Featured

OpenAnolis announced that it has met the OpenChain ISO/IEC 5230 standard. The OpenAnolis community is a non-profit open source community formed by enterprises, institutions, universities, scientific research institutions, non-profit organizations, individuals, etc. on the basis of voluntariness, equality, openness, and collaboration.

The OpenAnolis community has always attached great importance to the construction of security and compliance capabilities. In terms of infrastructure, R&D processes and tools, the community has made comprehensive and in-depth investments, including the construction of software supply chain security infrastructure, support for SBOM lists, and the construction of license compliance systems. These capabilities provide solid security guarantees for the community’s open source activities, ensuring that they are carried out smoothly in a safe and compliant environment.

Ma Tao, Chairman of OpenAnolis, said: “We are pleased to announce the OpenChain ISO/IEC 5230 certification. Open source has always been the source of innovation for the OpenAnolis Community. The OpenAnolis Community will firmly embrace open source, contribute to open source, and contribute to the field of operating systems in the AI ​​era. This certification is a very important milestone in the construction of OpenAnolis’s open source compliance capabilities, and it is also a new starting point. The OpenAnolis Community will continue to invest and improve in the direction of security compliance to ensure the community’s security compliance level.”

Liu Dapeng, head of the OpenAnolis Community Standardization SIG, said that the OpenAnolis Community’s OpenChain ISO/IEC 5230 certification is of great significance to the development of the community. Standards and community open source complement each other, promote and enhance each other, and play an important role in building an open, interoperable, prosperous and innovative technology ecosystem. In the future, the Standardization SIG will continue to work with community ecosystem partners to jointly formulate the engineering standards of the OpenAnolis Community and ensure that community products meet relevant standard requirements.

About OpenAnolis

Founded in September 2020, OpenAnolis is an international open-source community and innovation platform for operating systems. It is committed to building a Linux open-source distribution and open-source innovation technology through open community cooperation. Its goal is to promote the prosperity and development of software, hardware, and application ecology, and jointly create new sources and infrastructure for digital development.

The community council consists of 24 leading enterprises from around the world, including Alibaba Cloud, Uniontech, Loongson, Arm, Intel, and more. Nearly 600 partners have participated in ecological co-construction, achieving full coverage of mainstream chip collaborative research and development mechanisms, mainstream middleware/databases, and mainstream OEM manufacturers. Over 100 products have successfully adopted the OpenAnolis operating system (Anolis OS). Currently, OpenAnolis has served over 800,000 users.

OpenAnolis has established about 60 SIG working groups, with an average monthly contribution of 5,000 PR. It has achieved technological innovation in core areas such as chips, kernel, compiler, security, virtualization, and cloud-native, consistently ranking at the top of the Linux community rankings. The community has released several community versions, including Anolis LoongArch GA, Anolis OS 7.9, 8.4, 8.6, and more.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Socionext, a semiconductor and System on a Chip (SOC) company based in Japan, has completed recertification of OpenChain ISO/IEC 5230. This is an important part of the 18 month review cycle required by the specification to ensure processes are current.

“ISO standard periodic recertification is a critical building block in creating trust,” says Shane Coughlan, OpenChain General Manager. “As companies evolve and markets change, it is important to use clear, unambiguous processes like those outlined in OpenChain ISO/IEC 5230, the International Standard for open source license compliance. This is key to managing the open source software supply chain, and Socionext has long been a leader in this area.”

About Socionext Inc.

Socionext Inc., a leading global System-on-Chip (SoC) supplier, is a pioneer of the ‘Solution SoC’ business model. This innovative approach encompasses Socionext’s ‘Entire Design’ capabilities and offering of ‘Complete Service’. As a trusted silicon partner, Socionext fuels global innovation, providing superior features, performance, and quality that set its customers’ products and services apart in diverse domains ranging from automotive and data centers to networking, smart devices, and industrial equipment.

Socionext Inc., based in Yokohama, operates offices across Japan, Asia, the United States, and Europe for development and sales. For more information, visit https://www.socionext.com/en/.

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

AbacatePay is a developer-friendly payment gateway designed to simplify payment processing. Built by developers for developers, it offers:

• Simple, intention-based API endpoints
• Idempotent operations for reliable transactions
• Consistent JSON request/response formats
• Native SDK support
• Easy dev mode integration
• PIX payment support
• Streamlined client and billing management

Learn More On Their Website:

• https://www.abacatepay.com

The OpenChain Project maintains a reference library of over 1,000 documents. This library has been built over eight years from our original, first release of a set of a training slides for open source license compliance. The library has now been comprehensively updated to make it easier to find, use and share resources.

