Suzhou Prism Colorful Information Technology Co., Ltd. is the latest company to complete self-certification to OpenChain ISO/IEC 5230, the International Standard for open source software license compliance.
From our UK Work Group Chair, Andrew Katz:
First of all, a big thank-you to Tom Sadler and David Buckhurst [at the BBC] for hosting the meeting yesterday. I’m sorry not to be able to make the meeting personally and I remain envious! And thank you also to all those who took the time to attend, both virtually and in person. Thank you also to Shane for a great update on everything going on in the world of OpenChain, and to Martin Yagi for the great work he’s done on the bite-sized training project. Also, thanks to Steve Kilbane for his questions and thoughts on the end-to-end compliance issue, and also to Sami for his input and agreeing to hold the fort. I hope that those who travelled had safe and uneventful journeys home.
I will be circulating a note shortly summarising the outcomes from the meeting, and suggesting some dates for the next meeting, which will also be a hybrid in-person/virtual event, probably at the end of May or the beginning of June.
This post will be updated with Andrew’s notes as they become available.
The OpenChain Project was at LG Electronics on the 27th of March to discuss the current market and developments around trust in the supply chain.
During our presentation and open discussion with the LG Electronics team, we also had a chance to tour the offices and see recent awards for things like the release and growth of the FOSSLight Project.
There was a special meeting and presentation hosted at SK Telecom for SK Group companies on 2023-03-27. Haksung Jang of SK Telecom, leader of the Korea Work Group, kindly wrote a summary of the event. Find some of the introduction and conclusion below, with a link to the full article as well.
Take it away Haksung!
Using open source in modern software development is almost essential: more than 93% of the product software developed by companies is said to use open source.
However, there are reports that 53% of the open source in use has license compliance issues, and 81% contains security vulnerabilities.
Considering the complex modern software development environment and the vast software supply chain, companies developing products with open source need to put effort into open source management to minimize license compliance and security vulnerability risks, and the Linux Foundation's OpenChain Project is a project for carrying out this effort together at the community level, through sharing and collaboration among many companies.
On March 27, 2023, Shane Coughlan, General Manager of the OpenChain Project, visited SK Telecom to explain the main activities of the OpenChain Project, international standards related to open source, and global trends.
Members of the SK Telecom OSRB and the SK Group open source council (SK Planet, SK Shieldus, SK Inc., the Supex Council, etc.) attended and exchanged a variety of opinions. On that day Shane introduced the OpenChain Project and explained how open source management issues in the software supply chain are being solved jointly through global cooperation.
In closing
The OpenChain Project is a community that applies the open source approach of sharing and collaboration to corporate open source management as well, so that everyone together can achieve a high level of risk management practice with less cost and fewer resources.
The OpenChain Korea Work Group is where companies that share this purpose come together.
Nearly 100 corporate open source managers have joined the OpenChain Korea Work Group mailing list and are active there.
As it happens, the first offline meeting in three years since COVID was held on March 28. I will cover this in detail in the next post.
After the meeting session with Shane, we enjoyed a delicious lunch sponsored by the SK Telecom Tech HR team. (Thank you, Sanggi! ^^)
Our 50th webinar will feature Alexios Zavras, Chief Open Source Compliance Officer at Intel Corporation and a long-term friend and collaborator around the OpenChain Project. This time the topic will be SPDX 3.0, a significant generational update to SPDX, a sister standard to OpenChain ISO/IEC 5230 and OpenChain ISO/IEC DIS 18974.
SPDX is a Software Bill of Materials (SBOM) specification, so it operates one layer down from the fundamental processes outlined by OpenChain’s standards, and it provides an excellent way to meet our requirements for an SBOM to be used by companies. The second generation of SPDX has been an ISO/IEC standard for two years as ISO/IEC 5962. The third generation shows interesting promise as a way to manage license compliance, security and more.
Our regular monthly meeting continued our work to edit the next generation of our license compliance and security assurance specifications. Our focus this time was on some open issues around the next generation of the Security Assurance Specification.
The specific issues we covered:
Add triage entry to specific situations where vulnerability not applicable:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/29
Outcome: improved language suggested, needs work to further tighten phrasing.
Comments on the Known Vulnerability in the proposed Security Assurance Specification:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/19
Outcome: issue closed with adjustment to language in the specification.
Current draft of next generation security specification here:
https://github.com/OpenChain-Project/Security-Assurance-Specification/blob/main/Security-Assurance-Specification/2.0/en/openchain-security-specification-2.0.md
The slides we used are below.
The OpenChain Project is delighted to be part of the OSPO Summit held in Beijing during March 2023. You can check out our speech from the event below.
The OpenChain Security Assurance Specification 1.1 is now ISO/IEC DIS 18974, OpenChain Security Assurance Specification. It is a de-facto industry standard and a draft ISO/IEC international standard.
What Is This?
ISO/IEC DIS 18974 defines the key requirements of a quality open source security assurance program. It was previously known as the OpenChain Security Assurance Specification 1.1.
What Does It Do?
ISO/IEC DIS 18974 helps organizations check open source for known security vulnerability issues like CVEs, GitHub dependency alerts or package manager alerts.
