Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source.
Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.
The OpenChain Project was invited by Max at Alibaba to present at the OpenAnolis Standardization SIG Meeting on the 25th of February event held between 15:00 ~ 18:00 CST. The focus was on explaining the current OpenChain specifications for open source license compliance and security assurance, and how the OpenChain community supports organizations of all sizes engaging with the open source supply chain.
Overview
The Anolis OS Standardization SIG and Anolis OS ecological partners jointly develop the Anolis OS standard. The Anolis OS standard is used to ensure the compatibility and consistency of Anolis OS in the upstream and downstream of the industry chain.
The OpenChain Reference Library has been significantly updated to improve navigation. This is an administrative item that was pending for a while. Its completion should make it possible (and easy!) for anyone to access our library and find material. It should also make it a lot easier for our Education Work Group to assess and improve or expand existing material.
This new structure is designed to overcome discoverability issues with the previous repository and to make it easier for continual improvement both of individual documents and for the navigation of the repository as a whole. This means that your feedback, suggestions and help are most welcome. You can leave feedback and ideas for improvement as GitHub issues or via our Education Work Group mailing list.
ISO/IEC 5230 (known as OpenChain) is an international standard on the key requirements for a high-quality open source license compliance program. The standard was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in late 2020. The standard is based on the Linux Foundation OpenChain Specification 2.1. It focuses on software supply chains, easier procurement and license compliance. Organizations that meet the requirements of the standard can self-certify to ISO/IEC 17021, from an accredited certification body or after successfully completing an audit.
We would love your help in reviewing and improving this new resource to help spread understanding of our standard for open source license compliance, and expanding our presence over time to include the OpenChain Security Assurance Specification. You can do so through the normal Wikipedia editing process. Here is an example for the English page.
Huge thanks to Marc-Etienne Vargenau at Nokia for leading this process. He put a lot of effort into making this happen, and is due great credit for helping to improve the supply chain through easily available educational material.
We would create an equally short and easy to understand FAQ to help creating OSPO and running
reference: OSS License FAQ Created by OpenChain Japan WG
◇Future activities
Second Friday: OSS Strategy & OSS Hosting / Leader Motai
Fourth Friday: OSPO Launch & FAQ / Leader Owada
◇Action
Future activities listed above will be disclosed on the LF Event site (Kuwata)
Sharing GGI materials ( Koizumi, Kobota)
From now on, the meeting rules will be explained at the beginning of the meeting.
■proceedings
◇OSPO launch at a company and OSS document structure summary
a state of thirst for expert know-how, opinion, and advice
The OSS Licensing Institute site is useful
The problems that will be encountered during the OSPO startup phase,
I’d be happy if you could give me a Q & A or something.
C) Some come from OpenChain,
What OpenChain policy can’t do, it gets it out of the lab
I doubt if I can say that the FAQ collection is for OSPO.
Q) Do you want answers specifically tailored to your company?
Either you want a general answer or
A) There are companies that offer support,
Some companies get support from C-class people, but software development takes a different form if the company is a small part of the business, so I want to know the case
C)If it’s the former, I think other people might want it,
I thought the latter was a new point of view.
C) The former is close to what you once suggested on Lightning Talk.
C) You might want to join OpenChain
C) It would be nice to have a forum to mainly discuss how to set up OSPO.
C) Know-how to set up OSPO, in favor of creating best practices
I doubt if it can be compiled into a beautiful document, but I agree with the challenge of compiling it into an FAQ.
C) It is interesting to use a brief, FAQ as an example.
The TODO line has a lot of long sentences.
It’s interesting to challenge yourself to put it all together in a short sentence.
C) The checklist attached to the translated GGI may be close
C) I think the words that speak of OSPO go off on their own and think of different things in each.
It would be interesting if we could converge and go, it would help to create a common understanding.
C) If we can put it together, it will be useful when we explain to the high officials in each company.
Q) Do you do FAQs by format, or do you argue and then summarize?
A) How to extract Q first and then make a sentence before PPT
Q) Classified as OSPO launch and strategic use, OSPO launch?
C) If it’s about OSPO, it doesn’t have to be limited to the launch
C) Wouldn’t it be that from being able to answer “yes” and “no” easily, it would become a Q that simply can’t be answered when strategy and other things get higher?
C) OSPO activities come and go on stage with the same agenda
C) Every organization has its own OSPO, but it’s worth trying
C) I think we can make good things if we shape what we say in writing and discuss it again.
Q) Are we talking about giving GGI feedback?
