OSCHINA Joins the OpenChain Partner Program to Advance Software Supply Chain Security

OSCHINA has officially joined the OpenChain Partner Program, an initiative of OpenChain under the Linux Foundation dedicated to improving trust, security, and compliance in software supply chains worldwide.

As one of China’s leading open-source and developer platform providers, OSCHINA will contribute its expertise in software supply chain security, open-source governance, and developer ecosystems while collaborating with organizations around the world to advance industry best practices and international standards.

OpenChain, established by the Linux Foundation in 2015, brings together companies, industry groups, and public sector organizations to develop practical standards and reference materials that support effective open-source compliance and software supply chain management.

Strengthening Software Supply Chain Security

Over the years, OSCHINA has developed comprehensive software supply chain security capabilities through its developer ecosystem and enterprise R&D platforms. The company has built a full-lifecycle framework that addresses security requirements across source code management, component analysis, build processes, software delivery, and runtime operations.

Its platform integrates technologies such as Static Application Security Testing (SAST), Software Composition Analysis (SCA), reachability analysis, and intelligent auditing to help organizations identify vulnerabilities, manage open-source risks, and improve license compliance. Through deep integration with the Gitee DevOps platform, security checks can be incorporated directly into development workflows, providing continuous feedback throughout the software development lifecycle.

Supporting Global Standards and Industry Collaboration

OSCHINA currently operates two core platforms: the Gitee DevSecOps R&D Efficiency Platform and the Moark AI Platform.

As the designated operator of several national open-source initiatives in China, OSCHINA serves more than 18 million developers and supports organizations across industries including finance, government, manufacturing, and technology. Gitee DevSecOps has established a strong presence in enterprise software development environments, while Moark provides AI engineering capabilities spanning models, datasets, computing resources, and application development.

Participation in the OpenChain Partner Program provides an opportunity to contribute practical implementation experience to international discussions around software supply chain security while aligning with globally recognized approaches to open-source governance, compliance, and risk management.

Building a Trusted Open Source Ecosystem

“Joining the OpenChain Partner Program reflects our commitment to advancing trusted software supply chains and strengthening collaboration across the global open-source ecosystem,” said Ma Yue, Chairman of OSCHINA.

“From our origins as an open-source community and code hosting platform to our current role supporting enterprise software development and AI infrastructure, we have consistently focused on enabling innovation through open technologies. We look forward to working with the OpenChain community to promote best practices in compliance, security governance, and software supply chain management.”

Through its participation in OpenChain, OSCHINA aims to support organizations in establishing standardized and trustworthy software supply chain governance practices while contributing to the continued growth and security of the global open-source ecosystem.

norxs Technology Announces An OpenChain Conformant Program

norxs Technology LLC has announced an OpenChain ISO/IEC 5230:2020 and ISO/IEC 18974:2023 conformant program, covering both open source license compliance and open source security assurance.

norxs is a functional safety and cybersecurity engineering firm working on systems where failure is not an option: EV powertrains, power distribution, and industrial controls. Its engagements span the full safety and security lifecycle — from hazard analysis and risk assessment (HARA) and threat analysis and risk assessment (TARA), through safety and security concepts, requirements decomposition, and implementation, to the verification, validation, and assessment evidence required for certification against ISO 26262, ISO/SAE 21434, IEC 61508, ISO 21448 (SOTIF), and the UN R155 / R156 regulations.

Safety-critical software is now built on open source, and the standards norxs’s clients answer to increasingly treat the software supply chain as part of the safety and security case itself. Conformance to ISO/IEC 5230 and ISO/IEC 18974 applies the same engineering discipline norxs brings to hardware and firmware — defined responsibilities, traceability, configuration management, and independent verification — to the open source it uses and ships. In practice this means knowing precisely which components are in a deliverable and the license obligations attached to each, alongside a defined process for identifying and responding to vulnerabilities across the product lifetime.

For norxs, license compliance and security assurance are two halves of a single obligation: providing customers an auditable account of the software they integrate. This maps directly onto the software supply chain expectations of ISO/SAE 21434 and UN R155, and norxs intends to contribute its safety-critical engineering perspective to the OpenChain community.

