Skip to main content
Category

Featured

OpenChain Newsletter #50

By Featured, Monthly Newsletter, News

Newsletter – Issue 50 – January 2023

After focusing on rolling news in 2022, the OpenChain Newsletter is back to provide a monthly summary of our work. You can expect an overview of what the OpenChain Project is doing to build trust around license compliance and security in the open source supply chain. You will also find other news directly related to our field. We accept suggestions and ideas. Just mail us at any time.

Cool Statistic To Start The Year

20% of German companies with over 2,000 employees have already implemented OpenChain ISO/IEC 5230:2020, the International Standard for open source license compliance.
Source: Bitkom Open Source Monitor 2021

Key Project Governance News

In Q4 2022 the OpenChain Project elected a new Governing Board Chair (Jimmy Ahlberg of Ericsson) as well as new co-chairs of the Specification Work Group (Helio Chissini de Castro, CARIAD + Chris Wood, Lockheed Martin) and a new chair of the Education Work Group (Nathan Kumagai, Qualcomm). This is all part of an initiative to ensure that the project has sustainable, clear and fair processes for leadership transition to ensure long-term sustainability.

Google Announces ISO/IEC 5230:2020 Conformant Program

We ended Q4 2022 with some exciting news. Google, an OpenChain Governing Board member and early adopter of the first generation OpenChain standard for open source license compliance, announced formal adoption of ISO/IEC 5230, the International Standard for open source license compliance.

Meanwhile, Around Security…

We have submitted the OpenChain Security Assurance Specification to the ISO/IEC JTC-1 PAS Transposition Process. We expect it to graduate as an ISO/IEC standard around mid-2023.

Security Assurance Specification Conformance

BlackBerry became the first multinational to go whole entity conformant with the OpenChain Security Assurance Specification. They also set a milestone as the first entity to achieve conformance with both OpenChain ISO5230:2020 and the OpenChain Security Assurance Specification 1.1.

That said, the very first company to announce adoption of the OpenChain Security Assurance Specification was Interneuron in the UK. This builds on their previous adoption of OpenChain ISO/IEC 5230:2020, and underlines their continued mission to seek excellence in open source software governance for the British National Health Service.

Security Assurance Specification Gains Additional Support

At the end of December 2022 we saw some significant announcements regarding support for the OpenChain Security Assurance Specification:

This support continued to grow in January 2023 with an announcement from Bitsea about their new services for customers around adoption.

OpenChain Meetings, Webinars And Events

Our monthly meetings kicked off with next generation specification reviews for North America / Europe and North American / Asia. We are seeing some solid discussion around the open issues on both the license compliance and security specifications. It is recommended to take part in these meetings if you have ideas, suggestions or comments about where you want our standards to go next.

We also held a Telco Special Interest Group meeting on the 12th of January and an Education Work Group meeting on the 19th of January. Telco are working on a meta specification about Software Bill of Materials. The Education Work Group is focused on renewal of core material to help people onboard with our standards. Everyone is welcome to join the calls and help out.

Want to join our calls? Just check out our global calendar.

The global calendar is also a great way to keep track of our webinars. We started the year with a great one: OpenChain Webinar #47 covered OSSelot: The Open Source Curation Database. OSSelot is a new project incubated by OSADL in Germany and promises to be an important part of automation tooling support moving forward.

Continuing our program of external collaboration, the OpenChain Project was also part of an external webinar about Applying OpenChain and SBOMs for InnerSource.

Our Training Material Continues To Support The Market

In 2021 and 2022 the OpenChain Education Work Group released online courses in collaboration with LF Training. During January we received some updates providing context for market impact.

Introduction to Open Source License Compliance Management (LFC193) has had 1,209 enrollments and 398 digital completion badges issued with a satisfaction rating of 4.65 out of 5. Implementing Open Source License Compliance Management (LFC194) has had 579 enrollments and 38 digital completion badges issued with a satisfaction rating of 4.55 out of 5. LFC194 has only been out a few months, so we look forward to continued adoption growth in 2023.

It is also noteworthy that Continental Corporation made LFC193 a required course for their software developers from late Q3 2022. This is a concrete example of a company leveraging free resources provided by OpenChain Project and The Linux Foundation to support their open source governance processes.

Check Out All Our Previous Newsletters:
https://www.openchainproject.org/newsletter

Quick Links

Legal: All trademarks belong to their respective owners. This newsletter is licensed under Creative Commons Attribution-NoDerivatives 4.0 International (CC BY-ND 4.0).

