All Posts By

Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

OpenChain Newsletter #81

By Monthly Newsletter, News

Newsletter – Issue 81 – August 2025

The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.

Key Updates and Announcements

  • AI System Bill of Materials Guide: The public comment period for the “Artificial Intelligence System Bill of Materials – Compliance Management Guide for the Supply Chain” has now closed. The AI Work Group, Governing Board, and Steering Committee are reviewing the feedback received. You can follow the progress and view the draft guide here.
  • OpenChain at Open Source Summit Europe: The OpenChain Project had a strong presence at the recent Open Source Summit Europe, with talks and panels from board members and work group chairs. A mini-summit was also held to share knowledge on license, security, and regulatory compliance. You can learn more about the event here.
  • Call for Translation Collaboration: The OpenChain Project is seeking community assistance in translating the self-certification materials for ISO/IEC 5230 (Open Source License Compliance) and ISO/IEC 18974 (Open Source Security Assurance) into German, Japanese, Korean, and Chinese (Simplified and Traditional). If you are fluent in these languages, you can contribute to this important effort. Draft machine translations are available on GitHub to get you started. Find out more here.
  • Improved Self-Certification: The online self-certification process for both OpenChain ISO/IEC 5230 and OpenChain ISO/IEC 18974 has been updated and improved, making it easier for organizations to assess and declare their conformance. Check out the updates here.
  • OpenChain in China: A successful mini-summit on “Open Source Software Supply Chain Security Compliance in the AI Era” was held at the 2025 CCF China Open Source Conference in Shanghai. The event was led by the OpenChain China Work Group and covered both legal and technical aspects of compliance. Read more about it here.
  • Understanding the CHAOSS Project: A recent webinar explored the CHAOSS (Community Health Analytics for Open Source Software) project, a Linux Foundation initiative focused on developing metrics and software to better understand the health of open source communities. You can find more information about this informative session here.

Recent Meeting Recordings

For those who missed them, recordings of recent OpenChain meetings are now available:

  • Monthly Specification and Education Call (North America – Europe) – August 13, 2025: This call covered the latest project news, a call for papers for the Open Compliance Summit, and updates from the Specification and Education Work Groups. You can watch the recording here.
  • OpenChain Japan Community Day #34 at Mitsubishi Electric: Recordings from this two-day event, featuring discussions on OSPO activities, preventing common licensing mistakes, and an introduction to OSS compliance for beginners, are now online. Access the recordings here.

Potential Further Actions for Readers

  • Attend Future Meetings: The best way to stay informed and contribute is to participate in the various OpenChain work group calls. The monthly Specification and Education calls, along with other topical and regional meetings, are open to everyone. You can find the full schedule of upcoming meetings and information on how to join on the OpenChain participation page.
  • Contribute to Translations: If you have language skills, your contribution to the translation of self-certification materials would be highly valuable. This is a practical way to help the global community adopt OpenChain standards.
  • Engage with Work Groups: Consider joining the mailing lists of the work groups that align with your interests, such as the AI Work Group, Specification Work Group, or Education Work Group. This will allow you to follow discussions and contribute your expertise.

To get more involved in any of these activities and to help build a more trusted open source supply chain, please visit: https://openchainproject.org/participate

Note: This newsletter usually only contains primary meetings. Some community meetings are not recorded or are released through other channels.

AI Usage:

This newsletter is created by using a template, curating links from a month of OpenChain news posted on the blog and using these prompts on Google Gemini to fill out the central news:

  • “Summarize the following newsletter for folks interested in the open source compliance to learn the latest changes in the space and find possible items that can act on. Include the links in this newsletter. Add notes on potential further actions by readers, particularly around attending future meetings. Direct people to this link to participate further: https://openchainproject.org/participate”

The newsletter is then subject to an edit cycle. If you spot any errors we missed, please contact us.

RECORDING: OpenChain SBOM Work Group – Monthly Meeting – 2025-09-24

By News

As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?”

