OpenChain Newsletter #87

By Featured, Monthly Newsletter, News
The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.

This month’s update highlights significant momentum in global adoption, alongside a big ‘Open Chain and Friends’ event with many tracks including Compliance, AI, CRA, Automotive, Education, and so on.

April has been a productive month for the OpenChain Project, with strong engagement across the Linux Foundation ecosystem, new working group activities, and continued progress on key deliverables that support software supply chain trust and compliance.

What happened in April? See the highlights below.


Welcome OpenChain New Board Member-Yoshiyuki Ito From Renesas

We are pleased to welcome Yoshiyuki Ito from Renesas as a new member of the OpenChain Board. His experience and leadership in semiconductor and embedded systems will further strengthen OpenChain’s global governance and ecosystem collaboration.


OpenChain Engagement with COPU in Beijing

OpenChain recently visited Professor Lu, founder of COPU in Beijing, and both parties look forward to strong future collaboration in advancing open source governance and ecosystem development.


The Teoresi Group Approach to Open Source Governance

The Teoresi Group continues to strengthen its structured approach to open source governance, focusing on compliance, security, and sustainable software supply chain practices across its engineering activities. For more information, see https://openchainproject.org/news/2026/05/05/the-teoresi-group-approach-to-open-source-governance

 


OpenChain Community Day in Tokyo

OpenChain Community Day was successfully hosted at the Sony office in Tokyo, with around 60 participants in attendance. The event featured discussions on OpenChain ISO standards, OSPO experiences in the automotive industry, as well as emerging topics such as CRA and AI.


OpenChain Beijing 2026 and OSPOlogy Live in Beijing

OpenChain Beijing and OSPOlogy Live were successfully held in Beijing in May, bringing together the community to exchange insights on open source governance, compliance, AI, Agentic AI and ecosystem collaboration.

Automotive / SDV track @ OpenChain and Friends 2026

By Featured, News

Automotive / SDV track (Hosted by Bosch on 26 March, Ludwigsburg, Stuttgart, Germany)

Summary by Alin Jerpela

 

Eclipse Foundation SDV landscape project

https://projects.eclipse.org/proposals/eclipse-sdv-landscape

Visibility matters: communities do not interact if they do not know about each other. The value of Open Source is interaction and cooperation, and there was a need for an interactive website where you can browse all projects, with data sourced from the Eclipse website. The projects are added automatically and classified by their SDV functionality.

The landscape provides a collection of projects revolving around the automotive topic:

  • Open Source management
  • Automotive Software
  • Development tools
  • Operating Systems
  • Base Software
  • Interfaces and APIs
  • Data management
  • Infotainment
  • IDE
  • Testing and Validation
  • Simulation
  • Analysis
  • Software Heritage
  • AI
  • Robotic tools

 

COVESA – Accelerating the future of connected vehicles

https://covesa.global/

It is an open global project hosting over 100 companies and organizations in a collaborative community.

The project aims to address the current automotive challenges:

  • keeping the in-vehicle digital experience up to date
  • embracing customers' digital lives
  • integrating into the broader mobility experience

Technical focus:

  • a common language for vehicle data definition and exchange
  • AOSP app framework

Vehicle data and API:

  • data lake for service implementation and vehicle health
  • vehicle API – interaction in the vehicle and with the vehicle

The project defines also the vehicle signal specification to enable:

  • scalability
  • faster time to market
  • cost saving
  • innovation

Data expert pillars of work:

  • Cloud
  • Native OS
  • Hosted OS (Android)
  • Mobile
  • Charging point
  • AI

Implementing COVESA in a commercial vehicle provides simplification and enables mutual benefits.

 

FOSS licenses

For most licenses there is a license termination clause if the license is violated, and for some the license is reinstated after compliance is achieved.

If the Open Source Software is distributed and the obligations are not fulfilled, the result is termination of the license.

There are two license categories:

  • Licenses that are permanently revoked if the license is violated (GPL v2, Apache 2.0, MIT, BSD)
  • Licenses that are reinstated after the compliance is achieved (GPLv3, MPLv2)

Note:

A GPL v2 violator regains the license only after obtaining forgiveness from all copyright holders, which might be impossible. Several legal cases illustrate that forgiveness is not necessary and that reinstatement happens by fulfilling the Open Source Software license requirements.

Working with Open Source communities:

  • Open Source is a way of working together across borders, time zones and cultural barriers
  • provides sovereignty by ensuring the basic rights to choose, analyze and modify the software
  • collaboration between individuals and companies to achieve a common goal
  • developers have fun developing software that inspires them
  • fosters innovation by providing an open framework for different skills and ideas
  • influences the technological future

Open Source development is an iterative development model:

  • wide adoption
  • zero license cost
  • participants can shape project through contributions
  • provides transparency for all the participants and changes

Industrial Open Source can be engineering driven or business driven (e.g. the automotive industry).

There are several examples of Open Source projects with:

  • multi-vendor infrastructure which enables cost sharing (e.g. Kubernetes, OpenStack, SW360)
  • single-maintainer "houseplant" / personal projects fulfilling critical needs (e.g. curl)
  • specialty library projects which provide a shared common solution to a specific essential problem, fostering collaboration and reducing development cost (e.g. LibreSSL, FFmpeg)
  • trusted vendor projects, where a central organization publishes the project as Open Source to generate community trust (e.g. MongoDB, Grafana)

 

Self organization and decentralization helps Open Source projects grow

 

Apache Software Foundation NuttX RTOS – Introduction to the RTOS, benefits and current features.

https://nuttx.apache.org/

NuttX RTOS is available on more than 400 boards supporting all current architectures (e.g. ARM, RISC-V, MIPS, x86). The project's strong focus on standards makes it attractive for a wide range of products, and several product examples and companies using NuttX RTOS were presented.

 

AGL SoDeV project

AGL (a Linux Foundation project) is a non-profit organization aiming to build the car of the future by providing an Open Source SDV reference platform.

 

Production vehicles using the AGL IVI platform:

  • Toyota and Lexus 2018
  • Toyota 2026 RAV4 with new UI
  • Suzuki eVitara, featuring an IVI developed by Aisin and Yazaki

The platform unifies the best Open Source Software in a single shared code base for the whole industry, to reduce fragmentation and boost innovation.

Architecture:

  • Control domain (RTOS, e.g. Zephyr)
  • Driver domain
  • Guest domains (virt-io adopted functional domain)

AGL is celebrating the 20th release which provides the following features:

  • type 2 hypervisor
  • virt-io supported
  • AGL guests available for IVI and IC (Flutter)

Future features planned for release 21:

  • latest Flutter embedded and workspace automation tooling
  • initial version of SoDeV, which allows developers to create an SDV system
  • available for Renesas Sparrow Hawk (Xen needs private code quirks) and RPI 5 (Xen without GFX)
  • initial version of Xen support
  • UHMI features

OSCHINA Joins the OpenChain Partner Program to Advance Software Supply Chain Security

By Featured, News

OSCHINA has officially joined the OpenChain Partner Program, an initiative of OpenChain under the Linux Foundation dedicated to improving trust, security, and compliance in software supply chains worldwide.

As one of China’s leading open-source and developer platform providers, OSCHINA will contribute its expertise in software supply chain security, open-source governance, and developer ecosystems while collaborating with organizations around the world to advance industry best practices and international standards.

OpenChain, established by the Linux Foundation in 2015, brings together companies, industry groups, and public sector organizations to develop practical standards and reference materials that support effective open-source compliance and software supply chain management.

Strengthening Software Supply Chain Security

Over the years, OSCHINA has developed comprehensive software supply chain security capabilities through its developer ecosystem and enterprise R&D platforms. The company has built a full-lifecycle framework that addresses security requirements across source code management, component analysis, build processes, software delivery, and runtime operations.

Its platform integrates technologies such as Static Application Security Testing (SAST), Software Composition Analysis (SCA), reachability analysis, and intelligent auditing to help organizations identify vulnerabilities, manage open-source risks, and improve license compliance. Through deep integration with the Gitee DevOps platform, security checks can be incorporated directly into development workflows, providing continuous feedback throughout the software development lifecycle.

Supporting Global Standards and Industry Collaboration

OSCHINA currently operates two core platforms: the Gitee DevSecOps R&D Efficiency Platform and the Moark AI Platform.

As the designated operator of several national open-source initiatives in China, OSCHINA serves more than 18 million developers and supports organizations across industries including finance, government, manufacturing, and technology. Gitee DevSecOps has established a strong presence in enterprise software development environments, while Moark provides AI engineering capabilities spanning models, datasets, computing resources, and application development.

Participation in the OpenChain Partner Program provides an opportunity to contribute practical implementation experience to international discussions around software supply chain security while aligning with globally recognized approaches to open-source governance, compliance, and risk management.

Building a Trusted Open Source Ecosystem

“Joining the OpenChain Partner Program reflects our commitment to advancing trusted software supply chains and strengthening collaboration across the global open-source ecosystem,” said Ma Yue, Chairman of OSCHINA.

“From our origins as an open-source community and code hosting platform to our current role supporting enterprise software development and AI infrastructure, we have consistently focused on enabling innovation through open technologies. We look forward to working with the OpenChain community to promote best practices in compliance, security governance, and software supply chain management.”

Through its participation in OpenChain, OSCHINA aims to support organizations in establishing standardized and trustworthy software supply chain governance practices while contributing to the continued growth and security of the global open-source ecosystem.

norxs Technology Announces An OpenChain Conformant Program

By Featured, News

norxs Technology LLC has announced an OpenChain ISO/IEC 5230:2020 and ISO/IEC 18974:2023 conformant program, covering both open source license compliance and open source security assurance.

norxs is a functional safety and cybersecurity engineering firm working on systems where failure is not an option: EV powertrains, power distribution, and industrial controls. Its engagements span the full safety and security lifecycle — from hazard analysis and risk assessment (HARA) and threat analysis and risk assessment (TARA), through safety and security concepts, requirements decomposition, and implementation, to the verification, validation, and assessment evidence required for certification against ISO 26262, ISO/SAE 21434, IEC 61508, ISO 21448 (SOTIF), and the UN R155 / R156 regulations.

Safety-critical software is now built on open source, and the standards norxs’s clients answer to increasingly treat the software supply chain as part of the safety and security case itself. Conformance to ISO/IEC 5230 and ISO/IEC 18974 applies the same engineering discipline norxs brings to hardware and firmware — defined responsibilities, traceability, configuration management, and independent verification — to the open source it uses and ships. In practice this means knowing precisely which components are in a deliverable and the license obligations attached to each, alongside a defined process for identifying and responding to vulnerabilities across the product lifetime.

For norxs, license compliance and security assurance are two halves of a single obligation: providing customers an auditable account of the software they integrate. This maps directly onto the software supply chain expectations of ISO/SAE 21434 and UN R155, and norxs intends to contribute its safety-critical engineering perspective to the OpenChain community.

About norxs

norxs Technology LLC is a functional safety and cybersecurity engineering firm for safety-critical systems. It delivers hardware, firmware, and certification as a single team — built in from the first schematic rather than bolted on at the end — across EV powertrains, power distribution, and industrial controls.

norxs supports OEMs, Tier 1 suppliers, and industrial clients to standards including ISO 26262, IEC 61508, ISO/SAE 21434, ISO 21448 (SOTIF), UN R155 / R156, and ASPICE.

Learn More About norxs

OpenChain Newsletter #86

By Featured, News

The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.

This month’s update highlights significant momentum in global adoption, alongside a big ‘Open Chain and Friends’ event with many tracks including Compliance, AI, CRA, Automotive, Education, and so on.

April has been a productive month for the OpenChain Project, with strong engagement across the Linux Foundation ecosystem, new working group activities, and continued progress on key deliverables that support software supply chain trust and compliance.

What happened in April? See the highlights below.


Engagement Across the Linux Foundation Ecosystem

In April, the OpenChain Executive Director participated in the Linux Foundation All Hands meeting alongside other open source projects.

This was a valuable opportunity to align with peer projects, exchange insights, and better understand how different communities are approaching shared challenges.

A key takeaway from the discussions is the growing importance of cross-project collaboration and communication. OpenChain is excited to further strengthen engagement with other initiatives and explore ways to collaborate more effectively across the ecosystem.


New OpenChain Business Operations Work Group

We are pleased to announce the formation of the OpenChain Business Operations Work Group.

The initial focus of the group is the Cyber Resilience Act (CRA), including:

  • Researching gaps in CRA compliance across diverse organizations
  • Identifying practical solutions to support implementation
  • Exploring how OpenChain can help companies prepare for and meet CRA requirements

This group will help connect real-world operational challenges with OpenChain standards and guidance, ensuring practical value for organizations navigating regulatory change. If you would like to join this study group meeting (biweekly on Monday), go to https://openchainproject.org/participate


Updated Adoption Resources

We have updated the OpenChain “Get Started” webpage to make it easier for organizations to understand and adopt OpenChain standards.

You can explore the updated resources here:
https://openchainproject.org/get-started


Welcome Renesas to the OpenChain Governing Board.

More information will come soon!

Closing Note

Thank you to all contributors and community members for your continued support and engagement. We look forward to continued collaboration and progress in the months ahead.

The Teoresi Group approach to open source governance

By Featured, News

Teoresi Group is an international engineering company that supports businesses in developing projects using cutting-edge technologies: from electric and autonomous vehicles to AI applied to medical diagnostics. With strong global expertise in engineering and machine learning, we focus on developing the intelligence layer that enables devices to operate autonomously and efficiently. 

Teoresi Group has been paying close attention to new technologies since 1987. So when open source software became impossible to ignore in products, in client deliverables, and in every layer of the engineering stack, the question was never whether to engage with it, but how to do so responsibly.

The honest answer to “why now?” is that the need became impossible to defer. In recent years, Teoresi’s work has shifted significantly toward turnkey projects. That shift changes the governance equation entirely. A service provider can rely on the client’s open source policies. A solution provider cannot. You need your own house in order.

“If you do not have governance, you carry all the risks we have been describing: legal exposure, security gaps, and compliance failures. The risk does not disappear because you did not look for it.” — Alberto Bertone, Teoresi Group FOSS Manager

A working group was established, including technical leads, legal experts, and project managers. The result, published by the end of 2025, was a Group-wide open source policy and procedure. All Teoresi Group companies are covered. The process runs from pre-sales through to delivery. Licence constraints are evaluated before commitments are made, codebases are scanned and inventoried during development, and a named FOSS Manager is accountable for the programme’s integrity across projects.

Training is already underway across the organisation. The goal is straightforward: every person who works with third-party code understands what that code requires of them, and why. Compliance that rests on understanding is durable. Compliance that rests only on instruction is not.

Teoresi has also declared its openness to contributing back to open source. This is a formal commitment under ISO/IEC 5230, the international standard with which the programme is aligned. Research projects and innovation initiatives offer natural pathways. Open source is not something Teoresi simply consumes; it is something the company intends to be a responsible part of.

The open source community made the tools we build on available to everyone. Managing that inheritance with care is not just a regulatory obligation. It is a professional one.

Public Comment Period – SBOM Document Quality Guide – Ends 31st May 2026

By Featured, News

Public Comment Period – SBOM Document Quality Guide – Ends 31st May 2026

Happening Now:

We are announcing a public comment period for the SBOM Document Quality Guide that has been developed by the OpenChain SBOM Work Group.

Document: SBOM Document Quality Guide

Why This Is Happening:

The OpenChain Project has a formal process for public comment periods related to important releases like the SBOM Document Quality Guide. These public comment periods signify that we have completed work on a topic, and now want to ensure people outside of the OpenChain Project and its work groups can provide additional input as needed. After the public comment period, we formally release the relevant document.

How to write comments:

We are accepting comments via our SBOM Work Group mailing list and through our monthly calls. The recommended way of providing feedback is via the mailing list.

You can read the full process (and our other processes) here: https://lnkd.in/d7D4RmgN

You can find the URL for the mailing list here: https://lnkd.in/dEUf_tzK

You can find our SBOM Work Group calls (and all other OpenChain calls) list here: https://lnkd.in/dcA8pDR9

A big thanks to @Norio Kobota and the whole of the OpenChain Project SBOM Work Group for their work on this document.

Automate your OSPO via Open Source Collaboration

By Featured, News

At a recent session of OpenChain & Friends 2026, the standard slide deck was replaced by a whiteboard and a candid, community-driven discussion. The goal? To map out how an Open Source Program Office (OSPO) moves from manual chaos to automated efficiency.

1. The Foundation: Policy and Configuration

The group reached a rapid consensus: Policy is the “North Star.” Every automation effort must stem from a clear policy. However, participants emphasized that automation isn’t a “set it and forget it” tool. It requires proper configuration to yield meaningful results; otherwise, you are simply automating the generation of “noise.”

2. The Carrot vs. The Stick

The discussion split OSPO responsibilities into two clear tracks:

  • The Carrot (Value/Contribution): Automation here focuses on lowering the barrier for Open Source and InnerSource contributions. By streamlining the “give back” process, companies unlock developer productivity and innovation.

  • The Stick (Compliance/Cost): This is the defensive play. Key components identified for automation include maintaining a List of Approved FOSS, tracking all components, and utilizing both static and dynamic detection for license and security (best effort) compliance.
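As an added example (not code from the session or from any OSPO tool), the following Python script shows the "stick" side in working form: a constructed component inventory is checked against a List of Approved FOSS and a license policy. The same check is run once with an empty policy to show the point made above about configuration: an unconfigured automation flags every component and only produces noise. All component names, versions and policy entries are constructed for illustration.

```python
"""Policy-driven gate for a third-party component inventory.

Added example, not from the OpenChain session or from any OSPO tool.
The inventory, the approved list and the license policy are constructed
for illustration; a real inventory would come from an SBOM or scanner output.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str  # SPDX license identifier reported by the scanner


@dataclass
class Policy:
    # List of Approved FOSS: name -> approved versions ("*" means any version)
    approved: dict = field(default_factory=dict)
    allowed_licenses: set = field(default_factory=set)
    denied_licenses: set = field(default_factory=set)


def evaluate(inventory, policy):
    """Return (severity, component name, reason) findings in inventory order.

    "block" findings must stop the release; "review" findings need a human
    (OSPO or legal) decision. Everything not covered by the policy is
    reported, which is why an empty policy flags every component.
    """
    findings = []
    for c in inventory:
        versions = policy.approved.get(c.name)
        if versions is None:
            findings.append(("review", c.name, "not on approved list"))
        elif "*" not in versions and c.version not in versions:
            findings.append(("review", c.name, f"version {c.version} not approved"))
        if c.license in policy.denied_licenses:
            findings.append(("block", c.name, f"denied license: {c.license}"))
        elif c.license not in policy.allowed_licenses:
            findings.append(("review", c.name, f"license needs legal review: {c.license}"))
    return findings


def blocks_release(findings):
    """True if any finding is severe enough to stop the release."""
    return any(severity == "block" for severity, _, _ in findings)


# Constructed inventory, as a scanner might report it for a firmware image.
INVENTORY = [
    Component("curl", "8.5.0", "curl"),
    Component("openssl", "3.2.1", "Apache-2.0"),
    Component("leftpad", "1.0.0", "MIT"),
    Component("somelib", "2.0.0", "AGPL-3.0-only"),
    Component("zlib", "1.2.11", "Zlib"),
]

# Constructed policy for this product line (the denied license is a
# constructed policy choice, not a statement about that license).
CONFIGURED = Policy(
    approved={"curl": {"*"}, "openssl": {"3.2.1"}, "somelib": {"*"}, "zlib": {"1.3.1"}},
    allowed_licenses={"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib", "curl"},
    denied_licenses={"AGPL-3.0-only"},
)

# Automation without configuration: the policy is empty.
UNCONFIGURED = Policy()


if __name__ == "__main__":
    for label, policy in (("unconfigured", UNCONFIGURED), ("configured", CONFIGURED)):
        found = evaluate(INVENTORY, policy)
        print(f"{label}: {len(found)} findings, blocks release: {blocks_release(found)}")
        for f in found:
            print("  ", f)
```

With the empty policy every component produces two findings and nothing is actually blocked; with the configured policy only three findings remain, one of which stops the release. The distinction between "block" and "review" is what keeps the automated result actionable rather than a wall of warnings.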

3. Solving the Supplier & Legal Bottleneck

A major takeaway involved the supply chain. Supplier compliance is non-negotiable, but how do we get them there?

  • Peer-to-Peer Convincing: If a supplier is stuck using outdated methods (like manual snippet scanning), the most effective solution isn’t a stern email—it’s a connection. Introducing them to another OSPO with a successful automated setup provides the social proof needed to change their workflow.

  • External Legal Intelligence: For those without a dedicated legal team, the room recommended leveraging industry-standard resources like the OSADL License Checklists or the ScanCode database to verify license requirements.

4. The Power of Upstream and Community

The final, and perhaps most vital, point was about the human element behind the automation.

  • Fix it Upstream: When you find a bug or a compliance issue, fix it in the actual project. Upstreaming doesn’t just help the community; it saves your team the effort of maintaining a private fork forever.

  • Talk to the Experts: If you are stuck, don’t hire a consultant who doesn’t understand the “flow.” Reach out to the community. The best advice comes from those who are actively part of the ecosystem and understand the nuances of the projects you use.

 

Efficient FOSS Compliance: The Power of Community Curation and FOSSology

By Featured, News

At the Open Chain and Friends event this March, one session stood out for its immediate practical value. Divided into two parts, the presentation moved from the “Why” of community curation to the “How” of technical implementation.

Following the Chatham House Rule, here is a simplified breakdown of the most practical session of the day.

Part 1: The Community Approach (OSSelot)

The first half of the session addressed a common headache: every company spends hours scanning the same open-source packages (like curl or bash) independently. This is a massive waste of resources.

The solution presented is OSSelot—a public curation database. Instead of starting from scratch, you can download pre-cleared compliance data.

  • What you get: Curated SPDX reports, license texts, and copyright notices that have already been reviewed by experts.

  • The Goal: To drastically reduce the time needed to clear a software package by reusing existing work.

Part 2: Putting it into Practice (FOSSology)

The second half, led by a deep dive into FOSSology, showed exactly how to automate this workflow. The beauty of this approach is in how it handles version updates.

The 3-Step Workflow:

  1. Baseline Upload: You upload the “official” version of a package from OSSelot into FOSSology (often via a simple API call or URL upload).

  2. Import Curated Data: Since the OSSelot data is already “cleared,” FOSSology absorbs this information instantly.

  3. The “Delta” Scan: When you need to check a new version of that software, you run a scan and tell FOSSology to reuse the results from the OSSelot baseline.

Why this is a game-changer: FOSSology will automatically match the files that haven’t changed. You only have to manually review the new or modified files.
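The matching step is the heart of the workflow, so here is an added example (not code from OpenChain, OSSelot or FOSSology) that models it in Python: files of a new package version are compared by content hash against the already-cleared baseline, unchanged content inherits its license conclusion, and only modified or new files are queued for manual review. The package contents, paths and conclusions are constructed for illustration.

```python
"""Delta clearing: reuse license conclusions for files that did not change.

Added example, not OpenChain, OSSelot or FOSSology code. It models the
"reuse" step of the workflow above: a baseline package whose files were
already cleared (the curated data) and a new version of the same package.
Package contents and conclusions are constructed; a real run would hash
the files of the two source archives.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ReviewPlan:
    reused: dict = field(default_factory=dict)    # new path -> inherited license conclusion
    modified: list = field(default_factory=list)  # same path, different content: review
    added: list = field(default_factory=list)     # content not seen in the baseline: review
    removed: list = field(default_factory=list)   # baseline paths gone from the new version

    def needs_review(self):
        return self.modified + self.added


def plan_delta_review(baseline_files, baseline_conclusions, new_files):
    """Decide per file whether the cleared conclusion can be reused.

    baseline_files:       path -> bytes of the already-cleared version
    baseline_conclusions: path -> concluded license (SPDX id) for that version
    new_files:            path -> bytes of the version to be cleared

    Matching is by content hash, not by path, so a renamed but unchanged
    file inherits its conclusion, while a file that kept its name but
    changed content is queued for review.
    """
    cleared_by_hash = {sha256_hex(data): baseline_conclusions[path]
                       for path, data in baseline_files.items()}
    plan = ReviewPlan()
    for path, data in new_files.items():
        conclusion = cleared_by_hash.get(sha256_hex(data))
        if conclusion is not None:
            plan.reused[path] = conclusion
        elif path in baseline_files:
            plan.modified.append(path)
        else:
            plan.added.append(path)
    plan.removed = sorted(set(baseline_files) - set(new_files))
    return plan


def demo():
    # Constructed baseline (cleared) version and new version of one package.
    baseline = {
        "LICENSE": b"MIT License\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "src/util.c": b"int util(void) { return 1; }\n",
        "src/parse.c": b"int parse(void) { return 3; }\n",
        "src/old.c": b"int old(void) { return 2; }\n",
    }
    conclusions = {path: "MIT" for path in baseline}
    new_version = {
        "LICENSE": b"MIT License\n",                        # unchanged
        "src/main.c": b"int main(void) { return 0; }\n",    # unchanged
        "src/helpers.c": b"int util(void) { return 1; }\n", # util.c renamed, same content
        "src/parse.c": b"int parse(int x) { return x; }\n", # modified
        "src/net.c": b"int net(void) { return 4; }\n",      # new file
    }
    return plan_delta_review(baseline, conclusions, new_version)


if __name__ == "__main__":
    plan = demo()
    print("reused:", plan.reused)
    print("needs review:", plan.needs_review())
    print("removed:", plan.removed)
```

Of the five files in the new version, three inherit their conclusion (including the renamed one, because matching is by hash) and only two need a reviewer. Removed paths are reported separately so that the SPDX document for the new version does not carry stale entries.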

Final Thoughts

This was a very practical session and the most interesting one for me that day. It transformed the daunting task of license compliance into a manageable, collaborative process. By using community-curated data and the “Reuse” features of FOSSology, we can stop reinventing the wheel and focus only on what has actually changed in our code.

It’s a perfect example of how sharing creates value for everyone in the open-source ecosystem.


Surviving the AI Slopageddon: Is Open Source Breaking?

By Featured, News

The Problem: From “Bricks” to “Concrete Walls”

Traditionally, Open Source was built like a brick house: humans shared small patches of code, talked to each other, and built a community.

Today, we are facing the “Concrete Wall Drop.” AI can generate entire modules in seconds. Instead of humans collaborating, we have AI agents “dropping” massive amounts of code into projects. This is what experts call AI Slop—code that looks professional and has great documentation, but is often messy, redundant, or plain wrong inside.

The Reviewer’s Nightmare

The biggest issue is that writing code is now infinite, but checking it is not.

  • The Bottleneck: AI can create 1,000 lines of code instantly, but a human still needs hours to make sure it doesn’t have security holes.

  • The Shift: The hard work has moved from the writer to the reviewer. Maintainers are getting exhausted trying to spot “hallucinations” hidden behind neat-looking AI formatting.

Why the System is Shaking

Open Source used to work because of visibility. You used a tool, talked to the creator, and maybe donated or hired them.

Now, AI agents act as middlemen. A user asks an AI for an app, the AI grabs the code, and the user never even sees the human who actually maintains it. This makes the developer’s work invisible. If the people building the foundations of our software aren’t seen or supported, they might just stop building.

What’s Next?

We are moving into an “AI-native” world. To survive the Slopageddon, the community needs to find new ways to:

  1. Spot the “Slop”: Filter out low-quality AI code automatically.

  2. Protect Humans: Make sure the people behind the code are still visible and supported.

  3. Redefine Trust: We can’t trust code just because it “looks” right anymore.

The bottom line: AI can write code, but it can’t take responsibility for it. Keeping humans in the loop is the only way to save Open Source.