Featured

This week we have a special AI workshop instead of the regular AI call. It will provide an opportunity to deep dive into the topic with experts from Qualcomm and Arm, and a chance to ask questions or share ideas. This event will fold in all the ideas shared thus far and seek a single coherent narrative. 

The workshop takes place at:

14:00-17:00 UTC, 2024-03-06

You can join here:

• https://zoom-lfx.platform.linuxfoundation.org/meeting/93266805668?password=9bcb7240-0403-48a6-86af-4c80266ab877

One tap mobile:

US: +12532158782,,93266805668#

Meeting ID: 93266805668
Meeting Passcode: 581201

Agenda:

Opening comments (Dave and Matthew)

AI Model supply chain issues (Brian)

• Use cases in context of regulatory backdrop
• Open vs. Proprietary
• War stories
• Roundtable

Dataset supply chain issues (Jeff)

• Use cases and pragmatic practices
• Open vs. Proprietary
• War stories
• Roundtable

Possible Solutions – how can OpenChain best provide value to the ecosystem (All)

Closing (Dave and Matthew)

Circle, a leading global financial technology firm and the issuer of USDC, the world’s largest, regulated U.S. dollar-backed stablecoin, has announced an OpenChain ISO/IEC 5230 conformant program. ISO/IEC 5230 is the international standard for open source license compliance, and provides a clear, globally recognized way to run a quality program to ensure effective, trustable supply chain management.

Circle enables businesses of all sizes to harness the power of digital currencies, public blockchains and open-source technologies for payments, commerce and financial applications worldwide. Circle’s payment stablecoins – USDC and EURC – and platforms are helping to build a new financial system that moves at internet speed, scale and cost.

 “Circle is at the forefront of bringing open internet software into the world of money,” said Trevor Baker, VP Technical Operations. “A digital dollar like USDC is a key technology that supports businesses, developers, and the future of payments. The OpenChain certification represents Circle’s commitment to maintaining the highest compliance standards for open source technology in the financial arena.” 

“The OpenChain certification journey was an incredible return on investment by streamlining our open source processes,” stated Jeff Tang, Circle’s Chief Intellectual Property Counsel. “Circle is excited to help raise the bar in blockchain development.” 

“Adopting ISO/IEC 5230 is fast becoming a litmus test for commitment to industry best practices around open source,” says Shane Coughlan, OpenChain General Manager. “I am delighted to see Circle take leadership in this area, and to provide a strong signal to the FinTech market regarding effective management of open technology. They join companies like KakaoBank in working with our standards, and I look forward to collaborating with the Circle team on next steps for the financial supply chain.”

About Circle Internet Financial, LLC

Circle is a global financial technology firm that enables businesses of all sizes to harness the power of digital currencies and public blockchains for payments, commerce and financial applications worldwide. Circle is the issuer of USDC and EURC – highly liquid, interoperable and trusted money protocols on the internet. Circle’s open and programmable platform and APIs make it easy for organizations to run their internet-scale business, whether it is making international payments, building globally-accessible Web3 apps or managing their internal treasury. Learn more at https://circle.com.

BlackBerry, an early adopter of ISO/IEC 5230:2020 and OpenChain Security Assurance Specification 1.1 (later ISO/IEC 18974:2023), has completed regular recertification for both standards. The recertification was completed in partnership with OSS Consultants, an official OpenChain Partner, and long-term collaborator in the open source governance space.

ISO/IEC 5230 and ISO/IEC 18974 have a regular recertification process to ensure that open source programs are up-to-date and match current organizational strategy and staffing. Recertification can be done through self-certification, independent assessment or third-party certification on a regular 18 month cycle. The OpenChain Project provides extensive certification support via its website: https://www.openchainproject.org/get-started

“BlackBerry has a long history of cataloging, tracking, and securing its open source components that are bundled as part of its software supply chain. OpenChain has helped us bring together these capabilities and license compliance to have a more holistic open source management process. Having standards like OpenChain is a powerful tool that assures our customers that we take the security and integrity of our software supply chain seriously. As the security community continues to push forward with initiatives like the Software Bill of Materials, companies will need to implement standards like OpenChain to meet the demands of the growing list of customers who prioritize security.”- Christine Gadsby, VP of Product Security at BlackBerry.

“The use of standards like ISO/IEC 5230 and ISO/IEC 18974 provide a strong foundation for companies to manage their open source supply chain. The recertification process is a key part in ensuring processes are current and match products, services and strategy. BlackBerry, as a leader in the field of providing enterprise solutions, is also a leader in software governance and management. Their recertification to our standards for open source license compliance and open source security assurance underlines their stance at the forefront of sustainable, reliable software asset management.” – Shane Coughlan, OpenChain General Manager.

