This meeting featured a special presentation by Jeronimo Ortiz of SCANOSS. It provided an overview of the open source SCA tooling and technologies that SCANOSS has open sourced and maintains, and looked at some of the user guides and documentation to reduce the adoption effort.
In addition, Jeronimo demoed how to make use of the osskb.org service from Software Transparency Foundation at scale using GitHub Actions, and how you can leverage scanoss.py to make use of such a service for detecting open source at file and snippet level, getting license and copyright information, or creating simple and quick SBOMs in different formats.
The presentation also included an overview of the work being done to integrate osskb.org with well known tools like ORT or FOSSology.
An introduction to DeepSeek, its technical highlights, its history, its company, and its vision. The main presentation for this webinar will be by Jerry Tan, a long-time contributor to the open source ecosystem in China.
Join using this link up to ten minutes before the official start:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
We held our regular workshop for the OpenChain AI Work Group on March 5th. It was a two-hour session to allow topics related to AI compliance to be discussed, explored and defined. The key focus for the Work Group is to develop and finalize a Guide to AI Bill of Material Compliance in the Supply Chain, and there is active drafting going on during each meeting.
You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
Open source and insurance has long been a topic of interest to commercial providers of products and solutions. This webinar will help unpack the reality of insurance considerations in this space. All welcome.
Abstract:
Open source software providers are facing a triple threat: tightening US and EU regulations, rising IP litigation, and the risks introduced by Gen AI. Soon, your board—and your customers and suppliers—might be asking that you have specific insurance that actually covers OSS-related liabilities. But, does such insurance exist? Does it work? And how should it work?
Historically, insurers have struggled to grasp OSS risks, offering inadequate or unclear coverage. Now, a new wave of insurance solutions is emerging, informed by OpenChain standards and best practices.
Join this session to explore how the insurance industry is evolving, what new OSS-specific coverage looks like, and how you can help shape it to meet the real needs of the open source community.
Meet Your Presenters:
Lewis Parle, Head of Intellectual Property Risks @ Lockton
The 25th Meeting of the OpenChain Korea Work Group is coming soon! Join one of the most energetic, friendly and productive open source communities dedicated to better supply chain management. All welcome, even if you do not speak Korean.
Time and Date: 25th of March (2025-03-25) 14:00 – 17:00
Please note: Formal registration will launch soon. You can already express your interest on the OpenChain Korea Work Group mailing list (https://lists.openchainproject.org/g/korea-wg).
The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.
The OpenChain Japan Community Day #34 was held in Tokyo on March 3rd. Below you can learn more details of the event (translated from the Japanese announcement).
OpenChain Japan Community Day #34 @ Toyota Otemachi
OpenChain members gather in one place to share the latest OSS information, to network, and to discuss the challenges facing each industry. This Community Day, the first of 2025, will be held at Toyota Otemachi.
Date and time: March 3 (Mon) 13:30-17:00, March 4 (Tue) 9:30-12:00
Venue: Toyota Motor Corporation, Otemachi Office
The OpenChain Japan Work Group held one of its regular community meetings with presentations, case studies and networking on the 3rd of March 2025. The full recording is below.
As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?” We are dealing with the reality of supply chains with many participants who have different levels of skill, use different formats, and perhaps follow different regulations or policies.
This meeting looked at two important pieces of analysis from the OpenChain Japan SBOM Sub-Group. The goal was to find common challenges, and how we can address them when we consider:
Process management as our focus (the management layer)
Previous OpenChain work in this field (e.g. the Telco SBOM Guide)
Other work around the world (e.g. emerging regulation etc.)
Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.
The Elixir Project is pleased to share that the Elixir project now complies with OpenChain ISO/IEC 5230, the international standard for open source license compliance. This step aligns with broader efforts to meet industry standards for supply chain and cybersecurity best practices.
“Today’s announcement around Elixir’s conformance represents another significant example of community maturity,” says Shane Coughlan, OpenChain General Manager: “With projects – the final upstream – using ISO standards for compliance and security with increasing frequency, we are seeing a shift to longer-term improvements to trust in the supply chain.”
Why OpenChain Compliance Helps
By following OpenChain ISO/IEC 5230, we demonstrate clear processes around license compliance. This benefits commercial and community users alike, making Elixir easier to adopt and integrate with confidence.
Changes for Elixir Users
All future Elixir releases will include a Source SBoM in CycloneDX 1.6 or later and SPDX 2.3 or later formats.
Each release will be attested along with the Source SBoM.
These additions offer greater transparency into the components and licenses of each release, supporting more rigorous supply chain requirements.
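A downstream consumer of these releases will want to check that a shipped Source SBoM actually meets the stated policy (CycloneDX 1.6 or later, or SPDX 2.3 or later) and that the components it lists carry license statements. The following Python is an added example written for this newsletter, not code from the Elixir project; the two sample documents are constructed and trimmed to the fields the check reads, and are not real Elixir release SBOMs.

```python
import json

# Policy from the announcement: Source SBoM in CycloneDX 1.6+ or SPDX 2.3+.
MIN_CYCLONEDX = (1, 6)
MIN_SPDX = (2, 3)

# Constructed sample documents (not real Elixir release SBOMs), trimmed to the
# fields this check reads.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"name": "elixir", "version": "0.0.0-example",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "vendored-thing", "version": "1.0"},  # no license declared
    ],
})

SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "elixir", "versionInfo": "0.0.0-example",
         "licenseConcluded": "Apache-2.0"},
        {"name": "vendored-thing", "versionInfo": "1.0",
         "licenseConcluded": "NOASSERTION"},
    ],
})

# An older CycloneDX document, to show the policy check rejecting it.
OLD_CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "components": [],
})


def _version_tuple(text):
    """'1.6' -> (1, 6); tuples compare correctly where strings would not ('1.10' > '1.9')."""
    return tuple(int(part) for part in text.split("."))


def identify_format(doc):
    """Return (format_name, version_tuple), or ('unknown', ()) for an unrecognised document."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "CycloneDX", _version_tuple(doc["specVersion"])
    spdx = doc.get("spdxVersion")
    if isinstance(spdx, str) and spdx.startswith("SPDX-"):
        return "SPDX", _version_tuple(spdx[len("SPDX-"):])
    return "unknown", ()


def meets_policy(sbom_json):
    """True if the SBOM is CycloneDX >= 1.6 or SPDX >= 2.3; anything else fails closed."""
    fmt, ver = identify_format(json.loads(sbom_json))
    if fmt == "CycloneDX":
        return ver >= MIN_CYCLONEDX
    if fmt == "SPDX":
        return ver >= MIN_SPDX
    return False


def components_without_license(sbom_json):
    """Names of components/packages with no usable license statement.

    CycloneDX: a component with no `licenses` entry.
    SPDX: a package whose licenseConcluded is missing, NOASSERTION or NONE.
    """
    doc = json.loads(sbom_json)
    fmt, _ = identify_format(doc)
    missing = []
    if fmt == "CycloneDX":
        for comp in doc.get("components", []):
            if not comp.get("licenses"):
                missing.append(comp["name"])
    elif fmt == "SPDX":
        for pkg in doc.get("packages", []):
            if pkg.get("licenseConcluded", "NOASSERTION") in ("NOASSERTION", "NONE"):
                missing.append(pkg["name"])
    return missing


if __name__ == "__main__":
    for label, sbom in [("cyclonedx", CYCLONEDX_SAMPLE),
                        ("spdx", SPDX_SAMPLE),
                        ("old cyclonedx", OLD_CYCLONEDX_SAMPLE)]:
        print(label, "policy ok:", meets_policy(sbom),
              "unlicensed:", components_without_license(sbom))
```

The format check fails closed: a document that is neither recognisable CycloneDX nor SPDX is treated as non-compliant rather than skipped, which is the behaviour you want in a release gate.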
Changes for Contributors
Contributions remain under the Apache-2.0 License. Other licenses cannot be accepted.
The project now enforces the Developer Certificate of Origin (DCO), ensuring clarity around contribution ownership.
Contributors will notice minimal procedural changes, as standard practices around licensing remain in place. For more details, see the CONTRIBUTING guidelines.
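DCO enforcement in practice means a check that every commit carries a `Signed-off-by:` trailer (the one `git commit -s` adds) naming the commit's author. The Python below is an added example illustrating such a check, not the Elixir project's own DCO tooling; the commit records are constructed, and the matching rule (trailer e-mail must equal the author e-mail, compared case-insensitively) is an assumption about what a project might enforce.

```python
import re

# Sign-off trailer as written by `git commit -s`: "Signed-off-by: Name <email>".
# Matching anywhere in the message body is a simplification; git's own trailer
# parsing only looks at the final paragraph.
SIGNOFF_RE = re.compile(
    r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$", re.MULTILINE
)

# Constructed commit records (hypothetical SHAs and addresses).
SAMPLE_COMMITS = [
    {"sha": "c0ffee1", "author_email": "jane@example.org",
     "message": "Fix typo in docs\n\nSigned-off-by: Jane Doe <jane@example.org>\n"},
    {"sha": "c0ffee2", "author_email": "bob@example.org",
     "message": "Add feature\n"},  # no sign-off at all
    {"sha": "c0ffee3", "author_email": "bob@example.org",
     "message": "Refactor\n\nSigned-off-by: Someone Else <other@example.org>\n"},
]


def signoffs(message):
    """All (name, email) pairs from Signed-off-by trailers, e-mail lower-cased."""
    return [(m.group("name"), m.group("email").lower())
            for m in SIGNOFF_RE.finditer(message)]


def dco_ok(message, author_email):
    """True if some Signed-off-by trailer names the commit author's e-mail."""
    return any(email == author_email.lower() for _, email in signoffs(message))


def check_commits(commits):
    """Return (sha, reason) for each commit that fails the DCO check."""
    failures = []
    for commit in commits:
        if not signoffs(commit["message"]):
            failures.append((commit["sha"], "missing Signed-off-by trailer"))
        elif not dco_ok(commit["message"], commit["author_email"]):
            failures.append((commit["sha"], "Signed-off-by does not match commit author"))
    return failures


if __name__ == "__main__":
    for sha, reason in check_commits(SAMPLE_COMMITS):
        print(f"{sha}: {reason}")
```

Run as a pre-merge job, a non-empty result from `check_commits` is what blocks the merge; the two reasons are reported separately because a missing trailer is a contributor workflow issue, while a mismatched trailer is the case a maintainer should look at.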
Commitment
These updates were made in collaboration with the Erlang Ecosystem Foundation, reflecting a shared commitment to robust compliance and secure development practices. Thank you to everyone who supported this milestone. We appreciate the community’s ongoing contributions and look forward to continuing the growth of Elixir under these established guidelines.