The OpenChain Project has released an updated version of the project introduction slides. These contain the latest membership information, the latest conformance information, and improved formatting.
The OpenChain Project is being featured today at the Software IP event hosted by IAM and located at Golden Gate Club at the Presidio, San Francisco.
Our representative is Hung Chang, Senior Product Counsel at Workday, and one of the founders of the OpenChain Project. You can catch his panel between 1 and 2pm.
Learn More:
The OpenChain Project previously maintained a document for “manual OpenChain Conformance.” The idea was that companies could download, print and/or the document to suit workflows beyond our online conformance web app. You can find a version of that document here:
Gary O’Neall from our Conformance Work Team has been doing some exciting work to make it quicker and faster to create a manual conformance document. He is automating the creation from inside the conformance web app. Check it out here:
Check out the background code on GitHub:
This is still a beta and we are seeking comments. You can submit comments via the main OpenChain mailing list here:
Get these guides and many more documents in the OpenChain Reference Library.
There is a lot of cross-pollination between Linux Foundation open source projects. The latest is a contribution from Fukuchi-San, a driving force in the OpenChain Japan WG, to SPDX. Motivated by a suggestion from Thomas Steenbergen at Open Source Summit Europe 2017 he has prepared a Japanese translation of the SPDX Specification. The draft document is available for comments, suggestions and improvements here:
About The Linux Foundation Compliance Stack
The OpenChain Project sits at the top of a stack of open source projects to address open source compliance. OpenChain is a high level standard defining the key requirements of a quality open source compliance program. Immediately below providing more specifics are the SPDX and TODO Group. The former is a standard for how the contents of software packages are described. The latter contains practical, timely information about how open source program offices can run. Moving further down the stack there are specific frameworks like FOSSology to scan code and confirm what software packages contain.
About The OpenChain Project
The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.
About The SPDX Project
Software Package Data Exchange® (SPDX®) is an open standard for communicating software bill of material information (including components, licenses, copyrights, and security references). SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses, copyrights, and security references, thereby streamlining and improving compliance. The SPDX specification is developed by the SPDX workgroup, which is hosted by The Linux Foundation. The grass-roots effort includes representatives from more than 20 organizations—software, systems and tool vendors, foundations and systems integrators—all committed to creating a standard for software package data exchange formats.
Newsletter – Issue 18 – October 2018
Context
The OpenChain Project has active bi-weekly calls and a central mailing list that provide the “nuts and bolts” of our community activity. These are joined by various releases of documents and announcements of OpenChain-related events throughout each month. We collect key developments in this newsletter once a month.
Introduction
October was an incredible month for the OpenChain Project. We had more outreach, more collaboration and more announcements than ever before. Key items include new membership from Toshiba, new conformance from SUSE, and the release of beta documents to help with initiating and tracking OpenChain Conformance.
New Member
The OpenChain Project, which builds trust in open source by making open source license compliance simpler and more consistent, announced Toshiba has become a Platinum Member. Toshiba has long been a driving force in the OpenChain Japan Work Group, and their new Platinum membership will enable the company to contribute even more to the global adoption of the OpenChain standard.
“OpenChain is not just a project for OSS license compliance, it also helps to improve mutual trust and effective communication between open source developers and users,” says Tetsuji Fukaya, Director of the Corporate Software Engineering and Technology Center of Toshiba Corporation. “Open source is publicly recognized as an essential part of digital transformation and widely used in numerous products. In order to use open source appropriately, we think that license compliance alone is not enough. Mutual trust between developers and users is also essential. OpenChain will be key to achieve both. For that reason, we feel proud of being part of the OpenChain Project.”
New Conformant Organization
The OpenChain Project announced it has welcomed SUSE to its community of conformance. Conformance with the OpenChain Specification confirms that an organization follows the key requirements of a quality open source compliance program, and builds trust between organizations in the supply chain. SUSE is the first enterprise Linux distributor to earn conformance with the OpenChain Project Specification.