Webinar: OSSelot: The Open Source Curation Database

By automation, Featured, licensing, News, Webinar

This OpenChain Webinar features OSSelot, an open source curation database recently launched by OSADL in Germany. This project addresses one of the most requested features around open source automation for open source compliance: an open, public database supporting SBOM (via SPDX ISO/IEC 5962) for common software packages. This could be a game-changer.

Check Out The Project Website:

Check Out The Rest Of Our Webinars

This is OpenChain Webinar #47, released on 2023-01-25.

BlackBerry Announces First North American OpenChain Security Assurance Specification Conformance

By Featured, News

BlackBerry Limited (NYSE: BB; TSX: BB) announces adoption of the OpenChain Security Assurance Specification 1.1, creating a series of landmarks in doing so. BlackBerry is the first whole entity to announce conformance, the first conformance in the Americas, the first multinational company conformance, and first entity to achieve conformance with both OpenChain/ISO5230:2020 and OpenChain Security Assurance 1.1 with an OpenChain Partner, OSS Consultants. This announcement builds on their previous adoption of OpenChain ISO/IEC 5230:2020, the international standard for open source license compliance. OpenChain Security Assurance Specification 1.1 is the sister standard to ISO/IEC 5230, and is also slated to become an ISO standard later in 2023.

OpenChain has a collaborative global community of companies working to build a more effective and efficient supply chain to create trust between entities around open source; working to increase trust in the open source supply chain. With thousands of people from hundreds of companies actively involved, it is a key part of the governance fabric behind open source technology. BlackBerry is the first company in North America to gain company-wide OpenChain Security Assurance conformance, and the first to collaborate with an official OpenChain Partner Company, OSS Consultants.

“BlackBerry has long been synonymous with excellence in process management, and their engagement with OpenChain standards underlines this,” says Shane Coughlan, OpenChain General Manager. “Their previous whole-entity adoption of ISO/IEC 5230, the international standard for open source license compliance, set an important market example. Their market-leadership is continued today with the world’s first whole entity adoption of the OpenChain Security Assurance Specification, the industry standard for open source security assurance. We look forward to working closely together in continuing to drive sustainable, efficient software supply chains.”

“BlackBerry has one of the deepest commitments in this industry to bringing increased peace of mind to enterprise and governmental organizations,” said Russ Eling, CEO OSS Consultants. “This added certification highlights BlackBerry’s position as a trusted supply chain vendor and serves as an example for others to follow. BlackBerry was able to meet the specification through its existing policies and processes due to its long history and commitments to responsible management of open source. BlackBerry has a team of experts who have developed their practices, tooling, and operational capability to manage the vulnerabilities that arise within open source libraries.”

About BlackBerry

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including 215M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems.  BlackBerry’s vision is clear — to secure a connected future you can trust.

BlackBerry. Intelligent Security. Everywhere. 
For more information, visit BlackBerry.com and follow @BlackBerry.  

Trademarks, including but not limited to BLACKBERRY, EMBLEM Design and QNX are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, used under license, and the exclusive rights to such trademarks are expressly reserved.

About OSS Consultants:

OSS Consultants is a business dedicated to helping organizations of all sizes – from the world’s largest and well-known companies to small businesses and start-ups – design, implement, and manage the most efficient, comprehensive and robust open-source program offices and policies on the planet. Service offerings range from a scan and audit of your third-party and proprietary software to creating a full OSPO within your organization. Find more information at www.ossconsultants.com.

About the OpenChain Project

The OpenChain Project maintains the International Standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.

###

Media Contact:

OSS Consultants Media Relations
info@ossconsultants.com

OpenChain Monthly North America / Asia Meeting 2023-01-17 – Recording

By Featured, News

Our regular monthly call for North America / Asia saw some discussion around two key topics for the next generations of our specifications for license compliance and for security. One related to whether we need to be more prescriptive regarding the content of contribution policies, and another related to whether our existing approach to defining open source worked in both standards. The outcomes are covered in our recording and the slides from the meeting are also available.

OpenChain Automation Case Study #7 – VulnerableCode technical deep dive into VulnTotal

By Featured, News

Philippe Ombredanne from nexB will lead a technical deep dive into VulnTotal on the 7th of February at 09:00 CET (08:00 UTC). Join us in our usual room here:

This deep dive is about an aspect of the AboutCode Project, with VulnerableCode providing tools to collect, aggregate and refine software vulnerability information from more than 20 sources and tools to quickly create new “importers”. VulnTotal is something that came out of Google Summer of Code 2022:

VulnTotal: Cross-validate vulnerability coverage of VulnerableCode (Keshav Priyadarshi)

VulnerableCode is a unique project that collates and cross-references FOSS vulnerability data from multiple sources. Inspired by the VirusTotal multi-scanner virus scanning service, the VulnTotal project will cross-validate the vulnerability coverage of VulnerableCode against other publicly available vulnerability check tools and databases. For instance, a package may be reported as vulnerable by one tool or database but not by another. We can gradually work with these tool providers to keep each other apprised about newly discovered vulnerabilities, making FOSS more secure.

