Featured

The OpenChain Project has invested resources throughout 2022 towards improving the sustainability and continuity of our project. As part of this, the OpenChain Project Governing Board decided to initiate a chairperson election. This initiative was lead by David Marr of Qualcomm, our founding chairperson, and was designed to introduce processes for a predictable cycle of leadership rotation at the very top of the project management structure.

Jimmy Ahlberg of Ericsson was duly elected OpenChain Project Governing Board Chair on the 8th of December by his peers, the voting members of the OpenChain Project Governing Board. The board is made up of one voting representative from each of the Platinum Member companies. We currently have 24 Platinum Members spread across three continents, providing one of the most geographically diverse boards in our industry.

The OpenChain Board Chair is a pivotal position. As with everything in this project, it is a position that offers influence but not control, though in this case the influence is specifically targeted towards our long-term strategic future. Jimmy has been elected for a period of three years.

As the steward of two industry standards, one of which already has an ISO/IEC grant, the OpenChain Project Governing Board has a responsibility to ensure stability and sustainability. From fiscal decisions to overarching strategy, they meet once a quarter to assess our status and future steps. Because this is an open source project, their decisions are not taken in isolation. Our community has tremendous latitude and influence on this project, and our board has tremendous respect for what that means.

Jimmy is stepping into the role with the continued support of David and the rest of the OpenChain Project Governing Board, and our fundamental strategy remains consistent. This said, we expect and look forward to Jimmy making his mark as new chairperson, and innovating around our top-level strategy based on his insight, experience and corporate background. 

If you have questions, comments or suggestions directed towards Jimmy, don’t hesitate to connect with him on one of our monthly calls, via our mailing lists or by direct mail. The leadership of the OpenChain Project is here to serve you, the community seeking to build trust in the supply chain. 

To end this lengthy post, please note that the OpenChain Project Governing Board formally thanks David Marr for his exceptional work in founding and growing this project. He first brought people together to discuss the concept of standardization around open source license compliance eight years ago, and it takes a special type of determination and community-building to turn that into an executed ISO/IEC standard. It is also thanks to David that we have expanded our activities based on community feedback to other aspects of a trusted supply chain. His impact has been and continues to be immeasurable.

The OpenChain Security Assurance Specification 1.1 is now available in German. Self-certification is also available via checklists and questionnaires. Huge thanks to Katharina and the rest of the the team at PwC for making this happen.

Get the OpenChain Security Assurance Specification 1.1 in German:

---

Self-Certify to the OpenChain Security Assurance Specification 1.1 in German via a checklist:

---

Self-Certify to the OpenChain Security Assurance Specification 1.1 in German via a questionnaire:

---

If you self-certify, you can be listed on the OpenChain Project website alongside your peers. This is optional but recommended as a useful exercise for the supply chain. Contact us to get the free process underway.

Self-certification for the Security Assurance Specification 1.1 is now available in English, Simplified Chinese and German. More languages are expected to be made available soon.

Helio Chissini de Castro, CARIAD

Chris Wood, Lockheed Martin

The OpenChain Project recently held an election for Specification Work Group co-chair. The suggested nominees from the community vote were passed to the OpenChain Governing Board for review and – on the 8th of December – were unanimously accepted by the OpenChain Platinum Members.

Helio Chissini de Castro, CARIAD and Chris Wood, Lockheed Martin are duly announced as the co-chairs of the OpenChain Specification Work Group for a period of one year. Congratulations both!

Join our specification mailing list to keep up to date with our work around ISO/IEC 5230 and the OpenChain Security Assurance Specification:

• https://lists.openchainproject.org/g/specification

Google, an OpenChain Governing Board member and early adopter of the first generation OpenChain standard for open source license compliance, has announced formal adoption of ISO/IEC 5230, the International Standard for open source license compliance.

“Google has been at the forefront of open source development and the compliant use of open source from its earliest days,” says Hilary Richardson,  Open Source Attorney at Google. “The Google Open Source Programs Office prides itself on bringing the best of open source to Google and the best of Google to open source. Responsible use of open source includes respecting developers through compliant use of their code. Google’s participation in the OpenChain project is an important part of supporting industry maturity and predictability in open source compliance.”

“Google has long been a driver of the OpenChain Project, and has been pivotal in the development and granting of ISO/IEC 5230,” says Shane Coughlan, OpenChain General Manager. “Their conformance announcement aligns their OpenChain program with our shared industry norm, and serves as inspiration for the cloud supply chain and beyond.”

About the OpenChain Project

The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source. Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.

Learn more:
https://www.openchainproject.org

About The Linux Foundation

The Linux Foundation is the world’s largest non-profit connecting global technical experts, and providing them with a neutral and trusted platform to develop open source projects. Founded in 2000 as the home of the Linux Kernel, the Linux Foundation has grown to host hundreds of open source projects, with a community spanning 2,950+ members, 540,000+ contributing developers, and 19,000+ contributing companies.

