THE LINUX FOUNDATION PROJECTS
Category

Featured

Mar 30

Stronger Together: Networking for Cybersecurity Impact

By Featured

In today’s digital landscape, the threat surface is ever-expanding. We face an increasing tide of sophisticated attacks and data breaches, often perpetrated by well-organized adversaries who operate with the efficiency of a company. This reality highlights a critical truth: isolation is no longer an option for defense. The solution is clear: networking instead of silos – said by Christian Billmann. Creating communities and exchange ideas are getting more and more important that is the reason why Cybersecurity Region Stuttgart Meetup was created. Regional and local collaborations have a real impact on cybersecurity defense strategies. This initiative is dedicated to bringing people together, fostering connections, and sharing knowledge. Anyone interested can join their community, easily found on LinkedIn.

Another great initiative is the Automotive Security Research Group (ASRG) which was presented by Dirk Targoni. ASRG was born from the recognition that across the automotive industry, professionals facing similar problems related to cybersecurity. The increasing dependence on external data sources means shared challenges, and the logical response is to work together to solve them. ASRG currently boasts a dedicated network of over 100 volunteers working on different projects and researches.

In an era where attackers pool their resources and knowledge, it’s more critical than ever for defenders to do the same. We are not competitors; we are stronger together.

 

Mar 26

Using Apache Airflow to Automate Autonomous Driving Tests

By Featured

This presentation, “Using Apache Airflow to Automate Autonomous Driving Tests” by Bosch, details the significant challenges of testing software for autonomous vehicles and how Apache Airflow provides a robust solution.

The core problem lies in the sheer scale of testing required: to statistically prove that autonomous vehicles are safer than human drivers (e.g., 20% lower fatality rate with 95% confidence), an astronomical 14 billion kilometers of testing is needed. Physical testing alone would take 400 years with a fleet of 100 vehicles operating non-stop, making it impractical and statistically impossible for ensuring safety. Moreover, the “chaos of reality” (as illustrated by a chaotic street scene) demands testing across an immense number of complex scenarios. Standard CI/CD tools fall short here, as they are designed for short-lived code builds, not the massive test volumes, dynamic workflows, complex dependencies, and specialized hardware environments inherent to autonomous driving development.

Bosch, in collaboration with Cariad through the “Automated Driving Alliance,” adopted Apache Airflow as their orchestrator to manage thousands of parallel test executions. Airflow was chosen for its large community, Python-based workflow-as-code approach, enterprise-readiness, scalability, vendor/tech neutrality (Kubernetes, Spark/Hadoop, Docker), and Apache license, avoiding vendor lock-in. They even leverage Airflow for “Edge Worker” deployments to manage testing on remote sites with specialized hardware.

Key lessons learned include the importance of building on mature products rather than developing in-house solutions, leveraging the community for support, and prioritizing upstream contributions to minimize custom code. Bosch actively contributes to Airflow, helping shape its development in a direction that meets their critical safety needs.

Indeed, Bosch has been an extremely active contributor to the Apache Airflow project, making over 900 contributions, including new features, bug fixes, and improvements. They are deeply involved in the Airflow community through conferences, podcasts, and discussions, demonstrating a strong commitment to open-source collaboration and development. This extensive contribution highlights how they not only use Airflow but also actively help evolve it to meet the demanding requirements of autonomous driving test automation.

 

 

Mar 26

AI Systems Engineering: The New Discipline to Rescue AI from the “Valley of Death”

By Featured

AI is everywhere, yet true, reliable AI innovation often feels out of reach. With only 9% of organizations achieving AI maturity (Gartner 2024) and 95% of GenAI projects expected to fail (MIT 2025), it’s clear: AI needs a disciplined approach to move from hype to real-world impact.

Dr. Thomas Usländer from Fraunhofer IOSB highlighted a critical solution at OpenChain and Friends 2026: AI Systems Engineering.

