The OpenChain AI Work Group has been considering how to manage AI compliance in the supply chain for over a year. During this time the community has collaboratively produced a draft guide to identify key process points for a quality AI compliance program:
With approval from the OpenChain Governing Board, the draft ‘The Artificial Intelligence System Bill of Materials: Compliance Management Guide for the Supply Chain’ is now entering a Public Comment Period.
Participate:
This Public Comment period will follow the OpenChain Project process outlined on our website:
THE DEADLINE FOR SUBMISSION OF PUBLIC COMMENTS IS 2025-08-18 AT 04:00 PDT / 11:00 UTC / 13:00 CEST / 20:00 JST.
—
Please note: THE DRAFT GUIDE IS NOT A PRODUCTION RELEASE OR OFFICIAL RELEASE DOCUMENT FROM THE OPENCHAIN PROJECT. AT THIS JUNCTURE, IT IS WORKING DOCUMENT DESIGNED TO ALLOW INTERESTED PARTIES TO SHARE IDEAS.
ECARX is a global automotive technology provider partnering with OEMs to accelerate the future of software-defined vehicles. As OEMs develop new vehicle platforms from the ground up, ECARX is developing a full-stack solutions to enhance the user experience, while reducing complexity and cost.
To date ECARX products have been integrated into more than 8.7 million cars worldwide. Founded in 2017, and listed on the Nasdaq in 2022, it has more than 1,800 team members across Europe, Asia and the Americas working towards one ambition: to redefine the driving experience by making it safer and more enjoyable for everyone.
We had the OpenChain Governing Board meeting last week, and our community-elected chairs for the OpenChain Specification, Education and Telco Work Groups were formally approved. Their terms begin today, July 1st 2025.
Please welcome:
– Specification: Chris Wood, Lockheed Martin (4th term)
– Education: Martin Yagi, First Light Fusion (1st term)
– Telco: Marc-Etienne Vargenau, Nokia (3rd term)
It is wonderful to have their help, contributions and experience applied to making a more trusted open source supply chain.
We are looking forward to the year ahead! There is a lot to do.
We are delighted to welcome Mercedes-Benz Research and Development India to the OpenChain community of conformance. This is another milestone in the adoption of OpenChain standards by the automotive supply chain, and serves as a reminder of the broad applicability for our solutions around the world.
About Mercedes-Benz Research and Development India:
Mercedes-Benz Research and Development India (MBRDI) is the largest research and development center for Mercedes-Benz Group AG outside of Germany. Started in 1996, the Bengaluru headquartered organisation plays a prominent role in the development of new technologies like connected, autonomous, and electric in the mobility world. MBRDI, known for its engineering innovations, has grown to a team of over 8,500 employees and is one of the earliest technology and innovation center of a global automotive company to set up a strong presence in India.
In line with the global ambitions of the Mercedes-Benz Group, MBRDI plays a prominent role in innovating and accelerating the future of sustainable mobility. Over the last 25 years of its presence in India, MBRDI has established itself as an innovation powerhouse. The engineers at MBRDI are committed to providing an unparalleled experience and comprehensive digital capabilities, with technology at the core. MBRDI harnesses the role of IT in accelerating the future of automotive technology in terms of engineering, digitalisation, testing and simulation, and data science.
MBRDI offices in Bengaluru specialise in end-to-end capabilities in product development and IT services. The satellite office in Pune focuses on interior component designs and IT engineering.
About the OpenChain Project:
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
S-core, Self-Certified for OpenChain ISO/IEC 18974 International Standard
S-core, an open source specialist with extensive experience in open source-based infrastructure development, has adopted OpenChain ISO/IEC 18974, an international standard for open source security assurance. This achievement builds upon the company’s existing OpenChain ISO/IEC 5230 certification for license compliance and extends their commitment to robust security across the open source supply chain.
With this certification, S-core has been able to strengthen open source security management and establish a more systematic approach and management system.
Sunghan Suh, Head of the Open Source Business Division at S-core, stated, said “ISO /IEC 18974 certification has established a systematic process and culture for open source management, enabling us to accelerate innovation and enhance quality and security.” With the OpenChain ISO/IEC 18974 certification, S-core has proven its leadership in open source utilization and consulting. We have been actively utilizing open source and contributing to the community for a long time, and we are leading the creation of value from open source by sharing and collaborating with various companies with our accumulated open source expertise.
About S-core:
S-core specializes in open source services with extensive experience across various technology fields. The company provides comprehensive solutions including open source adoption & migration, technical support and governance consulting, and governance consulting. Through these services, S-core enables customers to safely and efficiently utilize open source technologies within robust management frameworks.
About the OpenChain Project:
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The OpenChain Project will host a mini-summit to explore how standards and process management are driving the next phase of sustainable, efficient open source use in organizations. We will discuss emerging trends or concerns in areas like AI and SBOM quality, and we will also discuss the future development of our existing standards (ISO/IEC 5230 for license compliance and ISO/IEC 18974 for security assurance). Attendees will come away with increased knowledge of OpenChain activities, more generally of open source business process management, and with the ability to apply that learning to their own companies and projects.