Learn more:
https://www.linuxfoundation.org

The annual OpenChain Advent Calendar is now out! It is the 4th year of our calendar and our 100th article will be published on Christmas Day, the 25th of December 2022. Following advent tradition, the articles will be revealed daily, and then it is time for us to take a break, eat nice food, and watch our favorite movies.

This calendar is maintained by our Japan Work Group and lead by Watanabe San from Hitachi Solutions with help from Fukuchi San of Sony and many more. You can access it at this link:
https://qiita.com/advent-calendar/2022/openchainjapanwg

Do you want to jump to the first article? Sure! It is from Shane Coughlan, OpenChain General Manager, and is available in both English and Japanese. Watanabe San created the Japanese translation:
https://qiita.com/AyumiWatanabe/items/832146867fde6560f2d1

OpenChain JWG Advent Calendar初日のShaneからの
メッセージは大変力強いものでした。
是非多くの方に読んで頂ければと思います。

アドベントカレンダー：
https://qiita.com/advent-calendar/2022/openchainjapanwg

Shaneのメッセージ：
https://qiita.com/AyumiWatanabe/items/832146867fde6560f2d1

「さまざまなオープンソースのプロセス管理の課題を
抱えるすべての組織が、コミュニティによってシェア
されたソリューションを見つけられるようにしたいと
考えています。
多くの参考資料のメンテナンスを継続し、ピアサポート
(仲間同士の助け合い)を提供するため、時にローカル
言語で運営される、大規模なグローバルコミュニティの
活動を継続していきます。」

Fukuchi San of Sony, one of the key people behind the OpenChain Japan Work Group, has received the ‘NAOPF OSS award 2022‘ from the Japan OSS Promotion Forum. This award was announced on the 24th of November 2022 during the 20th Northeast Asia OSS Promotion Forum.

Fukuchi San is one of the founders of the OpenChain Japan Work Group and has been a tireless contributor to both the local and international community for many years. His formal resume is on LinkedIn (https://www.linkedin.com/in/hiroyuki-fukuchi-oss/) but his most important resume is visible across his community contributions on our calls, mailing lists and elsewhere.

The OpenChain Project is driven by the community around it, and figures like Fukuchi San have been critical to building the energy and atmosphere to help people work together. His award is well-deserved and is a welcome example of how contributions are acknowledged by the broader open source ecosystem.

Thank you Fukuchi San!

Learn More (Japanese):

• http://ossforum.jp/index.php/2022/11/18/2022naospf/

The first meeting of the OpenChain Export Control Work Group took place on the 22nd of November 2022. This meeting focused on setting the parameters for future discussion.

In our open discussion, we explored topics firstly by framing the challenges, and then by discussing the types of resources available to support individual organization understanding and workflow.

During this discussion we explored a series of links based on audience contribution.

For example, the US export control overview:

• https://www.trade.gov/us-export-controls

The US Encryption and Export Administration Regulations (EAR):

• https://www.bis.doc.gov/index.php/policy-guidance/encryption

The type of definitions used:

• https://www.bis.doc.gov/index.php/documents/new-encryption/1652-cat-5-part-2-quick-reference-guide/file

The American Conference Institute overview of US EAR encryption controls:

• https://www.americanconference.com/ear-boot-camp-821l16-chi/wp-content/uploads/sites/932/2016/08/Day1_4.45_Sorrentino.Crooks.Hansson.pdf

Exclusions to US cryptographic export control related to financial services:

• https://www.bis.doc.gov/index.php/policy-guidance/encryption/2-items-in-cat-5-part-2/a-5a002-a-and-5d002-c-1/v-decontrol-notes

A recent article regarding open source and export control:

• https://academic.oup.com/book/44727/chapter/378967490

An old but potentially useful (especially if refreshed) list of export controls by country:

• http://www.cryptolaw.org

An example of cryptography detected by the tool SCANOSS Minr:

• https://github.com/scanoss/cryptographic_algorithms

We have decided to reach out to experts to see if there are other resources available that may be useful.

Two future resources flagged as useful are:

1. A list of tools to help detect cryptographic algorithms in open source.
2. A document listing what encryption is strong and what is standard.

Our outcome was to search for resources like this, and also to check the type of parameters that our work group could continue the discussion while ensuring everyone is comfortable and no suggestion of organizational advice or recommendations could be misunderstood as existing.

The OpenChain Export Control Work Group will hold its second meeting on the 13th of December at 09:00 PST (17:00 UTC).

This meeting will have the following agenda:

1. Introductions
2. Open discussion about how our community can contribute to the field

Zoom meeting: 

• https://zoom.us/j/93456802267