The OpenChain Automotive Work Group held a mini-summit on the 11th of November 2022. This event was focused on outlining the key items of interest for the industry in our sphere, and then discussing how we will address them in 2023. It was a short summit (only one hour) so time was tight, and it is clear that we have plenty to do as we begin regular quarterly meetings circa February 2023.
This was contributed by Feng Wang from SecTrend, and it joins our previous contribution of a self-certification checklist in Simplified Chinese from Zhang Jun Xia at CAICT:
In our 45th OpenChain Webinar, Michael Plagge from Eclipse will introduce the Software Defined Vehicle Project and explain more about what it means to open source in automotive and the broader global community. This has the potential to have a significant impact in a market-sector supply chain and is recommended watching for those operating in the space.
You can join us at 08:00 UTC (09:00 CET) on the 29th of November 2022. We will be using this Zoom room:
NAVER, a global ICT company, today announces the adoption of ISO/IEC 5230, the International Standard for open source license compliance. As a global leader in search, messaging, cloud, contents, metaverse and digital twin, NAVER has significant engagement with open source technology. The adoption of ISO/IEC 5230 underlines their commitment to excellence in open source process management.
“NAVER started investing in the open source field in 2008 and has continued its efforts to contribute to the open source ecosystem, and internally operates an open source governance system,” says Mincheol Song, Executive Officer of Global Platform Strategy. “With this adoption of ISO/IEC 5230, we are willing to contribute more to the open source ecosystem with OpenChain.”
“NAVER has a significant footprint in the type of domains where open source thrives,” says Shane Coughlan, OpenChain General Manager. “Their adoption of OpenChain ISO/IEC 5230, the standard for open source license compliance, has ramifications for a large part of the global open source supply chain. We are delighted by this development, and we look forward to working closely with the NAVER team to help companies in Korea and beyond use open source effectively and efficiently.”
About NAVER
Founded in 1999, NAVER is Korea’s largest Internet company with hundreds of millions of users worldwide. As a global technology company, it operates the No.1 search engine in Korea, NAVER, as well as other online services, such as LINE mobile messenger, Webtoon and Webnovel publishing, SNOW video camera app and ZEPETO metaverse platform. NAVER recorded sales of KRW 6.8 trillion (USD 5.6 billion) in 2021 and is pursuing changes and innovations in technology platforms through continuous research and development of future technologies, such as artificial intelligence, robotics and mobility.
The OpenChain Export Control Work Group will hold its first meeting on the 22nd of November at 15:00 UTC (16:00 CET).
This meeting will have the following agenda:
(1) Introductions (2) Overview of why export control matters from the perspective of open source and compliance (3) Open discussion about how our community can contribute to the field
Nathan has formally been elected Chair of the Education Work Group as per the process outlined below. From November onward he will be leading our work around developing and delivering best in class reference material to support a trusted supply chain.
The Election Process Used
The OpenChain Project has always had a strong focus on sustainability. As the maintainer of two industry standards, and the facilitator of a large supply chain community, our strategic position has always been to look at multi-year horizons.
As part of this, we are aware of the need to ensure our project reflects how people and activities adjust their priorities over time. A key example is the question it how we will address continuity in our work groups as our initial chairpeople reach the natural end of their tenure.
The answer is straightforward (as with most things in this project). We will introduce elections to allow chairs to rotate in a manner that is predictable and accessible.
To begin this process, we will see a transition with our Education Work Group. Balakrisha, after a stellar period of leading the group, has expressed a desire to allow another to carry the leadership torch as the next phase of project reference and training material is developed. This coincides nearly with some work we have been doing to adjust our Outreach Work Group into the more formal Outreach committee outlined in our charter, and the question of how to direct related volunteer energy and activity.
Nathan, chair of Outreach, stepped forward as a candidate for Education Work Group. A window for other parties to nominate was opened until before October 25th 2022. The process was determined to allow that if there were no other contenders, Nathan formally became chair of the Education Work Group with a one year term. He may be re-elected in the next cycle in the same manner as this time.
Throughout this quarter and into 2023 we will gradually introduce more elections, and by 2H 2023 all the primary OpenChain work groups should have completed the introduction of chair elections.
The next generation of our license compliance standard will update ISO/IEC 5230.
Our security assurance standard (generation 1) is scheduled to become an ISO/IEC standard in mid-2023. The update to generation 2 will trigger an update to the new ISO/IEC standard for late 2023~mid-2024.
You will find extensive feedback on our standards already exists on GitHub and you can easily review that before submitting a suggestion for improvement.
Pre-existing submissions for the security assurance standard:
The OpenChain Security Assurance Specification 1.1 self-certification checklist is now available in Simplified Chinese. A big thank you to Zhang Jun Xia from CAICT for making this happen.
This checklist is designed to help organizations adopt the de facto standard for open source security assurance. Organizations using this self-certification process will also meet the requirements of the specification when it graduates the ISO/IEC JTC-1 PAS Transposition process, with an estimated arrival time of that International Standard in mid-2023.
The checklist contains a series of “yes” or “no” statements. If you can answer “yes” to everything, you are self-certified. If you answer “no” to some items, you know where to invest further time to build a quality security assurance program.
This checklist is licensed under CC-0 (effectively public domain), so you can take it, integrate it, and remix it without any restrictions. You do not even have to provide attribution.
The OpenChain Security Assurance Specification 1.1 self-certification checklist is now available. This is designed to help organizations adopt the de facto standard for open source security assurance. Organizations using this self-certification process will also meet the requirements of the specification when it graduates the ISO/IEC JTC-1 PAS Transposition process, with an estimated arrival time of that International Standard in mid-2023.
The checklist contains a series of “yes” or “no” statements. If you can answer “yes” to everything, you are self-certified. If you answer “no” to some items, you know where to invest further time to build a quality program.
This checklist is licensed under CC-0 (effectively public domain), so you can take it, integrate it, and remix it without any restrictions. You do not even have to provide attribution.
The OpenChain Project has been very active since its formal launch in late 2016. Our global community has built an ISO/IEC standard for license compliance, launched a de facto (and soon to be ISO/IEC) standard for security. We have contributed to SBOM, OSPO, training, policy and other discussions. We built the world’s largest library of open source management reference material.
To reflect our growth and to make it easier to navigate the project we are going to make some adjustments to our work groups. Nothing too radical, but definitely something to help people find their way around more quickly, and to get the information they want faster. The image above contains a summary of the evolution approved by our Governing Board at their last meeting in September, and targeted for release during October 2022.
The changes?
The Specification Work Group will split into two parts – a Licensing Work Group for ISO/IEC 5230 and a Security Work Group for the Security Assurance Specification.
The Education Work Group and Outreach Work Group will combine into the Education Work Group.
We will launch a new Export Control Work Group and a new Policy Work Group. The former will help to navigate issues around increasing international trade tensions. The later will help us provide strategic advice around the highest level of planning for open source in legislation and business.
The dormant Conformance Work Group will be wound down and discussions regarding self-certification moved to Education Work Group, with discussions about the nuance of conformance parameters moved to our Steering Committee.
Finally (if there are no objections), we will re-brand the Reference Tooling Work Group to the Automation Work Group to help guide people hearing about automation to the right solutions.
