Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source.
Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.
S-core, Self-Certified for OpenChain ISO/IEC 5230 International Standard
S-core has officially obtained the OpenChain ISO/IEC 5230 certification, a globally recognised standard for open source compliance. This certification acknowledges the reliability and transparency of S-Core’s open source management system on an international scale.
OpenChain ISO/IEC 5230 is an open source compliance management standard created by The Linux Foundation’s OpenChain Project and published by the International Organization for Standardization (ISO). It provides guidelines to help companies effectively manage open source and mitigate legal risks.
Open Source Specialist S-core’s Journey
S-core is a company that specializes in open source services, leveraging its extensive experience in open source-based infrastructure development.
This company offers full-care service for open source use, from open source adoption, migration, technical support, to governance consulting in order to help customers establish management systems for safe and strategic use of open source.
It has recently strengthened its capability of open source compliance to deliver more reliable and secure services to customers by aligning its open source management system with OpenChain ISO/IEC 5230.
Internally, a dedicated team continuously reviews licenses, assesses risks and operates in-house training programmes to ensure developers use open source correctly. Additionally, S-core has implemented a structured system using open source management tools to proactively identify and mitigate potential risks throughout the development process.
Sunghan Suh, Head of the Open Source Business Division at S-core, stated, “Open source has already become fundamental components in software development and operation across all industries.” He added, “With the acquisition of the OpenChain certification, we will take the lead in the development of the open source ecosystem to enable companies and developers to use open source more safely and efficiently by sharing our extensive expertise accumulated from adoption, development, operation, management to technical support.”
S-core’s Future Efforts
S-core plans to obtain ISO/IEC 18974 certification to further enhance open source security management, reinforcing its ability to address open source vulnerabilities. Looking ahead, the company aims to commit to the growth and development of the open source ecosystem with continued innovation and progress.
The OpenChain Project will be delivering a major talk for the open source ecosystem at the LF Member Summit in March. This is a “lessons learned” talk to help everyone understand how to build and deliver open standards to the community.
Talk Abstract:
The OpenChain Project has built two open source process management standards (ISO/IEC 5230 and ISO/IEC 18974) and deployed them across the open source supply chain. While OpenChain was the first Linux Foundation project in 14 years to produce an ISO standard, it is far from the last.During the 2023~2024 period, we saw growing engagement around Joint Development Foundation and committee discussions around standards or specifications in other LF projects.
This talk will consolidate OpenChain’s lessons learned in creating, submitting and deploying open source standards. It will help projects at any stage in the development lifecycle of specifications, including those only just considering this option for long-term impact. It will also help people with a specific interest in a more trusted supply chain to get more involved in OpenChain, building on our existing work or participating in new potential standards.
Our optics will be on the legal, risk and compliance side due to the nature of the OpenChain Project’s mission for a more trusted supply chain, but the core material will be equally applicable to technical, code or other projects working on this topic.
Registration is required for this free event / kostenlose Veranstaltung, aber Registrierung ist erforderlich
OpenChain and The FOSS-Länd Community Invite You To An Information Exchange
Want to get better at Open Source?
Open Source offers significant advantages for businesses, but effectively managing it with your developers, vendors, or within your software supply chain can be challenging. Whether you are new to the topic or a seasoned expert in open source management, we invite you to join us from April 7 to 9 in Stuttgart for a share and learn event. During this event, you will have the opportunity to:
Hear from industry peers as they share their open source processes and best practices.
Experience demonstrations from tool creators showcasing automated compliance solutions.
Participate in technical sessions focused on overcoming common challenges in the field.
Discover available support options from both the community and government resources.
OpenChain und The FOSS-Länd Community laden zum Open Source Austausch ein
Wollen Sie die Open Source Reife Ihrer Organisation verbessern?
Open Source bietet allerhand Vorteile, aber ein effektives Open Source Management im Spannungsfeld zwischen Entwicklern, Zulieferern oder generell in der Software Lieferkette kann eine Herausforderung sein. Ob Sie nun neu in dem Thema sind oder schon langjährige Erfahrung haben, wir laden Sie vom 7. bis 9.April nach Stuttgart ein, um uns gegenseitig dazu auszutauschen und dazuzulernen. In unserem Event werden sich folgende Gelegenheiten bieten:
Einblick in Open Source Prozesse anderer Organisationen und deren Erfahrungsberichte
Überblick über frei verfügbare Open Source Automatisierungs-Tools zum korrekten Umgang mit Open Source inkl. Demonstrationen durch deren Entwickler
Ausblick auf mögliche Lösungsräume zu geläufigen Open Source Management Herausforderungen durch Teilnahme an technischen Austausch-Runden
Durchblick zu den vielfältigen Unterstützungs-Angeboten, die sich durch die Open Source Community im Allgemeinen und durch „The FOSS-Länd“ für Baden-Württemberg im Besonderen ergeben.
