All Posts By

Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

Updated OpenChain Conformance Badges

By News

The OpenChain Project provides the global community with conformance badges. These allow organizations to easily show they have an OpenChain Standard-Related Program.

These badges have now been updated with an improved badge for ISO/IEC 5230:2020 (license compliance) and a new badge for ISO/IEC DIS 18974 (security assurance). If you are conformant, or are certifying another organization, please feel free to use them:
https://github.com/OpenChain-Project/Image-Assets/tree/master/Official/Conformance-Badge

Note: we have added SVG versions of the badges alongside the AI, PNG, JPG and other formats. This tracks our move towards Markdown and SVG where possible, so that material can be used anywhere at any size.

Coming Soon: 2nd Meeting of the OpenChain Legal Work Group – 2023-05-25 – 16:00 UTC (09:00 PDT / 18:00 CEST / 00:00 CST)

By News

The first meeting of the Legal Work Group took place on the 25th of April 2023 to explore model provisions for OpenChain ISO/IEC 5230 or ISO/IEC DIS 18974 in procurement contracts and similar material. We decided to proceed via mirroring the format of the pre-existing public domain Risk Grid:
https://github.com/OpenChain-Project/Reference-Material/tree/master/General-Compliance-Support-Material/Risk-Grid

Our 2nd meeting will take place on 2023-05-25 at 16:00 UTC (09:00 PDT / 18:00 CEST / 00:00 CST) to continue our work. Meanwhile, keep up-to-date via our mailing list:
https://lists.openchainproject.org/g/legal-wg

Reminder:

The goal is to ensure people can understand options. We will not be prescriptive and these model provisions will remain part of the OpenChain reference material. They will not be included in the standards themselves.

Open Now: The LF World of Open Source – Global Spotlight 2023 Survey

By News

Are you familiar with open source and your organization’s use of open source software?

Take the Linux Foundation’s World of Open Source: Global Spotlight 2023 Survey!

Linux Foundation Research has launched the World of Open Source: Global Spotlight 2023 survey to explore the state of open source around the world. The research will investigate regional open source trends including the size and scope of open source programs across organizations and industries, opportunities and challenges in private and public sector engagement in open source, the value proposition of open source, and the use and adoption of open source technologies and best practices.

Your perspective is critical for us to capture open source trends at a global level. The survey should only take 10-15 minutes to complete.

We thank you for your participation. Upon completion of the survey, you will receive a code for a 25% discount on any Linux Foundation e-learning training course or certification exam, as long as you register before August 30, 2023.*

*This offer is available to anyone who completes the World of Open Source: Global Spotlight 2023 survey and uses the applicable coupon to purchase an e-learning course or certification between April 18, 2023 and August 30, 2023, 23:59 UTC. It is NOT valid for any other combination of e-learning or instructor-led-training courses or certifications. Discount limited to individual purchases ONLY. Offer not valid with any other discount combinations. Offer does not include FINOPS.

PRIVACY

You will not be asked for any personal identifying information. Reviews are attributed to your role, company size, and industry. Responses will be subject to the Linux Foundation’s Privacy Policy, available at https://linuxfoundation.org/privacy.

VISIBILITY

The data we collect from this survey will be analyzed to produce an in-depth survey report that will be shared with all survey participants and will be published on the Linux Foundation website in 2023. The dataset from this survey and instructions for its use will be made publicly available on the Linux Foundation’s Data.World account.

QUESTIONS

If you have questions regarding this survey, please email us at research@linuxfoundation.org.

Coming Soon: OpenChain Korea Work Group Meeting #18 – 2023-06-22

By News

June 22, 2023 at Kakao (Pangyo Agit)

Schedule

  • Date: 2023-06-22 (Thu), 14:00 to 17:00
  • Venue: Kakao Pangyo Agit (166 Pangyoyeok-ro, Bundang-gu, Seongnam-si, Gyeonggi-do)

Agenda

  No  Agenda                           Speaker                            Slide
  0   Welcome & OpenChain KWG Update   황은경, Kakao
  1   OpenChain Global Update          Shane Coughlan, Linux Foundation
  2   To be updated
  3   Group Discussion & Networking    all
  4   To be updated

Join The Korea Work Group Mailing List To Keep Up-To-Date:

OpenChain Education Work Group 2023-05-11 – Recording

By News

You can catch the recording of our latest OpenChain Education Work Group meeting below. Work focused on the supplier education leaflet. We are getting close to an updated release version and your review would be very useful. This document will be formatted for PDF distribution (with Markdown as the final source), and is intended to be a “one attachment” way to get your suppliers up to speed on the basics of open source license compliance and security assurance.

Coming Soon: OpenChain UK Work Group meeting at First Light Fusion – 2023-06-07

By News

The next meeting of the workgroup will be occurring on the 7th of June. Martin has kindly offered to host us at First Light Fusion in their office in Yarnton, just outside Oxford. We’ll be starting things off at 12:45 with arrivals welcome from 12:00 for refreshments and informal discussions. Both in-person and online attendance are possible.

We’ll set up an Eventbrite shortly with a detailed agenda. Please drop me an email if you would like to add anything. Our initial draft agenda includes:

  1. An update from Martin on the bitesized videos.
  2. An update from myself (Finnian) on the anonymised case study project. If people have any suggestions about how to tailor this project to suit you and your organisation, please let me know.
  3. Case studies workshop.
  4. Discussion around liaising with the Japan WG.
  5. A studio area (potentially – tbc) available 16:00-17:00 for videoing of introductions and testimonials. 

Join The Mailing List To Stay Informed

OpenChain Monthly Meeting 2023-05-02 – Recording

By News

As always, this is where we are editing the next generation versions of our license compliance and security assurance specifications. Mary Hardy (OpenChain board representative from Microsoft) kindly acted as MC in support of Helio and Chris, co-chairs of the specification work group. Check out the full recording below.

Curious about where we are editing the specifications on GitHub?

Draft Specifications

Licensing:
https://github.com/OpenChain-Project/License-Compliance-Specification/blob/master/3.0/en/openchain-license-compliance-3.0.md

Security:
https://github.com/OpenChain-Project/Security-Assurance-Specification/blob/main/Security-Assurance-Specification/2.0/en/openchain-security-specification-2.0.md

Open Issues

Licensing:
https://github.com/OpenChain-Project/License-Compliance-Specification/issues

Security:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues

OpenChain Mini-Summit 2023 @ OSS NA

By Featured, News

The OpenChain Project held a mini-summit adjacent to the Linux Foundation Open Source Summit North America. Check out our opening keynote for some substantial data points on our project, our standards for license compliance and security assurance, and the type of support you can get with adoption.

We continued with a presentation from our board member Helio (CARIAD), with a strong focus on how people can use automation in the practical implementation of important compliance and security processes at scale.

The final presentation drilled further down the stack, with a great contribution from the LG Electronics team as they explained FOSSLight, an open source tool for open source compliance and security management with a sophisticated dashboard and automation. This solution is gaining traction in South Korea and is well worth attention globally.

The overarching event this year had around 2,000 physical attendees and 2,000 virtual, and we were delighted to welcome some new faces to our corner of the open source community. It was also a pleasure to see many familiar faces in the room.

Minutes Prepared By Steve Kilbane of Analog Devices

  • Expecting the Security Spec to graduate from ISO/IEC at the end of July.
  • Shane has produced 8 case studies using ChatGPT.
  • Helio on “State of Tooling in Open Source Automation” (Helio can probably share his slides, if they’re not already on the LF platform)
    • Tools, Trends, Insights.
    • Previous trend was license compliance.
    • Current trend is security.
    • Few can consume SBOMs.
    • Lots of gaps for license compliance automation.
    • We need open data, avoiding control of that data by one entity.
    • Binary analysis will displace source-only scans.
      • I think this point here is that, current binary scans aren’t sufficient, but as we move up SLSA levels, we’ll have more attestations from the build, and those will be sufficient.
    • Poor data quality, especially vulnerability databases.
    • PURLs prevent vendor lock-in to a given DB.
      • We need unique identifiers for software.
    • We need to share the data of package review and curation, but need to overcome concerns from legal departments.
    • Should we share scanner output first? (ahead of curations?)
    • We should try to fix upstream (to have better compliance info / metadata)
    • Helio wants data to be standardised; I was unclear whether Helio was saying data should be centralised or de-centralised (sorry, Helio). I wasn’t clear whether the call was for a federated network of standard servers.
    • Licensing isn’t the same as security. Lots in common, but different use-cases, with different audiences, so have different docs to explain your systems and tools.
    • License compatibility: Multiple tools / matrices in use, but they’re all legally subjective and dependent on jurisdiction.
    • Snippet matching
      • V. expensive in terms of time (and, therefore, money)
      • Weirdly, Helio argued that Synopsys has given up on Snippet matching, as they’ve all but abandoned Protex. Hub has snippet-matching – we use it all the time at ADI.
      • Suggests that ChatGPT et al. will make snippet matching more relevant and useless, at the same time, because it’ll generate new boilerplate from everyone’s code.
      • Note to self: Look into MatchCode, which Helio mentioned.
    • SBOMs
      • Not good, don’t have all the data.
      • Often can’t read them anyway.
      • Tools do not integrate them well.
      • SBOMs need to be validated – but even a valid SBOM can contain junk data, if the data is wrong in the first place.
    • Collaboration opportunities
      • “Live inventory of FOSS tools and their capabilities” – which sounds like the capability map / tooling landscape the OpenChain Automation WG was working on last year.
  • FossLight presentation from LG (fosslight.org)
    • Scans with ScanOSS and ScanCode.
    • Bunch of package managers supported.
    • Has a built-in workflow – SBOM management?
    • Has a Jenkins CI for the prechecker.
    • Mails vulnerability notices to the dev team.
    • Has a Supply Chain Management section, for third-party code.
    • Unclear how many of the features being mentioned are part of the OSS product, and how many are still internal-only for LG.
    • I didn’t spot where the clearing/curation decision feeds back into a later scan.
    • Sounds like developers can only upload single packages at a time to be scanned; bulk upload is an internal-only package at the moment.
  • Shane mentioned a cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn’t catch). The OSPO budgeted three hours to do the job. They spent a week on it, then gave up and bought Black Duck. So we have a way to go on making tooling easier to set up.
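Two points in the minutes above can be checked mechanically: a Package URL (purl) gives a vendor-neutral identifier for joining records from different vulnerability databases, and an SBOM that passes structural validation can still carry junk. The following is an added Python example written for this page; it is not part of the minutes and is not code from FOSSLight, from Helio's presentation or from the OpenChain project. It parses purls in the purl-spec order (subpath, qualifiers, scheme, type, version), derives a canonical join key using the spec's per-type name rules, runs a minimal structural check on a constructed CycloneDX-style SBOM, and then flags components whose own name or version contradicts their purl. SAMPLE_SBOM, its component names and versions are constructed for illustration; structural_errors checks only the handful of fields shown and stands in for a full schema validation.

```python
"""Parse Package URLs and cross-check a CycloneDX-style SBOM for internally inconsistent data."""
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split a purl (pkg:type/namespace/name@version?qualifiers#subpath) into its parts.

    Follows the purl-spec parsing order: subpath from the right, qualifiers from the right,
    scheme, type from the left, version from the right. Assumes canonical encoding, i.e. any
    '@' inside a namespace (npm scopes) is percent-encoded as %40.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"missing pkg: scheme in {purl!r}")
    rest = purl[len("pkg:"):]
    subpath = None
    if "#" in rest:
        rest, raw = rest.rsplit("#", 1)
        parts = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(parts) or None
    qualifiers = {}
    if "?" in rest:
        rest, raw = rest.rsplit("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if key and value:                      # qualifiers with empty values are dropped
                qualifiers[key.lower()] = unquote(value)
    ptype, _, rest = rest.strip("/").partition("/")
    if not ptype or not rest:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    version = None
    if "@" in rest:
        rest, raw = rest.rsplit("@", 1)
        version = unquote(raw) or None
    segments = [s for s in rest.strip("/").split("/") if s]
    if not segments:
        raise ValueError(f"purl has no name: {purl!r}")
    return {
        "type": ptype.lower(),
        "namespace": "/".join(unquote(s) for s in segments[:-1]) or None,
        "name": unquote(segments[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def canonical_name(ptype: str, name: str) -> str:
    """Apply the purl-spec type rules under which two spellings of one package compare equal."""
    if ptype == "pypi":                            # PyPI is case-insensitive and treats '_' like '-'
        return name.lower().replace("_", "-")
    if ptype in ("github", "bitbucket"):           # these hosts are case-insensitive
        return name.lower()
    return name


def purl_key(purl: str) -> tuple:
    """Vendor-neutral join key: records from different databases with equal keys are one package."""
    p = parse_purl(purl)
    ns = p["namespace"]
    if p["type"] in ("github", "bitbucket") and ns:
        ns = ns.lower()
    return (p["type"], ns, canonical_name(p["type"], p["name"]), p["version"])


def structural_errors(sbom: dict) -> list:
    """Minimal shape check standing in for schema validation (a subset of CycloneDX required fields)."""
    errors = []
    if sbom.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat must be 'CycloneDX'")
    if not isinstance(sbom.get("specVersion"), str):
        errors.append("specVersion must be a string")
    comps = sbom.get("components")
    if not isinstance(comps, list):
        return errors + ["components must be a list"]
    for i, c in enumerate(comps):
        if not isinstance(c, dict) or not isinstance(c.get("type"), str) or not isinstance(c.get("name"), str):
            errors.append(f"components[{i}] needs string 'type' and 'name'")
    return errors


def consistency_issues(sbom: dict) -> list:
    """Find components whose own fields contradict their purl: junk a schema check cannot catch."""
    issues = []
    for c in sbom.get("components", []):
        label = f"{c.get('name')}@{c.get('version')}"
        purl = c.get("purl")
        if not purl:
            issues.append(f"{label}: no purl, so it cannot be joined to vulnerability data")
            continue
        try:
            p = parse_purl(purl)
        except ValueError as exc:
            issues.append(f"{label}: unparseable purl ({exc})")
            continue
        if p["version"] is None:
            issues.append(f"{label}: purl {purl} has no version; a vulnerability lookup on it is ambiguous")
        elif p["version"] != c.get("version"):
            issues.append(f"{label}: version disagrees with purl {purl}")
        if canonical_name(p["type"], p["name"]) != canonical_name(p["type"], c.get("name", "")):
            issues.append(f"{label}: name disagrees with purl {purl}")
    return issues


# Constructed sample, not a real inventory: structurally fine, but two components carry junk.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "Flask", "version": "2.3.2", "purl": "pkg:pypi/flask@2.3.2"},  # same package
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.20"},  # wrong
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad"},  # no version
    ],
}


def audit(sbom: dict) -> dict:
    """Run both checks; a clean 'structural' list with a non-empty 'consistency' list is the case the minutes warn about."""
    return {"structural": structural_errors(sbom), "consistency": consistency_issues(sbom)}


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_SBOM).items():
        print(f"{kind}: {'ok' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the structural pass is clean while the consistency pass reports lodash (version mismatch) and left-pad (unversioned purl); Flask and flask compare equal through the PyPI canonicalization rule, which is the property that lets purl_key join records across databases without depending on any one vendor's naming.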