“For more than 25 years, SUSE has created and engaged with open source communities as a foundation for its enterprise solutions,” said Thomas Di Giacomo, SUSE CTO. “We always engage with the community to better meet customer needs, and our OpenChain certification is another indication to enterprises that we are committed to making their experience with open source software more reliable and cost effective.”
Learn more:
https://www.openchainproject.org/news/2018/10/23/suse-joins-the-openchain-community-of-conformance
Media
We began October with an interview from the EFY Group covering the key requirements of quaility open source compliance programs. Find out more here:
https://www.openchainproject.org/news/2018/10/01/interview-openchain-project-managing-open-source-compliance-across-the-software-supply-chain
We continued with a Flexera Webinar designed to highlight OpenChain as a great starting point for any organization seeking to adopt the key processes of a quality open source compliance program. Learn more here:
https://www.openchainproject.org/news/2018/10/02/openchain-explained-on-a-forthcoming-flexera-webinar
Events
The OpenChain Project announced a a Birds of a Feather (BoF) at 6pm on Monday the 22nd of October at Open Source Summit Europe. This BoF was designed to provide a “ground level” introduction to what we are doing, how we are doing it, and why you should be part of this. Learn more:
https://www.openchainproject.org/news/2018/10/16/openchain-bof-open-source-summit-europe-22nd-october
The OpenChain Project announced a workshop co-located with the Open Source Summit Europe in Edinburgh on the 23rd of October. This provided a deeper dive into OpenChain then the BoF held the previous day. Learn more here:
https://www.openchainproject.org/news/2018/10/10/openchain-workshop-open-source-summit-europe-23rd-october
The OpenChain Project was featured at the Software IP event hosted by IAM and located at Golden Gate Club at the Presidio, San Francisco on the 30th of October. The project was represented by Hung Chang, Senior Product Counsel at Workday, and one of the founders of the OpenChain Project. Learn more:
https://www.openchainproject.org/news/2018/10/30/openchain-featured-software-ip-an-iam-event
The OpenChain Japan Work Group held its sixth meeting on the 31st of October between 2pm and 4:45pm at Toshiba Smart Community Center in Kanazawa. As with the previous five OpenChain Japan Work Group meetings the discussion included a mix of structured reports, activity planning and case studies. Learn more:
https://www.openchainproject.org/news/2018/10/31/openchain-japan-work-group-meeting-6
It was announced that the OpenChain Project will be featured at a forthcoming Bird & Bird event on the 20th of November in Frankfurt, Germany. Learn more:
https://www.openchainproject.org/news/2018/10/10/openchain-bird-bird-event-20th-november
Emerging Internal Services
The OpenChain Project previously maintained a document for “manual OpenChain Conformance.” The idea was that companies could download, print and/or the document to suit workflows beyond our online conformance web app. You can find a version of that document here:
Gary O’Neall from our Conformance Work Team has been doing some exciting work to make it quicker and faster to create a manual conformance document. He is automating the creation from inside the conformance web app. Check it out here:
We also announced the public Beta of a new Web App for benchmarking OpenChain Conformance. The idea is to provide a quick, simple and attractive way for companies to check their status regarding meeting the OpenChain standard. This project is being managed by our good friends at Source Code Control. Learn more:
https://www.openchainproject.org/news/2018/10/04/new-in-beta-web-app-for-benchmarking-openchain-conformance
We are seeking feedback on the current offering regarding:
- Ease of use
- If it helps solves friction around conformance
- How complementary it is to our Conformance Web App
Emerging External Services
TÜV SÜD Japan have launched an OpenChain Certification Program. This is the first such program and foreshadows a series of announcements over the coming months. The core of the OpenChain Project is our specification (standard) and our simple, free process for self-certification. Commercial activities adjacent to this by TÜV SÜD Japan and other organizations are complementary, providing an avenue for verified/audited certification for entities that want to have this level of assurance. Learn more here:
https://www.openchainproject.org/news/2018/10/02/tuv-sud-japan-announces-openchain-certification-program
Project Collaboration
There is a lot of cross-pollination between Linux Foundation open source projects. The latest is a contribution from Fukuchi-San, a driving force in the OpenChain Japan WG, to SPDX. Motivated by a suggestion from Thomas Steenbergen at Open Source Summit Europe 2017 he has prepared a Japanese translation of the SPDX Specification. The draft document is available for comments, suggestions and improvements here:
Learn more:
https://www.openchainproject.org/news/2018/10/29/openchain-♥-spdx
Summary
This was easily our busiest month yet, with a rocket-ship launch into Q4, and providing a strong foundation for our next steps towards formal standardization in 2019/2020. Of particular note is that we are building out membership, conformance and awareness. This will continue through November and the end of the year. Watch this space!
