dSPACE GmbH Has Completed Third-Party Certification Of ISO/IEC 5230:2020

By Featured, News

dSPACE GmbH, a global leader in simulation and validation, has adopted ISO/IEC 5230:2020 via completed third-party certification provided by TÜV SÜD. TÜV SÜD is an official OpenChain Partner and is a well-known certification provider. 

“This certification is another important building block in dSPACE’s compliance management system,” says Stefan Schukat, Software Compliance Manager at dSPACE, “and the commitment to a sustainable, meaningful and compliant use of Open Source as well as the support of Open Source projects. We chose third-party certification via TÜV SÜD to ensure our adoption had assessment from independent, accredited experts, and to support the highest possible quality in our process management.”

“The adoption of ISO/IEC 5230 by dSPACE GmbH and their choice of third-party certification is a notable milestone in the increasing maturity of the open source supply chain,” says Shane Coughlan, OpenChain General Manager. “Our goal has always been to link more and more companies via trusted, reliable and consistent process management. This is an excellent example. Incidentally, the first OpenChain third-party certification was provided by TÜV SÜD to Hitachi in 2018. We are delighted to see the continuation of their service provision to the market, and our continued momentum in this domain.”

You can view the TÜV SÜD certificate for dSPACE at this link:

About dSPACE

dSPACE is a leading provider of simulation and validation solutions worldwide for developing connected, autonomous, and electrically powered vehicles. The company’s range of end-to-end solutions is used particularly by automotive manufacturers and their suppliers to test the software and hardware components in their new vehicles long before a new model is allowed on the road. Not only is dSPACE a sought-after partner in vehicle development, but engineers also rely on dSPACE know-how when it comes to aerospace and industrial automation. The dSPACE portfolio ranges from end-to-end solutions for simulation and validation to engineering and consulting services as well as training and support. With more than 2,600 employees worldwide, dSPACE is headquartered in Paderborn, Germany; has three project centers in Germany; and serves customers through its regional companies in the USA, the UK, France, Japan, China, Croatia, Korea, India, and Sweden.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs, and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenChain SBOM Study Group Kick-Off Call – 2024-07-30 at 09:00 CEST / 15:00 CST / 16:00 KST + JST

By Featured, News

OpenChain SBOM Study Group Kick-Off Call

2024-07-30 at 09:00 CEST / 15:00 CST / 16:00 KST + JST

The OpenChain Governing Board recently approved the creation of a new study group to discuss SBOM use in the supply chain. With a focus on “how to use,” this study group will consider practical ways to increase trust in the supply chain and satisfy regulatory requirements. It builds on previous work by the OpenChain Project around lightweight SBOM profiles (SPDX Lite), defining quality SBOM (Telco SBOM Guide) and local work group activities.

Join here up to ten minutes before we start, no registration required:

This kick-off call will:

  • Introduce the practical considerations of using SBOMs in supply chains
  • Discuss who these considerations apply to
  • Talk about existing market solutions: Case Study SPDX Lite
  • Have an open discussion on next steps

Everyone with an interest in SBOMs, their use in the supply chain, and increasing trust in the supply chain is invited. Kobota San from Sony is the chair of this study group in 2024. Kobota San, thank you for stepping forward to start this activity!

We also have a new mailing list for the SBOM Study Group:

Please subscribe to stay up-to-date, to take part in, and to contribute to our activities.

IAV Announces Adoption of ISO/IEC 5230:2020

By Featured, News

IAV GmbH has announced adoption of ISO/IEC 5230:2020 via third-party certification provided by TimeToAct. Adjacent to this, IAV and TimeToAct are collaborating with the OpenChain Project on a webinar and case study about the certification rationale and process.

“The exceptional progress of OpenChain ISO/IEC 5230 in improving trust in the open source supply chain has been felt in many industries,” says Shane Coughlan, OpenChain Project General Manager. “However, automotive is perhaps where we have had the largest and broadest impact. In a sector with a high degree of regulation, our ISO standard for open source license compliance offers a clear, effective and efficient method of containing risk. We are delighted to welcome IAV GmbH to our community of conformance, and to have had the opportunity to collaborate with our official partner TimeToAct on sharing this news with others. Our forthcoming webinar and case study adjacent to the certification provides a useful tool for other companies seeking to align behind international standards for open source business process management.”