Agenda:
Current Compliance
OpenChain Standards for Process Management and Risk Reduction
Industry Specific and Cross-Industry SBOM Quality Management
Understand Automation – Open Source Tools for Open Source Compliance
Future Compliance
AI BOM Compliance in the Supply Chain
Mitigating Risk for Securing Information in a Post Quantum Computing (PQC) World
Famisanar EPS was formed as a strategic alliance between Cafam and Colsubsidio to contribute to improving the health of Colombians in 1995. They currently have 2,277 collaborators and are present in 139 municipalities of 16 departments. They have a total of 58 Administrative and User Service Offices nationwide.
“The OpenChain Project, and the standards we maintain, are a contribution to the health and trustability of the software supply chain,” says Shane Coughlan, OpenChain General Manager. “We are delighted to see that our work is supporting the medical industry in Colombia, and we hope their activity in this space inspires others. The OpenChain community is always ready to help organizations from any geography, and in any industry, make use of our standards and guides to improve open source process management.”
OpenAnolis announced that it has met the OpenChain ISO/IEC 5230 standard. The OpenAnolis community is a non-profit open source community formed by enterprises, institutions, universities, scientific research institutions, non-profit organizations, individuals, etc. on the basis of voluntariness, equality, openness, and collaboration.
The OpenAnolis community has always attached great importance to the construction of security and compliance capabilities. In terms of infrastructure, R&D processes and tools, the community has made comprehensive and in-depth investments, including the construction of software supply chain security infrastructure, support for SBOM lists, and the construction of license compliance systems. These capabilities provide solid security guarantees for the community’s open source activities, ensuring that they are carried out smoothly in a safe and compliant environment.
Ma Tao, Chairman of OpenAnolis, said: “We are pleased to announce the OpenChain ISO/IEC 5230 certification. Open source has always been the source of innovation for the OpenAnolis Community. The OpenAnolis Community will firmly embrace open source, contribute to open source, and contribute to the field of operating systems in the AI era. This certification is a very important milestone in the construction of OpenAnolis’s open source compliance capabilities, and it is also a new starting point. The OpenAnolis Community will continue to invest and improve in the direction of security compliance to ensure the community’s security compliance level.”
Liu Dapeng, head of the OpenAnolis Community Standardization SIG, said that the OpenAnolis Community’s OpenChain ISO/IEC 5230 certification is of great significance to the development of the community. Standards and community open source complement each other, promote and enhance each other, and play an important role in building an open, interoperable, prosperous and innovative technology ecosystem. In the future, the Standardization SIG will continue to work with community ecosystem partners to jointly formulate the engineering standards of the OpenAnolis Community and ensure that community products meet relevant standard requirements.
About OpenAnolis
Founded in September 2020, OpenAnolis is an international open-source community and innovation platform for operating systems. It is committed to building a Linux open-source distribution and open-source innovation technology through open community cooperation. Its goal is to promote the prosperity and development of software, hardware, and application ecology, and jointly create new sources and infrastructure for digital development.
The community council consists of 24 leading enterprises from around the world, including Alibaba Cloud, Uniontech, Loongson, Arm, Intel, and more. Nearly 600 partners have participated in ecological co-construction, achieving full coverage of mainstream chip collaborative research and development mechanisms, mainstream middleware/databases, and mainstream OEM manufacturers. Over 100 products have successfully adopted the OpenAnolis operating system (Anolis OS). Currently, OpenAnolis has served over 800,000 users.
OpenAnolis has established about 60 SIG working groups, with an average monthly contribution of 5,000 PR. It has achieved technological innovation in core areas such as chips, kernel, compiler, security, virtualization, and cloud-native, consistently ranking at the top of the Linux community rankings. The community has released several community versions, including Anolis LoongArch GA, Anolis OS 7.9, 8.4, 8.6, and more.
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
Socionext, a semiconductor and System on a Chip (SOC) company based in Japan, has completed recertification of OpenChain ISO/IEC 5230. This is an important part of the 18 month review cycle required by the specification to ensure processes are current.
“ISO standard periodic recertification is a critical building block in creating trust,” says Shane Coughlan, OpenChain General Manager. “As companies evolve and markets change, it is important to use clear, unambiguous processes like those outlined in OpenChain ISO/IEC 5230, the International Standard for open source license compliance. This is key to managing the open source software supply chain, and Socionext has long been a leader in this area.”
About Socionext Inc.
Socionext Inc., a leading global System-on-Chip (SoC) supplier, is a pioneer of the ‘Solution SoC’ business model. This innovative approach encompasses Socionext’s ‘Entire Design’ capabilities and offering of ‘Complete Service’. As a trusted silicon partner, Socionext fuels global innovation, providing superior features, performance, and quality that set its customers’ products and services apart in diverse domains ranging from automotive and data centers to networking, smart devices, and industrial equipment.
Socionext Inc., based in Yokohama, operates offices across Japan, Asia, the United States, and Europe for development and sales. For more information, visit https://www.socionext.com/en/.
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
-1.png)