“OSS Consultants is pleased to have partnered with BlackBerry to attain the first whole-entity ISO/IEC 5230 conformance in North America in 2022, the first whole-entity ISO/IEC 18974 conformance in early 2023, and again now to perform the recertification of both standards. This recertification for BlackBerry demonstrates their unwavering dedication to the security and integrity of their software supply chain.” – Russ Eling, Founder & CEO at OSS Consultants

About the OpenChain Project

The OpenChain Project has been building Trust in the Supply Chain Since 2016. Our vision is a supply chain where open source is delivered with trusted and consistent process management information. Our mission is to make that happen. The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. Learn more at https://www.openchainproject.org/

About BlackBerry

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company’s software powers over 235M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety and data privacy, and is a leader in the areas of endpoint security management, encryption, and embedded systems. BlackBerry’s vision is clear – to secure a connected future you can trust.

BlackBerry. Intelligent Security. Everywhere. 

For more information, visit BlackBerry.com and follow @BlackBerry.

About OSS Consultants

OSS Consultants is a business dedicated to helping organizations of all sizes – from the world’s largest and well-known companies to small businesses and start-ups – design, implement, and manage the most efficient, comprehensive and robust open-source program offices and policies on the planet. Service offerings range from a scan and audit of your third-party and proprietary software to creating a full OSPO within your organization. Find more information at www.ossconsultants.com and follow @OSSConsultants.

This meeting focused on closing two open issues around the Licensing Specification (ISO/IEC 5230) as we prepare a proposed update for the Steering Committee:

• Content of ‘2.2 Effectively Resourced’ #57
  https://github.com/OpenChain-Project/License-Compliance-Specification/issues/57
• Content and Sorting of ‘1.0 Program Foundation’ #56
  https://github.com/OpenChain-Project/License-Compliance-Specification/issues/56

Check out the full recording below:

Want to join our calls?

• https://www.openchainproject.org/participate

Want to be part of the mailing list for specification development?

• https://lists.openchainproject.org/g/specification/messages

The latest OpenChain AI Study Group meeting was hosted by our co-chair, Matthew Crawford of Arm. Check out the full recording and get the slides below.

Get the Slides:

• https://www.slideshare.net/slideshows/openchain-ai-study-group-north-america-and-europe-20240220/266417200

Learn more about the activities of this study group via their dedicated mailing list:

• https://lists.openchainproject.org/g/ai/messages

We covered a lot of ground:

• Elections
• ISO Standards
• Contribution Spec Proposal
• Maturity Models
• and more…

Get The Slides

• https://www.slideshare.net/slideshows/openchain-monthly-north-america-europe-call-20240206/266191727

Agenda:

   • Recap of discussion so far
   • Scope – how to build trust in the open source AI supply chain
       • What are the “compliance artifacts”?
       • How do we know they can be trusted?
   • Discuss use cases
       • Inbound
       • Deployment internally
       • Hosting externally
       • Distributing externally

Get The Slides

• https://www.slideshare.net/slideshows/ai-study-group-north-america-europe-20240206/266191769

Learn more about the activities of this study group via their dedicated mailing list:

• https://lists.openchainproject.org/g/ai/messages

Thank you to everyone who attended the meeting. We had some great feedback. Check out the recording here:

Most Important Outcome

We adjusted the review / renewal period for the Security and Licensing specifications from 18 months to 12 months to align with ISO 17021 for certification of management systems. You can see the details as follows:

Security Specification (potential future ISO 18974 update):

• https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/35

Licensing Specification (potential future ISO 5230 update):

• https://github.com/OpenChain-Project/License-Compliance-Specification/issues/69

Next Monthly North America / Europe Call Focus Items

Maturity Model consideration for ISO 18974:

• https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/11

+ GM Addition

Scope – for next iteration of ISO 5230:

• https://github.com/OpenChain-Project/License-Compliance-Specification/issues/33

Review The Past

You can download the slides from this meeting and all previous meetings since we started the specification update cycle here:

• https://github.com/OpenChain-Project/Meeting-Minutes/tree/main/Slides

Please note: this post initially contained some material related to editing the specification editing that occurred on the North America / Asia call. You can find that material on the North America / Asia call for January 2024 blog post.

We kicked off the year with a call to review the 2023 Annual Report and the 2024 “Where We Go Next” statement. This was also an opportunity to discuss the outcomes of the Steering Committee meeting in December 2023.

Get The Slides For This Meeting (and all the others) On GitHub:

• https://github.com/OpenChain-Project/Meeting-Minutes/tree/main/Slides

As you can read in our Annual Report, the OpenChain Project had an exceptional year in 2023. The biggest accomplishment was our ISO submission and publication of OpenChain ISO/IEC 18974:2023, the new International Standard for open source security assurance. More broadly, our market impact was positive in every direction. In 2024 we will build on our community success guided by the vision and mission in our project charter.

Our vision is a trusted supply chain and our mission is to make that happen.

---

The OpenChain Project exists to build trust in the supply chain. We unite industries around standard approaches to process management that reduce risk, reduce costs and increase speed. Our focus until now has been improving open source license compliance and security assurance. A lot of our activity is around normalization (community) and embedding (procurement). Everything we have created – standards, community and reference material – serves our purpose and our mission.

In collaboration with our extensive global community of over 1,000 companies, we will continue to build a trusted supply chain throughout 2024.

