The OpenChain Security Assurance Specification 1.1 self-certification checklist is now available. This is designed to help organizations adopt the de facto standard for open source security assurance. Organizations using this self-certification process will also meet the requirements of the specification when it graduates the ISO/IEC JTC-1 PAS Transposition process, with an estimated arrival time of that International Standard in mid-2023.
The checklist contains a series of “yes” or “no” statements. If you can answer “yes” to everything, you are self-certified. If you answer “no” to some items, you know where to invest further time to build a quality program.
This checklist is licensed under CC-0 (effectively public domain), so you can take it, integrate it, and remix it without any restrictions. You do not even have to provide attribution.
The OpenChain Project has been very active since its formal launch in late 2016. Our global community has built an ISO/IEC standard for license compliance and launched a de facto (and soon to be ISO/IEC) standard for security. We have contributed to SBOM, OSPO, training, policy and other discussions. We built the world’s largest library of open source management reference material.
To reflect our growth and to make it easier to navigate the project we are going to make some adjustments to our work groups. Nothing too radical, but definitely something to help people find their way around more quickly, and to get the information they want faster. The image above contains a summary of the evolution approved by our Governing Board at their last meeting in September, and targeted for release during October 2022.
The changes?
The Specification Work Group will split into two parts – a Licensing Work Group for ISO/IEC 5230 and a Security Work Group for the Security Assurance Specification.
The Education Work Group and Outreach Work Group will combine into the Education Work Group.
We will launch a new Export Control Work Group and a new Policy Work Group. The former will help to navigate issues around increasing international trade tensions. The latter will help us provide strategic advice around the highest level of planning for open source in legislation and business.
The dormant Conformance Work Group will be wound down and discussions regarding self-certification moved to the Education Work Group, with discussions about the nuance of conformance parameters moved to our Steering Committee.
Finally (if there are no objections), we will re-brand the Reference Tooling Work Group to the Automation Work Group to help guide people hearing about automation to the right solutions.
The OpenChain Automotive Work Group will host its next meeting as a virtual event on the 11th of November between 16:00-17:00 JST (2022-11-11 07:00 UTC). Everyone is welcome and there is no need to register. We will host the meeting in our usual Zoom room: https://zoom.us/j/4377592799
Draft Agenda
(1) Introductions
(2) Automotive news in 2022
(3) IP news relevant to industry
(4) Developments in OpenChain
– Security Assurance Spec enters ISO in October
– License Compliance Spec entering review in October
– Company Playbooks (Small, Medium, Big)
– New conformance support (online, checklists)
(5) Discussion: What is missing to support the industry
(6) Discussion: Make plan to fill industry support gaps
(7) Discussion: Schedule for next steps
(8) Close of meeting
The OpenChain Project kicked off its new monthly community call series with the latest news around our specification, SBOMs, OSPOs and automation, before proceeding to a behind-the-scenes on our security specification ISO/IEC submission and an interactive session on updating key website materials like the FAQ and path to conformance. Ana from TODO dropped by to share the OSPO news this time around.
We always follow this agenda:
1 Introductions
2 Specification (process standards) news
3 SBOM news
4 OSPO news
5 Automation news
6 Community feedback and comments – issues for standards and core supporting material
7 Community feedback and comments – issues for reference and supporting material
8 Community feedback and comments – issues to support other projects
9 Any other business
10 Close of meeting
You can join our monthly calls (and all our other calls and events) via the OpenChain calendar. The monthly calls take place on the first Tuesday at 16:00 UTC (US/Europe) and the third Tuesday at 01:00 UTC (US/Asia):
The OpenChain Security Assurance Specification 1.1 is being prepared by the Joint Development Foundation for submission to ISO/IEC JTC-1 via the PAS Transposition Process. We expect the specification to graduate as an ISO/IEC International Standard in mid-2023. Meanwhile, it is ready for market adoption as a de facto industry standard.
Like OpenChain ISO/IEC 5230, the International Standard for open source license compliance, the OpenChain Security Assurance Specification 1.1 is lightweight, easy to read and will be extensively supported by our global community with free reference material and conformance resources.
The OpenChain Project is delighted to announce the launch of our latest playbook. Focused on small companies, and created by the Education Work Group over the summer, this playbook helps you to contextualize the tasks involved with OpenChain ISO/IEC 5230 adoption. It is short, simple and directly relevant to things like:
Getting management support
Creating realistic policy and processes
Operating an open source program office (OSPO) with low resources
Ensuring you have the key requirements of a quality license compliance program
While targeted towards small companies, the concepts used in this document are useful for medium and large companies as well. Think of this as a “minimum viable product” when it comes to considering compliance programs and open source program offices.
