All Posts By

Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

OpenChain Project Chinese Work Group Meeting #2 – 12/12, 2 PM to 4 PM

By News

The Open Source Compliance Seminar will take place on the 12th of December between 14:00 and 16:00 at the Beijing Baidu Building, No.10, Shangdi 10th Street, Haidian, Beijing, China.

Our agenda will focus on real world challenges and solutions.

Our meeting will be held under the Chatham House Rule to facilitate open discussion. The open source discussion meetings I support generally ask for this rule so that everyone can exchange views more fully.

In particular, Zhang Weiling, open source lawyer at Baidu, will introduce open source compliance practice at Baidu, including the what, why and how, and how to work with security, development tools, the TC and others to put compliance into practice.

Compliance is not easy to understand, but putting it into practice is the hardest part. Practical deployment is our true challenge and will be addressed.

Everyone is welcome to share their experiences. Let’s build a great atmosphere of collaboration.

Do you want to participate? Email scoughlan@linuxfoundation.org.

OpenChain and AGL Collaborate to Facilitate Open Source Compliance in Automotive Production

By News

At CES 2020 during early January you can meet some of the key people behind the OpenChain Project. Our demo desk at the Automotive Grade Linux stand will show how open source tooling for open source compliance accelerates time to market and the optimal use of open source code. Our focus will be on the automotive sector but of course the same approach can help any company in any sector adopt and apply the key requirements of a quality open source compliance program.

Check Out Our Demo Overview

Check Out The Full AGL Schedule

OpenChain in India – Update on Status

By News

The OpenChain India Work Group had a great inaugural meeting hosted by MCA in Bangalore on the 7th of September. 25 people from 11 companies attended and shared experiences around open source compliance matters. This meeting marked the long-awaited expansion of OpenChain into one of the most significant IT markets in the world.

The second meeting will take place at Lyra Infosystems on the 21st of December 2019. Lyra has been OpenChain conformant for a while and is a pivotal user company supporting the eco-system in India.

Interested in helping shape the future of open source compliance in India? Jump right in!

Our dedicated India Work Group Mailing List

Detailed Overview and Minutes

Mishi Choudhary & Associates partnered with the OpenChain Project in conducting the OpenChain Project’s first India Work-Group meet-up at Hotel Royal Orchid, Bangalore on 7th September. The meetup included professionals, open source enthusiasts, tech companies building or using products based on open source, and entities interested in learning more about open source compliance. Four OpenChain Conformant companies were present, namely Infosys, Siemens, Lyra Infosystems and Cognizant. Various global service providers using open source in different forms were also present.

The meetup was organised to initiate the core India Work-Group of the OpenChain Project which was rolled out by Linux Foundation to simplify compliance. The OpenChain Project builds trust in open source and makes compliance easy, predictable and effective. OpenChain Specification and Conformance form industry standards for open source compliance optimized for internal and external supply chains of any type.

The meet-up was moderated by Prasanth Sugathan, Legal Director, and Gurbir Singh Sidhu, Associate Counsel at Mishi Choudhary & Associates. The session also included presentations by Shuvajit Mitra (Senior Manager – IP Commercialisation, Open Source & Trademarks Practices, Infosys) and Arun Azhakesan (Lead OSS License Compliance, Siemens Healthineers).

Introductory Remarks:

Shane Coughlan, General Manager, OpenChain
Shane joined through video-conference from Japan. He spoke about major achievements for the OpenChain Project in community outreach in the current month, which include the first work-group meet-ups in India and China and continuing activity in Taiwan. He also expected a doubling of the conformance community this year. Further, he shared OpenChain activities in Japan, which involve 68 companies and over 150 people. In addition, the OpenChain Project’s Automotive WG in Japan has over 100 people involved.
He mentioned deep connections between companies from China and those in India present at the first work-group. To support this, he referred to Xiaomi, which recently sold its 100 millionth smartphone in the Indian subcontinent.
He envisaged bringing together OpenChain Conformant companies like Infosys and others like WIPRO which are not yet conformant. He also discussed plans for OpenChain’s readiness to become an ISO standard and the consequent support for this from user companies and developers.

Further, he assured support from international OpenChain community to the India WG at every step.