The case study will be released and the webinar will take place at 10:00 CEST on the 16th of July. Learn more about this from the OpenChain Global Calendar on our participation page.


There is no need to register for this webinar. Simply follow the Zoom link in the OpenChain Global Calendar.

About IAV GmbH

IAV Automotive Engineering is a developer of computer app systems for the automotive industry. The company offers services in the areas of light vehicles, such as chassis, cockpit, combustion engine, E-Traction, exterior, gaseous-fuel vehicle, hybrid, interior, mobility, powertrain concept and integration, powertrain electronics, product life cycle, transmission, vehicle electronics, vehicle function, and vehicle safety services; commercial vehicles and work machines, including cabin, CO2 efficiency, driver assistance, functional architecture, powertrain, transportation and logistics, and work and agricultural machines; energy supply aspects; and methods and test facilities.

About TimeToAct

TIMETOACT GROUP modernises and integrates IT applications for upper midmarket companies, Fortune 500 enterprises and the public sector, with the goal of increasing their agility, efficiency, and transparency and reducing costs and risks. In addition, TIMETOACT GROUP designs and implements digital business models, opening up new market opportunities for its innovative customers. Its services include consulting and cloud transformation as well as data, software and system engineering in the fields of employee experience, business applications, and customer experience.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs, and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Introduction to Open Source License Compliance Management (LFC193) – The Bite-Sized Videos

By Featured, News

The OpenChain Project collaborated with LF Training on Introduction to Open Source License Compliance Management (LFC193), a free online training course intended to help people build the basic knowledge needed to get started in open source licensing management. Martin Yagi from the OpenChain UK Work Group has created a series of bite-sized videos to help summarise key points from the course. You can view them all below.



Chapter 0: Introduction

Chapter 1: Rights and Licensing

Chapter 2 Part 1: Introduction to Open Source Licenses

Chapter 2 Part 2: Introduction to Open Source Licenses

Chapter 3 Part 1: Introduction to Open Source Compliance

Chapter 3 Part 2: Introduction to Open Source Compliance

Chapter 4: Codebuilding and Distribution

Chapter 5: Bringing it all Together

Huge thanks to Martin for all his hard work!



The OpenChain Project also has a more advanced course created in collaboration with LF Training called Implementing Open Source License Compliance Management (LFC194).


OpenChain AI Study Group – Monthly Workshop for North America and Europe – 2024-07-02 – Recording

By Featured, News

The OpenChain AI Study Group held its regular monthly workshop on the 2nd of July. This workshop included an overview of outcomes from the recent OpenChain Governing Board meeting regarding the AI Study Group, a presentation by Laurie Grant of Qualcomm on ISO/IEC 42001, as well as other discussions to narrow down areas of shared concern and interest regarding AI compliance in the supply chain.

Track This Work

You can follow and contribute to the work of the OpenChain AI Study Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:

Attend Future Meetings

You can find the dial-in details for all future AI Study Group meetings on our participation page here:

OpenChain Project – Monthly North America and Europe Call – July – Full Recording

By Featured, News

We held our regular Monthly North America and Europe Call this week. The focus was on discussing the Public Comment period for our draft proposed updates to the licensing and security specifications.

Check Out The Recording

We keep all the slides from our monthly calls online and they can be a useful way to access direct links and more details:

Overview of the Public Comment Period

OpenChain Project Announces Public Comment Period for Draft Updates to Compliance and Security Specifications

Starting 2024-06-19 ~ Ending 2024-12-19

The OpenChain Project has announced the beginning of its six month Public Comment Period for proposed draft updates to the open source license compliance (ISO/IEC 5230:2020) and open source security assurance (ISO/IEC 18974:2023) specifications.

As per our specification development process outlined in the project FAQ, this Public Comment Period will run for six months, and it will be followed by a three month Freeze Period.

During the Public Comment Period everyone is invited to review and comment on the specifications. As an open project developing open standards, we host the draft documents on our GitHub repositories.

Learn More:

You can comment on this process by joining our monthly calls or via our Specification Mailing list. You can also leave comments via GitHub issues as detailed below.

OpenChain Project Announces Public Comment Period for Draft Updates to Compliance and Security Specifications

By Featured, News

Starting 2024-06-19 ~ Ending 2024-12-19

The OpenChain Project has announced the beginning of its six month Public Comment Period for proposed draft updates to the open source license compliance (ISO/IEC 5230:2020) and open source security assurance (ISO/IEC 18974:2023) specifications.

