The latest OpenChain AI Study Group meeting was hosted by our co-chair, Matthew Crawford of Arm. Check out the full recording and get the slides below.
This week we have the following international meetings:
Tuesday 20th February:
– OpenChain Monthly North America / Asia Call @ 01:00 UTC
– OpenChain AI Study Group (North America / Europe) @ 16:00 UTC
Wednesday 21st February:
– OpenChain Webinar #71 – FOSS License Management: meta-osselot project for integrating OSSelot-Data in OpenEmbedded @ 09:00 UTC
– OpenChain Automation Work Group Meeting (European Afternoon) @ 16:00 UTC
Thursday 22nd February:
– OpenChain Webinar #60 – SPDX 3.1 – Services Profile Overview @ 01:00 UTC
– OpenChain Education Work Group Meeting @ 17:00 UTC
You can check out all our international meetings and get instructions on adding our calendar to your client here: https://www.openchainproject.org/participate
Caren Kresse from OSADL talks about sharing and reusing publicly available FOSS compliance material, as provided by the OSSelot project (https://www.osselot.org/), which requires trust in the reliability of the data. Such trust can be fostered by ensuring high quality and consistency of the data through a standardized curation process and strict review of all contributions. This presentation will demonstrate the curation process for the OSSelot project, present the resulting material, and give an example of how a contribution is reviewed.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Check Out The Rest Of Our Webinars
This is OpenChain Webinar #59, released on 2024-02-14.
Join the mailing list here:
We covered a lot of ground:
- Elections
- ISO Standards
- Contribution Spec Proposal
- Maturity Models
- and more…
Get The Slides
Agenda:
• Recap of discussion so far
• Scope – how to build trust in the open source AI supply chain
• What are the “compliance artifacts”?
• How do we know they can be trusted?
• Discuss use cases
• Inbound
• Deployment internally
• Hosting externally
• Distributing externally
Get The Slides
Learn more about the activities of this study group via their dedicated mailing list:
“Security has continued to be a focus across all our project communities at the Linux Foundation. In today’s blog, we highlight the recent efforts and impact of four Linux Foundation project communities: OpenSSF, FINOS Common Cloud Controls Project, OpenChain, and SPDX. Each community addresses aspects of security from a different perspective and helps contribute to our shared goal of having a more secure software ecosystem for everyone.”
Read the blog:
https://www.linuxfoundation.org/blog/a-spotlight-on-security-efforts-at-the-linux-foundation
Learn more about the activities of this study group via their dedicated mailing list:
The OpenChain Project ran a series of webinars about using open source tools for open source compliance ran between September and December 2021. They have been re-published in the main webinar series to improve discoverability. This episode explores how a tool called VulnTotal can help with open source security management.
Philippe Ombredanne from nexB lead a technical deep dive into VulnTotal on the 7th of February 2023. It was about an aspect of the AboutCode Project, with VulnerableCode providing tools to collect, aggregate and refine software vulnerability information from more than 20 sources and tools to quickly create new “importers”. Called VulnTotal, it came out of Google Summer of Code 2022:
VulnTotal: Cross-validate vulnerability coverage of VulnerableCode (Keshav Priyadarshi)
VulnerableCode is a unique project that collates and cross-references FOSS vulnerability data from multiple sources. Inspired by the VirusTotal multi-scanner virus scanning service, the VulnTotal project will cross-validate the vulnerability coverage of VulnerableCode against other publicly available vulnerability check tools and databases. For instance, a package may be reported as vulnerable by one tool or database but not by another. We can gradually work with these tool providers to keep each other apprised about newly discovered vulnerabilities, making FOSS more secure.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Check Out The Rest Of Our Webinars
This is OpenChain Webinar #68, released on 2024-02-01. It was originally published as “Automation Case Study #7 – VulnerableCode technical deep dive into VulnTotal” on 2023-02-07.
