Shane Coughlan

Attendees:

• Jimmy Ahlberg, Ericsson
• Takashi Ninjouji, Honda
• Marc-Etienne Vargenau, Nokia

We show the anti-trust notice https://github.com/OpenChain-Project/Reference-Material/tree/master/OpenChain-Templates/Work-Group-Slide-Template as reminded by Shane.

Jimmy is back from his Asia trip. He will go in Japan for the Open Source and Compliance summits.

Jimmy has concerns about the recently released version 1.7 of the CycloneDX standard. CycloneDX v1.7 introduces first-class support for patents and patent families. These new fields could be used by patent trolls.

Shane will be leaving his role as OpenChain General Manager. His last day will be the 12^th of December. There is no replacement for him yet. It might take some time. Everyone is welcome to propose candidates.

We have no news from CISA about their Minimum Elements document. Nokia comments were provided, but they are still not visible at https://www.regulations.gov/document/CISA-2025-0007-0001/comment. So we have no idea when the final version of the document will be published.

The Python ntia-conformance-checker https://pypi.org/project/ntia-conformance-checker/ has been updated. It is now possible to check also conformance to the CISA document, meaning checking also Licenses and Copyright Holder. But the default is still to check NTIA, an option has to be added to check for CISA. So it has no impact on the openchain-telco-sbom-validator that uses this library.

It is now also possible to check conformance for SPDX 3 SBOMs. But we have not yet tested this capability.

A new release 0.3.3 of the openchain-telco-sbom-validator has been published. It only fixes a very small bug in the handling of the CISA SBOM type when followed by more text in the comment.

Nokia has published a new Python tool https://pypi.org/project/pypispdx/ to create SBOMs for Python packages available on https://pypi.org/. It will create an SBOM in multiple SPDX 2.3 formats (tag:value, JSON, RDF, XML, YAML). The SBOM will be compliant with the OpenChain Telco SBOM Guide. It includes the recursive dependencies of the package. For every package, it contains the PackageDownloadLocation, the PackageChecksum in both SHA256 and MD5 and the licenses when available.

Takashi-san reminds that the last version of the German BSI document requires SPDX in version 3, whereas the previous version required only SPDX 2. Most tools, including for example Black Duck, produce only SPDX 2 for the moment. We do not know the reason why the BSI requires it. In practice, the simplest solution could be to convert SPDX 2 to SPDX 3 using the Java tools https://github.com/spdx/tools-java.

Takashi-san shows the work done by the automotive group about SPDX 3.

The OpenChain automotive work group handles SPDX 3 generate by Yocto and would like to validate it against the Telco Guide. Currently, the validator can only handle SPDX 2, as the Python library it uses (https://github.com/spdx/tools-python/) cannot parse SPDX 3. The last release of this library is more that one year old. A new maintainer has been nominated, so we hope to have a new release that can handle SPDX 3, but we have no date.

We can start to think to an update of the SBOM Guide to allow SPDX 3. The OpenChain SBOM work group has produced in its document a mapping table of the Telco Guide between SPDX 2 and SPDX 3.

Jimmy will provide a better wording of the paragraph about encryption (see https://github.com/OpenChain-Project/Telco-WG/pull/214).

Watch the Recording:

Be part of this:

Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/telco

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/Telco-WG

You are also welcome to participate in any of our other working groups around the world:

• https://openchainproject.org/participate

We continued to explore the question of how to address the intersection of open source, AI and process management in our regulation OpenChain AI Work Group Workshop for North America and Europe. Chaired by Matthew Crawford of Arm and Dave Marr of Qualcomm, this work group is building on the knowledge gathered and deployed to market in the OpenChain AI System Bill of Materials Compliance Guide.