As per our specification development process outlined in the project FAQ, this Public Comment Period will run for six months, and it will be followed by a three month Freeze Period.

During the Public Comment Period everyone is invited to review and comment on the specifications. As an open project developing open standards, we host the draft documents on our GitHub repositories.

You can comment on this process by joining our monthly calls or via our Specification Mailing list. You can also leave comments via GitHub issues as detailed below.


Current Published Specifications




Proposed Draft Updates to the Specifications


More Details On The Process

Full details can be found in the specification development process outlined in the project FAQ.

A brief outline of our current steps is that the project will:

  • Open a Public Comments Period nine months before our target completion date. This runs for six months and only accepts minor updates such as typos or grammar corrections that do not change the requirements of the content. We do not accept any material changes during this period. All other feedback and recommendations are queued for consideration during the next version release cycle.
  • Open a Freeze Period three months before our target completion date to allow a three-month review of any changes made during the Public Comments Period.
  • If a consensus expresses concerns over any changes made during the Public Comments period we would
    • i) make changes to accommodate those concerns followed by
    • ii) an additional 14 day Public Comments period; followed by
    • iii) another 14 day Freeze period. Anyone with significant reservations on the final draft should state their position/concerns via the spec mailing list. The changes will be accepted once we achieve consensus for the final draft.
  • In the event we do not have consensus on the final version – we would repeat the following cycle until we have consensus:
    • i) accommodate changes to address majority concerns;
    • ii) 14 day Public Comments period; followed by
    • iii) a 14 day Freeze period cycle.
  • Send the completed draft specification to the OpenChain Steering Committee for formal review and a vote on whether to accept the community recommendations for an updated or new specification.
  • In principle, we target updates to our ISO standards once every five years.

Please Note: the final decision on content and release of OpenChain Project specifications lies with the OpenChain Steering Committee.

Policy Briefing Series: EU Cyber Resilience Act, AI Act and the Product Liability Directive

By Featured, News

The OpenChain Project collaborated with OpenForum Europe (OFE) on a three-part series of webinars covering European policy matters that impact open source, business processes and risk management. These webinars took place between May and June 2024, and are intended to provide a simple, clear and unbiased look at the impact recent European Union policy will have on companies in the open source supply chain.

Our Speaker is Ciarán O’Riordan, Senior Policy Advisor at OFE. His background is as a free software / open source software policy and communications expert.

The EU Cyber Resilience Act

More Details

“The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products. Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.”
https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

The EU AI Act

More Details

“The AI Act is the first-ever legal framework on AI, which addresses the risks of AI and positions Europe to play a leading role globally. The AI Act aims to provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens for business, in particular small and medium-sized enterprises (SMEs).” 
https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

The EU Product Liability Directive

More Details

“European Union reached provisional (political) agreement on the text for the proposed revision of the EU’s Product Liability Directive 85/374/EEC (PLD). The PLD establishes a strict liability (i.e., no fault) regime to enable claimants to seek compensation for defective products across the EU, meaning claimants do not need to establish fault to claim successfully. As a result, it is the preferred way of making product liability claims in the EU. The revision is a significant development, as the PLD dates back to 1985 and has been virtually unchanged for nearly 40 years – with only very minor amendments in 1999.”
https://products.cooley.com/2023/12/21/new-product-liability-laws-one-step-closer-in-europe/

About OpenForum Europe (OFE), Our Partners in this Series

OFE is a not-for-profit, Brussels-based independent think tank which explains the merits of openness in computing to policy makers and communities across Europe. Originally launched in 2002 to accelerate and broaden the use of Open Source Software (OSS) among businesses, consumers and governments, OFE’s focus has since evolved to also cover issues related to Open standards, Cybersecurity, Digital Government, Public Procurement, Intellectual Property, Cloud Computing and Internet Policy.
https://openforumeurope.org/

More About Our Webinar Series

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain ecosystem. Participants discuss approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs are involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

openEuler Announces Adoption of OpenChain ISO/IEC 18974

By Featured, News

Today at the launch event for openEuler 24.03 LTS it was announced that openEuler has adopted OpenChain ISO/IEC 18974, the international standard for open source security assurance. This announcement from the OpenAtom Foundation and the openEuler community builds on previous collaboration with the OpenChain Project and peers in the technology industry to promote effective, efficient supply chain management. The OpenChain Project, part of The Linux Foundation ecosystem, builds ISO standards, creates reference material for their adoption, and facilitates a diverse global community of organizations collaborating to improve open source process management.

