The OpenChain Project held its annual an all-day summit adjacent to Open Source Summit Europe (OSS EU) on the 14th of September. This event featured news from our latest board meeting (including the decision to launch our new security specification), a deep dive into a significant new automation landscape to assist with license, security and export control compliance, SBOM discussions and more.
Check out the full recording below alongside copies of our excellent keynote presentation from Andrew Katz of Orcro and the automation landscape capability map presentation delivered by Jan Thielscher of EACG on behalf of the OpenChain Reference Tooling Work Group.
Here are the key takeaways:
The OpenChain Project now maintains a family of specifications to build trust in the supply chain. We started with license compliance and now we have a sister standard for security.
Open source automation for open source license, security and export control compliance is getting a clear capability map to guide investment of resources and save time.
Software Bill of Materials (SBOM) has seen great progress in the last year or two, and the OpenChain Telco Work Group is working on very practical items related to market adoption.
Open source licensing discussions have become somewhat stale and there is scope for considering the future of open source licensing approaches.
The OpenChain Security Assurance Specification 1.0 is now available. This is the result of over one year of work throughout the global OpenChain community. It is applicable to an open source management activity related to security compliance. We regard this as adjacent but different to license compliance.
The OpenChain Project’s core mission is to build trust in the supply chain. Our flagship specification, ISO/IEC 5230:2020, is International Standard for Open Source Compliance and builds trust in that domain. It defines the key requirements of a quality open source compliance program. The natural next step is to identify the key requirements of a quality open source security assurance program.
Initially the scope of this specification is limited to ensuring that an organization vets open source with regards to known publicly available security vulnerability issues (e.g., CVEs, GitHub dependency alerts, package manager alerts and so on). The security assurance specification’s scope may expand over time based on community feedback.
This specification is built from the Security Assurance Reference Guide 2.0 (Release Candidate 1) published on 2022-03-28. That completed reference specification document went through a final approval process via editing on our specification list and calls, before graduating to a governing board vote to transform into this published security specification on 2022-09-14.
Next Steps
We will proceed to ISO/IEC JTC-1 PAS submission with an estimated completion date of circa mid-2023. In the meantime, our security assurance specification is ready for market adoption as a de facto standard.
Prior to the ISO/IEC JTC-1 PAS submission, we have some time for sanity-checks and minor adjustments. We begin that process today and will complete it on October 4th2022 (2022-10-04). There are two tasks for the community ahead of that date:
You can submit issues highlighting areas you would like review on our GitHub repository. Please note, due to this being a specification, we will only accept issues for discussion. We will not accept pull requests or remixes.
In the coming days we will have broader distribution of the specification launch, including on social media and via blog posts. However, you can begin sharing it immediately with your teams and peers.
Please note:
The scope of this reference specification may expand over time based on community feedback. However, comments and notes should be confined to the existing scope at this juncture. Our specification is complete barring minor adjustments for readability, editing and clarity.
Please note:
This specification is licensed under Creative Commons Attribution License 4.0 (CC-BY-4.0). You can submit issues highlighting areas you would like review on our GitHub repository. Due to this being a specification, we will only accept issues for discussion. We will not accept pull requests or remixes. You can get more involved with our work beyond submitting issues via our community calls, mailing lists and events: https://www.openchainproject.org/community
The OpenChain Project will be featured at the Open Source2022 | OSCAR event in Mainland China. This marks another collaboration with our friends at CAICT.
Learn more and catch us at 14:00 on the 16th of September:
The OpenChain Project will hold an all-day summit adjacent to Open Source Summit Europe (OSS EU) on the 14th of September. This event will take place 3 minutes walk from the OSS EU venue. It is open to all parties regardless of LF Membership.
Location
Orion Room 1 @ Spencer Hotel, Excise Walk, International Financial Services Centre, Dublin 1, D01 X4C9, Ireland
3 minutes from Dublin Convention Center (OSS EU venue).
The OpenChain Project had the pleasure of working with the FOSSA team for another webinar explaining aspects of open source license compliance. This time, the practical way you actually adopt ISO/IEC 5230, the international standard for compliance.
