We held our regular Monthly North America and Europe Call this week. The focus was on discussing the Public Comment period for our draft proposed updates to the licensing and security specifications.
Check Out The Recording
We keep all the slides from our monthly calls online and they can be a useful way to access direct links and more details:
OpenChain Project Announces Public Comment Period for Draft Updates to Compliance and Security Specifications
Starting 2024-06-19 ~ Ending 2024-12-19
The OpenChain Project has announced the beginning of its six month Public Comment Period for proposed draft updates to the open source license compliance (ISO/IEC 5230:2020) and open source security assurance (ISO/IEC 18974:2023) specifications.
During the Public Comment Period everyone is invited to review and comment on the specifications. As an open project developing open standards, we host the draft documents on our GitHub repositories.
You can comment on this process by joining our monthly calls or via our Specification Mailing list. You can also leave comments via GitHub issues as detailed below.
The OpenChain Project has announced the beginning of its six month Public Comment Period for proposed draft updates to the open source license compliance (ISO/IEC 5230:2020) and open source security assurance (ISO/IEC 18974:2023) specifications.
During the Public Comment Period everyone is invited to review and comment on the specifications. As an open project developing open standards, we host the draft documents on our GitHub repositories.
You can comment on this process by joining our monthly calls or via our Specification Mailing list. You can also leave comments via GitHub issues as detailed below.
A brief outline of our current steps is that the project will:
Open a Public Comments Period nine months before our target completion date. This runs for 6 months and only accepts minor updates such as typos or grammar corrections that do not change the requirements of the content. We do not accept any material changes during this period. All other feedback and recommendations are queue for consideration during the next version release cycle.
Open a Freeze Period three months before our target completion date to allow a 3 month review of any changes made during the Public Comments Period.
If a consensus expresses concerns over any changes made during the Public Comments period we would
i) make changes to accommodate those concerns followed by
ii) an additional 14 day Public Comments period; followed by
iii) another 14 day Freeze period. Anyone with significant reservations on the final draft should state their position/concerns via the spec mailing list. The changes will be accepted once we achieve consensus for the final draft.
In the event we do not have consensus on the final version – we would repeat the following cycle until we have consensus:
i) accommodate changes to address majority concerns;
ii) 14 day Public Comments period; followed by
iii) a 14 day Freeze period cycle.
Send the completed draft specification to the OpenChain Steering Committee for formal review and a vote on whether to accept the community recommendations for an updated or new specification.
In principle, we target updates to our ISO standards once every five years
Please Note: the final decision on content and release of OpenChain Project specifications lies with the OpenChain Steering Committee.
The OpenChain Project collaborated with OpenForum Europe (OFE) on a three-part series of webinars covering European policy matters that impact open source, business processes and risk management. These webinars took place between May and June 2024, and are intended to provide a simple, clear and unbiased look at the impact recent European Union policy will have on companies in the open source supply chain.
Our Speaker is Ciarán O’Riordan, Senior Policy Advisor at OFE. His background is as a free software / open source software policy and communications expert.
The EU Cyber Resilience Act
More Details
“The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products. Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.” https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
The EU AI Act
More Details
“The AI Act is the first-ever legal framework on AI, which addresses the risks of AI and positions Europe to play a leading role globally. The AI Act aims to provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens for business, in particular small and medium-sized enterprises (SMEs).” https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
The EU Product Liability Directive
More Details
“European Union reached provisional (political) agreement on the text for the proposed revision of the EU’s Product Liability Directive 85/374/EEC (PLD). The PLD establishes a strict liability (i.e., no fault) regime to enable claimants to seek compensation for defective products across the EU, meaning claimants do not need to establish fault to claim successfully. As a result, it is the preferred way of making product liability claims in the EU. The revision is a significant development, as the PLD dates back to 1985 and has been virtually unchanged for nearly 40 years – with only very minor amendments in 1999.” https://products.cooley.com/2023/12/21/new-product-liability-laws-one-step-closer-in-europe/
About OpenForum Europe (OFE), Our Partners in this Series
OFE is a not-for-profit, Brussels-based independent think tank which explains the merits of openness in computing to policy makers and communities across Europe. Originally launched in 2002 to accelerate and broaden the use of Open Source Software (OSS) among businesses, consumers and governments, OFE’s focus has since evolved to also cover issues related to Open standards, Cybersecurity, Digital Government, Public Procurement, Intellectual Property, Cloud Computing and Internet Policy. https://openforumeurope.org/
More About Our Webinar Series
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Today at the launch event for openEuler 24.03 LTS it was announced that openEuler has adopted OpenChain ISO/IEC 18974, the international standard for open source security assurance. This announcement from the OpenAtom Foundation and the openEuler community builds on previous collaboration with the OpenChain Project and peers in the technology industry to promote effective, efficient supply chain management. The OpenChain Project, part of The Linux Foundation ecosystem, builds ISO standards, creates reference material for their adoption, and facilitates a diverse global community of organizations collaborating to improve open source process management.
“It’s a proud moment to announce the release of openEuler 24.03 LTS. This journey has been all about building a secure, compliant, and sustainable operating system community,” says Xiong Wei, Executive Director of openEuler. “Achieving ISO 18974 self-certification from OpenChain Project is a testament to our unwavering commitment to security and excellence. This certification recognizes our top-tier standards in development processes, software supply chain, risk assessment, management, and developer security capabilities. This milestone is not just a badge; it’s a reflection of the hard work, dedication, and collaboration within our community. I want to extend my heartfelt thanks to everyone involved in this journey. Your efforts have made this achievement possible.”