“It’s a proud moment to announce the release of openEuler 24.03 LTS. This journey has been all about building a secure, compliant, and sustainable operating system community,” says Xiong Wei, Executive Director of openEuler. “Achieving ISO 18974 self-certification from OpenChain Project is a testament to our unwavering commitment to security and excellence. This certification recognizes our top-tier standards in development processes, software supply chain, risk assessment, management, and developer security capabilities. This milestone is not just a badge; it’s a reflection of the hard work, dedication, and collaboration within our community. I want to extend my heartfelt thanks to everyone involved in this journey. Your efforts have made this achievement possible.”

“openEuler’s adoption of OpenChain ISO/IEC 18974 is a significant milestone for the professionalization of open source software,” says Shane Coughlan, OpenChain General Manager. “The OpenChain standards are designed to support process management across organizations or communities of any scale, and the growing community of conformance around ISO 5230 for license compliance and ISO 18974 for security assurance validates that model. We are delighted to work closely with our partners in openEuler in building a more professional, sustainable and accountable supply chain.”

OpenAtom and openEuler have also released a case study explaining the benefit and impact of OpenChain ISO/IEC 18974 adoption.


About the openEuler Project

openEuler is an open source, free Linux distribution platform. The platform provides an open community for global developers to build an open, diversified, and architecture-inclusive software ecosystem. 

About the OpenAtom Foundation

The OpenAtom Foundation is a non-profit organization dedicated to promoting the development of the global open source community. It was founded in Beijing in June 2020.

The OpenAtom Foundation is committed to being a developer-oriented open source project incubation platform as well as a technology public welfare service organization. It follows the principles of co-construction, co-governance, and sharing, systematically builds an open and collaborative framework, establishes an international open source community, facilitates industry collaboration, and empowers various industries.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs, and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

openEuler Releases OpenChain ISO/IEC 18974 Adoption Case Study

By Featured, News

We are delighted to announce a new case study from OpenAtom and openEuler explaining the benefit and impact of OpenChain ISO/IEC 18974 adoption.

Read the Case Study on SlideShare

Download from the OpenChain Reference Library


This case study has been published alongside the formal announcement, made at the openEuler 24.03 LTS launch event, that openEuler has adopted OpenChain ISO/IEC 18974, the international standard for open source security assurance.


“It’s a proud moment to announce the release of openEuler 24.03 LTS. This journey has been all about building a secure, compliant, and sustainable operating system community,” says Xiong Wei, Executive Director of openEuler. “Achieving ISO 18974 self-certification from OpenChain Project is a testament to our unwavering commitment to security and excellence. This certification recognizes our top-tier standards in development processes, software supply chain, risk assessment, management, and developer security capabilities. This milestone is not just a badge; it’s a reflection of the hard work, dedication, and collaboration within our community. I want to extend my heartfelt thanks to everyone involved in this journey. Your efforts have made this achievement possible.”

“openEuler’s adoption of OpenChain ISO/IEC 18974 is a significant milestone for the professionalization of open source software,” says Shane Coughlan, OpenChain General Manager. “The OpenChain standards are designed to support process management across organizations or communities of any scale, and the growing community of conformance around ISO 5230 for license compliance and ISO 18974 for security assurance validates that model. We are delighted to work closely with our partners in openEuler in building a more professional, sustainable and accountable supply chain.”

About the openEuler Project

openEuler is an open source, free Linux distribution platform. The platform provides an open community for global developers to build an open, diversified, and architecture-inclusive software ecosystem. 

About the OpenAtom Foundation

The OpenAtom Foundation is a non-profit organization dedicated to promoting the development of the global open source community. It was founded in Beijing in June 2020.

The OpenAtom Foundation is committed to being a developer-oriented open source project incubation platform as well as a technology public welfare service organization. It follows the principles of co-construction, co-governance, and sharing, systematically builds an open and collaborative framework, establishes an international open source community, facilitates industry collaboration, and empowers various industries.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs, and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.