Why You Need AI Systems Engineering

Simply put, AI only becomes an innovation when it’s reliably, securely, and efficiently applied. We’re currently in the “Trough of Disillusionment” on the Gartner Hype Cycle for AI – where initial excitement fades as projects hit roadblocks. AI Systems Engineering is our map out of this trough.

It’s about treating AI not as magic, but as complex systems that need proper engineering.

What Is It? (The Core Idea)

AI Systems Engineering is a new discipline focused on:

  1. Methodology: Structured ways to build and deploy AI. Think of PAISE® (Process Model for AI Systems Engineering) – it even treats data as “sub-systems” with their own development cycles.
  2. Data Management (Data Spaces): AI needs data! Open, secure data-sharing platforms like Catena-X are crucial for industrial AI to scale and work together.
  3. Responsible AI: With regulations like the European AI Act, building AI responsibly (considering roles, risks, and ethics) isn’t optional – it’s integrated into the engineering process.
  4. System-Wide View: AI isn’t just an algorithm; it’s part of a larger system. This discipline ensures AI integrates smoothly and safely into broader operations.

AI Systems Engineering + Data Spaces: The Perfect Pair

These two concepts are inseparable. AI Systems Engineering gives you the “how-to” (the engineering process), while Data Spaces provide the “what-to-use” (the secure, shared data). Together, they enable the efficient development, deployment, and operation of AI systems, especially for industrial uses.

The Bottom Line

AI is powerful, but its true value is unlocked through discipline. AI Systems Engineering is crucial for making AI reliable, compliant, and genuinely innovative. Without it, many AI projects risk getting stuck in the “Valley of Death.” It’s the engineering foundation AI needs to thrive.

 

 

Mar 26

The Last Mile Problem: Turning Executive Support into Real Open Repo Contributions

By Featured

The following information was explain in this event:

  • What is AGL? Automotive Grade Linux is a non-profit, open-source Linux-based collaborative project hosted at the Linux Foundation. Its goal is to build the car of the future through rapid innovation by uniting the automotive and software industries. It covers areas like infotainment, instrument clusters, Head-up Displays (HUD), telematics/connectivity, functional safety, and Advanced Driver Assistance Systems (ADAS).
  • AGL at a Glance: It’s a Linux Foundation collaborative project with members including automakers, Tier 1 suppliers, and technology companies. It started in 2015 as the Unified Code Base (UCB) – an open platform for Software-Defined Vehicles (SDVs). It has been in production in Toyota and Lexus vehicles since 2018, with a refresh in 2026, and will be integrated into Subaru, Mazda, and Mercedes-Benz Vans. Its scope has expanded from infotainment to instrument clusters, telematics, ADAS, and beyond.
  • 10+ Years of Tier 1/OEM Collaboration: AGL has proven that competitors can collaborate on shared software. It provides a neutral ground where OEMS and Tier 1s work side-by-side on a common platform. Code contributions come from automotive companies such as Toyota, Honda, Panasonic, Aisin, Denso, Jaguar Land Rover, Denso Ten, Mitsubishi, Daimler, and Subaru. This shared investment reduces duplication and accelerates innovation, resulting in production-ready open-source software in millions of vehicles.
  • “The Last Mile Problem”: Lack of Senior Management Buy-In: The primary organizational barrier to open-source contribution is that leadership often fails to see the business value of contributing. Open source is not perceived as a strategic asset, and there are concerns about competitive advantage and intellectual property leakage. Without executive sponsorship, Open Source Program Offices (OSPOs) and contribution efforts stall, preventing developers from posting code to open repositories.
  • AGL OSPO Expert Group: Launched in November 2024, this group is led by Toyota, with key members including Panasonic and Honda. Its objectives are to encourage companies to establish their own OSPOs, share pain points and collaborate on solutions, develop best practices for open source in the automotive industry, and address business restrictions (e.g., export control, anti-trust). The group meets monthly and is open to everyone which shows that everyone is welcome to participate and to support the team.
  • AGL OSPO Expert Group – Executive Support: The group recognized the need for open-source sponsorship at the highest levels within companies. They created an “Executive Slide Deck,” available for anyone to use, to promote the value and usage of open source to executives. This deck includes case studies from Honda, Toyota, Bosch, and an unnamed Tier One supplier.
  • Deployment Example: Suzuki e Vitara: New Suzuki EVs feature AGL and QT, developed by Aisin and Yazaki.