“openEuler’s adoption of OpenChain ISO/IEC 18974 is a significant milestone for the professionalization of open source software,” says Shane Coughlan, OpenChain General Manager. “The OpenChain standards are designed to support process management across organizations or communities of any scale, and the growing community of conformance around ISO 5230 for license compliance and ISO 18974 for security assurance validates that model. We are delighted to work closely with our partners in openEuler in building a more professional, sustainable and accountable supply chain.”
OpenAtom and openEuler have also released a case study explaining the benefit and impact of OpenChain ISO/IEC 18974 adoption.
openEuler is an open source, free Linux distribution platform. The platform provides an open community for global developers to build an open, diversified, and architecture-inclusive software ecosystem.
About the OpenAtom Foundation
The OpenAtom Foundation is a non-profit organization dedicated to promoting the development of the global open source community. It was founded in Beijing in June 2020.
The OpenAtom Foundation is committed to being a developer-oriented open source project incubation platform as well as a technology public welfare service organization. It follows the principles of co-construction, co-governance, and sharing, systematically builds an open and collaborative framework, establishes an international open source community, facilitates industry collaboration, and empowers various industries.
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
This case study has been published alongside the formal announcement that openEuler has adopted OpenChain ISO/IEC 18974, the international standard for open source security assurance at the openEuler 24.3 LTS launch event.
“It’s a proud moment to announce the release of openEuler 24.03 LTS. This journey has been all about building a secure, compliant, and sustainable operating system community,” says Xiong Wei, Executive Director of openEuler. “Achieving ISO 18974 self-certification from OpenChain Project is a testament to our unwavering commitment to security and excellence. This certification recognizes our top-tier standards in development processes, software supply chain, risk assessment, management, and developer security capabilities. This milestone is not just a badge; it’s a reflection of the hard work, dedication, and collaboration within our community. I want to extend my heartfelt thanks to everyone involved in this journey. Your efforts have made this achievement possible.”
“openEuler’s adoption of OpenChain ISO/IEC 18974 is a significant milestone for the professionalization of open source software,” says Shane Coughlan, OpenChain General Manager. “The OpenChain standards are designed to support process management across organizations or communities of any scale, and the growing community of conformance around ISO 5230 for license compliance and ISO 18974 for security assurance validates that model. We are delighted to work closely with our partners in openEuler in building a more professional, sustainable and accountable supply chain.”
About the openEuler Project
openEuler is an open source, free Linux distribution platform. The platform provides an open community for global developers to build an open, diversified, and architecture-inclusive software ecosystem.
About the OpenAtom Foundation
The OpenAtom Foundation is a non-profit organization dedicated to promoting the development of the global open source community. It was founded in Beijing in June 2020.
The OpenAtom Foundation is committed to being a developer-oriented open source project incubation platform as well as a technology public welfare service organization. It follows the principles of co-construction, co-governance, and sharing, systematically builds an open and collaborative framework, establishes an international open source community, facilitates industry collaboration, and empowers various industries.
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
On the 28th of May 2024, 07:00 UTC there was a special briefing from OpenForum Europe (OFE) on the EU AI Act. It is part of a series provided by OFE on European policy matters that impact open source, business processes and risk management.
More Details
“The AI Act is the first-ever legal framework on AI, which addresses the risks of AI and positions Europe to play a leading role globally. The AI Act aims to provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens for business, in particular small and medium-sized enterprises (SMEs).” https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
Our Speaker is Ciarán O’Riordan, Senior Policy Advisor at OpenForum Europe. His background is as a free software / open source software policy and communications expert.
OFE is a not-for-profit, Brussels-based independent think tank which explains the merits of openness in computing to policy makers and communities across Europe. Originally launched in 2002 to accelerate and broaden the use of Open Source Software (OSS) among businesses, consumers and governments, OFE’s focus has since evolved to also cover issues related to Open standards, Cybersecurity, Digital Government, Public Procurement, Intellectual Property, Cloud Computing and Internet Policy. https://openforumeurope.org/
More in the OFE Series
We held three special briefings from OFE for the OpenChain community from May to June 2024.
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Socionext, a semiconductor and System on a Chip (SOC) company based in Japan, has completed recertification of OpenChain ISO/IEC 5230:2020 as per the 18 month cycle required by the specification. This recertification process helps to review processes and ensure they are current.
“The adoption of OpenChain standards is one important step in managing the supply chain,” says Shane Coughlan, OpenChain General Manager. “However, periodic recertification is another critical building block in creating trust. As companies evolve and markets change, the best companies adapt against clear, unambiguous measures like OpenChain ISO/IEC 5230:2020, the International Standard for open source license compliance.”
The OpenChain AI Study Group held its regular monthly workshop on the 7th of May. This workshop covered a lot of ground, including new contributions from participants like Fujitsu, and an overview of the latest new about the OSI Open Source AI Definition from their Executive Director.
Track This Work
You can follow and contribute to the work of the OpenChain AI Study Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
Both issue are read to close pending any objections, and therefore there is a two-week period – before the forthcoming North America / Asia call – to review and add any notes.
We also opened one new issue for review in future calls:
May is coming fast, and ahead of that it is time to catch up on the recording of the most recent North America / Asia call, where we edited proposed next generation versions of our licensing and security specifications.