Schedule and Locations / Ablauf und Veranstaltungsorte
Day 1 – 7th April 2025
13:00-19:00: Afternoon Meeting @ Venue 1
FORUM Haus der Architektinnen und Architekten (HdA) (See “Venue and Travel” below for details)
19:30-21:00: Informal Socializing Event
Location to be announced / Veranstaltungsort wird noch bekanntgegeben
Day 2 – 8th April 2025
08:00-16:45: Full-Day Meeting @ Venue 1
FORUM Haus der Architektinnen und Architekten (HdA) (See “Venue and Travel” below for details)
Day 3 – 9th April 2025
08:00-16:45: Full-Day Meeting @ Venue 2
Bosch Digital | Lb079 (Halle 8) (See “Venue and Travel” below for details)
Program / Programm
Day 1
Time
–
Lobby / Halle
–
Room 1 / Raum 1
–
Room 2 / Raum 2
12:30-13:00
—
Registration
—
—
—
—
13:00-13:15
—
—
—
Welcome and Introduction
—
—
13:15-13:45
—
—
—
Establishing trusted and consistent open source management across the supply chain with the OpenChain ISO standards
—
—
13:45-14:30
—
—
—
FOSS-LÄND and TODO Group – helping you with Open Source
—
—
14:30-15:00
—
—
—
Meet the experts – Introduction to the marketplace
—
—
15:00-15:30
—
Break and Marketplace
—
—
—
—
15:30-19:00
—
—
—
Communities and Good practices Open Source from an SME perspective Open Source aus der KMU Perspektive
—
Boot-Camp?
19:00 Joint walk to the restaurant
19:30 Socializing Event
Day 2
Time
–
Lobby / Halle
–
Room 1 / Raum 1
–
Room 2 / Raum 2
7:30-8:00
—
Registration
—
—
—
8:00-8:10
—
—
—
Welcome and Introduction to Process Track Open Source as business – the ecosystem and chances for SMEs Open Source als Geschäftsmodell – Chancen für KMUs im Ökosystem
—
Welcome and Introduction to Tooling Track The Open Source Tooling Portfolio for the Software Supply Chain Das Open Source Tool Portfolio für Software Lieferkette
—
—
—
—
Updates and Outlook
—
Updates and Outlook
8:10-9:30
—
—
—
Process Track – Session 1 * Open Source as business * Upstream orientation * Examples for SMEs in Open Source business * Business context influence * The different dimensions of Open Source Managemen
—
Tooling Track – Session 1 * How to find Open Source solutions for your problem? * Digital sovereignity, community health and ways to support * Community Editions and commercial services * Open Source portfolio and feature alignment
9:30-10:00
—
Break and Marketplace
—
Break
—
Break
—
—
—
—
Workshops Use Cases As a < WHO >, I want < WHAT > so that < WHY > – updating and refining the user stories based on the latest non-functional requirements
—
Workshops Architecture Common view on and wording for building blocks and capabilities
10:00-12:00
—
—
—
Process Track – Session 2
—
Tooling Track – Session 2
12:00-13:00
—
Break and Marketplace
—
Break
—
Break
—
—
—
—
Workshops Blueprints Matching Problem Spaces to blueprints supported by the Open Source Tool Portfolio
—
Workshops Toollist Updating and refining the Open Source Toollist
For participants attending the FSFE Legal Workshop in Essen from the 9th of April, we will end Day 2 of our event at 16:45 on the 8th of April. This will allow for easy train connections to Essen. Here is a link to the train connections from Venue 1 to Essen via Stuttgart Main Station.
Q&A
Who is the target audience of this event?
Software developers, security professionals and OSPO representatives
What the event location?
Day 1& 2 – Haus der Architekten in Stuttgart, Day 3 – Urban Harbor Ludwigsburg
No, this is a free event but you are required to register for a ticket
Is this a Linux Foundation event?
This is a community event co-hosted by the Linux Foundation’s OpenChain Project, and it will adhere to the Linux Foundation’s policies and code of conduct
Is the event language english? / Ist die Veranstaltungssprache englisch?
Yes, as we will have international participants, we plan to have english as event language, but for specific sessions we can also discuss to provide it in german (e.g. for people new to the topic) / Ja, wir haben internationale Teilnehmer, daher planen wir mit Englisch als Veranstaltungssprache. Aber wir können uns auch vorstellen bei entsprechendem Bedarf spezifische Themen (z.B. Themen für regionale Teilnehmer, die im Thema neu sind) auch in Deutsch / Schwäbisch 😉 zu machen.
Target group is also SME / KMU – is this acc. to KMU 2003/361 with < 250 employees?