About norxs

norxs Technology LLC is a functional safety and cybersecurity engineering firm for safety-critical systems. It delivers hardware, firmware, and certification as a single team — built in from the first schematic rather than bolted on at the end — across EV powertrains, power distribution, and industrial controls.

norxs supports OEMs, Tier 1 suppliers, and industrial clients to standards including ISO 26262, IEC 61508, ISO/SAE 21434, ISO 21448 (SOTIF), UN R155 / R156, and ASPICE.

JBViniol Joins OpenChain to Strengthen Practical Open Source Compliance

JBViniol has officially joined the OpenChain project as an OpenChain Partner, reinforcing its long-standing commitment to practical and effective open source compliance. 

Founded in 2026, JBViniol advises organizations on intellectual property and technology law, with a particular focus on open source software. While the firm itself is newly established, its lawyers bring more than 25 years of experience supporting companies in navigating open source licensing, governance and compliance obligations.

JBViniol supports clients through a holistic approach that combines legal expertise with operational implementation. Its services include developing open source compliance programs, advising on governance structures and internal policies, supporting license compatibility analysis and risk mitigation, assisting with enforcement and dispute resolution, and integrating compliance practices into development and release workflows.

“Our lawyers have 25 years of experience advising clients on complying with open source license requirements, and we are delighted to bring this experience to the OpenChain Project,” said Dr. Till Jaeger, Partner at JBViniol.

A key challenge in open source compliance is not simply interpreting licenses in isolation, but applying legal requirements consistently across complex and rapidly evolving development environments. JBViniol helps organizations translate these obligations into structured and scalable workflows that can be implemented throughout the software lifecycle.

This work includes supporting clients in the review and interpretation of automated OSS license scan results. Typical review processes involve identifying open source components across codebases, verifying licenses against internal policies, assessing potential copyleft obligations, reviewing licensing information within source code, evaluating compatibility between licenses, analyzing technical implementation details, and defining appropriate remediation or approval actions.

By establishing structured and auditable compliance processes, organizations can move from isolated legal reviews toward scalable governance systems aligned with industry best practices.

By joining OpenChain, JBViniol aims to contribute its experience to a global community dedicated to improving transparency, trust, and consistency in the open source ecosystem. The firm believes that effective open source compliance requires both clear legal guidance and well-designed operational processes, and looks forward to advancing this approach within the OpenChain community.

About JBViniol

JBViniol is a law firm focused on intellectual property and technology law, with particular expertise in open source software compliance and governance. The firm advises organizations on the legal and organizational aspects of open source adoption, helping clients implement practical compliance programs and manage software supply chain risks effectively.

About OpenChain

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs, and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information

The Teoresi Group approach to open source governance

Teoresi Group is an international engineering company that supports businesses in developing projects using cutting-edge technologies: from electric and autonomous vehicles to AI applied to medical diagnostics. With strong global expertise in engineering and machine learning, we focus on developing the intelligence layer that enables devices to operate autonomously and efficiently. 

Teoresi Group has been paying close attention to new technologies since 1987. So when open source software became impossible to ignore in products, in client deliverables, and in every layer of the engineering stack, the question was never whether to engage with it, but how to do so responsibly.

The honest answer to “why now?” is that the need became impossible to defer. In recent years, Teoresi’s work has shifted significantly toward turnkey projects. That shift changes the governance equation entirely. A service provider can rely on the client’s open source policies. A solution provider cannot. You need your own house in order.

“If you do not have governance, you carry all the risks we have been describing: legal exposure, security gaps, and compliance failures. The risk does not disappear because you did not look for it.” — Alberto Bertone, Teoresi Group FOSS Manager

A working group was established, including technical leads, legal experts, and project managers. The result, published by the end of 2025, was a Group-wide open source policy and procedure. All Teoresi Group companies are covered. The process runs from pre-sales through to delivery. Licence constraints are evaluated before commitments are made, codebases are scanned and inventoried during development, and a named FOSS Manager is accountable for the programme’s integrity across projects.

Training is already underway across the organisation. The goal is straightforward: every person who works with third-party code understands what that code requires of them, and why. Compliance that rests on understanding is durable. Compliance that rests only on instruction is not.

Teoresi has also declared its openness to contributing back to open source. This is a formal commitment under ISO/IEC 5230, the international standard with which the programme is aligned. Research projects and innovation initiatives offer natural pathways. Open source is not something Teoresi simply consumes; it is something the company intends to be a responsible part of.

The open source community made the tools we build on available to everyone. Managing that inheritance with care is not just a regulatory obligation. It is a professional one.