A) We’re talking about a challenge to step away from GGI and try to sort through the FAQ
C) a good challenge to try because it’s easy to get started
C) There are some sentences in terms of the stance to be taken after the systematization of Europe, but I think it would be good to complement each other if we take the Japanese stance and approach.
■future plan
OSS Business strategy area
OSS hosting area
C) First, I wanted to know how many people wanted to do it.
So far, four have raised their hands.
C) Wouldn’t it be better to divide the first and second half of the month by themes?
Q) Is it not necessary to make a summary by adding only the month of reporting?
A) You don’t have to get together to report, the organizer just has to report in English once every three months what you could do in Japan.
C) It is better to decide who will read each.
C) Week 2 OSS Strategy & Hosting / Leader Motai
C) Week 4: OSPO launch / Leader Owada
★Publish the above to the LF Event site
C) Sharing Materials (Daikoku)
C) GGI materials also shared (Mr. Koizumi, Mr. Kobota)
There was a time like this in the past, but it seems to have passed
◇2. Compliance
It seems that they worked hard on the site, it is not an issue for the entire company
see it as a legal issue
◇3. Participation
Misunderstandings that rely on others
Maintained even if left alone
No need to keep up with upgrades
◇4. Co-creation (collaboration)
Contribute only when you can afford it
No immediate effect
◇5. Strategy
we don’t have to do it ourselves
■OSPO GGI Mapping
◇OSS business strategy
OSS activities are positioned as part of the business, and targets are set with both the business and the community in mind.
OSPO representatives are able to communicate at C-Level regular meetings
Some employees do not understand the OSS business model
I’m trying to get the conversation across
There are contributors, but they are not in a form that leads to business
Classified as Strategy goal activities
Mapping to maturity level 5 could not be assigned
C) I felt that even at the maturity level they were going as far as strategy
Isn’t it that there are things that are done and things that are not done?
A) Communication at the top is done, but there are some areas such as education that are lacking
◇OSS hosting
Develop product A with OSS
Became a sponsor of the base OSS PJ and has also contributed
It is open on Github, but the problem is that there are few external contributors and users
There is no internal system in place to deal with the increase in external
Product B Source released, development closed
Activities to revitalize the user community have been activated
There are also users who customize
Categorized as Engagement goal activities
Maturity level is weak in Leadership Community Education Engagement
C) be able to act as a leader, but not able to engage
◇OSS contribution
I want a more influential approach to the community
It would be good if we could accumulate know-how on how to do this within the company.
We also support private and open source activists
I can get information and I can visualize it
Some people don’t want to be open as individuals and don’t want support
I’m trying to automate and collect contribution logs
I want to make use of the experience and know-how of employees who are responsible for board members
Classification is Engagement gaol activities maturity level
◇ What we want to do at TODO Group Japan
OSS Business strategy area
Not enough things that are organized in Japanese
Isn’t it easier to talk if you have something to show?
Combination of support type and open core type,
I think it would be easier to apply OSS to business if there is a place to analyze and discuss such things, such as using paid services as users use OSS.
OSS hosting area
It’s out there, but it’s revitalizing and gathering people
Know-how and best practices should be created
C) I would like to work with someone who is interestedI want to be able to bring out the results from Japan to the world.
C) Posing a very good challenge
there are many people who are interested in
Some people may be interested but unable to contribute
There was a company analysis at OSSJ, so It might be useful
thinking about doing it broadly or deeply.
Q) There was talk of researching external community contributions. how it ultimately intends to use the results
A) The company is happy to know individual skills
You can’t just get results
We provide financial support when making presentations at overseas events.
We want to create a win-win relationship from both sides
C) Motivation seems to increase
A) Incorporating skill development leave, we have prepared a system that allows you to go without using your paid leave.
Q) Is it better to set up a sub-work or continue here?
A) I don’t know the framework yet, but I want to do it
■ Issue mapping by OSPO maturity level and individual ⇔ company/OSPO scope
The usage status of Open Source can be grasped at the project level for the purpose of satisfying compliance, but it is not grasped in the necessary form when considering strategic utilization throughout the company.
I have mapped to 2 compliance and 3 participation in the OSPO maturity levels, but the objectives are 5 strategies and I feel that the OSPO maturity levels will come and go rather than monotonously climb
C) Issues that do not allow you to jump into the community as your own matter and issues such as being recognized by your superiors and improving the personnel system are related
Is there a link between individual issues and organizational issues?
The timing of individual motivation and organizational motivation is out of sync
want to raise my personal motivation, even if it’s just a little
If you try to make it fair, you can’t make it
Value standards such as the size of the community and the number of committed lines are difficult
OSS activities are not recognized by the company
are introducing new technology
Some people have good networks and some people don’t.
