All Posts By

Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

OpenChain Specification Bi-Weekly Call #2 – Fourth Monday June 2020 – Full Recording

Posted in: Featured

The full recording of the 2nd OpenChain Specification bi-weekly call is now available. This call went over the general parameters of the editing process for the next generation of the OpenChain specification. Our goal is to ensure all comments and suggestions can be captured.

Join the next call on the second Monday of July at 9am Pacific.

Join the Meeting via Zoom

OpenChain Newsletter #38

Posted in: Monthly Newsletter, News

Newsletter – Issue 38 – June 2020


We have two big announcements leading the news this month.

Cisco Systems, Inc (Cisco), a Platinum Member of the OpenChain Project, announced conformance with the industry standard for open source compliance in the supply chain on June 2. As a founding member of the OpenChain Project, Cisco has been instrumental in defining, developing and deploying both the standard and its extensive corpus of reference material. Their conformance marks another milestone in the broadening adoption of the standard throughout silicon, embedded, mobile, telecommunications, enterprise, software and cloud market segments.
https://www.openchainproject.org/featured/2020/06/02/cisco-systems-inc-announces-openchain-conformance

Fujitsu

Fujitsu, an OpenChain Platinum Member, is the first organization to attain two OpenChain 2.0 conformant programs. Fujitsu is the leading Japanese information and communication technology (ICT) company, offering a full range of technology products, solutions, and services. Approximately 132,000 Fujitsu personnel support customers in more than 100 countries.
https://www.openchainproject.org/featured/2020/06/03/fujitsu-attains-second-openchain-conformant-program


OpenChain @ Webinars #5 & 6:

OpenChain @ Work Groups (Selected Highlight)

  • The OpenChain UK Work Group is being launched with its first meeting on July 23. The inaugural UK meeting, which follows the path of successful OpenChain work groups established in China, Japan, Germany, Korea, India and Taiwan, will feature an introduction from Shane Coughlan who leads the OpenChain project at the Linux Foundation. Andrew Katz (Orcro) and Sami Atabani (Arm) will share their experiences of OpenChain implementation in the real world.
    https://www.openchainproject.org/featured/2020/06/30/openchain-uk-work-group-launches-on-july-23rd

OpenChain @ Events (Selected Highlight)

  • The OpenChain Project and its collaboration with the Joint Development Foundation was explored during a session at the ISO WG21 2020 Plenary on the 9th of June. Shane Coughlan, OpenChain General Manager, led the primary discussion, and Seth Newberry, General Manager of Standards at Joint Development Foundation, explained the JDF PAS approach both in terms of OpenChain and more broadly in the years ahead.
    https://www.openchainproject.org/featured/2020/06/09/openchain-at-iso-wg21-2020-plenary-9th-june

More News

Check Out All Our Previous Newsletters

Guest Blog – OpenChain: Open Source Compliance Comes of Age In the Supply Chain

Posted in: Featured

ISO Standard Imminent

This is a guest post from Matthew Jacobs, Esq., Director, Legal Counsel at Synopsys Software Integrity Group. The views in this guest post are those of the author alone.

The goal of the Linux Foundation’s OpenChain Project, and the specification it maintains, is to promote predictability and uniformity in the management of open source. It aims to also create consistency in how critical open source compliance information is collected and retained so that it may be properly communicated to others.

The specification is gaining momentum and will likely be adopted by the International Organization for Standardization by mid-2020. With open source use on the rise and more and more demanding proof of compliance becoming mainstream, this is a perfect time to reevaluate how you address compliance. But first, let’s explore an illustrative analogy.

The automotive supply chain.

Car recalls are costly and time-consuming events. However, considering the complexity of today’s vehicles and the number of components found in the average vehicle, recalls often seem strikingly well organized. In particular, the level of detail and granularity in the typical recall notice speaks to the information that must be obtained by automotive manufacturers from their multitudes of suppliers, and then maintained and stored regarding the elements composing the bill of materials (BOM) of each car.

