Skip to main content
All Posts By

Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

CALL TO ACTION: The OpenChain Automotive Work Group will hold a face-to-face workshop on the 10th of September in Stuttgart – Register Now

By News

The OpenChain Automotive Work Group will hold a face-to-face workshop on the 10th of September in Stuttgart. Please register if you will be attending, and please help spread the word!

The event page is here:
https://openchain-project.github.io/Automotive-WG/2024-09-10-workshop-agenda.html

The registration link is here:
https://cvent.me/Mg4w9o

Like all OpenChain Automotive activities, this belongs to you. You can contribute to, leave notes on, or make suggestions about the agenda. You will find our work group overview and links to our mailing list here:
https://openchain-project.github.io/Automotive-WG/

If you are feeling technical, you can open an issue or make a pull request on GitHub:
https://github.com/OpenChain-Project/Automotive-WG/blob/gh-pages/2024-09-10-workshop-agenda.md

Let’s make this a great workshop. It has been a while since our last face-to-face meeting, and there are a lot of things to talk about.

Managing Your Open Source Software Supply Chain – A Guide From The OpenChain Project

By News

We are delighted to announce that the second edition of the OpenChain guide to ‘Managing Your Open Source Software Supply Chain’ is now available. This builds on the excellent contribution from the OpenChain Japan Work Group in 2019 in building the first edition, and takes into account market developments since that time.

Overview:

This document is designed to help companies in the supply chain understand and manage Open Source Software (open source). The OpenChain Project maintains the OpenChain ISO/IEC 5230:2020 for open source license compliance and OpenChain ISO/IEC 18974:2023 for open source security assurance. These standards can help companies manage open source. You can learn more about the OpenChain Project and its standards at www.openchainproject.org.

Open source has become essential to modern software development and is incorporated into almost every electronic product, from consumer to industrial devices, from cloud to embedded software. Open source is an indispensable part of helping companies to bring products or services to market.

Much open source is developed through the collaboration of expert developers from individuals and organizations throughout the world.

Open source can be used, modified, and distributed by anyone who complies with the associated license conditions. When open source is distributed within the supply chain, the distributor is required to comply with the terms and conditions of the license. There have been cases where suppliers were sued because they failed to satisfy their legal obligations. This document is designed to help introduce the best practices needed to prevent issues occurring and to solve them when they do occur. It leads to further resources available through the OpenChain Project and other Linux Foundation Projects.

Like all other software, security issues sometimes occur with open source. By understanding how open source is created, used, and maintained, it is possible to identify, prevent and address many of these issues before they become a concern. The key thing is for all relevant personnel to understand the basic principles of open source.

Please note that this document is designed to provide insight based on experience shared from our global community. It does not contain legal advice.

Direct Links to the Text Version:

(It is provided as MarkDown, which can easily be taken and reformatted as needed. We intend to add more print-ready language versions over time)

Direct Link to the Print-Ready Version:

(We intend to add more print-ready language versions over time)

Historic Link to the First Edition from 2019:

OpenChain Telco SBOM Guide – General Availability

By News

We are delighted to announce that the OpenChain Telco SBOM Guide Version is available in English, French, Japanese and Simplified Chinese.

Overview:

The OpenChain Telco SBOM Guide aims to outline certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this guide can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs. 

Note: that this guide does not require a conforming entity to adopt OpenChain standards but doing so is greatly encouraged.

This guide is designed to work on a per SBOM level: an entity can use it as its sole way of delivering SBOMs but it is the individual SBOM that the guide refers to, not the entity that provides the SBOM. An SBOM using this guide can be called “OpenChain Telco SBOM Guide Compatible.”

Direct Links to Text Versions:

(These are provided as MarkDown, which can easily be taken and reformatted as needed)

Direct Link to the English Print-Ready Version:

(We intend to add more print-ready language versions over time)

Coming Next:

Development of the next generation of the guide will occur via the Telco Work Group, and everyone is welcome to contribute.

The OpenChain Telco Work Group mailing list is here: 

The OpenChain Telco Work GitHub (for drafting) is here: 

OpenChain SBOM Study Group Kick-Off 2024-07-30 – Full Recording

By News

The OpenChain Project has required Software Bill of Materials for its compliance and security standards since we started the project in 2026. Over the years, we have contributed to the field in various ways, including the development of SPDX Lite (a simple SBOM for suppliers) to a guide to judging SBOM Quality.

Our new SBOM Study Group brings all our various activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?”

This kick-off call:

  • Introduced the practical considerations of using SBOMs in supply chains
  • Discussed who these considerations apply to
  • Talked about existing market solutions: Case Study SPDX Lite
  • Had an open discussion on next steps

Watch the Full Recording:

Check Out The Overview Slides:

Check Out The SPDX Lite Case Study:

Everyone with an interest in SBOMs, the use of SBOMs in the supply chain, and in increasing trust in the supply chain is invited to be part of our work. Kobota San from Sony is the chair of this study group in 2024. Kobota San, thank you for stepping forward to start this activity!

We have a dedicated mailing list:

We have a dedicated Slack Channel:

We have a dedicated GitHub Repo:

https://github.com/OpenChain-Project/SBOM-sg

OpenChain Japan Work Group All Member Meeting #31 – 2024-06-27 – Full Recording

By News

The OpenChain Japan Work Group had its 31st All Member Meeting on the 27th of June. As always, this event featured a series of talks, case studies and plenty of space for networking. This was a meeting with a lot of international focus, including engagement with activities around the OpenChain AI Study Group, and discussion about the (at the time) forthcoming OpenChain SBOM Study Group.