Navigation:

To ensure easer of navigation and our ability to adjust and improve the library structure over time, you will find that navigation is primarily guided by the README file, which acts as the starting point for all navigation. You can also get a full preview of the structure of the library later in this post.

The intention is that:

1. You will enter this library at the top level of the archive
2. You will use this README file as your index
3. We will update the README as the library evolves

The library contains:

• Adoption Guidance
• AI Compliance Guidance
• Case Studies
• Compliance Training Slides
• Explainers for Internal Teams
• Maturity Models
• Policy Templates
• SBOM Quality Guidance
• Source Material for Online Training Courses
• Self-Certification Material
• Supplier Education Material
• Templates and Overview Material for OpenChain Project
• + Much, much more.

Licensing:

Most of the material in this repository is available under CC-0 licensing (effectively public domain). You will notice some exceptions with Guides (like the Telco SBOM Guide) and with case studies. These documents are not designed to be freely altered because they provide either guidance developed to consensus in our work groups, or the specific experience of companies in addressing compliance matters.

Navigating the Library:

As of 2025-05-08, the library is structured in the following folders alphabetically:

1. AI-SBOM-Compliance
2. Open-Source-Compliance-Support-Material
3. Open-Source-Policy-Templates
4. OpenChain-Adoption-Guides
5. OpenChain-Case-Studies
6. OpenChain-Explainers-For-Internal-Teams
7. OpenChain-FAQ
8. OpenChain-For-Mergers-and-Acquisitions
9. OpenChain-Maturity-Models
10. OpenChain-Promotion-Material
11. OpenChain-Standards-Self-Certification
12. OpenChain-Supplier-Education
13. OpenChain-Templates
14. OpenChain-Training
15. SBOM-Quality-Management

AI-Compliance

OpenChain has an AI Work Group. This is where you will find our work on AI compliance topics. The current focus is on AI SBOM management in the supply chain, and what type of program process points are required to manage this effectively.

There is a copy of the working document in this folder, and the active version for editing is kept here:https://docs.google.com/document/d/1XHztgMALwnu2D02bmWYyXeW3wE_Jw199/edit?pli=1#heading=h.pzcghykzc46

You are welcome to be part of this work. OpenChain AI Work Group mailing list:https://lists.openchainproject.org/g/ai

Open-Source-Compliance-Support-Material

This folder contains compliance-related material non-specific to OpenChain. You may find these community contributions useful in your work.

Open-Source-Policy-Templates

Having an open source policy is a requirement in our standards. This folder contains some template material to get you started or to help you refine existing policies.

OpenChain-Adoption-Guides

This folder contains guides to adopting the OpenChain standards.

OpenChain-Case-Studies

This folder contains case studies from companies that have adopted OpenChain standards.

OpenChain-Explainers-For-Internal-Teams

Explaining the value of OpenChain approaches to compliance process management is critical to ensure buy-in and support across an organization. We have created a series of quick explainer documents to support this.

OpenChain-FAQ

This folder contains the official OpenChain Project Frequently Asked Questions. These are mirrored on our website.

OpenChain-For-Mergers-and-Acquisitions

This folder contains some material relevant to understanding OpenChain standards in the context of Mergers and Acquisitions.

OpenChain-Maturity-Models

Once an organization has begun to adopt OpenChain standards, the question arises of how to iterate and improve their compliance program. Maturity models or capability models are a tool to assist with this. We have one to share with you as a reference guide.

OpenChain-Promotion-Material

This folder contains infographics, one-pagers and introductory presentations to help organizations understand the OpenChain Project, its standards, its reference material, and the global community supporting its work.

OpenChain-Standards-Self-Certification

This folder contains self-certification checklists and questionnaires to help companies easily adopt our standards. This material can also be used as a “health check” for organizations not currently using our standards.

OpenChain-Supplier-Education

This folder contains a leaflet designed to give suppliers a single file that takes them from “what is open source” through to the importance of license compliance, and the use of OpenChain standards.

OpenChain-Templates

This folder contains templates so that the community can develop new presentations or documents with the OpenChain trademarks, mascots and other images.

OpenChain-Training

This folder contains our reference training slides and also the source code for our online training courses.

SBOM-Quality-Management

OpenChain has an SBOM Study Group. This is where you will find our work on SBOM-related topics. The current focus is on SBOM Quality in the supply chain, and what type of approach is required to manage this effectively.