The very fact that recalls are successful at keeping the public safe is a testament to the incredible level of information sharing from supplier to customer and the standards and trust between the parties. Parts from different tiers of the automotive supply chain, and the component sub-elements of those parts (and so on), must be identified and important information about those parts shared up and down the supply chain. Given the sheer volume and complexity of this, and the rapid evolution of the industry, an automotive manufacturer must rely heavily on their suppliers to provide comprehensive and accurate information concerning that supplier’s respective elements. The final BOM for a given vehicle is dependent on comprehensive information communicated in a common language by members throughout the vast supply chain.

Contrast this to software.

Much like assembling a vehicle, modern software development involves software components from a wide variety of sources. This may be third-party commercial code, “homegrown” code or, as is very often the case, significant amounts of open source code. Tracking the provenance of the multitude of software parts and pieces that make up the modern software programs that we interact with and rely upon is often murky at best.

This challenge is clearly compounded by the fact that each component of software, with its own constituent elements, is then rolled up into a more complex assembly with other software elements. Further, since an ever-growing amount of this software is open source which, by design, is the product of often many mostly anonymous contributors, it quickly becomes easy to see how assembling a reliable BOM for today’s software programs is a daunting challenge.

Open source challenges.

Developers are encouraged to reuse open source to do their jobs better, faster and cheaper. There are around 8,000 source forges housing over 500 billion (and growing) lines of open source code to use. Importantly, those reusing open source must confirm initially, and on an ongoing basis, that they are reusing that open source in compliance with the governing open source license terms and conditions. Given that there are approximately 2,700 different flavors of open source licenses, a real challenge arises in (1) managing these compliance risks at an enterprise scale and pace, and (2) effectively communicating to third parties what open source is being used, what license applies and if the user is complying with the applicable license.

Given the critical nature of open source in software development, and the large and growing amount of open source in use, the need to be able to express what open source is being used (the BOM) and any license compliance obligations associated with that use, in addition to the need to be able to communicate that information in a standardized way is key to the free flow of software components in the software supply chain. And, to avoid “garbage in, garbage out” customers need to have confidence in the information received from suppliers based on trust in the compliance processes employed upstream. The OpenChain Project has emerged as the leading voice in bringing organization and certainty to the tracking and communication of open source reuse.

The OpenChain Specification (now in version 2), as described by the OpenChain Project, defines “the key requirements of a quality Open Source license compliance program. The objective is to provide a benchmark that builds trust between organizations exchanging software solutions comprised of Open Source software”. The specification sets forth a basic set of open source management best practices and methods for communicating open source component information, all aimed at furthering that trust.

Managing open source risk.

The value of this trust cannot be understated. Again, much like the automotive supply chain, the software supply chain is highly interdependent and complex. Historically, customers attempted to mitigate their risk during the contract negotiation process by forcing their suppliers to make certain disclosures, representations and warranties concerning that supplier’s software product and the supplier’s compliance with any open source licensing requirements for the open source in that supplier’s product. Suppliers often don’t have the requisite insight into the composition of their own code, especially as it relates to open source, to make these types of representations and warranties with certainty, but bow to economic and time pressure to close a deal.

Occasionally, customers will enlist firms like Synopsys to perform an independent audit of their supplier’s code to confirm that the disclosures made by the supplier concerning the open source in their products are accurate. The purpose of an audit is to identify the open source in the supplier’s code and determine which one of the many open source licenses applies to that code, in order to evaluate the supplier’s compliance with the obligations of the applicable license. It also, by implication, gives customers a sense of how well the supplier is managing compliance. This “trust but verify” approach is certainly warranted in some situations. But, given the pace of commerce, there is often little time for comprehensive due diligence in many of the routine day-to-day transactions.

Elements of the OpenChain specification and compliance.

The OpenChain specification short-cuts much of the negotiation around a supplier’s open source compliance by offering a basic set of understandings around how each member of the supply chain uses and tracks what open source is present in their products. The specification is comprised of two basic elements: First, an ongoing open source license compliance process (which may include the use of automated open source management tools) for identifying what open source is in that member’s code and verifying that the use of that open source complies with the applicable license for that code. Second, the specification requires an organizational commitment to adherence to the first element by establishing areas of responsibility within an organization for compliance and an organizational commitment to training, process and open source compliance support.

