Shane Coughlan

As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?” We are dealing with the reality of supply chains with many participants who have different levels of skill, use different formats, and perhaps follow different regulations or policies.

In this meeting, we had a great presentation from Marc-Etienne Vargenau of Nokia about a forthcoming update to the Telco SBOM Guide (a guide to SBOM Quality in the Telco industry). Version 1.0 of the Telco Guide came out in July of 2024. Version 1.1, previewed in this call, was released to the OpenChain Telco Work Group in March 2025, and will be getting a general release in April 2025.

Learn More About This Study Group:

Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.

Get Involved:

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/sbom

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/SBOM-sg

Open source software providers are facing a triple threat: tightening US and EU regulations, rising IP litigation, and the risks introduced by Gen AI. Soon, your board—and your customers and suppliers— might be asking that you have specific insurance that actually covers OSS-related liabilities. But, does such insurance exist? Does it work? And how should it work?

Historically, insurers have struggled to grasp OSS risks, offering inadequate or unclear coverage. Now, a new wave of insurance solutions is emerging, informed by OpenChain standards and best practices.

Join this session to explore how the insurance industry is evolving, what new OSS-specific coverage looks like, and how you can help shape it to meet the real needs of the open source community.

Join using this link: 

• https://zoom-lfx.platform.linuxfoundation.org/meeting/97506580721?password=bce4f9d8-0db5-49f5-a5fa-d6dad0a8f81f

We start on 2025-04-22 @ 08:00 UTC / 09:00 BST / 10:00 CEST / 16:00 CST / 17:00 KST / 17:00 JST

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

• https://www.openchainproject.org/webinars

This time we discussed strategic matters like next steps in our existing ISO standards, board strategy discussions underway, and community considerations. We also took a look at two items from sister projects related to project health and security:

OpenSSF Scorecard:
https://scorecard.dev/

CHAOSS Metrics
https://chaoss.community/software/

Check out the Meeting Slides:

• https://github.com/OpenChain-Project/Meeting-Minutes/tree/main/Slides/2025

Watch the Recording:

Coming Next:

We will be following up on the activities outlined above on the mailing lists, and we will continue our regular series of calls and meetings throughout the year.

Join Our Work:

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate

The OpenChain Telco Work Group is in the final stages of preparing Version 1.1 of the Telco SBOM Guide, an industry-specific but adaptable guide to addressing the question of SBOM quality in the supply chain. Learn more in their latest meetings.

Be part of this:

You can get involved with the OpenChain Telco Work Group through their dedicated mailing list. At this link, you will also find connections to other working groups around the world:

• https://openchainproject.org/participate

Please note: you do not have to be an expert in telecommunications or work for a telecommunications company to join the group. Work on subjects like the Telco SBOM Quality Guide is intended to also help other market sectors.

This meeting featured a special presentation by Jeronimo Ortiz of SCANOSS. It provided an overview of the open source SCA tooling and technologies that SANOSS has open sourced and maintains, and looked at some of the user guides and documentation to reduce the adoption effort.

In addition, Jeronimo demoed how to make use of the osskb.org service from Software Transparency Foundation at scale using GitHub Actions, and how you can leverage scanoss.py to make use of such a service for detecting open source at file and snippet level, getting license and copyright information, or creating simple and quick SBOMs in different formats.

The presentation also included an overview of the work being done to integrate osskb.org with well known tools like ORT or FOSSology.

An introduction to DeepSeek, its technical highlights, its history, its company, and its vision. The main presentation for this webinar will be by Jerry Tan, a long-time contributor to the open source ecosystem in China.

Join using this link up to ten minutes before the official start: 

• https://zoom-lfx.platform.linuxfoundation.org/meeting/94251632341?password=b71b8068-fb68-4f02-8afb-d8b9b20f8099

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

• https://www.openchainproject.org/webinars

We held our regular workshop for the OpenChain AI Work Group on March 5th. It was a two-hour session to allow topics related to AI compliance to be discussed, explored and defined. The key focus for the Work Group is to develop and finalize a Guide to AI Bill of Material Compliance in the Supply Chain, and there is active drafting going on during each meeting.

The Draft Guide:

• https://docs.google.com/document/d/1g1kdmx1bDlQ0feSeW-ZY5JRFAF-HC30a/edit

Watch the Recording:

Track This Work:

You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:

• https://lists.openchainproject.org/g/ai

Attend Future Meetings:

You can find and get the dial-in details for all future AI Work Group meetings from our participate page here:

• https://www.openchainproject.org/participate

Open source and insurance has long been a topic of interest to commercial providers of products and solutions. This webinar will help unpack the reality of insurance considerations in this space. All welcome.

Abstract:

Open source software providers are facing a triple threat: tightening US and EU regulations, rising IP litigation, and the risks introduced by Gen AI. Soon, your board—and your customers and suppliers— might be asking that you have specific insurance that actually covers OSS-related liabilities. But, does such insurance exist? Does it work? And how should it work?

Historically, insurers have struggled to grasp OSS risks, offering inadequate or unclear coverage. Now, a new wave of insurance solutions is emerging, informed by OpenChain standards and best practices.

Join this session to explore how the insurance industry is evolving, what new OSS-specific coverage looks like, and how you can help shape it to meet the real needs of the open source community.

Meet Your Presenters:

Lewis Parle, Head of Intellectual Property Risks @ Lockton

Andrew Katz, CEO @ Orcro

Stephen Pollard, Director Open Source Advisory @ Orcro

Join the Webinar:

LINK PENDING

The 25th Meeting of the OpenChain Korea Work Group is coming soon! Join one of the most energetic, friendly and productive open source communities dedicated to better supply chain management. All welcome, even if you do not speak Korean.

Time and Date: 25th of March (2025-03-25) 14:00 – 17:00

Location: Korea Digital Certification Association (Yeouido Park One Building Tower 2, 48th floor) – https://maps.app.goo.gl/YnxTkz8LjHPXFJBv6

Check out the agenda and learn more here:

• https://openchain-project.github.io/OpenChain-KWG/en/meeting/25th/

Please note: Format registration will launch soon. You can already express your interest on the OpenChain Korea Work Group mailing list (https://lists.openchainproject.org/g/korea-wg).