Featured

Helio Chissini de Castro, CARIAD

Chris Wood, Lockheed Martin

The OpenChain Project recently held an election for Specification Work Group co-chair. The suggested nominees from the community vote were passed to the OpenChain Governing Board for review and – on the 8th of December – were unanimously accepted by the OpenChain Platinum Members.

Helio Chissini de Castro, CARIAD and Chris Wood, Lockheed Martin are duly announced as the co-chairs of the OpenChain Specification Work Group for a period of one year. Congratulations both!

Join our specification mailing list to keep up to date with our work around ISO/IEC 5230 and the OpenChain Security Assurance Specification:

• https://lists.openchainproject.org/g/specification

Google, an OpenChain Governing Board member and early adopter of the first generation OpenChain standard for open source license compliance, has announced formal adoption of ISO/IEC 5230, the International Standard for open source license compliance.

“Google has been at the forefront of open source development and the compliant use of open source from its earliest days,” says Hilary Richardson,  Open Source Attorney at Google. “The Google Open Source Programs Office prides itself on bringing the best of open source to Google and the best of Google to open source. Responsible use of open source includes respecting developers through compliant use of their code. Google’s participation in the OpenChain project is an important part of supporting industry maturity and predictability in open source compliance.”

“Google has long been a driver of the OpenChain Project, and has been pivotal in the development and granting of ISO/IEC 5230,” says Shane Coughlan, OpenChain General Manager. “Their conformance announcement aligns their OpenChain program with our shared industry norm, and serves as inspiration for the cloud supply chain and beyond.”

About the OpenChain Project

The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source. Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.

Learn more:
https://www.openchainproject.org

About The Linux Foundation

The Linux Foundation is the world’s largest non-profit connecting global technical experts, and providing them with a neutral and trusted platform to develop open source projects. Founded in 2000 as the home of the Linux Kernel, the Linux Foundation has grown to host hundreds of open source projects, with a community spanning 2,950+ members, 540,000+ contributing developers, and 19,000+ contributing companies.

Learn more:
https://www.linuxfoundation.org

The annual OpenChain Advent Calendar is now out! It is the 4th year of our calendar and our 100th article will be published on Christmas Day, the 25th of December 2022. Following advent tradition, the articles will be revealed daily, and then it is time for us to take a break, eat nice food, and watch our favorite movies.

This calendar is maintained by our Japan Work Group and lead by Watanabe San from Hitachi Solutions with help from Fukuchi San of Sony and many more. You can access it at this link:
https://qiita.com/advent-calendar/2022/openchainjapanwg

Do you want to jump to the first article? Sure! It is from Shane Coughlan, OpenChain General Manager, and is available in both English and Japanese. Watanabe San created the Japanese translation:
https://qiita.com/AyumiWatanabe/items/832146867fde6560f2d1

OpenChain JWG Advent Calendar初日のShaneからの
メッセージは大変力強いものでした。
是非多くの方に読んで頂ければと思います。

アドベントカレンダー：
https://qiita.com/advent-calendar/2022/openchainjapanwg

Shaneのメッセージ：
https://qiita.com/AyumiWatanabe/items/832146867fde6560f2d1

「さまざまなオープンソースのプロセス管理の課題を
抱えるすべての組織が、コミュニティによってシェア
されたソリューションを見つけられるようにしたいと
考えています。
多くの参考資料のメンテナンスを継続し、ピアサポート
(仲間同士の助け合い)を提供するため、時にローカル
言語で運営される、大規模なグローバルコミュニティの
活動を継続していきます。」

Fukuchi San of Sony, one of the key people behind the OpenChain Japan Work Group, has received the ‘NAOPF OSS award 2022‘ from the Japan OSS Promotion Forum. This award was announced on the 24th of November 2022 during the 20th Northeast Asia OSS Promotion Forum.

Fukuchi San is one of the founders of the OpenChain Japan Work Group and has been a tireless contributor to both the local and international community for many years. His formal resume is on LinkedIn (https://www.linkedin.com/in/hiroyuki-fukuchi-oss/) but his most important resume is visible across his community contributions on our calls, mailing lists and elsewhere.

The OpenChain Project is driven by the community around it, and figures like Fukuchi San have been critical to building the energy and atmosphere to help people work together. His award is well-deserved and is a welcome example of how contributions are acknowledged by the broader open source ecosystem.

Thank you Fukuchi San!

Learn More (Japanese):

• http://ossforum.jp/index.php/2022/11/18/2022naospf/

The first meeting of the OpenChain Export Control Work Group took place on the 22nd of November 2022. This meeting focused on setting the parameters for future discussion.

In our open discussion, we explored topics firstly by framing the challenges, and then by discussing the types of resources available to support individual organization understanding and workflow.

During this discussion we explored a series of links based on audience contribution.

For example, the US export control overview:

• https://www.trade.gov/us-export-controls

The US Encryption and Export Administration Regulations (EAR):

• https://www.bis.doc.gov/index.php/policy-guidance/encryption

The type of definitions used:

• https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file

The American Conference Institute overview of US EAR encryption controls:

• https://www.americanconference.com/ear-boot-camp-821l16-chi/wp-content/uploads/sites/932/2016/08/Day1_4.45_Sorrentino.Crooks.Hansson.pdf

Exclusions to US cryptographic export control related to financial services:

• https://www.bis.doc.gov/index.php/policy-guidance/encryption/2-items-in-cat-5-part-2/a-5a002-a-and-5d002-c-1/v-decontrol-notes

A recent article regarding open source and export control:

• https://academic.oup.com/book/44727/chapter/378967490

An old but potentially useful (especially if refreshed) list of export controls by country:

• http://www.cryptolaw.org

An example of cryptography detected by the tool SCANOSS Minr:

• https://github.com/scanoss/cryptographic_algorithms

We have decided to reach out to experts to see if there are other resources available that may be useful.