Executing on these two basic elements of OpenChain compliance requires effort. Just because open source software may be freely available does not mean there are no obligations. However, many companies lack the basic process and software tools for identifying what open source their engineers are reusing in the first place. Without that visibility, there is no opportunity to manage the use.

Next, after properly identifying what open source their developers are using and how that open source is being used, compliance requires accurately identifying what license applies to that code, understanding the requirements of that license and taking the necessary steps to adhere to those requirements. Based on the nature of the open source license, this may include something as simple as providing attribution to something more complicated such as having to disclose source code.

A supplier’s ability to certify OpenChain compliance affords their customer comfort and removes open source compliance-related friction from the supply chain. Downstream customers can enjoy a level of comfort that, by incorporating the supplier’s code with their own, they won’t be inadvertently exposing themselves, any further upstream members of the supply chain or, ultimately, the end user to compliance-related litigation or remediation risk and expense.

There are third parties available to help you through your license compliance journey: law firms that can assist with training, tools and services, and vendors such as Synopsys that can audit your code or provide software tools to support identifying and tracking open source reuse during software development.

OpenChain compliance as a competitive edge.

While compliance is an important goal, and while companies are keen to steer clear of potential litigation, an exceptionally important element of OpenChain compliance is as a competitive differentiator. Companies that have achieved OpenChain compliance are encouraged to advertise that fact and leverage that status in the marketplace as an asset.

Influential companies such as Toyota, Hitachi, Panasonic, Qualcomm, and Bosch are putting top-down pressure on their vendors, and in turn on suppliers to those vendors to demonstrate open source management consistent with the OpenChain Specification. This results in lower tier vendors, who may have never considered open source compliance as an urgent priority, now finding themselves under increasing pressure from other members of the supply chain.

Hans Malte Kern, Head of the Center of Competence Open Source at Bosch underscores this point. “We’re excited to join the OpenChain project, as it reflects the importance of compliant open source usage, distribution and contribution. Instead of negotiating the open source requirements with all our partners and suppliers, Bosch will leverage OpenChain as an open standard that provides common approaches and understanding for open source collaborations – not only in the automotive industry but also the connected world of IoT. We are convinced the OpenChain standard will replace bilateral negotiations, educations and open source risk mitigation discussions.”

OpenChain as an ISO standard.

The value of being able to tout compliance will take on additional importance as by mid-2020 it is expected that OpenChain Specification version 2.1 will be adopted by the International Organization for Standardization and certified as an ISO standard. Many suppliers are familiar with the experience of responding to customer requests for proposals or quotes. These requests are often multi-part questionnaires requiring the supplier to report on various elements of the supplier’s business concerning such aspects as privacy, security and compliance-related matters.

Given the time pressure often associated with closing deals, making the open source management and compliance discussion short is highly valuable. The ability to reply affirmatively to open source compliance questions and confirm compliance with the pending ISO standard will, in the words of one observer, “take the issue off the table.”

OpenChain Webinars # 5 & 6 – Survey Results

Posted in: Featured

We had five speakers over two events covering a range of global and regional topics:

Let’s start with overall satisfaction, 1 being satisfied and 5 being extremely satisfied:

Let’s dive into how people felt about the relevance of the talks, 1 being low relevance and 5 being extremely relevant:

Let’s get more specific on relevance per topic, which shows global talks having global relevance, and regional talks have substantial but not blanket relevance:

These results map to our expectations and will help shape future events. We also asked for general written feedback as an option and got some encouraging messages:

OpenChain Korea Work Group – 6th Meeting – Recording

Posted in: Featured

The OpenChain Korea Work Group held its 6th meeting via UberConference on the 16th of June at 2pm Seoul time. This event was held in the Korean language and provided an excellent opportunity to learn what companies like Kakao and SK Telecom are doing around open source compliance.