As summary I would take this as one good example how many different car manufacture can use one base and how everyone can participate in order to make this project better and better.

 

 

Mar 26

Open Source based SupplyChain Management at scale

By Featured

In this lecture I was able to understand what the Open Source Tooling Group’s mission is – to simplify and standardize how companies manage open source software compliance throughout their development and supply chains. The core challenge which was addressed is the difficulty in truly knowing if various compliance and security tools are working correctly, integrating smoothly, and consistently producing reliable data like Software Bill of Materials (SBOMs). Traditional “plugfests” or superficial comparisons often don’t provide the deep insights needed.

At the heart of recommended tooling solution in this lecture is the Open Review Toolkit (ORT). This isn’t just a single-purpose tool; it’s designed as a comprehensive “virtual conveyor belt” for open source compliance. ORT can automatically analyze a software project’s dependencies, download its source code, scan it for license and copyright information (often using tools like ScanCode), consult vulnerability databases (like VulnerableCode) for security risks, evaluate all these findings against an organization’s specific policies, and then generate detailed reports, including SBOMs in industry-standard formats like SPDX and CycloneDX. It acts as an orchestrator, integrating various specialized open-source tools into a cohesive workflow.

A major advantage and a key differentiator highlighted by the OpenChain project is ORT’s robust and readily available testing infrastructure.

Currently ORT-Server have OCCTET Test Instance. This instance allows companies to easily create and run full, end-to-end simulations of their entire software supply chain. The most effective way to test is by taking an identical “dummy repository”—which are publicly available online, designed to be more complex than a simple “Hello World” and contain realistic dependencies—and running it through various compliance tools. By processing the same dummy repository through ORT’s full pipeline, users can then compare the results generated by different tools, verify ORT’s accuracy, and confirm that their entire compliance workflow is functioning as expected. This allows for clear benchmarking, showcasing, and collaborative testing of compliance processes.

You can also manage the output of ORT and show results in a tools like Grafana which can be very helpful for the management so they can easily identify when some red flag is shown on their platform.

 

 

 

 

Mar 26

AGL Assessment Automation – Overview and Insights

By Featured

The discussion revolved around how to effectively manage Software Bill of Materials (SBOMs) in the automotive and embedded software industries, which are complex and critical. The core challenge is that without automated SBOMs, managing risks across many software parts is extremely difficult, especially given regulatory requirements and complex supply chains.

A key focus was on leveraging existing open-source tools and frameworks to streamline this process. Automotive Grade Linux (AGL), a non-profit open-source Linux project for automotive systems, was highlighted as a strong starting point. By combining AGL with Yocto (a build toolchain), the presenters proposed a robust foundation for embedded SBOM operations. During the session it was also mentioned that no certification is required for AGL even for production used which is huge advantage.

The main idea was to build an automated system for assessing SBOMs, called AGL Assessment Automation (AAA). Its purpose is to create a reference system and share best practices for SBOMs in these industries. This involves:

  • Validating policy-based assessment automation within the AGL Continuous Integration (CI) system.
  • Adopting cybersecurity best practices from organizations like OpenSSF and CNCF, covering aspects like SBOM lifecycles and SLSA (Supply-chain Levels for Software Artifacts).
  • Targeting SPDX 3.0 JSON as the preferred SBOM format (which is Yocto-compatible).
  • Collaborating with various open-source communities like Yocto, OpenSSF, OpenChain, and SPDX.
  • Utilizing open-source, reusable toolchains.

