Shane Coughlan

Nathan chaired the latest Education Work Group meeting with a focus on updating our supplier education leaflet. Check out the full recording below to learn more. You can also join our education mailing list to keep track of progress here and around other documents.

The Recording Of The Meeting

The Education Work Group Mailing List

• https://lists.openchainproject.org/g/education

Apologies to everyone that it took a while to release this recording. Big thanks to PwC for hosting and to all our participants for a lively and useful discussion. You can see the previous outcomes blog post with this video added here:
https://www.openchainproject.org/news/2023/03/31/openchain-germany-work-group-meeting-2023-03-30-outcomes

LG Electronics has published a news item about their recent adoption of OpenChain ISO/IEC DIS 18974, the de facto industry standard for open source security assurance.

An extract from their post:

(서울=연합뉴스) 김아람 기자 = LG전자[066570]는 미국 비영리단체 리눅스재단의 오픈체인 프로젝트가 규정한 ‘오픈소스 소프트웨어 보안 관리체계 국제표준’ 준수 기업으로 인정받았다고 21일 밝혔다.

이 인증 획득은 국내는 물론이고 글로벌 제조업계를 통틀어 LG전자가 유일하다.

소스코드가 공개된 오픈소스 소프트웨어 사용에서 ▲ 내부 보안정책 수립 ▲ 보안정책의 주기적 업데이트 ▲ 보안 테스트를 위한 각종 툴 사용 여부 등 30여개 보안 인증 요건을 모두 충족했다.

Read The Full Article

https://www.yna.co.kr/view/AKR20230421023900003

Dr. Andreas Kotulla over at BitSea has flagged some interesting concerns when using ChatGPT to talk about open source licenses. While a conversation about open source licenses in China correctly identified the Mulan Permissive Software License, other Chinese “licences [discussed by ChatGPT] seem to come from ChatGPT’s pure imagination!”

From his research:

China is playing an increasingly important role in the open source world. Especially for globally active companies with their own software development, it is worth taking a look at the Far Eastern market. But caution is advised in research efforts: Those who trust in the help of artificial intelligence should be prepared for misjudgements. In my blog, I show by example what can happen or what should be taken into account when software like ChatGPT is supposed to provide support in this still young field of research.

Read the full article

• https://bitsea.de/en/2023/04/chinesische-open-source-lizenzen-obacht-beim-einsatz-von-chatgpt/

The first meeting of the Legal Work Group took place on the 25th of April 2023. We explored model provisions for including OpenChain ISO/IEC 5230 and OpenChain ISO/IEC DIS 18974 (and potentially other standards) in procurement contracts or similar material.

The goal is to ensure people can understand options. We will not be prescriptive and these model provisions will remain part of the OpenChain reference material. They will not be included in the standards themselves.

The call started by looking at model provisions done before via the Risk Grid:
https://docs.google.com/spreadsheets/d/1yh3wPTRyRZ0NmYh5V5JtXeknlYGYe53BtyLIMSFsoTY/edit#gid=208806775

The document, under public domain, has been moved to the OpenChain GitHub for ease of access and editing:
https://github.com/OpenChain-Project/Reference-Material/tree/master/General-Compliance-Support-Material/Risk-Grid

Our outcome was to use this basic format as a way to structure our first round of model provisions, and to have the option of merging the documents in the future.

Full Recording

Some Post-Call Outcomes

Risk Grid Version 11 (last published version) is now fully translated to MarkDown:
https://github.com/OpenChain-Project/Reference-Material/blob/master/General-Compliance-Support-Material/Risk-Grid/risk-grid-11.md

Risk Grid Version 12 has been created to help set the template for our adjacent work on model language for ISO/IEC 5230 and ISO/IEC DIS 18974. This document needs review:
https://github.com/OpenChain-Project/Reference-Material/blob/master/General-Compliance-Support-Material/Risk-Grid/risk-grid-12.md

This is a continuation of the risk grid that:
– makes a first attempt to reorder the issues based on their granularity – highest first and;
– adds the issue title to the issue number for ease of navigation and;
– merges the Commentary and Comments fields to reduce redundancy.

This version removes issue numbers because the titles replace the numbering, and it avoids long term issues with quotations of different issue numbers across different versions of the risk grid.

Shane Coughlan, OpenChain General Manager, delivered a talk entitled ‘How The Linux Foundation Standards For License Compliance And Security Will Fix Your Supply Chain‘ at FOSS North 2023 on the 25th of April 2023.

Formal Talk Outline

The OpenChain License Compliance (ISO/IEC 5230) and Security Assurance standards provide simple and effective ways for companies in the supply chain to improve open source software management. Organizations around the world have engaged with these standards over the last five years for cost reduction, time optimization and to allow staff to work on tasks directly related to improving products and services. Data suggests significant traction in adoption, with an example being a recent PwC-sponsored survey showing 20% of German companies with more than 2,000 employees using ISO/IEC 5230. This talk will explain how the OpenChain Project is building the support structures needs to accomplish ever broader market adoption, ranging from community activities to reference material to a commercial ecosystem. It will focus on recent developments, especially around expanding work in security, in editing the next generations of the standards, and in lessons learned to revise our supplier education material. Attendees will leave this talk knowing current options for assessment, deployment and – in the case of customer companies – encouraging suppliers to use these standards too.

Check Out Our Slides