License and Trademarks
Copyright 2018 The Linux Foundation. This newsletter is licensed under the Creative Commons Attribution-NoDerivs 2.0 Generic (CC BY-ND 2.0). Please feel free to share it onwards! OpenChain is a trademark of The Linux Foundation. It may be used according to The Linux Foundation Trademark Policy and the OpenChain Terms of Use. All other trademarks belong to their respective owners.
SAN FRANCISCO and EDINBURGH (OPEN SOURCE SUMMIT EUROPE) – October 23, 2018 –The OpenChain Project, which builds trust in open source by making open source license compliance simpler and more consistent, announces Toshiba has become a Platinum Member. Toshiba has long been a driving force in the OpenChain Japan Work Group, and their new Platinum membership will enable the company to contribute even more to the global adoption of the OpenChain standard. OpenChain member organizations provide resources and support to enable the community to be effective in recommending key processes for effective open source management.
“The OpenChain Project has seen exceptional engagement by the Japanese community,” says Shane Coughlan, OpenChain General Manager. “Toshiba has been at the forefront of this, actively contributing to our meetings and our strategic planning. Their Platinum Membership is a natural evolution of their roles as thought leaders in open source and we are looking forward to accomplishing great things together.”
“OpenChain is not just a project for OSS license compliance, it also helps to improve mutual trust and effective communication between open source developers and users,” says Tetsuji Fukaya, Director of the Corporate Software Engineering and Technology Center of Toshiba Corporation. “Open source is publicly recognized as an essential part of digital transformation and widely used in numerous products. In order to use open source appropriately, we think that license compliance alone is not enough. Mutual trust between developers and users is also essential. OpenChain will be key to achieve both. For that reason, we feel proud of being part of the OpenChain Project.”
Every organization of every size in every market is invited to conform to the OpenChain Specification free of charge. This builds trust in open source by making open source license compliance simpler and more consistent.
Start today by visiting:
https://www.openchainproject.org
Go directly to online self-certification here:
https://www.openchainproject.org/conformance
Platinum Members of the OpenChain Project include Adobe, ARM Holdings, Cisco, Comcast, GitHub, Harman International, Hitachi, Qualcomm, Siemens, Sony, Toshiba, Toyota and Western Digital.
About Toshiba
In over 140 years, Tokyo-based Toshiba Corporation has built a global network of almost 400 companies that channels reliable technologies into “Social Infrastructure”, “Energy”, “Electronic Devices” and “Digital Solutions”—the basic infrastructure that sustains modern life and society. Guided by The Basic Commitment of the Toshiba Group, “Committed to People, Committed to the Future”, Toshiba promotes value creation that helps to realize a world where generations to come can live better lives. In fiscal year 2017, the Group and its 141,000 employees worldwide secured annual sales surpassing 3.9 trillion yen (US$ 37.2 billion).
Find out more about Toshiba at www.toshiba.co.jp/worldwide/about/index.html
About the OpenChain Project
The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.
About The Linux Foundation
The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.
Linux® is a registered trademark of Linus Torvalds.
SAN FRANCISCO and EDINBURGH – OPEN SOURCE SUMMIT EUROPE – October 23, 2018 – The OpenChain Project, which builds trust in open source by making open source license compliance simpler and more consistent, announces it has welcomed SUSE to its community of conformance. Conformance with the OpenChain Specification confirms that an organization follows the key requirements of a quality open source compliance program, and builds trust between organizations in the supply chain. It makes procurement easier for purchasers and preferred status easier for suppliers. Conformance is accomplished by answering a series of questions online.