This Meeting Discussed:

  1. The next steps for the SBOM Work Group and its Guide to SBOM Quality
  2. Any Other Business

Learn More About This Study Group:

Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.

Get Involved:

Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list: https://lists.openchainproject.org/g/sbom

💻 We have a dedicated GitHub Repo: https://github.com/OpenChain-Project/SBOM-sg

Attend Future Meetings:

You can find and get the dial-in details for all future meetings from our participate page here: https://www.openchainproject.org/participate

OpenChain @ Balkan Computer Congress (BalCCon2k25)

By News

OpenChain was represented by Vladimir Slavov at the Balkan Computer Congress (BalCCon2k25) on the 21st of September with a talk entitled ‘OpenChain: Towards a More Secure and Compliant Software Supply Chain.’

The talk was split into three parts of roughly the same length.

Part 1 made the case for implementing a program to manage OSS in your organization. It focused on both the positive effects of establishing such a program, as well as the risks assumed by not having one.

Part 2 focused on the OpenChain ISO Standards and how they can be used as simple reference documents for upgrading your operations for a secure and compliant software supply chain.

Part 3 was about the OpenChain community, what it has to offer, and how you can get involved and contribute. Special focus was placed on the OpenChain Eastern European chapter we are currently in the process of establishing, with an open invitation to anyone who would like to participate.

RECORDING: OpenChain Monthly Specification and Education Call (Europe / Asia) – 2025-09-17

By News

We Discussed:

Led by Martin Yagi (Chair, Education Work Group), the call covered the following agenda:

  • OpenChain Project News
  • Open Compliance Summit – Call for Papers
  • Specification Work Group – Some Questions for the Community
  • Education Work Group – Update on Status and Community Work Items
  • Any Other Business?

A reminder for those in Asia – while this edition of the monthly call is happening in the darkest hours of the night (01:30 in Japan!), we also have a monthly Europe / Asia call that works better for those in Eastern time zones. Check out the schedule for this and all our other meetings here:
https://openchainproject.org/participate

Coming Next:

  • A ton of work pending on education, and a survey to be released for the spec. Expect a strong focus on looking at what we have accomplished, looking at feedback, and making it better.

Join Our Work:

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate

Update on OpenChain ISO/IEC 18974 and the CRA

By News

Thanks in no small part to the advocacy of SZ Lin, OpenChain ISO/IEC 18974 has been officially referenced in the EU Cyber Resilience Act (CRA) harmonized standards discussion.

You will find OpenChain ISO/IEC 18974 cited in Slide 67 of the “CRA Standards Unlocked: Unlocking CRA Security Controls: preparation for UNE Event” from CEN CENELEC:

We are referenced alongside:
• ISO/IEC TR 5895:2022 – Cybersecurity – Multi-party coordinated vulnerability disclosure and handling
• ISO/IEC 30111:2019 – Information technology – Security techniques – Vulnerability handling processes
• ISO/IEC 29147:2018 – Information technology – Security techniques – Vulnerability disclosure

What this means:

The value of our security standard has been positively recognized by the parties bringing together the official CRA standards / requirements portfolio.

It provides a door to both continue and expand our collaboration in this space. The precise next steps will be determined in collaboration with our community and the governing board.

Welcoming the OpenChain Ambassador Program

By Featured, News

OpenChain Ambassadors are official advocates within the OpenChain Project helping build a more trusted supply chain. They are a point of contact for new participants, and can help connect the community with knowledge and solutions. They provide support, training, mentorship and guidance to help:

  • With OpenChain community through local meetups, events, and content
  • Foster strong community collaboration and relationships
  • Attract and welcome new community participants
  • Provide feedback to the OpenChain Governing Board about community programs and initiatives
  • Advocate OpenChain best practices and OpenChain initiatives around the world

We are delighted to welcome 21 initial ambassadors from around the world, and to provide an even greater community of support for everyone working on a more trusted supply chain.

Learn more about who is in the program, and how to contact them, via our official Ambassadors page.

