News

As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?”

This Meeting Discussed:

1. The release of Version 1.1 of the Telco SBOM Quality Guide:
   https://openchainproject.org/featured/2025/05/09/openchain-telco-sbom-guide-version-1-1-now-available
2. The development of a ”thinking” document based on this which considers how a cross-industry, cross-format SBOM quality could be structured:
   https://github.com/OpenChain-Project/SBOM-sg/blob/main/Cross-Industry-SBOM-Quality-Guide/en/Cross-Industry-SBOM-Quality-Guide.md

Watch the Meeting:

Learn More About This Study Group:

Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.

Get Involved:

Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/sbom

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/SBOM-sg

The OpenAtom Foundation held an Open Source Strategy Session on the 29th of May in Beijing, and the OpenChain Project was represented by the Chair of our China Work Group, Zhenhua Sun of ByteDance. An overview of OpenChain was provided to the audience, and there was an opportunity for questions from the community.

The OpenChain Project will have a keynote and also host an OpenChain China Day at the forthcoming OSPO Summit China on the 12th of June 2025. A big thanks to the organizers of the OSPO Summit and also to our community members, especially the leading contributors to the OpenChain China Work Group.

Thank you for helping to share knowledge and to bring people together!

Learn More About Our Keynote:

Learn More About the OpenChain China Day:

The 3rd OSHeart Legal Salon took place on the 24th of May 2025, and OpenChain was explained by Zhenhua Sun, Chair of the OpenChain China Work Group and leader of the ByteDance open source team. We were delighted to work together with our colleagues from OpenAtom Foundation and elsewhere in sharing more knowledge about the international standards for open source business process management.

On the 22nd of May 2025, the OpenChain Project was featured in a Development Study Course hosted by ByteDance.

The Agenda Covered:

• History of the OpenChain specification
• What the OpenChain specification covers
• Why companies choose to follow the OpenChain specification and the benefits of following the OpenChain specification
• How the OpenChain specification works and what are the key components
• The impact of the OpenChain specification on customer relationships
• Some practical examples of the OpenChain specification
• Overall adoption and industry recognition of the OpenChain specification

Learn More:

We Discussed:

Specification:

Reflections on our lessons learned in making ISO 18974, and our process of drafting proposed updates to the standards, to try and provide a template for other projects looking at making and maintaining standards.

Education:

A review of the updated Reference Library, updated open source policy template and drafting underway for a new OpenChain Adoption Guide + discussion about and call for engagement with updates to our online training.

The Future:

We made some decisions during the call regarding:

• Should we add more work groups to this call?
• Should we have more technical presentations?
• Should we adjust the schedule?

Check out the Meeting Slides:

• https://github.com/OpenChain-Project/Meeting-Minutes/tree/main/Slides/2025

Watch the Recording:

Coming Next:

The monthly calls for the OpenChain Specification and Education Work Groups will have a different format in June. Updates to follow on specifics.

Join Our Work:

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate

The OSS Review Toolkit (ORT) is a FOSS policy automation and orchestration toolkit that you can use to manage your (open source) software dependencies in a strategic, safe and efficient manner. The next OpenChain webinar will dig into how the Erlang Ecosystem Foundation (EFF) makes use of this tool to address compliance issues.

2025-05-27 @ 08:00 UTC / 09:00 BST / 10:00 CEST / 16:00 CST / 17:00 KST + JST

Join at the start time using this link:

• https://zoom-lfx.platform.linuxfoundation.org/meeting/95937045682?password=b948508e-7223-4016-89de-a54d97465326

This is part of the OpenChain and Friends: Stuttgart – Follow-Up Webinar Series. Learn more on its dedicated page!

Abstract:

Once upon a time, researchers at Ericsson developed Erlang/OTP, a programming language for the telecom industry. 39 years later, Erlang/OTP is used by the telecom, messaging, banking, and even game industry. Not only that, new languages were created and run on top of the Erlang BEAM virtual machine: Elixir, now a well-established language, and Gleam, the newest addition.