Bitsea Announces OpenChain Security Assurance Services

By Featured, News

Bitsea, a service provider specialized in software auditing and based in Germany, today announces support for the OpenChain Security Assurance Specification 1.1. They can help companies understand and adopt this standard for open source security in Germany and beyond. As a sister standard to OpenChain ISO/IEC 5230 – the international standard for open source license compliance – the OpenChain Security Assurance Specification 1.1 offers the same type of support for building a quality security assurance program.

“For over 10 years Bitsea has provided services to help organizations identifying hidden risks in software systems and managing their open source software supply chain,” says Dr. Andreas Kotulla, Founder and CEO of Bitsea. “Our services guide organizations to adopt and conform to both ISO 5230 OpenChain and OpenChain Security Assurance.”

“Bitsea has long been a provider of excellent reputation in the open source area,” says Shane Coughlan, OpenChain General Manager. “Their new services to support adoption of the OpenChain Security Assurance Specification 1.1 are a timely and useful contribution to the community in Germany and beyond. Open source security is a vital part of the global supply chain, and solid process management is key to addressing the ongoing challenges.”

About Bitsea

Big software systems are like a wild wide ocean of bits – our passion is to analyse and visualize software structure. We are keen to help our customers how to stabilize and optimize their systems. We assess software. We analyze, evaluate and optimize your development processes, software architecture and software design. We perform the technical due diligence for company takeovers. We reduce the economic risk by assessing open source components and ensure license compliance.

Our references include well-known Fortune 500 companies in communications, automotive, logistics, retail and aerospace industries. Highest standard for information security: We are VDA/ISA Tisax-certified since 2020. All data of our customers remain in Germany or, if required, in the territory of our customers. We are involved in the Bitkom Open Source working group. Bitsea is part of the OpenChain Community. We guarantee strictly confidential consulting in the context of technical due diligence for M&A activities. 

Learn more:
https://bitsea.de/en/

About the OpenChain Project

The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source. Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.

Learn more:
https://www.openchainproject.org

About The Linux Foundation

The Linux Foundation is the world’s largest non-profit connecting global technical experts, and providing them with a neutral and trusted platform to develop open source projects. Founded in 2000 as the home of the Linux Kernel, the Linux Foundation has grown to host hundreds of open source projects, with a community spanning 2,950+ members, 540,000+ contributing developers, and 19,000+ contributing companies.

Learn more:
https://www.linuxfoundation.org

OpenChain Webinar #47 – OSSelot: The Open Source Curation Database – Coming on 24th January 2023

By Featured, News

The next OpenChain Webinar will feature OSSelot, an open source curation database recently launched by OSADL in Germany. This project features one of the most requested features around open source automation for open source compliance: an open, public database supporting SBOM (via SPDX ISO/IEC 5962) for common software packages. This could be a game-changer.

Learn more at 09:00 CET (08:00 UTC) on the 24th of January.

This webinar will be held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799

Check your timezone:
PDT United States Pacific UTC-07:00
UTC Coordinated Universal Time UTC
CET Central European Time UTC+01:00
IST India Standard Time UTC+05:30
CST China Standard Time UTC+08:00
KST Korea Standard Time UTC+09:00
JST Japan Standard Time UTC+09:00

Compare timezones:
https://www.worldtimebuddy.com

Join via one tap mobile:
+86 10 8783 3177,,4377592799# Mainland China
+33 1 8699 5831,,4377592799# France
+49 69 7104 9922,,4377592799# Germany
+81 524 564 439,,4377592799# Japan
+82 2 3143 9612,,4377592799# Korea
+91 80 71 279 440,,4377592799# India
+886 (2) 7741 7473,,4377592799# Taiwan
+44 330 088 5830,,4377592799# UK
+13017158592,,4377592799# USA

Find your local country number: 
https://zoom.us/u/awFnORNiA
Meeting ID: 437 759 2799

OpenChain Monthly Meeting (US / Europe) 2023-01-03 – Recording

By Featured, News

Our first monthly meeting of the year contained some great discussion about the spec with oversight by Co-Chair Helio (we worked on issues as usual) and Nathan also set the tone for future plans around the Education Work Group. It was a relatively small group due to the new year vacation ending unevenly around the world, but some substantive material was covered.