SUSE is the first enterprise Linux distributor to earn conformance with the OpenChain Project Specification. In doing so, SUSE is helping free industry resources to focus on innovation by reducing complex processes. SUSE joins 17 other organizations with publicly announced conformant programs.
“The OpenChain Standard is suitable for every organization involved in the open source supply chain,” says Shane Coughlan, OpenChain General Manager. “Welcoming SUSE to our community is a landmark milestone that illustrates how we positively impact the beginning of the supply chain. It has been a pleasure to collaborate with a great team toward goals that will ultimately benefit thousands of companies across the globe.”
“For more than 25 years, SUSE has created and engaged with open source communities as a foundation for its enterprise solutions,” said Thomas Di Giacomo, SUSE CTO. “We always engage with the community to better meet customer needs, and our OpenChain certification is another indication to enterprises that we are committed to making their experience with open source software more reliable and cost effective.”
Every organization of every size in every market is invited to conform to the OpenChain Specification free of charge. This builds trust in open source by making open source license compliance simpler and more consistent.
Start today by visiting:
https://www.openchainproject.org
Go directly to the online self-certification here:
https://www.openchainproject.org/conformance
Platinum Members of the OpenChain Project include Adobe, ARM Holdings, Cisco, Comcast, GitHub, Harman International, Hitachi, Qualcomm, Siemens, Sony, Toshiba, Toyota and Western Digital.
About the OpenChain Project
The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.
About The Linux Foundation
The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.
Linux®is a registered trademark of Linus Torvalds.
The OpenChain Project will host a Birds of a Feather (BoF) at 6pm on Monday the 22nd of October at Open Source Summit Europe.
This BoF is designed to provide a “ground level” introduction to what we are doing, how we are doing it, and why you should be part of this.
Speaking more formally, here is the abstract:
“Open source compliance across the supply chain is a challenge known but unsolved for more than a decade. This BoF will explore recent developments in standards and tooling that can help reduce compliance errors as code moves between teams or companies.”
Learn More
Pro Tip
The OpenChain Project will be featured at a forthcoming Bird & Bird event on the 20th of November in Frankfurt, Germany. Find out more or register for this event by contacting the Bird & Bird team:
Bird & Bird LLP
Marienstraße 15
60329 Frankfurt am Main T: +49 (0)69 74222 6000
F: +49 (0)69 74222 6011
frankfurt@twobirds.com
Bird & Bird & Open Source License Compliance in Softwarelieferketten
Am 20. November 2018 findet in unserem Frankfurter Büro ein Seminar zur Open Source License Compliance statt, das wir in Kooperation mit dem OpenChain-Projekt der LinuxFoundation durchführen. Sprecher sind u.a. Andreas Bärwald (TÜV SÜD Product Services GmbH), Dr. Michael Jaeger (Siemens AG), Dr. Catharina Maracke (Software Compliance Academy) und Shane Coughlin (OpenChain Projekt).
Datum: 20. November 2018
Ort: Bird & Bird, Frankfurt am Main
The OpenChain Project will host a workshop co-located with the Open Source Summit Europe in Edinburgh on the 23rd of October. Details below. All welcome!
The OpenChain Workshop – The Supply Chain Compliance Solution (Not A Blockchain)
The OpenChain Project defines the key requirements for a quality open source compliance program through a single, simple specification. It supports this specification with free online self-certification and educational reference material for organizations of all sizes. This workshop will feature the latest developments around supply chain compliance and provide an excellent opportunity for attendees to both learn from and contribute to the project work teams. The goal is to provide practical solutions for real-world challenges across all market sectors.
Date: Tuesday, October 23
Time: 15:00 – 16:30
Location: Edinburgh 1, Sheraton Grand Hotel & Spa Edinburgh
Registration Cost: Complimentary; Pre-registration required