Individual study until community feedback is available
OSS activities are far away
Is the introduction of new technology evaluated?
OSS is even more unacceptable if it is not evaluated
A place to discuss careers
Individuals are not necessarily part of a community associated with the company
I want to promote it, but it is difficult to evaluate
Difficult in business evaluation
Establish other forms of awards or rewards
The next time you start working on your company’s business
SW human resource development
eventually return to business
Business is difficult if you don’t understand it
After all, SW is a human resource.
Scale of support for individuals
For example, overseas events are big, or they are paying attention to technology
■ Other
◇ Relationship with legal
Q) Are legal people familiar with OSS licenses and able to intervene?
C) Isn’t it an area that has been talked about in Open Chain?
C) We also aim to cooperate with legal affairs
I hold study sessions and get involved
No one understands OSS in ordinary company legal affairs
C) No legal involvement
Since it starts with compliance, it starts with a legal proposal, but the legal department cannot handle it, so the open source team is supposed to take responsibility.
C) The parent company is doing well, so we can do commercial distribution from there, but there are cases where we can’t do it ourselves.
◇ SBOM and department in charge, procurement contract text
Q) Is the procurement department in charge of SBOM or is the project doing it?
A) It is in the form that the place requested from procurement takes responsibility
It is supposed to be included in the instructions at the time of procurement, but the requesting department is supposed to include it
C) I think that the OSPO functions in the LF organizational form.
I think there are various ways to actually do it, but I was wondering if I would intervene or get involved
C) There are various aspects, SBOM can not do even if they know the law
Tooling is essential, OSPO’s position needs to be promoted when introducing Tooling
I can’t understand the contents of the software unless I’m on site,
collaboration is needed
C) OSPO is being asked to wield the flag, but there are various ways to do it, such as creating a new mechanism
C) It doesn’t matter if OSPO is a departmental organization or a company organization
Small steps to try to do things right together
C) SBOM does not proceed unless C-Level thinks SBOM is necessary
There are still not many companies that think that they have to do it desperately while thinking that it is exciting
C) There are many parts that move in the security system
that one is more motivational
C) The word SBOM stands alone, and the image differs from person to person
Security is shifting from the purpose of checking what license is included
It will also be used to understand the information we are using to make strategic decisions.
It will be different depending on what you emphasize, but it will be easier to talk if you use a common language
C) Concerning procurement, OSPO also participates in the preparation of the template and incorporates the conditions of OSS.
Regarding SBOM, the product security unit has started to move mainly in cooperation with OSPO.
With the cooperation of LF, we are planning an in-house lecture by asking the GM of OpenSSF and SPDX.
All of the issues appear “done” but naturally you can access, review and reopen on GitHub. We will also be speaking about these topics on the next call for North America / Europe on the 1st Tuesday of March. See our Global Calendar for the precise schedule: https://www.openchainproject.org/participate
Nathan continues to lead collaboration around the OpenChain education material. We have a lot of reference material, ranging from self-certification to training to policy material, and the community is currently preparing updates to help people get started more quickly. Our goal is not only to make adopting our license compliance and security assurance standards easier, but also to provide great material that can be repurposed for other aspects of open source management.
… aims to offer high quality, performance and reliable products, ensuring the protection, security and productivity of its customers. The provision of personalized services, in an agile and assertive way is one of our main focuses, acting in the identification and resolution of problems, guiding the IT professional on the functionalities of the tools, ensuring the full use of the resources offered by it. With a close relationship with manufacturers and distributors it is possible to offer affordable projects that suit the needs of each company.
The OpenChain Korea Work Group is holding its 17th meeting between 14:00 and 16:00 on the 28th of March 2023. This will be the first physical meeting of the work group since COVID hit in 2020. Learn more at the event link: https://openchain-project.github.io/OpenChain-KWG/meeting/17th/
안녕하세요, OpenChain KWG 멤버 여러분! 장학성입니다. 새로운 한해를 뜻깊게 시작하고 계신가요?
This OpenChain Webinar features an overview of GPLv2 licensing fragmentation based on research initiated by Philippe Ombredanne of NexB and continued by Armijn Hemel of Tjaldur Software Governance Solutions. The key takeaway is that a significant number of variations exist (40 “vanilla” copies from the FSF or GNU website, 12 with the Linux kernel linking exception in the Linux kernel), but the impact of these variations is nuanced. The requirements do not change but the variability may throw errors for automation and review. Process awareness is required.
