI platform. With CLM performing the adjudication, Paul is free to focus on other more pressing matters. At the same time, our developers have instant access to the legal analysis run by CLM. Therefore, no time is wasted on legal reviews at the end of the development lifecycle.
Sonatype CLM’s IDE integration provides rapid, data-based feedback on versions, licenses, and known security vulnerabilities
Reviews are built-in, automated, instant and continuous. CLM is not just discovering problems with open source and third-party licenses. If issues are discovered, it also guides our developers to alternative component versions that may meet acceptance criteria. By selecting the best components from the start, we eliminate long legal reviews and rework that negatively impact our release velocity and add to operational costs. With CLM in place, Paul can keep up with our development team at any pace they choose to run.