While you are reviewing FOSSA webinars you may also want to check out ‘The Lawyer’s Guide to OSS License Compliance Tools, Featuring Heather Meeker.’ Heather has long been one of the main lawyers providing useful, practical insight into industry optimization around open source. You will find it here:
The work we did on this playbook substantially refined the approach in the early parts of the document and will be merged into the other documents (for medium and large companies) ahead of our next meeting in around a week.
Your contributions and comments are most welcome. This is a great opportunity to brief and encourage strategic management understanding and support of effective, efficient compliance.
Four Hyundai Motor Group companies, joint certification of the ISO international standard for open source compliance – Acquired ISO certifications of four companies simultaneously through collaboration of Hyundai Motor Company, Kia, Hyundai Mobis, and Hyundai Autoever … The industry’s first the international standard for open source compliance(ISO/IEC 5230:2020) joint certification … Securing public confidence in software and increasing utilization through systematic management of the entire supply chain – Provides a comprehensive portal and user guide to support developers in the mobility field and expand the ecosystem – “Beyond the group, we will lead the expansion and development of the open source ecosystem throughout the automobile industry”
The four Hyundai Motor Group companies were internationally recognized for having a systematic management system (compliance) for the use of open source.
Hyundai Motor Group announced on the 17th that it has simultaneously acquired the open source compliance-related standard certification(ISO/IEC 5230) from the International Organization for Standardization(ISO) through collaboration with four group companies(Hyundai Motor Company, Kia, Hyundai Mobis, and Hyundai Autoever) that make up the automotive supply chain.
In the last 20 years, the International Organization for Standardization and the International Electrotechnical Commission (IEC) adopted the standard of the ‘Open Chain Project’ led by the Linux Foundation, a non-profit organization in the United States, as the only international standard related to open source software compliance (ISO/IEC 5230). The International Organization for Standardization evaluates whether the certification is achieved by examining the appropriateness of establishing open source policies and processes, establishing a compliance system, and meeting the standards for developer education and evaluation.
When using open source for software development, there are advantages such as shortening the development period and reducing costs, but it is important to systematically manage the use of open source because problems such as security vulnerabilities and copyright disputes may occur.
Hyundai Motor Group’s open source software compliance international standard certification is characterized by the cooperation of four companies, Hyundai Motor, Kia, Hyundai Mobis, and Hyundai Autoever, that make up the automotive supply chain.
The group companies specialized in software development, component packaging, and mass production obtained ISO certification through collaboration, securing public confidence in open source software across the automotive industry for the first time in the industry.
Through a business agreement with National IT Industry Promotion Agency (NIPA), Hyundai Motor Group has expanded its open source management scope to the supply chain while providing (1) establishment of open source management system and education for experts training and (2) open source license verification service to supporting suppliers. The Hyundai Motor Group open source compliance system will be provided in the form of a comprehensive portal at the end of this month.
In addition, Hyundai Motor Group will strengthen its support by providing a guide to users who want to utilize it, and will continue to expand the open source ecosystem and promote win-win cooperation with partners in the future.
“As the importance of open source in the future mobility field is increasing day by day, we will take the lead in expanding and developing the open source ecosystem across the supply chain in automotive industry beyond the group,” said Yonghwa Kim, vice president of Hyundai Motor Company and Kia R&D Division.
Meanwhile, the Hyundai Motor Group is continuously expanding its software support activities throughout the mobility industry by providing open APIs through the Hyundai Motor Company, Kia, and Genesis Developers platforms.
We discussed one of the most critical aspects of our project outside of the ISO/IEC 5230 standard: how do we onboard people? It covered outreach, what happens when people arrive on our site, and how we arrange community support.
We looked for input around: (1) How should we “market” OpenChain? (2) How can entry to our website and community work best for new participants? (3) How can we do great community support regionally and globally? (4) How should the Onboarding Committee of the project work in the future?
Nathan Kumagai, our onboarding chair, lead the discussion.
The OpenChain Education Mini-Summit covered: • Our recent online courses • The future of our playbooks • The evolution of our reference library • And future work group leadership
The work we did on this playbook substantially refined the approach in the early parts of the document and will be merged into the other documents (for medium and large companies) ahead of our next meeting in around a week.
Your contributions and comments are most welcome. This is a great opportunity to brief and encourage strategic management understanding and support of effective, efficient compliance.