You are welcome to be part of this work. OpenChain SBOM Study Group mailing list:https://lists.openchainproject.org/g/sbom

Where To Get Help:

Our website FAQ page contains resources to get help from our project staff:https://openchainproject.org/resources/faq

How To Participate In Development:

We would be delighted to work with you through our Education Work Group. You will find their mailing list here:https://lists.openchainproject.org/g/education

You are encourage to open issues or pull requests online: https://github.com/OpenChain-Project/Reference-Material/issues

In April, the OpenChain Telco Work Group completed work on version 1.1 of the OpenChain Telco SBOM Guide. This document helps to define what is a quality Software Bill of Materials in the context of supply chain management. It uses SPDX, the NTIA Requirements and the experience of the Telco industry to provide a clear, simple and easily adjustable approach. Today, with the release of the updated official validator, we are promoting the guide as generally available to the open source community.

Below you can:

• Learn more about the guide
• Get the guide in Chinese (Traditional), English, French and Japanese
• Get the validator
• Learn how to get involved in future development

What is this Guide?

The OpenChain Telco SBOM Guide aims to outline certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this guide can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs. 

Note: that this guide does not require a conforming entity to adopt OpenChain standards but doing so is greatly encouraged.

This guide is designed to work on a per SBOM level: an entity can use it as its sole way of delivering SBOMs but it is the individual SBOM that the guide refers to, not the entity that provides the SBOM. An SBOM using this guide can be called “OpenChain Telco SBOM Guide Compatible.”

Want more context? We delivered a presentation at FOSDEM:

Updates from Version 1.0 to Version 1.1 of the Guide:

The following updates were made in version 1.1:

• Both PackageChecksum and PackageVerificationCode are allowed as package hash.
• The package hash is RECOMMENDED instead of MANDATORY.
• ExternalRef is RECOMMENDED instead of MANDATORY.
• FilesAnalyzed is no longer MANDATORY.
• Examples are provided for the CISA SBOM Types.
• A RECOMMENDED syntax is given for CISA SBOM Types.
• sbomasm is a better example of SBOM merge tool.
• Add reference to new CISA document.

An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.

Get the Guide

• Chinese (Traditional) Version
• English Version
• French Version
• Japanese Version

Do you want to review the original 1.0 version of the guide? You can learn more and get it in multiple languages via the original Telco SBOM Guide version 1.0 launch announcement. You can also learn more about the version 1.0 validator in its original launch announcement.

Get the Validator

Our official validator for the Telco SBOM Quality Guide has been updated for version 1.1 and is available on the OpenChain Telco Work Group GitHub repo.

To install from PyPI, issue:
pip3 install openchain-telco-sbom-validator 
or 
pipx install openchain-telco-sbom-validator.

Coming Next:

Development of the next generation of the guide will occur via the Telco Work Group, and everyone is welcome to contribute.

The OpenChain Telco Work Group mailing list is here: 

• https://lists.openchainproject.org/g/telco

The OpenChain Telco Work GitHub (for drafting) is here: 

• https://github.com/OpenChain-Project/Telco-WG

Related News:

• The updated official Validator announcement
• External Validation Support announcement

Community Credits:

Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.

Amazon is the latest company to join the OpenChain Project as a Platinum Member and to take a seat at the Governing Board and Steering Committee. This highlights their unwavering commitment to leadership in open source technology, process management and in building trusted supply chains.

“At Amazon, we believe in strengthening the open source ecosystem through collaboration and shared best practices,” said Nithya Ruff, Director of Amazon’s Open Source Program Office. “By joining the OpenChain Project, we’re committed to contributing our experience across cloud services and consumer devices to support and evolve industry standards. We look forward to working with the OpenChain community to make supply chain collaboration easier and more effective for the industry.”

“Amazon pioneered modern digital management of complex supply chains at massive scale,” says Shane Coughlan, OpenChain General Manager. “Their engagement with the OpenChain Project, and more broadly with all aspect of open source process management, underlines the vital role that open standards and open communities play in building a more trusted supply chain. We look forward to benefiting from their thought-leadership as OpenChain enters the next stage of its evolution.”

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Today we are delighted to share the news that ZF Group has implemented an ISO/IEC 5230 conformant program.

This significant achievement underscores their commitment to excellence, innovation, and adherence to the highest standards of compliance and best practices in their open-source initiatives. As noted by Sarah Moser of the ZF Group team, implementing the ISO/IEC 5230 standard represents a crucial step in fostering a culture of transparency, collaboration, and continuous improvement.

