News

Strengthening Trust, Transparency, and Compliance in the Software Supply Chain

Ibrahim Haddad has written a great article discussing the OpenChain Project, our standards, and why our work has impact over on LinkedIn. We encourage everyone to take a moment and read his overview. Short preview below:

Over the past decade, the software supply chain has moved from a technical implementation concern to a strategic enterprise risk. Software has become central to every product and service, raising the responsibility bar for organizations to ensure that the software they ship is secure, compliant, and transparently governed.

This is where the OpenChain Project, hosted by the Linux Foundation, enters the picture.

For those unfamiliar, OpenChain defines industry standards for managing open source license compliance and security assurance across complex software supply chains. It provides a shared language for companies to communicate expectations and verify open source due diligence internally and with partners.

Yet, many organizations are still sitting on the sidelines.

After helping build and advise dozens of OSPOs over the past 15 years, from startups to multinationals, I can say this with confidence:

If your organization consumes or distributes open source software (hint: you do), OpenChain is not optional. It’s inevitable.

> Read the full article on LinkedIn.

After our meeting at Samsung yesterday (thank you Samsung team!), I wanted to add a short essay about what we have done and why it has helped people. Sometimes a history lesson helps us realize how far we have come, and how much we have accomplished.

When OpenChain started in 2016 there was a lot of uncertainty around open source compliance. We knew there were licenses, and we all had various ways to interpret them and make decisions around them, but apart from sharing notes there was no unified approach.

The OpenChain Project set out to change that, and it was designed to be open, collaborative and useful from the beginning. The founding members and the founding community felt strongly about a few things:
– Everything we build should be open and freely accessible
– The community – even the smallest company – should have a voice
– We would contribute “holistically” to making the supply chain more trusted

In other words, we would be open, we would have a problem to solve, but we would not become trapped in one topic or one period of the market. We were here to increase trust in the supply chain around compliance (starting with license compliance, but also including security and other compliance in the future).

As a side effect of what we were doing, we also wanted to help individuals. We wanted the professionals working in our field to get new skills and to have new long-term opportunities in their companies. A few years ago, one of the OpenChain community asked me “what career opportunities does someone working in open source compliance have?”

I said “it is important to remember that what we are doing is not making one implementation of one solution. For example, many people accomplish using our standards in an Open Source Program Office (OSPO), but OpenChain is not focused on OSPO, or SBOM formats, or metrics, or other things our sister projects do. Our work is complimentary but different. OpenChain is focused on business process management for supply chains, and the use of international standards. When someone works around OpenChain, they are not only being an open source expert, but also:
– Building proven experience in change management
– Building proven experience in using standards
– Building proven experience in adoption and applying business process management best practices
– And developing skills for cross-team collaboration inside and outside the company”

This is not by accident. We wanted to help the existing and the next generation of people in open source go further and have more opportunities. Our community would build new networks, and our activity would build new opportunities.

To date we have done a lot:
– Built ISO/IEC 5230 and ISO/IEC 18974 as international standards for open source business process management
– Guides around other areas of business process management (SBOM Quality, AI Compliance in the Supply Chain)
– We have introduced the first freely accessible maturity modeling for open source
– We have created the process to build totally open standards and to maintain them
– We have created the world’s largest library of business tools to help
– Policy
– Training
– Checklists
– Supplier education
– and so much more
– And our community has brought new people in contact with their future peers again and again in Korea, in Japan, in China and elsewhere.

In other words, thanks to you, we have completely transformed open source business management in the supply chain. And we have transformed how professional our field is. Open source is no longer a unique corner in a company. It is the same type of Software Asset Management as everything else, and that secures its future.

In Korea, we owe so much to so many people. I want to give special thanks to Haksung Jang, who has been at the center of the Korean Work Group from the beginning. Haksung has done more than organize the community. He has inspired it, and he has given it a blueprint for how to interact and share. The laughter, the open discussion, and the welcoming atmosphere was inspired by him. Haksung is a unique leader, and a precious part of the global open source community.

Many other people deserve praise too. For example, Soim for her playful but sincere help with community images, Seoyeon for her contributions to organizing and encouraging, and… you deserve praise too. If you have come to a meeting, or helped organize a meeting, or shared one of the many excellent presentations, to have helped build a true open source community.

It is very rare to see these things emerge. Most communities are frozen in one moment on one implementation. Very few communities transform a market, and still grown in new ways. We have never put barriers up (everything is free), we have never looked at commercial growth (we have a limit of 25 board members), and instead we have focused entirely on you – on what you, and I and our colleagues can do together.

Thank you so much for being part of that, and for reminding ourselves of how pure, useful and special freely sharing knowledge can be. True open community is kindness, and walking together to make everything better for all our benefit.

Regards
Shane Coughlan
General Manager, OpenChain

Download It Now:

https://github.com/OpenChain-Project/Reference-Material/tree/master/Open-Source-Policy-Templates/ISO-IEC-5230-(OpenChain%202.1)/en

Credit:

Help Make This Better:

• https://lists.openchainproject.org/g/education

As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?”

This Meeting Discussed:

1. The release of Version 1.1 of the Telco SBOM Quality Guide:
   https://openchainproject.org/featured/2025/05/09/openchain-telco-sbom-guide-version-1-1-now-available
2. The development of a ”thinking” document based on this which considers how a cross-industry, cross-format SBOM quality could be structured:
   https://github.com/OpenChain-Project/SBOM-sg/blob/main/Cross-Industry-SBOM-Quality-Guide/en/Cross-Industry-SBOM-Quality-Guide.md

Watch the Meeting:

Learn More About This Study Group:

Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.

Get Involved:

Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/sbom

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/SBOM-sg

The OpenAtom Foundation held an Open Source Strategy Session on the 29th of May in Beijing, and the OpenChain Project was represented by the Chair of our China Work Group, Zhenhua Sun of ByteDance. An overview of OpenChain was provided to the audience, and there was an opportunity for questions from the community.