Webinar: Introduction to the Cyber Resilience Act (CRA)

By community, legal, licensing, News, standards, Webinar

About This Webinar:

The European Union (EU) Cyber Resilience Act (CRA) is a new law that covers almost all “products with digital elements”, including software, released in the EU. Enforcement will begin in 2026, even on organizations that aren’t based in the EU. This presentation explains the scope and requirements of the CRA. This webinar was led by David A. Wheeler, Director of Open Source Supply Chain Security at the Linux Foundation.

Check out our online training course diving deeper into this topic:
https://training.linuxfoundation.org/express-learning/understanding-the-eu-cyber-resilience-act-cra-lfel1001/

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2025-09-12.

Webinar: Compliant containers with the OSADL Base Image

By legal, licensing, News, Webinar

About This Webinar:

While containers certainly simplify deploying software, fulfilling FOSS license obligations for containers is made difficult by their layered structure and the lack of compliance material in public repositories. Although every container is customized for its particular use and therefore comprises different software components, many are built on a base image that provides essential system components. It seems obvious to apply the Open Source principle of sharing development of non-differentiating technologies and services to license obligations of container base images. Therefore, OSADL offers the OSADL Base Images, which are provided together with all the legal information and material needed to distribute them compliantly. A company may build their individual container images on top of the OSADL Docker Base Image and use the provided instructions to fulfill license obligations for the additional software to achieve license compliant container distribution. This presentation explained how the base images, and in particular the license compliance material, are created, listed what flavors, versions and variants are available, and showed how they can be used to facilitate licensing of individual containers.

Project page: https://www.osadl.org/base-image

Docker Hub: https://hub.docker.com/r/osadl/

This OpenChain Webinar was broadcast on 2025-09-12.

The SBOM Study Group is now the SBOM Work Group

By News

What Is Happening?

The OpenChain SBOM Study Group has covered a lot of ground since it was formed in July 2024. After just over a year of work, and with a detailed examination of what is needed for quality cross-industry Software Bill of Materials, the Governing Board has voted to turn it into a Work Group.

The full details of Study Groups vs Work Groups can be found in our FAQ, but the short version is that a Study Group *thinks* about something, and a Work Group *works* on something.

The SBOM Study Group has prepared detailed conceptual information for a ‘SBOM Document Quality Guide’

The newly formed SBOM Work Group will turn this into a completed, formal OpenChain Guide. You can read about the future guide in detail from a special post we wrote on the subject.

How Can I Help?

The next step is to close all the comments on the draft document… or add your own! You will find it here:

Learn More About This Work Group:

Our SBOM Work Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.

Get Involved:

Everyone is welcome to be part of this work group! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/sbom

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/SBOM-sg

Attend Future Meetings:

You can find and get the dial-in details for all future meetings from our participate page here:
https://www.openchainproject.org/participate

Special Study Group > Work Group FAQ

Q: Does this mean links will change to the mailing list or GitHub repo?

A: No, nothing will change at this time.

Q: Does this mean leadership of the SBOM activity will change?

A: No, nothing will change at this time.

Q: Does this mean all the participants are even cooler than before?

A: Yes.

RECORDING: OpenChain Monthly Specification and Education Call (North America – Europe) – 2025-09-10

By News

We Discussed:

Quite a few things! Led by Chris Wood (Chair, Specification Work Group) and Martin Yagi (Chair, Education Work Group), the call covered the following agenda:

  • OpenChain Project News
  • Open Compliance Summit – Call for Papers
  • Specification Work Group – Some Questions for the Community
  • Education Work Group – Update on Status and Community Work Items
  • Any Other Business?

A reminder for those in Asia – while this edition of the monthly call is happening in the darkest hours of the night (01:30 in Japan!), we also have a monthly Europe / Asia call that works better for those in Eastern time zones. Check out the schedule for this and all our other meetings here:
https://openchainproject.org/participate

Coming Next:

  • A ton of work pending on education, and a survey to be released for the spec. Expect a strong focus on looking at what we have accomplished, looking at feedback, and making it better.

Join Our Work:

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate