Featured

We are delighted to welcome Mercedes-Benz Research and Development India to the OpenChain community of conformance. This is another milestone in the adoption of OpenChain standards by the automotive supply chain, and serves as a reminder of the broad applicability for our solutions around the world.

About Mercedes-Benz Research and Development India:

Mercedes-Benz Research and Development India (MBRDI) is the largest research and development center for Mercedes-Benz Group AG outside of Germany. Started in 1996, the Bengaluru headquartered organisation plays a prominent role in the development of new technologies like connected, autonomous, and electric in the mobility world. MBRDI, known for its engineering innovations, has grown to a team of over 8,500 employees and is one of the earliest technology and innovation center of a global automotive company to set up a strong presence in India.

In line with the global ambitions of the Mercedes-Benz Group, MBRDI plays a prominent role in innovating and accelerating the future of sustainable mobility. Over the last 25 years of its presence in India, MBRDI has established itself as an innovation powerhouse. The engineers at MBRDI are committed to providing an unparalleled experience and comprehensive digital capabilities, with technology at the core. MBRDI harnesses the role of IT in accelerating the future of automotive technology in terms of engineering, digitalisation, testing and simulation, and data science.

MBRDI offices in Bengaluru specialise in end-to-end capabilities in product development and IT services. The satellite office in Pune focuses on interior component designs and IT engineering.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Famisanar EPS was formed as a strategic alliance between Cafam and Colsubsidio to contribute to improving the health of Colombians in 1995. They currently have 2,277 collaborators and are present in 139 municipalities of 16 departments. They have a total of 58 Administrative and User Service Offices nationwide.

“The OpenChain Project, and the standards we maintain, are a contribution to the health and trustability of the software supply chain,” says Shane Coughlan, OpenChain General Manager. “We are delighted to see that our work is supporting the medical industry in Colombia, and we hope their activity in this space inspires others. The OpenChain community is always ready to help organizations from any geography, and in any industry, make use of our standards and guides to improve open source process management.”

OpenAnolis announced that it has met the OpenChain ISO/IEC 5230 standard. The OpenAnolis community is a non-profit open source community formed by enterprises, institutions, universities, scientific research institutions, non-profit organizations, individuals, etc. on the basis of voluntariness, equality, openness, and collaboration.

The OpenAnolis community has always attached great importance to the construction of security and compliance capabilities. In terms of infrastructure, R&D processes and tools, the community has made comprehensive and in-depth investments, including the construction of software supply chain security infrastructure, support for SBOM lists, and the construction of license compliance systems. These capabilities provide solid security guarantees for the community’s open source activities, ensuring that they are carried out smoothly in a safe and compliant environment.

Ma Tao, Chairman of OpenAnolis, said: “We are pleased to announce the OpenChain ISO/IEC 5230 certification. Open source has always been the source of innovation for the OpenAnolis Community. The OpenAnolis Community will firmly embrace open source, contribute to open source, and contribute to the field of operating systems in the AI ​​era. This certification is a very important milestone in the construction of OpenAnolis’s open source compliance capabilities, and it is also a new starting point. The OpenAnolis Community will continue to invest and improve in the direction of security compliance to ensure the community’s security compliance level.”

Liu Dapeng, head of the OpenAnolis Community Standardization SIG, said that the OpenAnolis Community’s OpenChain ISO/IEC 5230 certification is of great significance to the development of the community. Standards and community open source complement each other, promote and enhance each other, and play an important role in building an open, interoperable, prosperous and innovative technology ecosystem. In the future, the Standardization SIG will continue to work with community ecosystem partners to jointly formulate the engineering standards of the OpenAnolis Community and ensure that community products meet relevant standard requirements.

About OpenAnolis

Founded in September 2020, OpenAnolis is an international open-source community and innovation platform for operating systems. It is committed to building a Linux open-source distribution and open-source innovation technology through open community cooperation. Its goal is to promote the prosperity and development of software, hardware, and application ecology, and jointly create new sources and infrastructure for digital development.

The community council consists of 24 leading enterprises from around the world, including Alibaba Cloud, Uniontech, Loongson, Arm, Intel, and more. Nearly 600 partners have participated in ecological co-construction, achieving full coverage of mainstream chip collaborative research and development mechanisms, mainstream middleware/databases, and mainstream OEM manufacturers. Over 100 products have successfully adopted the OpenAnolis operating system (Anolis OS). Currently, OpenAnolis has served over 800,000 users.

OpenAnolis has established about 60 SIG working groups, with an average monthly contribution of 5,000 PR. It has achieved technological innovation in core areas such as chips, kernel, compiler, security, virtualization, and cloud-native, consistently ranking at the top of the Linux community rankings. The community has released several community versions, including Anolis LoongArch GA, Anolis OS 7.9, 8.4, 8.6, and more.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Socionext, a semiconductor and System on a Chip (SOC) company based in Japan, has completed recertification of OpenChain ISO/IEC 5230. This is an important part of the 18 month review cycle required by the specification to ensure processes are current.

“ISO standard periodic recertification is a critical building block in creating trust,” says Shane Coughlan, OpenChain General Manager. “As companies evolve and markets change, it is important to use clear, unambiguous processes like those outlined in OpenChain ISO/IEC 5230, the International Standard for open source license compliance. This is key to managing the open source software supply chain, and Socionext has long been a leader in this area.”

About Socionext Inc.

Socionext Inc., a leading global System-on-Chip (SoC) supplier, is a pioneer of the ‘Solution SoC’ business model. This innovative approach encompasses Socionext’s ‘Entire Design’ capabilities and offering of ‘Complete Service’. As a trusted silicon partner, Socionext fuels global innovation, providing superior features, performance, and quality that set its customers’ products and services apart in diverse domains ranging from automotive and data centers to networking, smart devices, and industrial equipment.

Socionext Inc., based in Yokohama, operates offices across Japan, Asia, the United States, and Europe for development and sales. For more information, visit https://www.socionext.com/en/.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

AbacatePay is a developer-friendly payment gateway designed to simplify payment processing. Built by developers for developers, it offers:

• Simple, intention-based API endpoints
• Idempotent operations for reliable transactions
• Consistent JSON request/response formats
• Native SDK support
• Easy dev mode integration
• PIX payment support
• Streamlined client and billing management

Learn More On Their Website:

• https://www.abacatepay.com

The OpenChain Project maintains a reference library of over 1,000 documents. This library has been built over eight years from our original, first release of a set of a training slides for open source license compliance. The library has now been comprehensively updated to make it easier to find, use and share resources.

Navigation:

To ensure easer of navigation and our ability to adjust and improve the library structure over time, you will find that navigation is primarily guided by the README file, which acts as the starting point for all navigation. You can also get a full preview of the structure of the library later in this post.

The intention is that:

1. You will enter this library at the top level of the archive
2. You will use this README file as your index
3. We will update the README as the library evolves

The library contains:

• Adoption Guidance
• AI Compliance Guidance
• Case Studies
• Compliance Training Slides
• Explainers for Internal Teams
• Maturity Models
• Policy Templates
• SBOM Quality Guidance
• Source Material for Online Training Courses
• Self-Certification Material
• Supplier Education Material
• Templates and Overview Material for OpenChain Project
• + Much, much more.

Licensing:

Most of the material in this repository is available under CC-0 licensing (effectively public domain). You will notice some exceptions with Guides (like the Telco SBOM Guide) and with case studies. These documents are not designed to be freely altered because they provide either guidance developed to consensus in our work groups, or the specific experience of companies in addressing compliance matters.

Navigating the Library:

As of 2025-05-08, the library is structured in the following folders alphabetically:

1. AI-SBOM-Compliance
2. Open-Source-Compliance-Support-Material
3. Open-Source-Policy-Templates
4. OpenChain-Adoption-Guides
5. OpenChain-Case-Studies
6. OpenChain-Explainers-For-Internal-Teams
7. OpenChain-FAQ
8. OpenChain-For-Mergers-and-Acquisitions
9. OpenChain-Maturity-Models
10. OpenChain-Promotion-Material
11. OpenChain-Standards-Self-Certification
12. OpenChain-Supplier-Education
13. OpenChain-Templates
14. OpenChain-Training
15. SBOM-Quality-Management

AI-Compliance

OpenChain has an AI Work Group. This is where you will find our work on AI compliance topics. The current focus is on AI SBOM management in the supply chain, and what type of program process points are required to manage this effectively.

There is a copy of the working document in this folder, and the active version for editing is kept here:https://docs.google.com/document/d/1XHztgMALwnu2D02bmWYyXeW3wE_Jw199/edit?pli=1#heading=h.pzcghykzc46

You are welcome to be part of this work. OpenChain AI Work Group mailing list:https://lists.openchainproject.org/g/ai

Open-Source-Compliance-Support-Material

This folder contains compliance-related material non-specific to OpenChain. You may find these community contributions useful in your work.

Open-Source-Policy-Templates

Having an open source policy is a requirement in our standards. This folder contains some template material to get you started or to help you refine existing policies.

OpenChain-Adoption-Guides

This folder contains guides to adopting the OpenChain standards.

OpenChain-Case-Studies

This folder contains case studies from companies that have adopted OpenChain standards.

OpenChain-Explainers-For-Internal-Teams

Explaining the value of OpenChain approaches to compliance process management is critical to ensure buy-in and support across an organization. We have created a series of quick explainer documents to support this.

OpenChain-FAQ

This folder contains the official OpenChain Project Frequently Asked Questions. These are mirrored on our website.

OpenChain-For-Mergers-and-Acquisitions

This folder contains some material relevant to understanding OpenChain standards in the context of Mergers and Acquisitions.

OpenChain-Maturity-Models

Once an organization has begun to adopt OpenChain standards, the question arises of how to iterate and improve their compliance program. Maturity models or capability models are a tool to assist with this. We have one to share with you as a reference guide.

OpenChain-Promotion-Material

This folder contains infographics, one-pagers and introductory presentations to help organizations understand the OpenChain Project, its standards, its reference material, and the global community supporting its work.

OpenChain-Standards-Self-Certification

This folder contains self-certification checklists and questionnaires to help companies easily adopt our standards. This material can also be used as a “health check” for organizations not currently using our standards.

OpenChain-Supplier-Education

This folder contains a leaflet designed to give suppliers a single file that takes them from “what is open source” through to the importance of license compliance, and the use of OpenChain standards.

OpenChain-Templates

This folder contains templates so that the community can develop new presentations or documents with the OpenChain trademarks, mascots and other images.

OpenChain-Training

This folder contains our reference training slides and also the source code for our online training courses.

SBOM-Quality-Management

OpenChain has an SBOM Study Group. This is where you will find our work on SBOM-related topics. The current focus is on SBOM Quality in the supply chain, and what type of approach is required to manage this effectively.

You are welcome to be part of this work. OpenChain SBOM Study Group mailing list:https://lists.openchainproject.org/g/sbom

Where To Get Help:

Our website FAQ page contains resources to get help from our project staff:https://openchainproject.org/resources/faq

How To Participate In Development:

We would be delighted to work with you through our Education Work Group. You will find their mailing list here:https://lists.openchainproject.org/g/education

You are encourage to open issues or pull requests online: https://github.com/OpenChain-Project/Reference-Material/issues

In April, the OpenChain Telco Work Group completed work on version 1.1 of the OpenChain Telco SBOM Guide. This document helps to define what is a quality Software Bill of Materials in the context of supply chain management. It uses SPDX, the NTIA Requirements and the experience of the Telco industry to provide a clear, simple and easily adjustable approach. Today, with the release of the updated official validator, we are promoting the guide as generally available to the open source community.

Below you can:

• Learn more about the guide
• Get the guide in Chinese (Traditional), English, French and Japanese
• Get the validator
• Learn how to get involved in future development

What is this Guide?

The OpenChain Telco SBOM Guide aims to outline certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this guide can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs. 

Note: that this guide does not require a conforming entity to adopt OpenChain standards but doing so is greatly encouraged.

This guide is designed to work on a per SBOM level: an entity can use it as its sole way of delivering SBOMs but it is the individual SBOM that the guide refers to, not the entity that provides the SBOM. An SBOM using this guide can be called “OpenChain Telco SBOM Guide Compatible.”

Want more context? We delivered a presentation at FOSDEM:

Updates from Version 1.0 to Version 1.1 of the Guide:

The following updates were made in version 1.1:

• Both PackageChecksum and PackageVerificationCode are allowed as package hash.
• The package hash is RECOMMENDED instead of MANDATORY.
• ExternalRef is RECOMMENDED instead of MANDATORY.
• FilesAnalyzed is no longer MANDATORY.
• Examples are provided for the CISA SBOM Types.
• A RECOMMENDED syntax is given for CISA SBOM Types.
• sbomasm is a better example of SBOM merge tool.
• Add reference to new CISA document.

An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.

Get the Guide

• Chinese (Traditional) Version
• English Version
• French Version
• Japanese Version

Do you want to review the original 1.0 version of the guide? You can learn more and get it in multiple languages via the original Telco SBOM Guide version 1.0 launch announcement. You can also learn more about the version 1.0 validator in its original launch announcement.

Get the Validator

Our official validator for the Telco SBOM Quality Guide has been updated for version 1.1 and is available on the OpenChain Telco Work Group GitHub repo.

To install from PyPI, issue:
pip3 install openchain-telco-sbom-validator 
or 
pipx install openchain-telco-sbom-validator.

Coming Next:

Development of the next generation of the guide will occur via the Telco Work Group, and everyone is welcome to contribute.

The OpenChain Telco Work Group mailing list is here: 

• https://lists.openchainproject.org/g/telco

The OpenChain Telco Work GitHub (for drafting) is here: 

• https://github.com/OpenChain-Project/Telco-WG

Related News:

• The updated official Validator announcement
• External Validation Support announcement

Community Credits:

Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.

Amazon is the latest company to join the OpenChain Project as a Platinum Member and to take a seat at the Governing Board and Steering Committee. This highlights their unwavering commitment to leadership in open source technology, process management and in building trusted supply chains.

“At Amazon, we believe in strengthening the open source ecosystem through collaboration and shared best practices,” said Nithya Ruff, Director of Amazon’s Open Source Program Office. “By joining the OpenChain Project, we’re committed to contributing our experience across cloud services and consumer devices to support and evolve industry standards. We look forward to working with the OpenChain community to make supply chain collaboration easier and more effective for the industry.”

“Amazon pioneered modern digital management of complex supply chains at massive scale,” says Shane Coughlan, OpenChain General Manager. “Their engagement with the OpenChain Project, and more broadly with all aspect of open source process management, underlines the vital role that open standards and open communities play in building a more trusted supply chain. We look forward to benefiting from their thought-leadership as OpenChain enters the next stage of its evolution.”

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.