Tags: Compliance, ISO standard, ISO/IEC 5230, Open Source, Software licences and Copyright
Abstract:
The article deals with the practical handling of open source licences in the everyday work of a public IT service provider. Compliance with copyright rules is supported and enabled by process-oriented open source licence compliance in accordance with ISO/IEC 5230. Particularly in a public company, it is important to ensure verifiable legality even when using ‘free’ open source modules. This is achieved by aligning the procedures with the ISO standard and by appropriate software quality management which reacts to a possible compliance breach with a failing build.
The report addresses circumvention risks and forensic relevance in Germany, and it contains an example SBOM file.
Preventive License-Checking According to ISO Based on an SBOM: Experiences and Practice Model
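The abstract describes a build that fails when an SBOM reveals a licence the organisation has not approved. The following is an added illustration of that gate, not code from the article or its example SBOM file: it reads a minimal CycloneDX-style JSON SBOM constructed inline (component names and licences are made up), compares each declared licence against an assumed approved list, and treats a component with no declared licence as a violation, since an unknown licence cannot be shown to be compliant.

```python
"""Gate a build on the licences declared in an SBOM.

Added example, not code from the article. It assumes a minimal
CycloneDX-style JSON SBOM (components with name, version and a list of
licence entries) and a policy listing the SPDX licence ids the
organisation has approved. Components with no declared licence count as
violations: an undeclared licence cannot be verified as compliant.
"""
import json
from dataclasses import dataclass

# Constructed sample SBOM; component names, versions and licences are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "example-logger", "version": "2.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "example-http", "version": "0.9.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "example-crypto", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "example-unknown", "version": "4.2.0"},
    ],
})

# Assumed policy: licences approved for this product (hypothetical list).
APPROVED_LICENSES = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})


@dataclass(frozen=True)
class Violation:
    component: str
    version: str
    license_id: str  # "<none declared>" when the SBOM carries no licence entry
    reason: str


def declared_licenses(component: dict) -> list[str]:
    """Collect the licence ids (or free-text names) declared for one component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        # Prefer the SPDX id; fall back to a free-text name if that is all there is.
        value = lic.get("id") or lic.get("name")
        if value:
            ids.append(value)
    return ids


def check_sbom(sbom_json: str, approved: frozenset[str]) -> list[Violation]:
    """Return every policy violation found in the SBOM (empty list means clean)."""
    sbom = json.loads(sbom_json)
    violations = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name", "?"), comp.get("version", "?")
        ids = declared_licenses(comp)
        if not ids:
            violations.append(Violation(name, version, "<none declared>",
                                        "no licence declared in SBOM"))
            continue
        for lic in ids:
            if lic not in approved:
                violations.append(Violation(name, version, lic,
                                            "licence not on approved list"))
    return violations


def build_passes(sbom_json: str, approved: frozenset[str] = APPROVED_LICENSES) -> bool:
    """True only when no component violates policy; CI would exit non-zero otherwise."""
    return not check_sbom(sbom_json, approved)


if __name__ == "__main__":
    import sys
    found = check_sbom(SAMPLE_SBOM, APPROVED_LICENSES)
    for v in found:
        print(f"{v.component}@{v.version}: {v.license_id} ({v.reason})")
    sys.exit(0 if not found else 1)
```

Run as a CI step, the script's exit status is the gate: any violation fails the build. With the constructed SBOM above, two components are reported, the GPL-3.0-only one and the one with no licence entry; widening the approved list to include GPL-3.0-only still fails the build because the undeclared licence remains unverified.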