Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source.
Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.
As always, this is where we are editing the next generation versions of our license compliance and security assurance specifications. Mary Hardy (OpenChain board representative from Microsoft) kindly acted as MC in support of Helio and Chris, co-chairs of the specification work group. Check out the full recording below.
Curious about where we are editing the specifications on GitHub?
The OpenChain Project held a mini-summit adjacent to the Linux Foundation Open Source Summit North America. Check out our opening keynote for some substantial data points on our project, our standards for license compliance and security assurance, and the type of support you can get with adoption.
We continued with a presentation from our board member Helio (CARIAD), with a strong focus on how people can use automation in the practical implementation of important compliance and security processes at scale.
The final presentation drilled further down the stack, and we had a great contribution from the LG Electronics team as their explained FOSSLight, an open source tool for open source compliance or security management with sophisticated dashboard and automation. This solution is gaining traction in South Korea and is well worth attention globally.
The overarching event this year had around 2,000 physical attendees and 2,000 virtual, and we were delighted to welcome some new faces to our corner of the open source community. It was also a pleasure to see many familiar faces in the room.
Minutes Prepared By Steve Kilbane of Analog Devices
Expecting the Security Spec to graduate from ISO/IEC at end of July.
Shane has produced 8 case studies using ChatGPT.
Helio on “State of Tooling in Open Source Automation” (Helio can probably share his slides, if they’re not already on the LF platform)
Tools, Trends, Insights.
Previous trend was license compliance.
Current trend is security.
Few can consume SBOMs.
Lots of gaps for license compliance automation.
We need open data, avoiding control of that data by one entity.
Binary analysis will displace source-only scans.
I think this point here is that, current binary scans aren’t sufficient, but as we move up SLSA levels, we’ll have more attestations from the build, and those will be sufficient.
Poor data quality, especially vulnerability databases.
PURLs prevent vendor lock-in to a given DB.
We need unique identifiers for software.
We need to share the data of package review and curation, but need to overcome concerns from legal departments.
Should we share scanner output first? (ahead of curations?)
We should try to fix upstream (to have better compliance info / metadata)
Helio wants data to be standardised; I was unclear whether Helio was saying data should be centralised or de-centralised (sorry, Helio). I wasn’t clear whether the call was for a federated network of standard servers.
Licensing isn’t the same as security. Lots in common, but different use-cases, with different audiences, so have different docs to explain your systems and tools.
License compatibility: Multiple tools / matrices in use, but they’re all legally subjective and dependent on jurisdiction.
Snippet matching
V. expensive in terms of time (and, therefore, money)
Weirdly, Helio argued that Synopsys has given up on Snippet matching, as they’ve all but abandoned Protex. Hub has snippet-matching – we use it all the time at ADI.
Suggests that ChatGPT et al. will make snippet matching more relevant and useless, at the same time, because it’ll generate new boilerplate from everyone’s code.
Note to self: Look into MatchCode, which Helio mentioned.
SBOMs
Not good, don’t have all the data.
Often can’t read them anyway.
Tools do not integrate them well.
SBOMs need to be validated – but even a valid SBOM can contain junk data, if the data is wrong in the first place.
Collaboration opportunities
“Live inventory of FOSS tools and their capabilities” – which sounds like the capability map / tooling landscape the OpenChain Automation WG was working on last year.
Has a Supply Chain Management section, for third-party code.
Unclear how many of the features being mentioned are part of the OSS product, and how many are still internal-only for LG.
I didn’t spot where the clearing/curation decision feeds back into a later scan.
Sounds like developers can only upload single packages at a time to be scanned; bulk upload is an internal-only package at the moment.
Shane mentioned a cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn’t catch). The OSPO budgeted three hours to do the job. They spent a week on it, then gave up and bought Black Duck. So we have a way to go on making tooling easier to set up.
CARIAD, the wholly-owned division of VW Group creating advanced software for future vehicles, has joined the Governing Board of the OpenChain Project as a Platinum Member.
