Category: Featured

OpenChain Q2 Mini-Summit – 2021-06-14 @ 14:00 UTC

By Featured

The OpenChain Q2 Mini-Summit will be held on the 14th of June at 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST.

This three-hour event will have two live collaboration sessions.

We will open with one hour for the OpenChain education work team. The focus will be on a final review of the online course and a discussion of what education work we should do next. This will be led by Balakrisha, chair of the education work team.

We will continue with a two-hour live-editing session for the OpenChain ISO 5230 security usage reference document. The goal will be to have an output that our community can immediately use when applying OpenChain ISO 5230 in security contexts. This discussion will be led by Mark, chair of the specification work team.

Everyone is welcome to the event and encouraged to attend. There is no registration or fee required to access it. Your thoughts and requests for additional activities during the event are also welcome.

Dial in:

OpenChain Partner Mini-Summit – 2020-06-14 @ 07:00 UTC

By Featured

The OpenChain PARTNER Mini-Summit will be held on the 14th of June at 07:00 UTC / 00:00 PST / 08:00 BST / 09:00 CEST / 12:30 IST / 15:00 CST / 16:00 KST / 16:00 JST.
The two-hour Mini-Summit will start with a discussion about the customer journey, followed by presentations from partners, and end with an open discussion about setting client expectations.

Andrew Katz of Orcro will facilitate the customer journey discussion.

Our partner presentations will be:

  • Gilles Gravier and Reza Alvavi from WIPRO
  • Nicole Pappler from AlektoMetis
  • Martin Callinan from Source Code Control

We will end with the roundtable on client expectations moderated by Shane Coughlan of the OpenChain Project.

Join without registration and for free via Zoom:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Synopsys Is The Third OpenChain Global Certifier

By Featured

Synopsys has been announced as a global third-party certifier for OpenChain ISO 5230, the International Standard for open source license compliance. They join PwC and TUV SUD in providing such services.

“Establishing trust in open source is a continual journey with growing obligations,” says Jacob Wilson, Senior Security Consultant with the Synopsys Software Integrity Group. “Becoming an OpenChain 3rd party certifier allows Synopsys to promote the ISO/IEC 5230:2020 Standard and OpenChain community.”

“Welcoming Synopsys as a third-party certifier is an important milestone in two respects for the OpenChain Project,” says Shane Coughlan, OpenChain General Manager. “Firstly, they have exceptional reach to provide certification services to a worldwide customer base, and this will be beneficial for both the OpenChain community and the broader open source market. Secondly, as the third entity providing such services, the OpenChain community now has significant freedom of choice when seeking vendor support.”

OpenChain Q1 Survey – Results and Notes

By Featured

It is time to explore the results of our Q1 survey! At the bottom of this post you can download the full document. Let’s check out the highlights:

  1. Engagement and satisfaction are rated as very good or (more frequently) excellent across the board. The vast majority of respondents believe that we are “Very Good” or “Excellent” at putting forward what we are doing and sharing our information, whether that is the business value, conformance, reference materials, or our website. Most importantly, people see us as a community that is easy to engage with and easy to get help from.
  2. Our conformance response revealed something interesting. About half of our respondents are primarily interested in something other than a private check of the health of their compliance program or being listed publicly as having an OpenChain conformant program. This is worth digging into more (and we will), but some preliminary notes are:
    1. Feedback indicates that a relatively small percentage are seeking public announcements regarding conformance at this juncture, regardless of internal compliance activities. Their focus is instead on internal (or inter-supply chain) improvements and conformance.
    2. We additionally have a number of companies engaging with OpenChain ISO 5230 for applications outside of our core scope of conformance for the purpose of license compliance. These include entities engaging for activities related to security, mergers and acquisitions, and other business processes. We knew this from participants on our calls and so on, but it is interesting how many of our community participants appear to fit into this demographic.
  3. About a third of respondents have used our online conformance web app, and those who have used it found it excellent in its ease of use, while about a third of respondents are not interested in getting more help conforming with OpenChain ISO 5230:2020 in the future. From other sources we have indications that this is due to two factors:
    1. People are using the specification directly for conformance or using our downloadable questionnaire.
    2. People are getting assistance from third parties such as participants in our partner program.
  4. We asked broader questions in the survey than those related only to OpenChain. For example, we asked about tooling, software bill of materials and interoperability. The interoperability questions were framed around determining what is important to the community in the context of open source license compliance and interoperability around Software Bill of Materials and/or automation. Respondents overwhelmingly expressed interest in greater interoperability for all tools and automation. This means supporting ingest and export of SPDX. It means greater interoperability between open source tools as well as between open source and proprietary tools.

Now that we know what people want, it is time to make it happen.

You can expect the project as a whole to lean into supporting diverse use cases for OpenChain ISO 5230. You can expect the tooling group to lean into the interoperability question.

And…you are the community. Let’s get started!

Want To Check Out The Full Survey Results?

OpenChain ISO 5230 and SPDX explicitly enter the Scania supply chain via Scania Corporate Standard 4589 (STD 4589)

By Featured

As recently noted by Jonas Oberg, Open Source Officer at Scania, OpenChain ISO 5230 and SPDX have been explicitly included in Scania Corporate Standard 4589 (STD 4589). This defines the expectations Scania has towards suppliers when they deliver a solution containing open source software.

Scania has three key considerations defined in STD 4589:

  1. Suppliers should conform to OpenChain ISO 5230.
  2. Suppliers should ideally contribute modifications to open source components to the originating open source project.
  3. Suppliers should provide a software bill of materials in SPDX format and any applicable source code when the software license requires it.