Watch the Recording:

Get Involved:

Everyone is welcome to be part of this activity! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list for the AI Work Group: https://lists.openchainproject.org/g/ai

Attend Future Meetings:

You can find and get the dial-in details for all future meetings from our participate page here: https://www.openchainproject.org/participate

Save the date! We will hold the second annual OpenChain and Friends event in Sttutgart from the 24th to the 26th of March 2026.
(learn about last year’s edition here: https://openchainproject.org/news/2025/02/20/openchain-and-friends-stuttgart )

Main Event Location:

• Service and Supply Chain Campus Feuerbach,

Satellite Event Locations:

• Mercedes in Vaihingen
• Bosch in Ludwigsburg

In Partnership With:

FOSS-LÄND

Work Streams:

1. Open Source Compliance and OSPOs – contact: Nikola.Babadzhanov@bosch.com
2. Cybersecurity – contact: Dirk.Targoni@bosch.com
3. Women in Open Source – contact: Adamantia Goulandris goulandris@fzi.de
4. Embedded SW and OpenHW – contact: Rüdiger laschewski-grossbaier@innolintec.eu
5. Artificial Intelligence – contact: thomas.uslaender@iosb.fraunhofer.de

Contact helpdesk@lists.openchainproject.org for more information. We would love for you to be part of this, and to help contribute to our welcoming community of open source governance professionals. We welcome everyone from small, medium and large companies, local and national government, non-profit organizations, academica and also independent parties curious about what is happening in this space.

OpenChain is hosting a panel featuring experts from Bitsea, Jun Legal, FossID and SCANOSS discuss their experience and opinions on the topic of managing Generative AI in corporate environments. This discussion will feature both structured commentary and plenty of opportunity for the audience to engage and ask questions.

Join here 2025-12-04 @ 08:00 UTC / 09:00 CET / 16:00 CST / 17:00 KST + JST:

• https://zoom-lfx.platform.linuxfoundation.org/meeting/99505474824?password=77048af8-0226-4d4e-974a-2f7c95251b6f

The OpenChain Meridian 22 Work Group held its second meeting in early December with a focus on planning next steps for the region. Given the geographic scope, crossing over many cultures and languages, there was plenty to talk about. Open Source Summit Europe in Prague during 2026 was a key point of focus.

Watch the Recording:

Taipei, Taiwan — Sun Square has been officially recognized as both an OpenChain Service Provider and a Third-Party Certifier. This dual status enables the company to support global organizations in adopting ISO/IEC 5230 and ISO/IEC 18974, improving open source governance and software supply chain security.

This dual recognition enables Sun Square to support organizations adopting ISO/IEC 5230 (Open Source License Compliance) and ISO/IEC 18974 (Open Source Security Assurance), helping them build transparent and secure software-supply-chain governance.

The OpenChain Project, led by the Linux Foundation, establishes global standards for open source software supply chains. Its core specification, ISO/IEC 5230, defines best practices for license compliance, while ISO/IEC 18974 extends those principles to vulnerability management and security control.

As both a Service Provider and a Third-Party Certifier, Sun Square bridges advisory guidance with independent assessment. This combined capability allows enterprises to develop robust processes and obtain formal certification demonstrating their commitment to international standards.

“Becoming an OpenChain Partner reflects Sun Square’s long-term commitment to open collaboration and secure software supply chains,” said SZ Lin (林上智), Chief Cybersecurity Advisor at Sun Square. “By combining our OT cybersecurity and open source compliance expertise with OpenChain’s global framework, we aim to enable organizations to strengthen governance and resilience throughout the software lifecycle.”

Sun Square offers integrated services that include OT cybersecurity training and advisory based on the ISA/IEC 62443 standard, open source compliance and security governance for ISO/IEC 5230 and 18974 implementation, and software lifecycle security management covering SBOM development and vulnerability remediation.

By combining international standards with local implementation expertise, Sun Square continues to promote trusted and sustainable open source and cybersecurity practices in Taiwan and across the Asia-Pacific region.

About Sun Square

Sun Square Co., Ltd., headquartered in Taiwan and serving clients worldwide, provides cybersecurity and open source advisory services that help organizations align with international standards and regulations. The company specializes in OT security training, open source compliance, and software supply chain assurance, delivering consulting, training, and certification support aligned with ISO/IEC 5230, ISO/IEC 18974, and other global standards.

Learn more: https://sunsquare.tech