Please note that we also had a ton of interesting news to cover. Check out the slides for the details and the links to each item.

Watch The Recording

Check Out The Slides

Interneuron Announces First OpenChain Security Assurance Specification Conformance

By Featured, News

Interneuron, a UK-based service provider to the British National Health Service (NHS), is the first company to formally announce an OpenChain Security Assurance Specification conformant program. This continues their history of engagement with open source standards – including previous adoption of OpenChain ISO/IEC 5230, the International Standard for open source license compliance.

“We have worked with Interneuron from when they were a start-up,” says Martin Callinan, Director at Source Code Control Limited. “From the outset we implemented a secure by design approach to the management of open source components used in their software development. It is hugely beneficial that OpenChain have created the Security Assurance Specification to provide guidance and benchmark the processes that have been implemented.”

“Interneuron has a long-term, focused approach on ensuring solutions provided to the NHS demonstrate excellence in sustainable, manageable ways as well as through providing technological solutions,” says Shane Coughlan, OpenChain General Manager. “Their previous adoption of OpenChain ISO/IEC 5230 aligned their company behind reproducible, standard processes. Their newly announced adoption of the OpenChain Security Assurance Specification continues this path, and covers one of the most critical domains in information technology. Their conformance, accomplished in conjunction with their support partner Source Code Control, is an important milestone for the global community as well. With the OpenChain Security Assurance Specification disseminating worldwide, companies like Interneuron provide a clear example of how and why to leverage this standard today.”

About Interneuron

Interneuron is a different kind of healthcare IT organization. We are a purpose driven company, Community Interest Company (CIC) that exists primarily for the benefit of those in need of health and social care. Interneuron projects aim to help NHS organizations replace their legacy technology with world-class clinical software that will revolutionize the way in which data is integrated, stored and used.
Interneuron’s open source philosophy is to make this new technology freely available. NHS Trusts will be able to download, test and implement the software, or receive support from Interneuron if that is preferred

Learn more:
https://www.interneuron.org

About Source Code Control

Founded in 2014 by Martin Callinan, Source Code Control has established itself as one of the only Open Source and Cloud Transformation consultancy businesses. We help organizations who have software at the core of their company value, build trust in software supply chains and simplify the cloud transformation process. With this in mind, our main aim is to minimize an organization’s risk when dealing with open source and cloud software.

Learn more:
https://sourcecodecontrol.co

About the OpenChain Project

The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source. Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.

Learn more:
https://www.openchainproject.org

About The Linux Foundation

The Linux Foundation is the world’s largest non-profit connecting global technical experts, and providing them with a neutral and trusted platform to develop open source projects. Founded in 2000 as the home of the Linux Kernel, the Linux Foundation has grown to host hundreds of open source projects, with a community spanning 2,950+ members, 540,000+ contributing developers, and 19,000+ contributing companies.

Learn more:
https://www.linuxfoundation.org

OpenChain Security Assurance Specification 1.1 – Global Support

By Featured, News

The OpenChain Security Assurance Specification 1.1 has been building momentum as a sister specification to ISO/IEC 5230:2020, the International Standard for open source license compliance. With an identical approach to high level process management, the OpenChain Security Assurance Specification is designed to help companies adopt the key requirements of a quality open source security assurance program.

Self-certification is available in English, German and Simplified Chinese. In addition, the following companies have announced services to support adoption of this specification. Three of these organizations are OpenChain Project official third-party certifiers, and all of these companies provide onboarding, adoption and review services across the global supply chain.

CAICT (Mainland China)

CAICT is an official OpenChain Project partner and one of our third-party certifiers with a regional service offering.

Bureau Veritas (Taiwan, Worldwide)

Bureau Veritas is an official OpenChain Project partner and one of our third-party certifiers with a global service offering.

PwC (Germany, Worldwide)

PwC is an official OpenChain Project partner and one of our solution providers and third-party certifiers with a global service offering.

  • PwC OpenChain Security Assurance Specification services in English:
    https://www.pwc.de/en/opensource
    (Under ‘Consulting & Implementation’ and ‘Audit & Certification’)

Orcro (UK, Worldwide)

Orcro is an official OpenChain Project partner and one of our solution providers and third-party certifiers with a global service offering.

Source Code Control (UK, Worldwide)

Source Code Control is an official OpenChain Project partner and one of our solution providers with a global service offering.

OSS Consultants (USA, Worldwide)

OSS Consultants is an official OpenChain Project partner and one of our solution providers with a global service offering.