Product teams, R&D teams and OSPOs occasionally find themselves in an adversarial situation with IP Departments around open source and how it should be managed in an organization. This is usually due to misunderstandings about how open source provides value and how the risks associated with it can be contained. With open source increasingly necessary for organizations to compete effectively, it is important to ensure all departments understand its strategic importance, and how to manage it in the context of their KPIs and requirements. This talk will explain how to collaborate with IP Departments using the language of external risk containment and internal portfolio management, and help IP Department staff assess open source as part of a diversified IPR strategy.
This talk will explain the process of going from a blank page to an ISO standard using OpenChain ISO/IEC 5230:2020 as a case study. It will explain how the OpenChain specification team came together, how they created the first iterations of what would become ISO/IEC 5230, and how they collaborated with Joint Development Foundation (JDF) to evolve from de-facto industry standard into formal international standard through the JTC-1 PAS Transposition Process. Attendees will learn how to frame, build and deploy their own specifications and standards, with a particular focus on the practical decisions required: should this be a specification, should it be an ISO standard and what do I need to do to make this happen?
Honda is the latest company to join the OpenChain Project as a Platinum Member and to take a seat at the Governing Board and Steering Committee. This builds on their engagement with the OpenChain Project in adopting ISO/IEC 5230 and ISO/IEC 18974.
“Joining the OpenChain Project board is an example of how Honda takes a leadership position in managing open source,” says Yuichi Kusakabe, IVI software PF and OSPO Tech Lead at Honda.
“Honda is an exceptional company in the management of large, complex supply chains,” says Shane Coughlan, OpenChain General Manager. “Today’s announcement underlines their commitment to developing excellence in open source, and in building trusted supply chains. The OpenChain Project Governing Board is delighted to formally welcome them, and looks forward to doing great things together in 2025.”
About Honda
Honda is a mobility company powered by everyone’s dreams, creating mobility that helps and inspires people, in a wide range of fields such including motorcycles, automobiles, power products and aircraft.
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
This session will present an overview of how OpenChain ISO/IEC 5230:2020 for open source license compliance and OpenChain ISO/IEC 18974:2023 for open source security assurance will impact legal professionals in 2024. It will cover the key points regarding procurement negotiations, mergers and acquisitions, and supply chain management foreseen in the year ahead. This will be informed by recent developments around the CRA and in adjacent standards like SPDX ISO/IEC 5962. The session will also expand on existing and forthcoming reference material, community support and commercial providers available for when help is needed. We will end with an outline of what may come next for the market, highlighting a new OpenChain Study Group around AI Compliance.
You can get involved with the OpenChain Telco Work Group through their dedicated mailing list. At this link, you will also find connections to other working groups around the world:
Please note: you do not have to be an expert in telecommunications or work for a telecommunications company to join the group. Work on subjects like the Telco SBOM Quality Guide is intended to also help other market sectors.
We had an insightful session with Dawn Foster on sustaining OSS projects and communities over the long-term. The CHAOSS project has been creating a series of MIT-licensed Practitioner Guides focused on improving the sustainability of our software and communities. The guides are designed to make it easier for people to draw meaningful and actionable insights using community metrics, even when those people do not necessarily have a deep background in data analysis or much experience working within OSS communities.
This talk identified several categories of metrics from the Practitioner Guide Series, including responsiveness, contributor sustainability, organizational participation, and security. It covered not just how to interpret the metrics, but also on providing ideas for improving in areas identified using the metrics. The audience walks away with a better understanding of how to use metrics to proactively improve the long-term sustainability of their OSS projects and communities.
Watch The Recording
About Our Speaker
Dawn leads the data science initiative for the CHAOSS project where she is also a Governing Board member / maintainer. Dawn is an OpenUK board member and co-chair of the CNCF Contributor Strategy Technical Advisory Group.
Dawn has 20+ years of experience working in open source positions at companies like VMware, Intel and Puppet with expertise in managing people, open source strategy, building new communities, and managing existing communities with a particular emphasis on developer and open source communities. She has held a wide range of roles over the years, including UNIX system administrator, researcher, consultant, strategist, director / manager, and more.
Dawn holds a PhD from the University of Greenwich, an MBA from Ashland University, and a BS in Computer Science from Kent State University. Dawn blogs about online communities as the author of the Fast Wonder Blog, and she’s blogged for The New Stack, Linux.com, GigaOM’s WebWorkerDaily, and in various other places.
She has done over a hundred talks at industry events, including many Linux Foundation events, KubeCon, OSCON, SXSW, FOSDEM and more. In her spare time she enjoys reading science fiction, running, and traveling.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
UnionTech Software – known for Deepin Linux – has announced an ISO/IEC 18974 conformant program.
About UnionTech Software
UnionTech Software is a research and development leader in the operating system industry in China, ranking among the top tier in terms of market share and ecological maturity. It has a focus on technical accumulation in research and development, internationalization, industry customization, migration and adaptation, and interactive design. UnionTech Software has established a diverse range of operating system product lines, including desktops, servers, intelligent terminals, and more. Over 6 million installations of UOS operating systems have been deployed in key sectors across 40,000 customers.
We have been doing source level license scans for Linux Foundation (LF) projects for a long time including generating SPDX formatted files, but what about SBOMs that can meet (and exceed) the government minimum specification? Here at the LF, we are now leveraging our existing scanning capabilities to generate SBOMs for these same critical open source projects.
In the LF spirit, we are using existing open source tools to scan project dependencies to produce an SBOM that meets the minimum spec. We are also producing dependency level license data to complement our source level scans. In the near future we will be combining these to produce a grand unified SBOM that will meet a newly defined LF minimum specification for SBOMs.
We will talk about our process to generate these SBOMs, the challenges we faced, our future plans, and share more about how you can make use of these for the projects you care about most.
Watch The Recording
About Our Speakers
Gary O’Neall
Gary is a contributor to the Software Package Data Exchange® (SPDX™) – an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools. Gary O’Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.
Jeff Shapiro
Jeff Shapiro is the Director of License Scanning for The Linux Foundation. He has over 30 years of experience in the software industry, including 10 years in software auditing, open source scanning, and training developers in OSS license compliance.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
In this SBOM Study Group meeting, Okada San from OWASP Japan lead an overview of ”Vulnerabilities and the Future – Multilayered Software Vulnerabilities and Response Tactics.” This discussion built on a talk he recently delivered at the first Japan SBOM Summit on a similar topic.
Watch The Recording:
Learn More About This Study Group:
Our new SBOM Study Group brings all our various activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.
With its new structure as an official OpenChain Work Group, and a clear mandate to work on an Guide to AI Compliance BOM, this is the first call in a new series to pull thoughts together into a practical guide.
You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