Helio Chissini de Castro, who will be representing CARIAD on the OpenChain Governing Board, is a familiar face to many in the OpenChain Project. He was previously our board member for BMW and is currently our co-chair of the Specification Work Group. As an old hand at Linux and other open technologies, Helio brings immense practical experience about open source and business management to the table.
About CARIAD
CARIAD is the software powerhouse of Volkswagen Group. Its mission: to bundle and further expand the software competencies of the Volkswagen Group. Mobility made easy. For everyone. Software driven. With a focus on the digital experience and automated driving, CARIAD is building the leading tech stack for the automotive industry. Aiming to create a new automotive experience and increase the innovation speed of Volkswagen Group to make the car a digital companion. The software-defined vehicle powered by CARIAD is a crucial contribution to the success of the Group’s NEW AUTO strategy.
The OpenChain Project is releasing the first draft case studies created by ChatGPT on our GitHub. These are not intended to replace our community contributions, but to make it fast for people to add ideas and adjustments. This will specifically address one of the greatest challenges in creating new material: the initial time spent for drafting.
Why?
Our community feedback shows that people usually enjoy commenting and polishing more than drafting. Check them out and let us know what you think!
The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.
This edition of the newsletter was created and shared by Qiuyue Qi of OpenSCA, and we provide our thanks for the contribution!
Enlargement
Cloudera, Alibaba Cloud, China Mobile, SAIC Z-ONE and ByteDance have all announced conformance with ISO/IEC 5230.
Nathan chaired the latest Education Work Group meeting with a focus on updating our supplier education leaflet. Check out the full recording below to learn more. You can also join our education mailing list to keep track of progress here and around other documents.
LG Electronics has published a news item about their recent adoption of OpenChain ISO/IEC DIS 18974, the de facto industry standard for open source security assurance.
An extract from their post:
(서울=연합뉴스) 김아람 기자 = LG전자[066570]는 미국 비영리단체 리눅스재단의 오픈체인 프로젝트가 규정한 ‘오픈소스 소프트웨어 보안 관리체계 국제표준’ 준수 기업으로 인정받았다고 21일 밝혔다.
이 인증 획득은 국내는 물론이고 글로벌 제조업계를 통틀어 LG전자가 유일하다.
소스코드가 공개된 오픈소스 소프트웨어 사용에서 ▲ 내부 보안정책 수립 ▲ 보안정책의 주기적 업데이트 ▲ 보안 테스트를 위한 각종 툴 사용 여부 등 30여개 보안 인증 요건을 모두 충족했다.
Dr. Andreas Kotulla over at BitSea has flagged some interesting concerns when using ChatGPT to talk about open source licenses. While a conversation about open source licenses in China correctly identified the Mulan Permissive Software License, other Chinese “licences [discussed by ChatGPT] seem to come from ChatGPT’s pure imagination!”
From his research:
China is playing an increasingly important role in the open source world. Especially for globally active companies with their own software development, it is worth taking a look at the Far Eastern market. But caution is advised in research efforts: Those who trust in the help of artificial intelligence should be prepared for misjudgements. In my blog, I show by example what can happen or what should be taken into account when software like ChatGPT is supposed to provide support in this still young field of research.
This webinar features an update on ClearlyDefined by Nick Vidal at the Open Source Initiative (OSI). A lot has happened since we last covered this project for open source metadata, including the move to a new home at OSI.
About The Project
ClearlyDefined and its parent organization, the Open Source Initiative, are on a mission to help FOSS projects thrive by being clearly defined. Lack of clarity around licenses and security vulnerabilities reduces engagement – that means fewer users, fewer contributors and a smaller community.
As such, the goals of the project are to:
Raise awareness about this challenge within FOSS project teams
Automatically harvest data from projects
Make it easy for anyone to contribute missing information
Crowd-source the curation of these contributions
Feed curated contributions back to the original projects