The presentation showed a best-case implementation flow for SBOMs, involving steps like generating, verifying, analyzing, enriching, and sharing SBOMs, with a continuous focus on risk management and vulnerability monitoring. A crucial pipeline example demonstrated building an SBOM from AGL, verifying it, analyzing risks, enriching it with more data, attesting its validity, and finally publishing it.

For risk analysis, the proposed system would normalize SBOM data from various sources (like Yocto environments generating SPDX 2 or 3) and then use a policy engine, such as OPA (Open Policy Agent), to perform policy-based risk analysis against defined policies.

Initial proof-of-concept work showed promising results, particularly in validating Yocto SPDX 3 SBOMs generated from AGL. While tools for SPDX 3.0 validation are still emerging, a simple validator was implemented as a proof-of-concept.

Looking ahead, the next steps include exploring different policy engines like OPA or OSS Review Toolkit (ORT), enhancing CVE/VEX operations within the Yocto ecosystem, and further integrating SLSA for improved software supply chain security.

 

 

 

Mar 26

CRA tooling for SMEs by the OCCTET project

By Featured

The goals of the OCCTET project are:

  1. Help SMEs understand and apply the CRA: Make it simpler for SMEs(Small and Medium-sized Enterprises) to know what the rules are and how to follow them, which will improve their overall cybersecurity.
  2. Automate handling of Open Source Software (OSS) components: Develop tools that can automatically check open source parts of software for compliance.
  3. Increase visibility and impact: Make these tools widely available and promote a shared approach to data, using open source solutions themselves.

How OCCTET plans to achieve this (the Toolkit):

The project offers a step-by-step process:

  1. Input: SMEs or developers upload their project and its open source parts for analysis.
  2. Eclipse Apoapsis (Security and Compliance Automation Platform): This platform manages the scanning process and collects information from various tools, like ORT (Open-Source Review Toolkit).
  3. OSS Review Toolkit (ORT): This is the core tool that scans software, identifies dependencies, licenses, and vulnerabilities.
  4. OCCTET Tools: Additional tools within OCCTET include a Compliance Checklist, a Conformity Evaluation Tool, and a Reporting Tool.
  5. Output: Finally, a CRA Readiness Report is generated, giving an overview of compliance and suggesting next steps.

Key components and standards discussed:

  • ORT-SERVER: This seems to be a central hub for compliance, connecting to various package management systems (like Java, Node, Python), pulling data on vulnerabilities, community metadata, and different report formats (SPDX, CycloneDX). It also includes an “Evaluator rule engine” and tools like ScanCode for code analysis.
  • Standards are crucial: The presentation emphasized that good data is useless without good standards. They highlighted the use of:
    • PURL (Package-URL) for identifying software packages.
    • SPDX License expressions for licenses.
    • SBOMs (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange), using formats like CycloneDX and SPDX for SBOMs, and CSAF/CycloneDX for VEX/VDR.
  • OCCTET Curator: This is a web application with AI integration to help manage security vulnerabilities, generate reports (SBOM, VEX/VDR), and support users in managing their open source components.

CRA Self-Assessment and Timeline:

The project includes an OCCTET CRA Self-Assessment Platform (cra.occet.eu), which is a free web tool. It guides users through three questionnaires:

  1. Applicability & Role: “Does CRA apply to me?” – Helps identify if the regulations apply, based on company role (manufacturer, importer, distributor) and product type, and clarifies exclusions.
  2. Classification & Conformity Route: “What level of assurance do I need?” – Helps classify the product (Default, Important, Critical) and determine the required conformity assessment (self-assessment, third-party, or certification).
  3. Readiness & Maturity Checklist: “How prepared am I?” – Evaluates current practices against CRA security requirements, assessing maturity (Basic, Intermediate, Advanced) and providing tailored improvement recommendations. This generates a visual readiness score, highlighting areas needing attention.

Overall, the OCCTET project is a European initiative, co-funded by the EU, aiming to create comprehensive tools and resources to simplify open source compliance and cybersecurity for SMEs, especially in light of upcoming regulations like the CRA. It focuses on practical, automated solutions and clear guidance to help businesses navigate these complex requirements. During the presentation it was also mentioned that OCCTET can be even installed on local machine which definitely can make it popular and more people can decide to try it.