Gurbir Singh Sidhu, Associate, Mishi Choudhary & Associates
To give insights on the anticipated privacy legislation, Gurbir gave a presentation on Draft Personal Data Protection Bill, 2018 for the attendees. He gave a background on emergence of privacy law and policy in India. This included recommendations given by Justice (Retd.) AP Shah Committee on Privacy, 2011; the SC judgment in KS Puttaswamy & Anr v. UOI & Ors (Aug, 2017) which upheld privacy as a fundamental right and finally, the report released by Justice (Retd.) BN Srikrishna Committee on Data Protection Framework, 2017.
Thereafter, the key provisions of the Draft Protection Bill were shared. It included key terminology like Personal Data, Sensitive Personal Data, Data Principal, Data Fiduciary and Data Processor. Then, data protection obligations on data fiduciaries such as purpose limitation, collection limitation, storage limitation, notice and consent requirements; transparency and accountability measures (data audits, impact assessments, appointment of data protection officers) were presented. This was followed by rights of data principals such as rights to confirmation and access; data portability; correction of information and right to be forgotten. Thereupon, provisions on transfer of personal data outside India were discussed. It included data localization, mirror copy requirements; conditions on data transfer like contracts, intra-groups schemes. Finally, provisions relating to exemptions, Data Protection Authority of India, penalties, criminal offences and remedies under the Draft Bill were discussed.

Shuvajit Mitra (Senior Manager – IP Commercialisation, Open Source & Trademarks Practices, Infosys)

Shuvajit began his presentation with how Infosys has adopted the usage and deployment of OSS in its solutions, and how this has saved costs and resources while meeting customers’ expectations. Discussing challenges, he mentioned that in a large and diversified organization there could be misunderstandings about open source usage due to inadequate licensing experience, compliance complications and related risks of IP infringement. The need for methodical compliance checks, license validation, established roles and accountability at the supervisory level was also discussed.

In order to address the challenges, Infosys IP team engaged with OpenChain Project to assess its compliance practices and identify gaps to come in consonance with industry standard practices. For capacity development Infosys organized trainings on OSS licensing, governance models & contribution processes.

Infosys did a Conformance Analysis which included assessment of its Open Source Policy, IP check & certification process, establishing an accountability system and attaining key requirements of OpenChain Specification to make its compliance program predictable, understandable and efficient. While discussing benefits, he mentioned that by being an OpenChain Conformant company, Infosys was able to demonstrate a transparent OSS compliance process in development and procurement. Being OpenChain Conformant would help Infosys in building trust among its customers and stakeholders while showcasing its global standards.

Arun Azhakesan (Lead OSS License Compliance, Siemens Healthineers)

Arun represented the formal tooling work group of OpenChain and explained how some of these tools were adopted later by Linux. The idea behind the tooling group is to reduce resource cost and enhance output. Also, because OpenChain brings conformance to the entire supply chain, these tools needed to be streamlined.

He started his presentation discussing efforts led by OpenChain in developing tools to assist OS compliance and making it more predictable. Arun shared the entire Integrated Compliance Toolchain Instance with specific compliance tools for each layer. Thereafter, he covered specific tools useful for the entire compliance chain.
The first is Fossology, which allows license, copyright and export control scans from the command line. It can generate an SPDX file, or a ReadMe with the copyright notices from the software. Scanners include Monk, Nomos and Ninka. The next tool, Eclipse SW360, is an OSS project which allows cataloguing of software components, assessing security vulnerabilities and maintaining license obligations, among others. It is licensed under EPL-2.0. Eclipse SW360 Antenna is another OSS tool, which automates the open source license compliance process. It collects compliance-related data, processes it and warns in case of compliance-related issues. Other tools suggested by Arun for the entire software supply chain included:

  1. OSS Review Toolkit: To download and scan the source code of the dependencies for license information and summarize the results.
  2. Software Heritage: To collect, preserve and share all software that is publicly available in source code form.
  3. BANG – Binary Analysis-NG: To find out the provenance of the unpacked files and classify/label files, making them available for further analysis.
  4. SPDX: For communicating the components, licenses and copyrights associated with a software package.
  5. Open Source Automation Development Lab (OSADL): To promote and coordinate the development of open source software for the machine, machine tool, and automation industry.

Informal Discussions

Attendees discussed that lately more companies are developing projects on open source, including Google, FB, LinkedIn and Microsoft. There have also been instances over the past decade where companies using open source made downstream improvements to convert products into proprietary ones. This led to changes in licensing regimes, namely at MongoDB and a few others. Further, the global movement towards streamlining compliance activities, led by the Linux Foundation, was discussed, the OpenChain Project being one of its products.
High profile patent litigations were also mentioned, including Apple-Qualcomm and Apple-Samsung. Open Invention Network’s work in resolving such disputes and in patent non-aggression, particularly for Linux-based products, was referred to.

Attendee companies discussed challenges they face when contributing to the open source pool, specifically the degree to which they can allow their developers to contribute and which parts to retain after due diligence checks (against 3rd party patent infringements).

There were also suggestions on focusing on smaller companies and start-ups in their transition towards open source. Secondly, awareness, being a major part of the OpenChain Project, should also be leveraged.