The proliferation of libraries and languages powering the BEAM ecosystem led to the creation of the Erlang Ecosystem Foundation (EFF),a foundation that caters for the BEAM ecosystem.

Today, 39 years from the creation of Erlang, it is not an easy task to categorise and be compliant with the more than 13000 (total) files that make up Erlang, Elixir, and Gleam. Yet, Erlang and Elixir are OpenChain compliant, and Gleam compliance is work in progress.

What steps took EEF towards making sure that Erlang, Elixir, and Gleam comply with the different licenses and copyrights?

This presentation features the collaboration between the Erlang/OTP team (Ericsson) and the Erlang Ecosystem Foundation (EEF), and the steps taken, and experience of using ORT as a crucial part of the EEF Ecosystem.

Our Speaker:

My name is Kiko Fernandez-Reyes and I work as a software engineer in the OTP team, building and improving the Erlang programming language at Ericsson. Before that, I was a backend software engineer at Klarna.

Before Klarna, (in 2014) I did my Ph.D. at Uppsala University where I developed concurrent and parallel programming languages for our research compiler. Among them, I developed typed-based optimisations for future-based programming languages and a capability-based dynamic language design that maintains data-race freedom and satisfies the gradual guarantee.

Experience:
I have industrial experience with Haskell, Erlang, Python, among others and deployment languages and technologies, ranging from AWS to Ansible. During my research I have used heavily Haskell and C, and some Scala. I was the main lecturer of the course Advanced Software Design, where I taught object-oriented design ~80 master students.

My work has received the following awards:
– Distinguished Artifact Award at Software Language Engineering (SLE), 2019
– Distinguished Artifact Award at European Conference in Object-oriented Programming (ECOOP), 2019
– Best Paper Award at International Federated Conference on Distributed Computing Techniques (DisCoTec), 2018
– Best Paper Award at International Conference on Coordination Models and Languages (COORDINATION), 2018

Interests:
I am interested in type systems, programming languages, functional programming, compilers, and different logics. I promote open source technology, writing regularly in opensource.com. I also promote gender equality through the ACM-W student chapter at Uppsala University.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

• https://www.openchainproject.org/webinars

This OpenChain Webinar will be broadcast on 2025-05-27.

The OpenChain Project will hold a webinar on the 30th of May 2025 to discuss LLM generated code and the potential risks associated with it from the perspective of open source license compliance.

2025-05-30 @ 07:00 UTC / 08:00 BST / 09:00 CEST / 15:00 CST / 16:00 KST + JST

Join at the start time using this link:
https://zoom-lfx.platform.linuxfoundation.org/meeting/91794322307?password=7d786333-1dcf-4693-8d6b-fbe2dd7d55aa

Abstract:

Oscar Goñi (Quique) has investigated source code similarity detection in Large Language Model (LLM) out-puts using the SCANOSS platform. While recent research has identified concerns regarding LLMs generating code that closely resembles their training data, the full extent of this similarity across the broader open-source ecosystem remained unexplored. Quique will describe during this talk his findings, which indicate that code similarity in LLM outputs may be more prevalent than previously indicated when evaluated against a broader open-source code base. At the same time, Quique will describe how this study contributes to the ongoing discussion of LLM-generated code’s originality and its implications for software licensing compliance, while validating the effectiveness of lightweight similarity detection algorithms as preliminary indicators for more comprehensive analysis. Finally, a Q&A session hopefully will provide participants some light of the implications of the study and to Quique about next steps in his research.

Link to the study: https://shorter.me/_XHcS

Our Speaker:

Oscar Enrique (Quique) Goñi, UNICEN, Professor – STF Head of academic program

Oscar Enrique Goñi is a systems engineer who graduated from the National University of the Center of the Province of Buenos Aires, Faculty of Exact Sciences (Argentina, 2009), and holds a Ph.D. in Computer Science from the National University of La Plata (Argentina, 2015). Since 2004, he has been engaged in teaching and research activities at the National University of the Center of the Province of Buenos Aires. Additionally, he has led the design and management of critical systems projects, as well as in data mining and high-performance systems.