Mar 26

ORT Server at Bosch used in One Pipeline/Service for your Compliance – OCaaS

By Featured, News

Bosch’s OCaaS: The “All-in-One” Solution for Streamlined Open Source Compliance and Security

In today’s software development landscape, Open Source Software (OSS) is an indispensable component, integral to nearly every technological advancement. However, its widespread adoption introduces significant complexities, particularly regarding legal compliance and security. Recent data underscores this challenge: according to Synopsys’s Open Source Security and Risk Analysis Report 2025, 97% of all codebases contain OSS, with 56% presenting license conflicts, 86% harboring at least one known vulnerability, and a staggering 91% including OSS components more than 10 versions behind their latest release. These figures paint a clear picture of the inherent risks and compliance burdens facing organizations.

For companies deeply invested in software development, fundamental questions arise:

  • “What is inside my software?”
  • “Can I legally release my product?”
  • “Is my product secure over time?”

Addressing these critical concerns effectively and efficiently has become paramount. This is precisely where Bosch’s OCaaS (Open Source Compliance as a Service) emerges as a transformative solution. Presented at the “OpenChain and Friends 2026: OS Compliance and OSPO” event, OCaaS stands out by consolidating various compliance and security functionalities into a single, unified platform, significantly easing the burden on its users.

OCaaS: Consolidating Complex Processes Under One Umbrella

The true power of Bosch’s OCaaS lies in its integrated approach. Rather than relying on a disparate collection of tools for different aspects of OSS management, OCaaS brings everything together, offering an end-to-end solution that simplifies intricate processes for its clients. This “one-stop-shop” model is crucial for navigating the complexities of modern software development.

Let’s break down the comprehensive workflow offered by OCaaS:

  1. Analyzer: The initial step involves meticulously identifying all dependencies within the software, creating a clear map of every Open Source component.
  2. Scanner: Following dependency identification, the system scans the source code for potential issues, proactively pinpointing both license and security risks.
  3. Advisor: This component then leverages intelligence to identify known vulnerabilities (CVEs) associated with the discovered OSS components.
  4. Evaluator: OCaaS applies pre-defined compliance and security policies, evaluating whether the software adheres to internal standards and external regulations.
  5. Reporter: Finally, detailed and actionable reports are generated, providing a transparent overview of the software’s compliance and security status.

The extensive capabilities of this  workflow are delivered through over 20 integrated plugins, incorporating industry-leading tools like ScanCode, FOSSID, VulnerableCode. These plugins not only enable deep-dive analysis but also ensure that the output is in standardized formats, facilitating interoperability and communication across the supply chain. Once this comprehensive process is complete, OCaaS can further integrate its findings with platforms like Fossology for enhanced dependency tracking and thorough documentation management.

The Unmatched Value Proposition of OCaaS for Clients

Bosch’s OCaaS offers several distinct advantages that are particularly beneficial for organizations grappling with OSS management:

  • Unparalleled Simplification: This is the core benefit. Instead of forcing clients to procure, integrate, and manage a multitude of individual tools for different aspects of OSS compliance and security, OCaaS delivers a single, cohesive platform. This drastically reduces operational complexity, shortens learning curves, and minimizes the overall cost of ownership.
  • Comprehensive Coverage: OCaaS ensures that no stone is left unturned. From initial component discovery to final report generation and ongoing dependency tracking, it provides a full lifecycle management solution, offering peace of mind that all aspects of OSS are being addressed.
  • Enhanced Automation: By automating a significant portion of the analysis and evaluation process, OCaaS not only speeds up compliance checks but also drastically reduces the potential for human error, leading to more consistent and reliable results.
  • Clarity and Transparency: The detailed reports generated by OCaaS provide crystal-clear insights into the software’s composition, potential risks, and compliance posture. This transparency is invaluable for internal stakeholders, legal teams, and external auditors.
  • A Vision for the Future: Bosch’s commitment to OCaaS extends to continuous improvement. Planned next steps include:
    • Package Manager Independence: Further simplifying usage by making OCaaS compatible regardless of the specific package manager employed.
    • ChatBot Integration and AI Optimization: Leveraging artificial intelligence for more intuitive interactions and enhanced analytical capabilities.
    • A More Attractive Community: Fostering a vibrant community of users and contributors to drive collaborative innovation.
    • Curation UI: Developing an improved user interface for manual data curation, offering greater control and flexibility.