  • How to join on PC
    (1) On your PC, go to https://uberconference.com/openchainproject
    (2) Under Settings, check your microphone and speaker configuration
    (3) Enter your name and click “Join Now” to enter the meeting
  • How to join on Phone
    (1) From your mobile phone, call 02-6022-2388
    (2) Enter 855 889 3011 #

Learn More

Webinar: OpenChain China, Japan, Korea – a discussion on community building

Posted in: community, Featured, licensing, News, standards, Webinar

In this webinar we covered “OpenChain China, Japan, Korea – a discussion on community building” featuring short interviews with Jerry (China), Haksung (Korea) and Fukuchi San (Japan) about local community activity. Our goal was to share knowledge on what has worked, what has not, and how momentum can be kept in these unusual times. We hope these lessons will assist our fellows in Europe and North America while also illustrating some of the key successes in Asia.

This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations.

Check Out The Rest Of Our Webinars

This is OpenChain Webinar #6, released on 2020-06-22.

OpenChain Japan Work Group – 15th Meeting (2nd Virtual) – Recording

Posted in: Featured

The OpenChain Japan Work Group hosted its 15th meeting (2nd virtual) at 2pm local time on the 18th of June. The majority of the meeting was held in Japanese but as always foreign guests were welcome to join and ask questions or share news in English.

Review the Slides

Learn More About Japan Work Group Activities

OpenChain China Work Group – 4th Meeting – Recording

Posted in: Featured

The OpenChain China Work Group held its fourth meeting on the 17th of June. This meeting covered two topics.

Agenda

  • A briefing on Patrick McHardy and related activities in 2020 (Chatham House Rule, not part of the recording).
  • Production use of software bill of materials and an update on US Government activity around software bill of materials.

OpenChain Webinar 6: OpenChain China, Japan, Korea – a discussion on community building – 5pm Pacific, Monday 15th June

Posted in: Featured

This Monday at 5pm Pacific (Tuesday 8am Beijing, 9am Seoul, Tokyo) we will hold our sixth webinar. The topic will be “OpenChain China, Japan, Korea – a discussion on community building” featuring short interviews with Jerry (China), Haksung (Korea) and Fukuchi San (Japan) about local community activity. Our goal is to share knowledge on what has worked, what has not, and how momentum can be kept in these unusual times. We hope these lessons will assist our fellows in Europe and North America while also illustrating some of the key successes in Asia.

This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations.

You can learn more about this series here : https://www.openchainproject.org/webinars-interviews

Join Our Zoom Meeting

* https://zoom.us/j/9990120120

Password

* 123456

One Tap Telephone (no screensharing)

* +358 9 4245 1488,,9990120120# Finland
* +33 7 5678 4048,,9990120120# France
* +49 69 7104 9922,,9990120120# Germany
* +852 5808 6088,,9990120120# Hong Kong
* +39 069 480 6488,,9990120120# Italy
* +353 6 163 9031,,9990120120# Ireland
* +81 524 564 439,,9990120120# Japan
* +82 2 6105 4111,,9990120120# Korea
* +34 917 873 431,,9990120120# Spain
* +46 850 539 728,,9990120120# Sweden
* +41 43 210 71 08,,9990120120# Switzerland
* +44 330 088 5830,,9990120120# UK
* +16699006833,,9990120120# US (San Jose)
* +12532158782,,9990120120# US

Find your local number: https://zoom.us/u/abeUqy3kYQ
Not all countries have available numbers.

After dialing the local number enter 9990120120#

OpenChain Japan Work Group – 15th Meeting (2nd Virtual) – June 18th @ 2pm Local Time

Posted in: Featured

The OpenChain Japan Work Group will host its 15th meeting (2nd virtual) at 2pm local time on the 18th of June. Everyone is welcome to attend. The majority of the meeting will be held in Japanese but foreign guests can ask questions or share news in English.

Review the Slides

Join the Meeting via Zoom

Learn More About Japan Work Group Activities