All Posts By

Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

SBOM Implementation Reality – From Crawl to Walk, the SPDX Lite Profile for the First Step

By News

During the Operations Management Summit at Open Source Summit Europe in Vienna, Kobota San (Sony) and Ninjouji San (Toshiba) from the OpenChain Project gave a deep-dive into some of the original and current market realities behind the creation and use of the SPDX Lite SBOM format.

Their slides contain a wealth of information that is useful for anyone working in this field.

Review The Slides:

More About The Speakers:

Korea Telecom (KT) Announces an OpenChain ISO/IEC 18974 Conformant Program

By Featured, News

Korea Telecom (KT), South Korea’s largest telecommunications operator, has announced an OpenChain ISO/IEC 18974 Conformant Program. With 50,000 employees group-wide, KT has a long history in open source engagement, and has operated a dedicated team for its management since 2012.

KT’s decision to adopt OpenChain ISO/IEC 18974 continues their strategic interest in aligning with international standards for managing the supply chain, and builds on their previous adoption of OpenChain ISO/IEC 5230 for open source license compliance. [See note 1 below]

The adoption of OpenChain ISO/IEC 18974 further enhances KT’s contribution to open source security and enables it to take a more proactive and systematic approach to open source security activities.

“Today’s announcement is another milestone for both KT and the OpenChain Project,” says Shane Coughlan, OpenChain General Manager. “KT has demonstrated continued leadership in open source best practices with certification to OpenChain ISO/IEC 18974, and their activity coincides with deeper telecommunication adoption of OpenChain standards in recent months. Great credit is due to the open source and the management team of KT for driving this forward, and for the inspiration it provides to many other companies in the ecosystem.”

About KT Corporation (KRX: 030200; NYSE: KT)

KT Corp., Korea’s largest telecommunications service provider, is leading the new era of innovations in one of the world’s most connected countries with 5G, Big Data, Cloud, IoT, Blockchain and other transformative technologies. KT launched the world’s first nationwide commercial 5G network in April 2019, after showcasing the first trial 5G services at the PyeongChang Winter Olympic Games in February 2018. To help cope with COVID-19, KT is staging a social campaign, dubbed “Ma-Eum:TACT (Heart to Heart),” providing technology support for people and businesses in need. KT will deliver the most essential and innovative services and solutions to its customers around the world as the first frontier in the next technology revolution and the number one global ICT company.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs, and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Notes

[1] KT’s announcement of OpenChain ISO/IEC 5230 adoption in November 2023: https://openchainproject.org/featured/2023/11/07/korea-telecom-kt-announces-an-openchain-iso-iec-5230-conformant-program

OpenChain AI Study Group – Monthly Workshop for North America and Europe – 2024-10-01 – Recording

By News

The OpenChain AI Study Group held its regular workshop on the 1st of October. Karen Bennet from SPDX provided a briefing on AI BOM. Work also progressed on the draft scratchpad for management of AI BOMs.

Watch the Recording

Track This Work

You can follow and contribute to the work of the OpenChain AI Study Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:

Attend Future Meetings

You can find and get the dial-in details for all future AI Study Group meetings from our participate page here:

OpenChain Project – Main Monthly North America and Europe Call – 2024-10-01 – Full Recording

By News

We held our regular Monthly North America and Europe Call on the 1st of October. The focus was on discussing the Public Comment period for our draft proposed updates to the licensing and security specifications, and on the outcomes of the recent Steering Committee meeting.

Check Out The Recording

Link to the Steering Committee Meeting Recording:

We keep all the slides from our monthly calls online and they can be a useful way to access direct links and more details:

Join Our Work

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate

Coming Soon: OpenChain Webinar on SBOM Visualization – An Alternative Approach to Reviewing SBOMs – 2024-10-23 @ 07:00 UTC

By News

This webinar will cover the topic of SBOM visualization, which provides an alternative approach to reviewing code.

Abstract

To meet the obligations that come with using open source, an SBOM must not only list the components but also show how they are incorporated into your products (a multidimensional space consisting of hierarchy, linking, modification, export restrictions, security vulnerabilities, distribution type, versions, etc.) and how properties may propagate through the dependency tree. Keeping track of these complex relationships in a text file or tables is extremely difficult.

As part of a research project funded by the Federal Ministry for Economic Affairs and Climate Protection (BMWi) and with the Bonn-Rhein-Sieg University of Applied Sciences and Bitsea, a visualization of the meta information was implemented that displays the relationships and potential risks quickly and in an easy-to-understand way.

Get Dial-In Details Via Our Global Calendar

About the Speaker

Dr Kotulla is the founder and managing director of Bitsea GmbH and specializes in technical audits of software systems. Bitsea assesses open source compliance, advises clients comprehensively on open source management, strategy, governance, processes and tool chains, and offers an Open Source Program Office (OSPO) and scanning as a managed service.

Dr Kotulla is a computer scientist, has been active in IT for more than three decades, leads workshops and gives lectures on open source, software engineering, software quality and worked for 12 years for international telecommunications providers. He is a member of the Linux Foundation’s OpenChain project, is active in Bitkom e.V.’s Open Source working group and is the author of several books and publications.

Learn More: www.bitsea.de

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. The series highlights knowledge from throughout the global OpenChain ecosystem: participants discuss approaches, processes and activities from their own experience, providing a free service that increases shared knowledge across the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or cost is involved; this is user companies producing informative content for their peers.

Check Out The Rest Of Our Webinars

OpenChain Monthly North America – Europe Meeting – 2024-09-03 – Full Recording

By News

We held our regular Monthly North America and Europe Call on the 3rd of September. The focus was on discussing the Public Comment period for our draft proposed updates to the licensing and security specifications.

Check Out The Recording

We keep all the slides from our monthly calls online and they can be a useful way to access direct links and more details:

What We Did On This Call:

Update openchain-license-compliance-3.0.md #76

Changed:

 A process shall exist for creating the set of compliance artifacts for the supplied software.

Verification material(s):

  • 3.4.1.1 – A documented procedure that describes the process under which the compliance artifacts are prepared and distributed with the supplied software as required by the identified licenses.
  • 3.4.1.2 – A documented procedure for archiving copies of the compliance artifacts of the supplied software – where the archive is planned to exist for a reasonable period of time (Determined by domain, legal jurisdiction and/or customer contracts) since the last offer of the supplied software; or as required by the identified licenses (whichever is longer). Records exist that demonstrate the procedure has been properly followed.

To:

A process shall exist for creating the set of compliance artifacts for the supplied software.

Verification material(s):

  • 3.4.1.1 – A documented procedure that describes the process under which the compliance artifacts are prepared and distributed with the supplied software as required by the identified licenses.
  • 3.4.1.2 – A documented procedure for archiving copies of the compliance artifacts of the supplied software – where the archive is planned to exist for a reasonable period of time (determined by domain, legal jurisdiction and/or customer contracts) since the last offer of the supplied software, or as required by the identified licenses (whichever is longer). Records exist that demonstrate the procedure has been properly followed.

Improved 2.7 #75

Changed:

a “Software Bill of Materials” (SBOM) is a inventory for software, a list of ingredients that make up software components. An example is the (Software Package Data Exchange) SPDX specification created by the Linux Foundation’s SPDX Project to exchange bill of materials for a given software package (see spdx.org). Regardless of the SBOM specification used, it should follow a complete profile for the intended use case.

To:

a “Software Bill of Materials” (SBOM) is an inventory for software, a list of ingredients that make up software components. An example is the Software Package Data Exchange (SPDX) specification created by the Linux Foundation’s SPDX Project to exchange bill of materials for a given software package (see spdx.org). Regardless of the SBOM specification used, it should follow a complete profile for the intended use case.

Update openchain-license-compliance-3.0.md #74

Changed:

a set of open source software licenses identified as a result of following an appropriate method of identifying open source components from which the supplied software is may contain

To:

a set of open source software licenses identified as a result of following an appropriate method of identifying open source components which the supplied software may contain

Terms and definitions sub-headings to same level openchain-license-co… #66

Fixed formatting:

“Under Terms and definitions there were some sub-headings with ## and some with ### so changed them all to be ### level sub-headings.”

Update openchain-security-specification-2.0.md #37

Changed:

3.3.2 – Security Assurance

A process shall exist to detect, identify, and document the existence of Known Vulnerabilities in each Open Source Software component on the Software Bill of Materials (SBOM) for the Supplied Software.

To:

3.3.2 – Security Assurance

A process shall exist to detect, identify, and document the existence of Known Vulnerabilities in each Open Source Software component in the Software Bill of Materials (SBOM) for the Supplied Software.

Overview of the Public Comment Period

OpenChain Project Announces Public Comment Period for Draft Updates to Compliance and Security Specifications

Starting 2024-06-19 ~ Ending 2024-12-19

The OpenChain Project has announced the beginning of its six month Public Comment Period for proposed draft updates to the open source license compliance (ISO/IEC 5230:2020) and open source security assurance (ISO/IEC 18974:2023) specifications.

As per our specification development process outlined in the project FAQ, this Public Comment Period will run for six months, and it will be followed by a three month Freeze Period.

During the Public Comment Period everyone is invited to review and comment on the specifications. As an open project developing open standards, we host the draft documents on our GitHub repositories.

Learn More:

You can comment on this process by joining our monthly calls or via our Specification Mailing list. You can also leave comments via GitHub issues as detailed below.

Coming Soon: OpenChain Japan – Community Day – Vol. 32 – 2024-10-17 ~ 2024-10-18

By News

Overview in Text Format:

It is getting cooler in the mornings and evenings. I was somewhere really cold last week, so my body has not caught up yet.
I am sure you are all busy with the end of the quarter, but please take care of yourselves.

As previously announced, OpenChain Japan Community Day Vol.32 will be held on 17 and 18 October.

The registration form is open from today, so if you plan to attend in person, please register. (Participation is free.)
↓Registration form here↓
https://cvent.me/Am1Z10

Once again we have a full programme. The agenda is as follows (see the attached leaflet for details).
 ★ Presentation of Daikin's activities
 ★ Case study of Honda's OpenChain certification
 ・ Sharing of the latest SBOM trends & panel discussion with experts
 ・ OSPO Japan Local Meetup (Ana from the TODO Group will be attending in person)
 ・ OpenChain Japan FAQ SWG hands-on session & work day

Anyone is free to attend, so please invite your colleagues and friends and join us in person.
Attending only Day 1 or only Day 2 is also fine.
(Only part of the event will be streamed online. So as not to miss important information, please consider attending in person.)

This does not matter at all, but today is my birthday. I am just working as usual, though. Being a working adult is sad.

Get Help / Find Out More On The Mailing List:

Validator for the OpenChain Telco SBOM Guide now on PyPI

By News

As part of their engagement with the OpenChain Project, the Nokia Open Source team have contributed the ‘openchain-telco-sbom-validator’, a script to validate SBOMs against the OpenChain Telco SBOM Guide.

The validator is now available on PyPI at https://pypi.org/project/openchain-telco-sbom-validator/ and can be installed with `pip install openchain-telco-sbom-validator`.

This reference tool is available to everyone under the Apache 2.0 license.

Credits

Marc-Etienne Vargenau of Nokia, chair of the OpenChain Telco Work Group, Gergely Csatari and their colleagues have been instrumental in helping to ensure the determination of SBOM quality is easier, faster and more effective.

Check out the Telco SBOM Guide (Written Document):

Access the Validator Code:

Usage

usage: python3 openchain-telco-sbom-validator.py [options] input

positional arguments:
  input                 The input SPDX file.

options:
  -h, --help            Shows this help message and exits.
  --debug               Prints debug logs.
  --nr-of-errors NR_OF_ERRORS
                        Sets a limit on the number of errors displayed.
  --strict-purl-check   Runs a strict check on the given purls. The default behaviour is to run a non strict purl check what means that it is not checked if the purl is translating to a downloadable URL.
  --strict-url-check    Runs a strict check on the URLs of the PackageHomepages. Strict check means that the validator checks also if the given URL can be accessed. The default behaviour is to run a non strict URL check what means that it is not checked if the URL points to a valid page. Strict URL check requires access to the internet and takes some time.
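The difference between the non-strict and strict purl checks described in the usage text above, as an added illustration that is not the validator's own code: it parses a constructed SPDX tag-value fragment, checks each purl ExternalRef syntactically following the purl specification's parsing order (the non-strict check), and shows the download URL a strict check would then have to fetch. The sample SBOM, the download_url mapping and the pypi URL rule are assumptions, and nothing is fetched.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed fragment of an SPDX 2.x tag-value document (not a real SBOM).
SAMPLE_SPDX = """\
PackageName: requests
SPDXID: SPDXRef-Package-requests
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/requests@2.31.0
PackageName: zlib
SPDXID: SPDXRef-Package-zlib
ExternalRef: PACKAGE-MANAGER purl pkg:generic/zlib@1.3?download_url=https://zlib.net/zlib-1.3.tar.gz
PackageName: broken
SPDXID: SPDXRef-Package-broken
ExternalRef: PACKAGE-MANAGER purl zlib-1.3
"""

EXTERNAL_REF_RE = re.compile(r"^ExternalRef:\s*PACKAGE-MANAGER\s+purl\s+(\S+)$")
TYPE_RE = re.compile(r"[a-z0-9.+-]+")


def parse_purl(purl: str) -> dict:
    """Split a purl into its parts in the order the purl spec prescribes
    (subpath, qualifiers, scheme, type, version, namespace/name).
    A ValueError here is what a non-strict check reports."""
    if not purl.startswith("pkg:"):
        raise ValueError("missing 'pkg:' scheme")
    rest, _, subpath = purl[4:].lstrip("/").partition("#")
    rest, _, qualifiers = rest.partition("?")
    type_, slash, rest = rest.partition("/")
    if not slash or not TYPE_RE.fullmatch(type_.lower()):
        raise ValueError("missing or invalid type")
    version, at = "", rest.rfind("@")
    if at > 0 and rest[at - 1] != "/":   # an '@' opening a segment is not a version
        rest, version = rest[:at], rest[at + 1:]
        if not version:
            raise ValueError("empty version after '@'")
    segments = [s for s in rest.split("/") if s]
    if not segments:
        raise ValueError("missing name")
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, eq, value = pair.partition("=")
        if not eq or not value:
            raise ValueError(f"malformed qualifier {pair!r}")
        quals[key.lower()] = unquote(value)
    return {"type": type_.lower(), "name": unquote(segments[-1]),
            "namespace": "/".join(unquote(s) for s in segments[:-1]),
            "version": unquote(version), "qualifiers": quals, "subpath": subpath}


def check_purls(text: str) -> dict:
    """Non-strict check over SPDX tag-value text: each purl ExternalRef is
    attributed to the most recent SPDXID and mapped to None or its parse error."""
    current_id, results = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SPDXID:"):
            current_id = line.split(":", 1)[1].strip()
        match = EXTERNAL_REF_RE.match(line)
        if not match:
            continue
        try:
            parse_purl(match.group(1))
            results[current_id] = None
        except ValueError as err:
            results[current_id] = str(err)
    return results


def download_url_for(purl: str) -> Optional[str]:
    """The URL a strict check would additionally fetch: the download_url
    qualifier if present, else a type-specific page (assumed pypi rule only)."""
    p = parse_purl(purl)
    if "download_url" in p["qualifiers"]:
        return p["qualifiers"]["download_url"]
    if p["type"] == "pypi" and p["version"]:
        return f"https://pypi.org/project/{p['name']}/{p['version']}/"
    return None  # no resolution rule known: a strict check would flag this purl
```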

Installation of prerequisites

This script is written in Python and uses a requirements.txt to list its dependencies. To install Python and pip on Ubuntu, run sudo apt install python3-pip.

It is good practice to install Python dependencies into a Python virtual environment. To manage virtual environments you need to install venv with sudo apt install python3-venv.

If you do not have a virtual environment yet, create it with python3 -m venv .env and install the dependencies with pip3 install -r requirements.txt. If you already have a virtual environment, activate it with . .env/bin/activate.

License

This software is Copyright Nokia and is licensed under the Apache 2.0 license.

Issues and contributions

If you run into any issues, please create a GitHub issue. Contributions are also warmly welcome in the form of GitHub merge requests.

Webinar: AI – The Current Legal Landscape

By ai, Featured, legal, News, Webinar

This OpenChain webinar focused on the current legal landscape of AI, covering four main topics: (1) open source and AI, (2) current litigation around AI, (3) an overview of current and forthcoming laws and regulations pertaining to AI, and (4) privacy and data protection and AI, including a case study on scraping biometric data for a facial recognition AI system.  It is recommended for all legal, business executive and project management personnel with a remit to engage with open source and/or AI projects and products.

Watch the Webinar

Review the Slides

Learn More About Our Speakers

Anthony Decicco

Tony is a member in GTC’s IP Strategy, Mergers & Acquisitions, and Business & Technology Transactions groups. He focuses on mergers and acquisitions, strategic development of patent portfolios, valuing and commercializing intellectual property assets, and licensing and other technology-related transactions. In addition, Tony founded and oversees the firm’s Open Source Compliance and Due Diligence practice and has extensive experience advising clients regarding the use of open source software. He has reviewed the results of literally thousands of code scans.

Tony is also the Co-Lead of GTC’s Artificial Intelligence practice and has counseled clients regarding traditional AI/ML (i.e. algorithmic/rules-based) for many years and has more recently focused on generative AI. He specializes in data set licensing and strategies for acquiring and collecting data, developing patent portfolios focused on AI inventions and applications of AI technologies, developing AI-related contract terms, risk assessment and mitigation, and related policies and guidelines, in respect of using AI to generate and test software code and the intersections between open source software and AI.  Tony is the co-chair of the AI & Cloud Computing sector of the Licensing Executives Society.

Tony’s clients range from individual inventors to Fortune 100 companies. Given his extensive experience on both the buy and sell sides of mergers and acquisitions, patent purchases/sales and IP/technology licensing transactions, he is a trusted advisor to clients on all sides of the table. For acquirers, a key strength is his ability to leverage this experience to quickly identify and assess IP-related risks. On the sell side, this experience translates to grooming clients and positioning IP assets to maximize value and minimize issues during rigorous due diligence.

Prior to joining GTC, Tony was a member of the IP & Technology, Internet & E-Commerce and M&A practice groups at Skadden, Arps, Slate, Meagher & Flom. He has research and professional experience in a diverse range of fields, including patent valuation, law and economics, molecular evolution, apoptosis, and lipid biochemistry. Tony holds an Honors B.Sc. in Biochemistry from McMaster University, an M.A. in Economics and a J.D., both from the University of Toronto, where he was a law review editor. He is admitted to practice in Massachusetts, New York, Ontario, and before the United States Patent and Trademark Office (with Limited Recognition).

Shea Leitch

Shea Leitch is a member of GTC’s growing Data Privacy group with over 10 years at the forefront of privacy and data protection law. Shea has served as a trusted advisor to multinational companies in an array of industries who rely on her to provide timely, strategic and practical advice as they build and adapt their global privacy and security programs.

Shea provides strategic guidance to clients regarding a wide array of data protection concerns from the ground-up development of enterprise-wide privacy and security compliance programs and cybersecurity assessments, to targeted guidance on discrete privacy and security issues. With CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals, Shea provides tailored guidance on privacy and cybersecurity issues, including regulatory compliance and risk management, security assessments and remediation, security incident preparation and response, and enforcement matters.

Shea also provides targeted guidance on privacy compliance for clients using emerging technologies, including biometrics, artificial intelligence and AdTech. As a strategic advisor, Shea helps clients bring products to market by identifying practical solutions that facilitate business growth and innovation, while mitigating legal and regulatory risk.

Prior to joining GTC, Shea was Counsel at Squire Patton Boggs, LLP. She holds a B.A. in Political Science and Government from The Ohio State University, and a J.D. from The Ohio State University Moritz College of Law.

Stanislav Zakharenko

Stas Zakharenko practices in GTC’s thriving Technology Transactions and Artificial Intelligence groups and has over 18 years of experience at the forefront of intellectual property, technology and digital media law, including as the General Counsel of Audible, Senior Counsel at Amazon and Director of Product and Tech Legal at Netflix. Stas brings a rare blend of deep legal expertise, demonstrated business experience and executive-level leadership to his clients. Stas’ experience spans providing product development legal counseling, negotiating complex technology and content agreements as well as providing strategic legal and business leadership to clients ranging from startups through Fortune 50 companies.

In his most recent role as the Director of Product and Tech Legal at Netflix, Stas advised engineers and data scientists in navigating the rapidly evolving machine learning landscape and growing artificial intelligence wave. Stas’ demonstrated record of deeply understanding the technical intricacies of emerging technologies, in combination with his legal expertise, allows him to deliver practical, forward-looking legal solutions that support and drive innovation.

In addition to holding a J.D. from Boston University, Stas holds a B.A. in Music from Stony Brook University and is an avid musician in community jazz and classical groups.

Wael Nackasha

Wael Louis Nackasha focuses on M&A due diligence and technology-related transactional matters. Wael specializes in open source and commercial software licensing, agreements for the sharing of strategic and commercially sensitive technology, and IP strategy advice, as well as artificial intelligence and generative artificial intelligence related matters, including risk management, policies, and assessment of training datasets.

Wael drafts and prosecutes patent applications covering a wide range of technologies, including machine learning, blockchain, electrical, telecommunications, and computer-related technology. Before joining GTC, Wael was an Associate at Ridout and Maybee LLP where he practiced before both the USPTO and CIPO.

Prior to becoming an attorney, Wael spent several years as a research scientist and software developer. He has published scientific papers in conferences and journals on machine learning, biometrics, computer vision, signal and image processing, and statistical signal processing. Wael holds a J.D. from Osgoode Hall Law School, a Ph.D. and a Master of Applied Science in Electrical and Computer Engineering from the University of Toronto with dissertations focused on artificial intelligence, and a Bachelor of Engineering in Electrical Engineering from Ryerson University (renamed as Toronto Metropolitan University).

In his Ph.D. dissertation titled “Online and Continuous Electrocardiogram (ECG) Biometric System” (2017), Wael proposed a biometric system for continuously monitoring the identity of subjects using their electrocardiogram signals. The dissertation includes proposing novel feature extraction and detecting and removing abnormal electrocardiogram signals using statistical models.

In his Master of Applied Science dissertation titled “Weakly Trained Parallel Classifier and CoLBP Features for Frontal Face Detection in Surveillance Applications” (2010), Wael developed a computer vision system for face detection using novel discriminative features.

Check Out Our Previous Generative AI Webinar From GTC Law:


This OpenChain Webinar was broadcast on 2024-09-24.