Conclusion

Bosch’s OCaaS represents a significant leap forward in addressing the intricate challenges of Open Source Compliance and Security. By ingeniously combining numerous specialized functionalities and powerful tools under a single, user-friendly platform, it doesn’t just answer the fundamental questions for software development teams; it transforms the entire process. OCaaS simplifies complexity, mitigates risks, and empowers organizations to fully harness the benefits of open source, ensuring their products are not only innovative but also legally compliant and secure.

 

Mar 26

How to distribute containers FOSS compliantly

By Featured

There was a discussion regarding the legal and technical challenges surrounding open-source license compliance when distributing container images. The discussion highlighted the growing importance of understanding the layered structure of containers and the responsibilities associated with their distribution.

The Anatomy of a Container Image

Container images are essentially stacked layers. A typical image starts with a base layer containing fundamental system requirements like a C library, package manager, and shell. Subsequent layers add applications and libraries, and the top layer often involves customizations, including removing or modifying components. While a container’s runtime view might show a consolidated result, all underlying components remain present within it.

The Compliance Conundrum in Containers

The core challenge from a legal compliance standpoint is that it’s often unclear what software is actually distributed within a container. Most containers heavily rely on Free and Open Source Software (FOSS), and with FOSS, come license obligations. These obligations include providing license texts, legal notices, and sometimes even the source code and build instructions. Public container repositories frequently lack this crucial compliance information, yet the responsibility for fulfilling these obligations ultimately rests with the distributor, not necessarily the repository owner.

Who is the Distributor?

A key point emphasized was the legal interpretation of “distributor.” When a recipient executes a Containerfile (a script to assemble a container image), software is downloaded directly. The entity that “controls the distribution” is considered the distributor. This means that merely distributing a Containerfile can be legally equivalent to distributing software, triggering all associated license compliance duties.

OSADL’s Approach to Compliant Base Images

To address these complexities, the presentation introduced the concept of an OSADL Base Image. This is a minimal image built upon a Linux distribution, providing essential GNU tools, shell, C-lib, package manager, and networking functionalities. Crucially, it’s designed with license compliance in mind, including:

  • Source code of all packages
  • License texts and copyright notices
  • Legal notices

OSSelot and FOSSology: Tools for Streamlined Compliance

The presentation highlighted the roles of OSSelot and FOSSology in achieving compliance:

  • OSSelot is a publicly available, trusted database providing curated compliance information for frequently used FOSS components. It significantly reduces the time needed to “clear” a software package by allowing the reuse of pre-vetted licensing and copyright data.
  • FOSSology is used in conjunction with OSSelot. The process involves:
    1. Using the OSSelot REST API to identify available OSSelot data for a container’s source packages.
    2. Uploading the OSSelot versions of packages into FOSSology, which then automatically clears the entire package.
    3. Uploading container source packages into FOSSology, running scanners, and reusing relevant OSSelot uploads to clear remaining files and copyrights.

Immediate vs. Delayed Source Code Disclosure

The OSADL Base Image offers two main approaches for source code disclosure:

  • Immediate disclosure: All source code and legal information are included directly within the image. This approach simplifies access but can significantly increase the image size.
  • Delayed disclosure: Only extracted compliance material, legal notices, and a written offer are included in the image. The full source packages with rebuild instructions are provided separately for later delivery. This method results in smaller container images but requires a separate mechanism for source code provision.