---

You are invited to be part of this, and your contributions would be extremely valuable to ensure we provide targeted, timely and useful solutions for tens of thousands of companies using open source in the global supply chain. There are three main areas that we expect to be important in the year ahead.

Promoting Adoption Of Our Standards

The OpenChain Project will continue to build awareness and ease adoption of our published standards for open source license compliance and security assurance. The key resource is our website, including our free self-certification resources, our reference material and quick access to our official partner ecosystem. Easy access to our meetings, events and mailing lists will continue to be at the center of our work.

We will continue to communicate our work at events related to open source in the business sphere, but in 2024 we will also seek to broaden our engagement with the risk management, procurement and insurance areas. Just as open source has become the core of software, we want to make sure ISO standards for open source business process management are clearly understood as critical.

The OpenChain community will continue to play a central role in the adoption of our standards. After all, the OpenChain Project is run by companies using open source for the benefit of the supply chain. Our regional work groups in locations like Mainland China, Japan, Korea, Taiwan, India, Germany and the UK will be important to our continued success. A good place to start if you want to help is our participation page.

Ensuring Our Standards And Supporting Material Are Relevant

In 2024 we will continue to invite all parties to collaborate around future updates to our existing business process standards for open source license compliance and security assurance, and to help with developing new reference material or case studies.

When it comes to our existing standards, there are ongoing editing cycles for ISO/IEC 5230 (license compliance) and ISO/IEC 18974 (security assurance). The OpenChain Steering Committee reviewed the community work in December 2023 and provided guidance that:

• The community-developed update proposals seem reasonable
• We will extend our Public Comment and Freeze Periods significantly to ensure the supply chain has time to consider the proposed changes
• The Public Comment period will change from 30 days to 6 months
• The Freeze Period will change from 14 days to 3 months
• This will be communicated in an update to FAQ and to our Specification Work Team.
• In principle, it is suggested that we target updates to our ISO standards once every five years
• This would suggest the update for ISO/IEC 5230 is likely to be ready for 2025
• ISO/IEC 18974 may be updated sooner due to a rapidly-moving market, but not at a speed that would hinder adoption of the existing and newly published version

You can get started, track developments and contribute by subscribing to our Specification Work Group mailing list. We also edit the standards via our monthly North America / Europe and North America / Asia calls.

As for our reference material, you can track active editing and get involved via our Education Work Group mailing list. In 2024 you can expect work around updating our reference training material, new case studies, and the development of more material to support our new ISO standard for open source security assurance, ISO/IEC 18974:2023.

Providing A Space For Potential Future Market Solutions

The OpenChain Project is not static and our work has always been designed to evolve with the market. This is why we give our community space to explore the potential for new material, specifications and solutions that support our mission. For example, in the next few weeks we will launch an AI Study Group to assess the key metrics needed for compliance in this domain in the context of the supply chain. You can keep an eye out for that via our newly created AI Study Group mailing list and by reviewing the recording of their first planning meeting.

There are other activities underway in the OpenChain Project to lend support to a more trusted supply chain, like our Automation Work Group, our Export Control Work Group and our Legal Work Group. Addressing specific industry segments, we have our Automotive Work Group and our Telco Work Group. In 2024 the OpenChain Project will continue to foster a space for such discussions, and we will seek to provide a more structured way to propose, manage and evolve work groups or special interest groups.

It should be noted that there are ongoing discussions around the potential for an SBOM Quality assessment specification and a contribution process specification. The former is being managed by our Telco Work Group, and you can discuss it with the maintainers over at the Telco Work Group mailing list. The latter is in a far earlier stage of discussion that you can track and participate via GitHub Issues and – where raised by members of the Specification Work Group – our monthly North America / Europe and North America / Asia calls.

Of course, ideas for new specifications or other market solutions are simply discussions until reviewed and ratified by the OpenChain Steering Committee as official work products of the OpenChain Project. For something like building a new specification (or updating an existing one), we have a formal process for the community to follow.

Conclusion

The OpenChain Project is purposeful and thoughtful in execution. In 2024, we will continue to be an “oil tanker,” with reliable, long-term progress in a predictable direction. This ensures our work in building standards can be trusted for the long cycles of procurement that are needed for industries as diverse as automotive, infrastructure and consumer electronics.

An exciting year for the OpenChain Project is a year where market adoption is trending upwards, we provide continued relevance for our stakeholders, and we make sure our open standards are developed in a way that is truly open for everyone. We expect 2024 will see this continue with strong promotional activity for our existing standards, measured work around future update to these standards, and space for discussion about potential new market solutions.

You are a vital part of this process. The OpenChain Project is powered by its community, with user companies solving shared market challenges together, and service providers investing in working alongside us. That means contribution. It means mentorship. It means collaborative solutions. Our continued success relies on supporting realistic supply chain solutions, with everyone being a beneficiary of the efficiency this realizes.

If you are already part of our community, welcome back for 2024. If you are new, welcome to one of the best communities in open innovation. We are here to help.

Shane Coughlan
OpenChain General Manager
5th January 2024