Mr. Sugathan encouraged sharing tools and compliance practices between WG members, as most companies use the same components but in different domains. He noted the utility of developing knowledge transfer between companies.

Queries ranged from basic questions such as an overview of OpenChain to the expectations from Indian companies and the implementations required. Core requirements of the OpenChain Specification were shown, which included standards required to be met in terms of documentation, processes and accountability. OpenChain gives self-certification flexibility to the organization; but being Conformant would require due diligence checks from third parties. Further, the benefits of OpenChain in keeping the software supply chain predictable and consistent were shared. This also helps companies to identify gaps in their compliance process and correct them.

It was reiterated that these meet-ups would allow companies to share their best experiences, especially addressing challenges they faced in their compliance programs.

OpenChain in Japan – The Statistics

By News

The OpenChain Japan Work Group will hold its last meeting of the year on the 19th of December. It seems like a good time to reflect on growth and next steps. You can see how our mailing list has expanded over time and the audience trend of the physical meetings.

One interesting data-point is that we have reached a stage of maturity in the number of companies participating. We have a lot of the principals (largest companies in Japan) and a representative collection of their suppliers. The next phase is increased OpenChain adoption, something we are seeing with things like the Fujitsu conformance announcement last week.

Our physical meetings have also followed an interesting trend. The “dips” in the chart show ad-hoc meetings, usually a planning session for a larger meeting ahead, or addressing a matter related to one of our seven Japan Sub-Groups that work on FAQs, supplier education, tooling and so on. We are still waiting for the final numbers from our December meeting but the trend is expected to continue.

The most interesting development was probably the evolution of activities around August 2019. At this meeting the OpenChain Japan Sub-Work Groups began their work, with seven teams holding their own meetings throughout the remainder of 2018 and into 2019.

Our July 2019 meeting was a major intersection of sub-group outcomes and the wider audience. The next such event is actually the Open Compliance Summit on the 17th and 18th December, and the final OpenChain Japan meeting on the 19th, an opportunity to provide the international audience with a strong overview of developments.

We are looking forward to a productive 2020 and increased collaboration between China, Japan, Korea, India and forthcoming European and American Work Groups. As OpenChain becomes an ISO standard we will seek to make sure all the best knowledge, everywhere, is easy to access.

OpenChain in Japan – Event Schedule for December

By News

The OpenChain Japan Work Group and its seven sub-groups are some of the most active parts of the OpenChain Project. Starting this month we are sharing their event schedule in English. We hope to show our local structure and encourage others to replicate it when appropriate around the world.

Check Out What Is Happening With OpenChain In Japan

Fujitsu is the Latest OpenChain 2.0 Conformant Company

By News

SAN FRANCISCO, NOVEMBER 29 – The OpenChain Project is delighted to announce that Fujitsu, a Platinum Member of the OpenChain Project, is the latest OpenChain 2.0 Conformant company. This activity is a continuation of Fujitsu’s long-standing commitment to excellence in open source governance and represents one of the larger OpenChain conformant programs. Fujitsu is the first company in Japan and the eighth globally to achieve OpenChain 2.0 conformance.

The OpenChain Project establishes trust in the open source from which software solutions are built. It accomplishes this by making open source license compliance simpler and more consistent. The OpenChain Specification defines inflection points in business workflows where a compliance process, policy or training should exist to minimize the potential for errors and maximize the efficiency of bringing solutions to market. The companies involved in the OpenChain community number in the hundreds. The OpenChain Specification is being prepared for submission to ISO and evolution from a growing de facto standard into a formal standard.

“Fujitsu has been a long supporter of open source communities and valued open source compliance. OpenChain Conformance demonstrates our commitment to open source compliance”, says Fujiwara Takashi, SVP, Head of Software Business Unit, Fujitsu Limited. “We have worked for the conformance for part of the Software Business Unit together with developers in Software Business Unit, which has more than 1,000 developers, licensing compliance specialists in intellectual property department, and open source specialists in OSS technology department. We will extend OpenChain Conformance throughout the company and strengthen Fujitsu’s open source governance. Now we are transforming our business into a technology consulting and service implementing company with open source technologies. We will keep contributing to open source communities.”

“Fujitsu has been a pivotal member of the OpenChain Project as we head into formal standardization via the ISO PAS process,” says Shane Coughlan, OpenChain General Manager. “Our collaboration has ranged from editorial work on the specification itself through to community building via the OpenChain Japan Work Group. I am delighted to take this next step in our relationship and to mark a milestone in the global roll-out of the OpenChain industry standard.”

About the OpenChain Project

The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage

Linux is a registered trademark of Linus Torvalds.