Two future resources flagged as useful are:

1. A list of tools to help detect cryptographic algorithms in open source.
2. A document listing what encryption is strong and what is standard.

Our outcome was to search for resources like this, and also to check the type of parameters that our work group could continue the discussion while ensuring everyone is comfortable and no suggestion of organizational advice or recommendations could be misunderstood as existing.

The OpenChain Export Control Work Group will hold its second meeting on the 13th of December at 09:00 PST (17:00 UTC).

This meeting will have the following agenda:

1. Introductions
2. Open discussion about how our community can contribute to the field

Zoom meeting: 

• https://zoom.us/j/93456802267

The OpenChain Project ran an election for co-chairs of the Specification Work Group. The election period was from 2022-11-16 until 2022-11-22 Close of Business UTC.

The Nominees

• Steve Kilbane, Analog Devices
• Helio Chissini de Castro, CARIAD 
• Jacob Wilson, Gemini
• Chris Wood, Lockheed Martin

The Results

Helio received the majority of votes for the licensing co-chair.
Chris received the majority of votes for the security co-chair.

Conclusion: Helio and Chris will be passed as recommendations to the OpenChain Governing Board, who are meeting on the 8th of December. After this the new Specification Chair(s) will be announced.

Congratulations to everyone who was nominated. Each candidate is a valued member of our community and has played a significant role in our success. We look forward to continuing to work together closely as the project evolves. The results of this vote should not be viewed as a popularity contest, but rather a snapshot of community perspectives at this moment in time. As always, we rely on ALL of you to be the foundation and the driver of our specification work.

Thanks to everyone who voted. Your time was deeply appreciated. We will be holding our next election in one year, and we look forward to your participation at that time as well.

Details of the Election:

We received 13 votes in total.

Licensing

• Helio Chissini de Castro received 7 Votes
• Steve Kilbane received 6 Votes

Security

• Chris Wood received 10 Votes
• Jacob Wilson received 3 Votes

More Details About How The Election Worked

How we are running this election is split into two lengthy descriptions below. We are striving to do two things:

1. Create an open election process
2. Address the potential we have to have multiple domain experts sharing work

Because this is our first major election for Specification Chair, the process may have some rough edges. If there are any critical issues, we will address them.

How We Ran The Elections

The OpenChain Governing Board is formally considering who should be appointed by the board for the position(s) of OpenChain Specification Chairperson, and invites the broader OpenChain community to provide their perspective.

In this process, the broader OpenChain community will have nominees proposed and voted on to provide a recommendation. That recommendation will be passed to the OpenChain Governing Board for review, approval and ratification at their next meeting.

The specific process on behalf of the community is to undertake a voting process after a period of nomination. The community will vote in the following manner:

Votes for chairpeople will be sent by email to operations@openchainproject.org(received by the OpenChain General Manager and Project Manager).

Each member of our specification@ can cast *one* vote. All members of main@ are entitled to join specification@. The requirement to join the specification list is to maintain that list as the “single source of truth” for our specification-editing and other core specification work.

The votes will be tallied by the General Manager and prepared for the OpenChain Governing Board to review.

The tally will be reported to the OpenChain governing board. Their feedback and final decision will be provided to the community-at-large after their next formal governing board meeting.

For the 2022 OpenChain Specification Work Group elections the following notes are provided:
(1) we are operationally splitting the specification work group into two work groups: licensing and security, reflecting our two specifications in-market.
(2) for *this* specific election, we will split the election into two threads: one license biased (two nominees) and one security biased (two nominees). The result will be two chairs to fill the co-chair positions after approval by the OpenChain Governing Board.
(3) this means everyone on specification@ should vote for:
(i) their preferred choice for license work group chair;
(I) their preferred choice for security work group chair.
(4) these votes may be cast between the 16th and 22nd of November 2022.
(5) the OpenChain Governing Board will receive the tally of votes expressing community feedback, and will review it formally at their next meeting on the 8th of December 2022.
(6) it is expected that at this juncture the community will receive a response from the OpenChain Governing Board regarding their decision(s) around specification chairperson(s) circa 9th December 2022, and our new specification chairs will begin their term of office prior to 2023.

This process may be adjusted at any time by the governing board, and feedback to improve the process is always welcome, with the optic of ensuring that we continually refine the process as time progresses.

For This Specific Election

For the nomination period, we happen to have two people well versed in license compliance (Steve and Helio) and two people with a security background (Jacob and Chris). This suggest that our co-chair election – for *this* specific election, should break into two threads: one license biased (two nominees) and one security biased (two nominees). The result will be two chairs to fill the co-chair positions after approval by the OpenChain Governing Board.

However, for clarity, the intent is not to split the development of our licensing and security specifications into two different paths. The intent is that both chairs will work on both specifications by helping to collect community feedback and so on, with this feedback being provided to the Steering Committee for formal review and ratification if and when we decide to produce new versions of our standards.

We will meet at 08:00 UTC (09:00 CET) on Monday the 12th of December. Everyone is invited, whether they are from a company, governmental organization, non-governmental organization, academic organization or interested as an individual.

The agenda for our first meeting will be:

1. Introductions
2. An overview of open source public policy concerns in Europe and Asia
3. Open discussion on next steps

Ahead of the meeting you are encouraged to join our public policy work group mailing list:

• https://lists.openchainproject.org/g/public-policy-wg

Our second meeting will be scheduled around one month later at a timezone suitable for our colleagues in North America, and will be designed to capture their policy concerns as we head into 2023.