Check Out The Full Recording

Join the OpenChain Japan Work Group Mailing List

OpenChain Project Meetings This Week (all times UTC)

By News

This week we have the following international meetings:

Tuesday 30th June:
– OpenChain SBOM Study Group Kick-Off Call @ 07:00 UTC

Thursday 1st August:
– OpenChain Telco Work Group Call (European Morning) @ 07:00 UTC
– OpenChain India Work Group @ 10:00 UTC
– OpenChain Telco Work Group Call (European Afternoon) @ 14:00 UTC

Get dial-in details and see all our international meetings here:
https://www.openchainproject.org/participate

Education Sync Call for Asia: Deep Dive into Maturity Models – 2024-07-25 – Full Recording

By News

On previous OpenChain Education Work Group calls and at recent events, we discussed the emergence of maturity models that included ISO/IEC 5230 or other standards managing open source business processes. We also flagged that there will be reference materially freely available to the community to help everyone benefit from maturity modeling if they choose to go in this direction. This call is a deep-dive on the topic, and helps set expectations and timelines for the release of official OpenChain Project reference material on the topic.

Watch the Full Recording:

View the Maturity Model Example Spreadsheet on Google Drive (Editing Possible):

View the Maturity Model Example Spreadsheet on OneDrive (View Only):

Maturity Model Presentation from Open Compliance Summit 2023:

dSPACE GmbH Has Completed Third-Party Certification Of ISO/IEC 5230:2020

By Featured, News

dSPACE GmbH, a global leader in simulation and validation, has adopted ISO/IEC 5230:2020 via completed third-party certification provided by TÜV SÜD. TÜV SÜD is an official OpenChain Partner and is a well-known certification provider. 

“This certification is another important building block in dSPACE’s compliance management system,” says Stefan Schukat, Software Compliance Manager at dSPACE, “and the commitment to a sustainable, meaningful and compliant use of Open Source as well as the support of Open Source projects. We chose third-party certification via TÜV SÜD to ensure our adoption had assessment from independent, accredited experts, and to support the highest possible quality in our process management.”

“The adoption of ISO/IEC 5230 by dSPACE GmbH and their choice of third- party certification is a notable milestone in the increasing maturity of the open source supply chain,” says Shane Coughlan, OpenChain General Manager. “Our goal has always been to link more and more companies via trusted, reliable and consistent process management. This is an excellent example. Incidentally, the first OpenChain third-party certification was provided by TUV SUD to Hitachi in 2018. We are delighted to see the continuation of their service provision to the market, and our continued momentum in this domain.”

You can view the TUV SUD certificate for dSpace at this link:

About dSPACE

dSPACE is a leading provider of simulation and validation solutions worldwide for developing connected, autonomous, and electrically powered vehicles. The company’s range of end-to-end solutions are used particularly by automotive manufacturers and their suppliers to test the software and hardware components in their new vehicles long before a new model is allowed on the road. Not only is dSPACE a sought-after partner in vehicle development, but engineers also rely on dSPACE  know-how  when it comes to aerospace and industrial automation. The dSPACE portfolio ranges from end-to-end solutions for simulation and validation to engineering and consulting services as well as training and support. With more than 2,600 employees worldwide, dSPACE is headquartered in Paderborn, Germany; has three project centers in Germany; and serves customers through its regional companies in the USA, the UK, France, Japan, China, Croatia, Korea, India, and Sweden.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenChain Project – Main Monthly North America and Asia Call – 2024-07-16 – Full Recording

By News

We held our regular Monthly North America and Asia Call this week. The focus was on discussing the Public Comment period for our draft proposed updates to the licensing and security specifications.

We keep all the slides from our monthly calls online and they can be a useful way to access direct links and more details:

Overview of the Public Comment Period

OpenChain Project Announces Public Comment Period for Draft Updates to Compliance and Security Specifications

Starting 2024-06-19 ~ Ending 2024-12-19

The OpenChain Project has announced the beginning of its six month Public Comment Period for proposed draft updates to the open source license compliance (ISO/IEC 5230:2020) and open source security assurance (ISO/IEC 18974:2023) specifications.

As per our specification development process outlined in the project FAQ, this Public Comment Period will run for six months, and it will be followed by a three month Freeze Period.

During the Public Comment Period everyone is invited to review and comment on the specifications. As an open project developing open standards, we host the draft documents on our GitHub repositories.

Learn More:

You can comment on this process by joining our monthly calls or via our Specification Mailing list. You can also leave comments via GitHub issues as detailed below.

Webinar: IAV, TimeToAct and ISO/IEC 5230 – Third-Party Certification Case Study

By legal, licensing, News, standards, Webinar

IAV GmbH has announced adoption of ISO/IEC 5230:2020 via third-party certification provided by TimeToAct. Adjacent to this, IAV and TimeToAct has collaborated with the OpenChain Project on a webinar and case study about the certification rationale and process. This webinar digs into details on how, why and when decisions were made in the IAV adoption and use of ISO/IEC 5230.

Get the Slides

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-07-16.