Media Contacts

Shane Coughlan
+818040358083
coughlan@linux.com

OpenChain Case Study: Interneuron

By News

The OpenChain Project is delighted to announce our latest case study. This time we are exploring how the OpenChain industry standard helps create efficiencies in health tech. You can view the case study online or download it as a PDF. As with all our case studies this release is intended both to highlight the diversity of adopters and to provide practical examples of how companies approach compliance in real world deployment.

View the Case Study

Download the Case Study

OpenChain Newsletter #31

By Monthly Newsletter, News

Newsletter – Issue 31 – November 2019


OpenChain Japan Advent Calendar

For the holiday season the OpenChain Japan Work Group will be running new posts about the project and open source compliance in general through 1st to 25th of December.

Big thanks to Watanabe San and Endo San for making this happen!

OpenChain @ ISO Standard 

OpenChain Specification – The ISO Draft Review Process Ends 10th December.

OpenChain @ Interviews

The OpenChain Project continues our community interview series with Nicole in Germany. Learn more about her approach to and work in the technology industry here in an interview that is anchored by the OpenChain Project but covers a wide range of IT and gender related topics.

OpenChain @ Conformance

LG Electronics announces OpenChain Conformance. LGE is the first major Korean company to take this step, cementing their status as a thought leader in the space, and directly building on their active work throughout 2019 in establishing the OpenChain Korea Work Group.

The OpenChain Project is delighted to announce that Fujitsu, a Platinum Member of the OpenChain Project, is the latest OpenChain 2.0 Conformant company. This activity is a continuation of Fujitsu’s long-standing commitment to excellence in open source governance and represents one of the larger OpenChain conformant programs. Fujitsu is the first company in Japan and the eighth globally to achieve OpenChain 2.0 conformance.

OpenChain @ Translations

We are proud to announce the translation of the overview slide deck for the OpenChain Project in the German language:

The OpenChain Project provides extensive reference material to help companies of all sizes adopt the key requirements of a quality open source compliance program. Our mission is to help improve compliance across the global supply chain. As part of this initiative, and thanks to the hard work of our exceptional volunteer community in Japan, the OpenChain Project has released supplier education leaflets in Chinese (Simplified), Chinese (Traditional), English and Japanese. Please get your copies below and use them freely. As with all our reference material these are provided under CC-0 licensing, effectively public domain.

OpenChain @ In The News

The OpenChain Project was featured on the OpenUK website. Shane Coughlan wrote about the OpenChain Project and Practical Compliance.

The OpenChain Project was featured on the FOSSIDB blog on November 22nd. They kindly made space for an informal, detailed dive into the project, what we are doing today, and why.

OpenChain @ Events

The OpenChain Project was at many events in November. There we go!

OpenChain @ LF Energy Global Summit in Paris, France on the 4th of November:

OpenChain @ Bird&Bird Automotive Seminar in Berlin on the 5th of November:

OpenChain Workshop adjacent to OSS EU in Lyon 

OpenChain @ Asian Legal Network event in Shanghai on the 1st of December:

OpenChain @ OSS EU:
Some of the OpenChain-related talks from Open Source Summit Europe are now available:

The OpenChain Project will be at CES 2020. This initiative is being led by the OpenChain Japan Work Group. More news to follow soon!

OpenChain @ Work Groups

The OpenChain Automotive Work Group held its second meeting adjacent to Open Source Summit Europe in Lyon during October. We had a full house (people had to sit in the corners).

The OpenChain Japan Work Group has announced the December Meeting Schedule. The 12th OpenChain Japan Work Group will be held on December 19th at NEC (Suganuma, NEC OSS Promotion Center).

OpenChain @ Case Studies

The OpenChain Japan Work Group pioneered a series of super quick case studies to help everyone get to know each other. We believe these can be useful for local Work Groups in every location and want to share a template that can be adapted. The content of this template is not editable because it refers to actual company processes, but the idea and layout can be copied freely.

The OpenChain Project is delighted to announce our latest case study. This time we are exploring how the OpenChain industry standard helps create efficiencies in health tech. You can view the case study online or download it as a PDF. As with all our case studies this release is intended both to highlight the diversity of adopters and to provide practical examples of how companies approach compliance in real world deployment.

OpenChain Supplier Education Leaflet – Multiple Languages Available

By News

The OpenChain Project provides extensive reference material to help companies of all sizes adopt the key requirements of a quality open source compliance program. Our mission is to help improve compliance across the global supply chain. As part of this initiative, and thanks to the hard work of our exceptional volunteer community in Japan, the OpenChain Project has released supplier education leaflets in Chinese (Simplified), Chinese (Traditional), English and Japanese. Please get your copies below and use them freely. As with all our reference material these are provided under CC-0 licensing, effectively public domain.

Get these guides and many more documents in the OpenChain Reference Library.