Both approaches ensure that instructions on how the base image is created and how it can be used are consistently provided.

As recommendation it was also mentioned that best practice would be FOSS compliance to be made layer by layer, meaning once you take for example OSADL Base Image then in order to make your own app you need to add few layers so its better to handle FOSS compliance after each layer instead of keep adding them until you reach the final product and handling this huge container with several layers in total in regards to FOSS compliance which would be harder and more time consuming.

 

Mar 26

Navigating the Open Road: An Enterprise Approach to FOSS Compliance and Collaboration

By Featured, News

At a recent discussion focused on open source compliance and management within large organizations, attendees were given a fascinating glimpse into how a prominent global enterprise is seamlessly integrating Free and Open Source Software (FOSS) into its core operations. The insights shared painted a clear picture of a forward-thinking approach, where FOSS is not just tolerated but actively embraced as a strategic advantage.

The overarching sentiment conveyed was that FOSS is no longer an optional add-on but a standard practice, viewed as a smart business investment. Leadership within the enterprise explicitly states that utilizing and contributing to open source not only helps reduce costs but also cultivates a thriving open-source culture and fulfills a crucial social responsibility. The commitment extends to actively contributing to open source, rather than just consuming it, and sharing internally developed code, positioning the organization as a pioneer in the field.

This commitment is codified in a clear “FOSS Manifest,” guiding both the company’s actions and its employees’ behaviors. For the organization, this means supporting and empowering employees to use, contribute to, and create FOSS projects, dedicating time for FOSS activities, and ensuring visibility within Open Source communities. Employees, in turn, are encouraged to seek out Open and Inner Source alternatives, actively participate in these communities, contribute to relevant projects, and act responsibly, ensuring respectful communication and positive engagement.

A key component of this enterprise’s strategy is establishing robust transparency throughout the software supply chain, primarily through the systematic use of FOSS Software Bill of Materials (SBOMs). The process was described as a well-orchestrated flow: software suppliers deliver their FOSS SBOMs to a dedicated Disclosure Portal. These are then reviewed and approved by product owners and technical governance teams. Once approved, this critical information is used to disclose FOSS components in various products, from applications and mobile apps to the actual vehicles, fostering trust with consumers and users. This meticulous process ensures all FOSS components are properly identified, licensed, and disclosed, effectively mitigating compliance risks.

The discussion further detailed a structured approval process for integrating FOSS, whether from internal teams or external suppliers. It begins in the planning phase, where FOSS policy rules are aligned during purchasing and contractual terms are established. The “Build” phase involves developers generating, reviewing, and refining SBOMs as the software is created, with a final check before release. The “Run” phase marks formal approval and release. For compliant releases, regular review functions are in place, with initial approval being crucial and re-approval required after significant changes or defined periods. This ensures continuous adherence to established policies.

The benefits of this comprehensive system extend to various stakeholders. Product owners gain from standardized SBOM exchange in ISO format, automation through REST APIs and Command Line Interfaces for seamless integration into Continuous Integration/Continuous Delivery pipelines, and access to a comprehensive license database for legal guidance. The system incorporates policy rules and quality checks for obligations management, boasts a user-friendly design, and can automatically generate disclosure notices.

Suppliers also find significant advantages. The Disclosure Portal digitizes the submission of SBOMs, moving away from manual template-filling. They can integrate directly with the portal’s API from their build pipelines. This transparency and policy support allow suppliers to align with their customer’s requirements much earlier in the development lifecycle. Interestingly, the Disclosure Portal and its associated tools are themselves open source, encouraging suppliers to adapt them for their own needs and even contribute back to the project, fostering a truly collaborative ecosystem.

In summary, the insights shared showcased a sophisticated and proactive approach to managing Open Source Software. It demonstrated how a major enterprise can not only leverage the numerous benefits of FOSS but also establish a framework that ensures compliance, promotes transparency, and encourages collaboration across its entire software development and supply chain, setting a compelling example for others in the industry.