Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source.
Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.
We held the first monthly workshop for the OpenChain AI Work Group in 2025. It was a two-hour session to allow topics related to AI compliance to be discussed, explored and defined. The key focus for the Work Group is to develop and finalize a Guide to AI Bill of Material Compliance in the Supply Chain, and there is active drafting going on during each meeting.
You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
The end of the comment period for proposed updates to ISO/IEC 5230 and ISO/IEC 18974 (2024-06-19 ~ Ending 2024-12-19) [1]
What happens next in the three-month Freeze Period [2]
What to expect from the Steering Committee meeting to review the Specification Drafts on 2025-02-03 adjacent to the Q1 2025 Governing Board Meeting in Brussels
What is happening with the separate ISO/IEC 5230 periodic review at ISO as it reaches five years of age, and what to expect next
What happens next with the OpenChain Explainer Series – Documents (Release) and Videos (Beta) [3]
The status of the Capability Model and what to expect next [4]
A proposal to consider where we can go with online training for ISO/IEC 5230 (LFC 193 and LFC 194 refresh with LF Training?) and ISO/IEC 18974 (New LFC courses with LF Training?)
A note on the timing of the call, and sustainability:
This call takes place between 01:30 and 02:30 in Japan to allow North American and European participants to collaborate. However, this makes it difficult for the General Manager to attend. There is a request to action one of two things:
Move the meeting to a North America / Asia schedule, complementary with the other OpenChain Monthly Specification and Education Call (Europe / Asia) on 3rd Wednesdays or
A community volunteer to run the meeting on a regular basis
Issue to be discussed further.
Coming Next:
We will be following up on the activities outlined above on the mailing lists, and we will continue our regular series of calls and meetings throughout the year.
AVL List GmbH has announced an ISO/IEC 5230 conformant program.
About AVL
AVL is a world-leading technology company specialising in development, simulation and testing in the automotive industry and other sectors such as rail, marine and energy. Through extensive research, AVL delivers concepts, technology solutions, methodologies and development tools for sustainable, safe and advanced mobility and beyond.
AVL supports international partners and customers in sustainable and digital transformation, with a focus on electrification, software, AI and automation. AVL also supports companies in energy-intensive sectors on their way to green and efficient energy generation and supply.
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The Electronics and Telecommunications Research Institute of South Korea (ETRI) has announced recertification of their ISO/IEC 5230 conformant program. Learn about their original ISO/IEC 5230 conformance on our previous blog post.
ETRI is a global information and communication technology (ICT) research institute under the Ministry of Science and ICT. It has led the growth of the information and communication industry in Korea for 45 years. The research institute is working to realize the concept of ‘Korea, an AI powerhouse’ with a vision of “a national intelligence research institute that creates a future society.” ETRI has been conducting open source verification as a software quality management since 2008, and established the Open Source Center as an enterprise-wide organization to support open source R&D activities, governance and compliance in 2017.
“We are delighted to have ETRI underscore their commitment to our standardization approach and the development of a more trusted open source supply chain,” says Shane Coughlan, OpenChain General Manager. “We will continue to work together in Korea and beyond to help educate, inform and inspire others in our field.”
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
When walking into a shop, there’s a lot of choice for electronic devices like WiFi routers, IP cameras, and more. Many devices are identical, or nearly so, as they come from the same manufacturer or use the same chip and code from the chipset manufacturer.
CVEs, however, often focus on individual devices rather than classes of similar devices, leaving many vulnerable ones unreported. For example, CVE-2006-2560 and CVE-2006-2561 describe the same vulnerability on devices from different vendors—likely from the same ODM. Many more devices with the same vulnerabilities are overlooked, possibly giving a false sense that only the listed devices are at risk.
Information about device hardware, such as the ODM or chipset used, isn’t easily accessible, as companies rarely disclose this. Fortunately, a wealth of data has been crowd-sourced globally via various wikis. However, this information is hard to reuse outside those specific platforms.
This is where DeviceCode comes in: it unlocks and cleans data from various wikis (as not all users input data correctly or consistently) and integrates it with other sources. This makes it possible to query by chipset, manufacturer, ODM, and even installed software. It helps answer questions like, “Which other devices are similar to a known vulnerable device?” enabling security researchers to identify additional vulnerable devices.
Watch The Webinar
About Our Speaker
Armijn Hemel, MSc, is the owner of Tjaldur Software Governance Solutions, a consultancy specializing in open-source license compliance engineering and provenance research.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Product teams, R&D teams and OSPOs occasionally find themselves in an adversarial situation with IP Departments around open source and how it should be managed in an organization. This is usually due to misunderstandings about how open source provides value and how the risks associated with it can be contained. With open source increasingly necessary for organizations to compete effectively, it is important to ensure all departments understand its strategic importance, and how to manage it in the context of their KPIs and requirements. This talk will explain how to collaborate with IP Departments using the language of external risk containment and internal portfolio management, and help IP Department staff assess open source as part of a diversified IPR strategy.
This talk will explain the process of going from a blank page to an ISO standard using OpenChain ISO/IEC 5230:2020 as a case study. It will explain how the OpenChain specification team came together, how they created the first iterations of what would become ISO/IEC 5230, and how they collaborated with Joint Development Foundation (JDF) to evolve from de-facto industry standard into formal international standard through the JTC-1 PAS Transposition Process. Attendees will learn how to frame, build and deploy their own specifications and standards, with a particular focus on the practical decisions required: should this be a specification, should it be an ISO standard and what do I need to do to make this happen?
Honda is the latest company to join the OpenChain Project as a Platinum Member and to take a seat at the Governing Board and Steering Committee. This builds on their engagement with the OpenChain Project in adopting ISO/IEC 5230 and ISO/IEC 18974.
“Joining the OpenChain Project board is an example of how Honda takes a leadership position in managing open source,” says Yuichi Kusakabe, IVI software PF and OSPO Tech Lead at Honda.
“Honda is an exceptional company in the management of large, complex supply chains,” says Shane Coughlan, OpenChain General Manager. “Today’s announcement underlines their commitment to developing excellence in open source, and in building trusted supply chains. The OpenChain Project Governing Board is delighted to formally welcome them, and looks forward to doing great things together in 2025.”
About Honda
Honda is a mobility company powered by everyone’s dreams, creating mobility that helps and inspires people, in a wide range of fields such including motorcycles, automobiles, power products and aircraft.
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
This session will present an overview of how OpenChain ISO/IEC 5230:2020 for open source license compliance and OpenChain ISO/IEC 18974:2023 for open source security assurance will impact legal professionals in 2024. It will cover the key points regarding procurement negotiations, mergers and acquisitions, and supply chain management foreseen in the year ahead. This will be informed by recent developments around the CRA and in adjacent standards like SPDX ISO/IEC 5962. The session will also expand on existing and forthcoming reference material, community support and commercial providers available for when help is needed. We will end with an outline of what may come next for the market, highlighting a new OpenChain Study Group around AI Compliance.
You can get involved with the OpenChain Telco Work Group through their dedicated mailing list. At this link, you will also find connections to other working groups around the world:
Please note: you do not have to be an expert in telecommunications or work for a telecommunications company to join the group. Work on subjects like the Telco SBOM Quality Guide is intended to also help other market sectors.