ZF Group’s conformance was via third-party certification in collaboration with TIMETOACT. The approach they took, their motivations and their practical solutions will be highlight in a forthcoming OpenChain webinar and case study.

Huge thanks to Sarah, the ZF OSPO team and also Simon Pletschacher at TIMETOACT for not only making this happen, but helping to communicate it widely to inspire others.

About ZF Group

ZF is a global technology company represented with 161 production locations in 30 countries. With some 161,600 employees worldwide, ZF reported sales of €41.4 billion in fiscal year 2024.

Founded in 1915, ZF has evolved from a supplier specializing in aviation technology to a global mobility technology company.

Group shareholders include the Zeppelin Foundation, administered by the City of Friedrichshafen, holding 93.8 percent of shares, and the Dr. Jürgen and Irmgard Ulderup Foundation, Lemförde, with 6.2 percent.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

QNAP Systems, Inc., a leading computing, networking, and storage solutions innovator based in Taipei, has announce and OpenChain ISO/IEC 5230 conformant program.

About QNAP

QNAP (Quality Network Appliance Provider) is devoted to providing comprehensive solutions in software development, hardware design and in-house manufacturing. Focusing on storage, networking and smart video innovations, QNAP now introduce a revolutionary Cloud NAS solution that joins our cutting-edge subscription-based software and diversified service channel ecosystem. QNAP envisions NAS as being more than simple storage and has created a cloud-based networking infrastructure for users to host and develop artificial intelligence analysis, edge computing and data integration on their QNAP solutions.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Elixir Project is pleased to share that the Elixir project now complies with OpenChain ISO/IEC 5230, the international standard for open source license compliance. This step aligns with broader efforts to meet industry standards for supply chain and cybersecurity best practices.

“Today’s announcement around Elixir’s conformance represents another significant example of community maturity,” says Shane Coughlan, OpenChain General Manager: “With projects – the final upstream – using ISO standards for compliance and security with increasing frequency, we are seeing a shift to longer-term improvements to trust in the supply chain.”

Why OpenChain Compliance Helps

By following OpenChain ISO/IEC 5230, we demonstrate clear processes around license compliance. This benefits commercial and community users alike, making Elixir easier to adopt and integrate with confidence.

Changes for Elixir Users

• All future Elixir releases will include a Source SBoM in CycloneDX 16 or later and SPDX 2.3 or later formats.
• Each release will be attested along with the Source SBoM.

These additions offer greater transparency into the components and licenses of each release, supporting more rigorous supply chain requirements.

Changes for Contributors

• Contributions remain under the Apache-2.0 License. Other licenses cannot be accepted.
• The project now enforces the Developer Certificate of Origin (DCO), ensuring clarity around contribution ownership.

Contributors will notice minimal procedural changes, as standard practices around
licensing remain in place. For more details, see the CONTRIBUTING guidelines

Commitment

These updates were made in collaboration with the Erlang Ecosystem Foundation, reflecting a shared commitment to robust compliance and secure development practices. Thank you to everyone who supported this milestone. We appreciate the community’s ongoing contributions and look forward to continuing the growth of Elixir under these established guidelines.

Learn more about Elixir:

• https://elixir-lang.org

CSI Piemonte, an early adopter of OpenChain ISO/IEC 5230, has announced their fourth periodic recertification of the international standard for open source license compliance processes.

“CSI Piemonte has renewed its self-certification to ISO/IEC 5230:2020 for the fourth time, aware of its decades-long aptitude to implement, acquire, and publish open source software,” says Marco Alberto Panepinto, Open Source Subject Matter Expert at CSI Piemonte. “Italian law, in particular, requires public administrations to publish self-produced software on the national Developers Italia catalog, on which CSI Piemonte publishes the products implemented for local Piedmontese bodies, including mainly the Piedmont Region. Our processes are aimed at providing and promoting the creation and control of open source software, aimed at reuse by other public administrations, as our legislation provides. It is therefore since 2020 that we have adhered to the standard and we are proud to continue pursuing the goal of making our software open.”

“In recent months we have highlighted recertification activity around our standards to underline the concept of sustainable approaches to software management,” says Shane Coughlan, OpenChain General Manager. “Continuity in supply chain management is key to ensure that issues are minimized and productivity is maximized. We are delighted to collaborate with CSI Piemonte on yet another reminder of this important point, and the suitability of OpenChain standards for such long-term management.”

About CSI Piemonte

CSI Piemonte has promoted technological innovation and digital transformation for public administrations since 1977. OpenChain is delighted to welcome them to our community of conformance.

Learn More About CSI

• https://www.csipiemonte.it/web/en

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.