As with all our reference material, this playbook is available free of charge and under CC-0 licensing (effectively public domain). It is currently published as a PDF, Word Document and in Open Document Format. More formats will be coming in the future.
The OpenChain Reference Tooling Work Group holds meetings on a bi-weekly schedule. These are designed to allow anyone with an interest in open source tooling for open source compliance to learn more, share ideas, and contribute knowledge. All levels of experience are welcome.
Our new regular schedule is:
First Wednesday @ 08:00 UTC
Third Wednesday @ 16:00 UTC
The OpenChain Partner webinars are pre-recorded broadcasts intended to help educate and inform our global community about commercial services available around ISO/IEC 5230. Each webinar is geo-tagged so you can see which primary location it covers.
Learn about SecTrend (China) on the 4th of October @ 15:00 UTC.
Learn more about Bitsea (Germany) on the 18th of October @ 15:00 UTC.
Learn more about PwC (Worldwide) on the 29th of November @ 15:30 UTC.
Check your timezone:
PDT United States Pacific UTC-07:00
UTC Coordinated Universal Time UTC
CET Central European Time UTC+01:00
IST India Standard Time UTC+05:30
CST China Standard Time UTC+08:00
KST Korea Standard Time UTC+09:00
JST Japan Standard Time UTC+09:00
Join via one tap mobile:
+86 10 8783 3177,,4377592799# Mainland China
+33 1 8699 5831,,4377592799# France
+49 69 7104 9922,,4377592799# Germany
+81 524 564 439,,4377592799# Japan
+82 2 3143 9612,,4377592799# Korea
+91 80 71 279 440,,4377592799# India
+886 (2) 7741 7473,,4377592799# Taiwan
+44 330 088 5830,,4377592799# UK
+13017158592,,4377592799# USA
The OpenChain Germany Work Group will hold its next meeting in collaboration with PwC in Cologne, Germany on the 16th of November 2022. This meeting is open to all and will have plenty of time for networking and sharing knowledge. Find out more by contacting us.
Agenda:
11:00 – 11:15 Welcome (all)
11:15 – 12:00 Introduction to OpenChain Project, news and way forward (Shane)
Moorcrofts LLP and its sister compliance company Orcro Limited, as OpenChain partners, invite you to join us at the next meeting of the OpenChain UK Work Group, taking place both virtually and physically (Beck Greener, London) on Thursday 13 October, 11:00 – 13:00.
The keynote speaker for the event will be Liz Rice, Chief Open Source Officer with eBPF specialists, creators of the Cilium cloud native networking, security and observability project.
Liz is a member of the Open UK Board and was chair of the CNCF’s Technical Oversight Committee 2019-2022, and co-chaired the KubeCon / CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle. She is also the author of Container Security, published by O’Reilly.
She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, competing in virtual races on Zwift, and making music under the pseudonym Insider Nine.
Agenda
11:00: Welcome and introduction by Andrew Katz (Orcro) & Sami Atabani (Arm)
11:10: News and Updates by Shane Coughlan (Linux Foundation)
11:25: OpenChain UK Work Group: Plans by Andrew Katz (Orcro) & Sami Atabani (Arm)
11:45: Liz Rice Key Note
12:45: AOB
13:00: Thank you and goodbye!
OpenChain, a project of the Linux Foundation, brings established governance principles to the software supply chain. It adopts best-practice from other compliance areas and maps them to software procurement, giving businesses a clear path to minimising infringement risk in procuring, developing and deploying software, with particular emphasis on use and re-use of free and open source software (“FOSS”) components. The result is that open source licence compliance becomes more predictable, understandable and efficient for all participants in the software supply chain.
Why Join?
A stellar roster of international businesses has adopted the OpenChain framework for Open Source compliance and is seeing the benefits of adopting best-practice: helping business teams work together towards a common goal, making Free and Open-Source Software (FOSS) more accessible to developers, and reducing overall compliance effort, saving time, legal and engineering resources. It therefore makes sense to unify and freely share this work, and to help embed it into the UK’s software development culture.
With this in mind, the OpenChain UK Work Group was born. It is free to join, and open to anyone (whether in the UK or otherwise) interested in finding out more about why companies as diverse as Arm, Google, Scania, Hitachi Data Systems, Toyota, Facebook, Uber and Microsoft are embracing OpenChain, as well as smaller companies like B2M Solutions and NewRoCo. The group also aims to help developers’ and organisations’ journey through open source compliance by providing a practical and accessible platform for anyone in the UK to quickly sync, share information and save time across all aspects of open source compliance.
Book Now
To reserve your free place at either the physical or virtual meeting, on 13 October from 11:00 – 13:00, please complete the online booking form.