Concerning the event we would welcome also bigger companies but want to explicitly support the small and medium businesses with the content. Only the concrete FOSS-LÄND offerings (e.g. vouchers/Beratungsgutschein etc.) are explicitly for SME / KMU in the region, see details in german only: https://www.transformationswissen-bw.de/beratung/beratungsgutschein
CRA and NIS2 would be expected as topics & Will the new Software Product Liability Act be a topic?
We are currently collecting proposals from all sides (see question about content above with link to the topic backlog). The general questions about What and Why will be addressed in the opening presentation. You can also join the mailing list to pre-discuss the contents for the workshops/round-tables: https://groups.io/g/oss-based-compliance-tooling
Is this event limited to the automotive supply chain only?
Via OpenChain we are open to more interested parties along other supply chains but want to explicitly support the small and medium businesses in the automotive supply chain (The FOSS-LÄND target group) in the region with the content. If there is bigger interest we can think about a follow-up in an extended setup., please feedback on the mailing-list https://groups.io/g/oss-based-compliance-tooling
Is the Process Stream focussed on Software Development Processes?
While the process stream was originally meant for OSPO and Open Source Management Processes in the supply chain, the Software Development Process perspective may become relevant for the mapping of blueprints around tooling and the automated handling of non-functional requirements.
Will there also be a “Community Stream” e.g. how to collaborate in communities, how to get your OSS project big?
There will be two sections in the target groups: A) new to the topic/management and B) advanced/experts => for the second section such a “Community Stream” could be covered e.g. by TODO Group and Good Governance Initiative contributions. Contributions are welcome, see “content question” above with the link to the topic-backlog.
OpenChain is part of the fabric of quality open source process management. During the Automotive Grade Linux All Member Meeting in Tokyo, we will discuss how our ISO process standards – ISO/IEC 5230 and ISO/IEC 18974 – support technology management activities in Japan and beyond.
“Grab a beverage and food at the AGL Showcase then sit down and learn how AGL and the Linux Foundation can help you gear up your company’s OSPO. Join a special event that will be mostly conducted in Japanese for companies to learn more about OSPO activities within the AGL OSPO Expert Group. This will include presentations from OEM OSPO leaders at Toyota and Honda, OpenChain, and AGL leadership and much more. Afterwards, stick around and talk to AGL developers about what is happening on the project during the AGL Showcase.”
– 17:15-17:25 OSPO Introduction by HONDA – 17:25-17:35 OSPO Introduction by TOYOTA – 17:35-17:45 AGL Introduction by Dan Cauchy – 17:45-17:55 AGL OSPO-EG introduction – 17:55-18:05 break – 18:05-18:15 OpenChain Introduction – 18:15-18:25 OpenChain Japan Introduction – 18:25-18:35 Civil Infrastructure Project Introduction – 18:35-18:45 Discussion & QA
We held our regular workshop for the OpenChain AI Work Group this week. It was a two-hour session to allow topics related to AI compliance to be discussed, explored and defined. The key focus for the Work Group is to develop and finalize a Guide to AI Bill of Material Compliance in the Supply Chain, and there is active drafting going on during each meeting.
You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
Netcore Cloud is the latest company to announce adoption of OpenChain ISO/IEC 18974, the international standard for open source security assurance.
“We are pleased to see a diversity of companies adopting ISO/IEC 18974,” says Shane Coughlan, OpenChain General Manager. “Our goal was always to create and support improved trust across the supply chain regardless of industry, and Netcore Cloud is an example of this in action. We look forward to next steps together in helping even more of the supply chain understand the need for and benefit of process standards for managing open source technology.”
About Netcore Cloud
Netcore Cloud is a global MarTech product company that helps B2C brands create amazing digital experiences with a range of products that help in acquisition, engagement, and retention. The first and leading AI/ML-powered marketing automation and customer engagement platform, Netcore Cloud was established in 1997 by Rajesh Jain, an internet pioneer. Today Netcore Cloud is revolutionizing the way marketing & product teams engage with the consumers.
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The Erlang Ecosystem Foundation has set goals for 2025 of raising the community infrastructure, processes and tooling profile to accommodate the latest industry standards for supply chain and cybersecurity. The Erlang/OTP team is thrilled to announce that the Erlang/OTP project now are conformant to OpenChain ISO/IEC 5230, the international standard for open source license compliance. The team would like to extend their thanks to EEF staff and community, the OpenChain community, and Ericssons Open Source Program Office for their support in getting to this point.
Erlang/OTP is an open source programming language made for programming concurrent, distributed, and fault-tolerant systems. The language is more than 30 years old, and has had 1,000s of contributions. By being OpenChain ISO/IEC 5230 conformant, we can build confidence among our ecosystem that Erlang/OTP manages licensing effectively, and has processes in place to do this in a sustainable way.
