We are delighted to announce that the second edition of the OpenChain guide to ‘Managing Your Open Source Software Supply Chain’ is now available. This builds on the excellent contribution from the OpenChain Japan Work Group in 2019 in building the first edition, and takes into account market developments since that time.
Overview:
This document is designed to help companies in the supply chain understand and manage Open Source Software (open source). The OpenChain Project maintains the OpenChain ISO/IEC 5230:2020 for open source license compliance and OpenChain ISO/IEC 18974:2023 for open source security assurance. These standards can help companies manage open source. You can learn more about the OpenChain Project and its standards at www.openchainproject.org.
Open source has become essential to modern software development and is incorporated into almost every electronic product, from consumer to industrial devices, from cloud to embedded software. Open source is indispensable in helping companies bring products or services to market.
Much open source is developed through the collaboration of expert developers from individuals and organizations throughout the world.
Open source can be used, modified, and distributed by anyone who complies with the associated license conditions. When open source is distributed within the supply chain, the distributor is required to comply with the terms and conditions of the license. There have been cases where suppliers were sued because they failed to satisfy their legal obligations. This document is designed to help introduce the best practices needed to prevent issues occurring and to solve them when they do occur. It leads to further resources available through the OpenChain Project and other Linux Foundation Projects.
Like all other software, security issues sometimes occur with open source. By understanding how open source is created, used, and maintained, it is possible to identify, prevent and address many of these issues before they become a concern. The key thing is for all relevant personnel to understand the basic principles of open source.
Please note that this document is designed to provide insight based on experience shared from our global community. It does not contain legal advice.
Direct Links to the Text Version:
(It is provided as Markdown, which can easily be taken and reformatted as needed. We intend to add more language versions over time.)
Direct Link to the Print-Ready Version:
(We intend to add more print-ready language versions over time)