It identifies:
- The key places to have security processes
- How to assign roles and responsibilities
- And how to ensure sustainability of the processes
ISO/IEC DIS 18974 is lightweight, easy to read and is supported by our global community with free reference material and conformance resources. Pending a successful ballot, it is expected to become a formal ISO/IEC International Standard in mid-2023.
What Should You Do?
From today, you can adopt ISO/IEC DIS 18974 through self-certification or in collaboration with one of our official partners. Your adoption will also be valid for ISO/IEC 18974:2023. The first company to announce a program using ISO/IEC DIS 18974 was Interneuron in the UK, and the first company to announce whole entity adoption was BlackBerry.
History
This specification is built from the source material of ISO/IEC 5230:2020, the International Standard for open source license compliance (specifically OpenChain 2.1, which became ISO/IEC 5230 via the JTC-1 PAS Transposition Process).
This specification was drafted by our community as a Security Assurance Reference Guide due to interest in applying ISO/IEC 5230 processes to the security domain. The draft specification went through a review process via our specification list and calls before a governing board vote to transform it into a published security specification on 2022-09-14.
Improving The Standard
ISO/IEC DIS 18974, the industry standard for open source security assurance, is available for everyone to review, adopt and to submit suggestions for improvement. We collect these comments on the OpenChain Security Assurance Specification GitHub Repository. You can add your comments in the “Issues” section.
You can also send questions and feedback to the mailing list or by email to the OpenChain Project administration team if you prefer to remain anonymous. We discuss the suggestions on our calls and via our mailing lists to decide what to refine, update or improve in future versions.
Learn More About Our Standardization Status
Joint Development Foundation (JDF), the PAS Submitter used by the OpenChain Project, has provided our Draft International Standard (DIS) number for the OpenChain Security Assurance Specification 1.1. This is the number used in the JTC-1 PAS Transposition ballot process prior to the granting of formal ISO/IEC standard status and obtaining the related ISO/IEC number. The OpenChain Security Assurance Specification 1.1 is now ISO/IEC DIS 18974, OpenChain Security Assurance Specification.
JDF has also received an update on the timing of our JTC-1 PAS Transposition ballot for DIS 18974, OpenChain Security Assurance Specification. We are currently scheduled for late March 2023. Pending a successful initial ballot, we are on schedule for having our formal ISO/IEC designation in mid-2023. Our expected ISO/IEC number for the OpenChain Security Assurance Specification 1.1 will be ISO/IEC 18974:2023. The formal name of the standard is expected to be ISO/IEC 18974:2023, OpenChain Security Assurance Specification.
China Electronics Standardization Institute (CESI) is the latest official partner of the OpenChain Project. From today, CESI is offering third-party certification around the standards produced by the OpenChain Project, with an initial focus on ISO/IEC 5230:2020, the International Standard for open source license compliance.
“The OpenChain Project is delighted to deepen our collaboration with CESI,” says Shane Coughlan, OpenChain General Manager. “CESI has an exceptionally important role in helping the world’s most populous country engage with, leverage and innovate around open source. Their new status as an official partner of the OpenChain Project opens doors for more companies in China to begin using our standards, and to begin benefiting from increased efficiency in their supply chains.”
“CESI is delighted to become an official partner of the OpenChain Project,” says Liyun Yang, Director of Cloud Computing Research Office. “We will offer third-party certification and assist in developing next generation versions of the OpenChain standards to help support Chinese companies, and the wider global supply chain.”
About CESI
Founded in July 1963, CESI is a nonprofit institution directly under the MII that is engaged in standardization, conformity assessment and measurement activities in the field of electronic information technologies. Authorized by government competent departments, CESI organizes the development of national and industry standards and participation in the international standardization activities in electronic information technologies. CESI provides product certification, quality system certification, experiments and tests, measurement and calibration as well as training for the public.
The objective of CESI is to become a world-renowned, domestically authoritative institution for standardization and conformity assessment in the field of electronic information technologies.
TÜV NORD Taiwan is the latest official OpenChain Partner. TÜV NORD Taiwan was founded in 1988 and is one of the leading providers of quality, safety, information technology, and renewable energy solutions. The company has highly qualified employees and offers national and international customers a complete one-stop service.
“We are delighted to begin our official partnership with TÜV NORD Taiwan,” says Shane Coughlan, OpenChain General Manager. “The availability of certification and other support services is critical to ensure companies have options when using our standards for license compliance and security assurance. Especially in mission critical industries like automotive, the option of third-party certification alongside self-certification is vitally important.”
About TÜV NORD Taiwan
TÜV NORD Taiwan is one of the world’s largest technical service providers.
We owe our leading market position to our technical competence and a wide range of engineering support, testing and servicing activities in the Systems, Mobility, Certification, Energy, training and International Divisions.
With over 14,000 employees in more than 70 countries of Europe, Asia, America and Africa, the TÜV NORD GROUP is actively committed to its national and international customers. Its broad consulting, service and testing/inspection portfolio encompasses both specific individual tests/inspections and also management of complex safety solutions.
The TÜV NORD GROUP is made up of the following divisions: Mobility, Industrial Services, International, Natural Resources and Training and Human Resources. As a customer-oriented competence centre, it is in constant contact with its customers for analyzing, consulting, developing individual solutions and joint implementation with the customer.
TÜV NORD GROUP customers benefit from the broad, well-founded expertise of the consultants and inspectors. Through their understanding of the subject and the customer, the employees form the backbone of the company’s success.