About Erlang:
Erlang is a programming language originally developed at the Ericsson Computer Science Laboratory. OTP (Open Telecom Platform) is a collection of middleware and libraries in Erlang. Erlang/OTP has been battle tested in a number of Ericsson products for building robust fault-tolerant distributed applications, for example AXD301 (ATM switch). Main developer and maintainer is the Erlang/OTP unit at Ericsson.
Since OTP 18.0, Erlang/OTP is released under Apache License 2.0. The older releases were released under Erlang Public License (EPL), a derivative work of the Mozilla Public License (MPL).
About the OpenChain Project:
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The OpenChain Project provides ISO standards to help ensure open source is professionally managed, and to build increased trust across the open source supply chain. One important aspect of our work is explaining why this is beneficial to different teams in an organization.
What is Happening?
Today, we take a significant step forward to support better understanding of OpenChain open source process management standards by releasing “Explainers” for different teams in organizations. These have been released as CC-0 (effectively public domain) to help companies around the world benefit from adoption best practices for building trusted compliance programs.
These Explainers were developed by Andrew Katz from Orcro, Martin Yagi from First Light Fusion and the rest of the community of contributors who make up the OpenChain Education Work Group.
Get the Explainers
We host the Explainers in our Reference Library in GitHub. You can find them in a dedicated directory called “Education-For-Internal-Teams.”
The Explainers were developed by the OpenChain Education Work Group after initial work through the OpenChain UK Work Group. You can participate in further development by joining the Education Work Group mailing list: https://lists.openchainproject.org/g/education
This is reference material to help inspire understanding about the value of OpenChain open source process management standards for teams across organizations. It is not designed to be (a) legal advice, (b) assured to work in your context or (c) replace internal or third-party professional support and advice.
The OpenChain Project frequently talks about how open source is more professionally managed, and how this helps make using open source quicker, more efficient and more effective across the supply chain.
What is Happening?
Today we take a huge step forward in supporting this evolution of maturity by releasing capability modeling as CC-0 (effectively public domain) to help companies around the world do open source license compliance and other types of compliance using the same approaches as the world’s best and most funded companies.
This model was developed by Orcro, DeLoitte and the rest of the community of contributors who make up the OpenChain Education Work Group.
Why?
Capacity or maturity modeling in Software Asset Management (SAM) plays a vital role in understanding an organization’s current state regarding SAM practices. Here’s a structured overview of its importance:
Assessment of Current Practices: It evaluates the organization’s existing SAM processes, identifying strengths and gaps that need attention.
Improved Decision-Making: By highlighting gaps, it enables informed decisions on software investments, tool acquisitions, and optimization strategies, enhancing efficiency and compliance.
Enhanced Efficiency and Compliance: A mature SAM practice can reduce redundant purchases, minimize license overuse, and mitigate audit risks, ensuring better management of assets.
Support for Open Source Management: It aids in managing open-source usage, ensuring compliance to avoid licensing issues, thereby facilitating innovation by allowing proper use and adaptation of open-source tools.
Facilitation of Open Innovation: In collaborative environments, it helps track external code usage, ensuring compliance and fostering better collaboration without legal risks.
In summary, capacity modeling is essential for establishing a robust SAM framework, enhancing operational efficiency, and supporting both open source management and open innovation, thereby driving organizational success.
Get the Model
We host the model in our Reference Library in GitHub. You can find it in a dedicated directory called “Capability-Maturity-Model” and you will find latest releases sorted by date.
The Capability model was developed by the OpenChain Education Work Group after initial work through the OpenChain UK Work Group. You can participate in further development by joining the Education Work Group mailing list: https://lists.openchainproject.org/g/education
This is reference material to help inspire individual organizations in their own development and use of models. It is not designed to be (a) legal advice, (b) assured to work in your context or (c) replace internal or third-party professional support and advice.
The Cyber Resiliency Act (CRA) is coming and this European regulation will impact software development worldwide. Organizations (and projects) of all sizes need efficient compliance processes to correctly identify software components and strengthen cybersecurity efforts.
The AboutCode stack of 100% open source tools and open data is engineered to automate compliance, with a practical approach. Tools like ScanCode and DejaCode paired with aggregated open databases like PurlDB and VulnerableCode ensure accurate origin, licensing, vulnerability detection, and comprehensive SBOM management. Newer projects like Massive FOSS Scan, CRAVEX, and AI-Generated Code Search deliver new performance improvements and advanced capabilities to improve the automation of compliance processes.
In this presentation, AboutCode lead maintainer Philippe Ombredanne shared the latest updates on how to use the AboutCode stack for better, faster, and more efficient license and security compliance automation.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.