The Linux Foundation Projects
Skip to main content
search
Category

News

Dec 10

OpenChain Newsletter #72

By Monthly Newsletter, News
logo

​ Newsletter – Issue 72 – November 2024

The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.

Headline News

    Outreach

    Our community released the following meeting recordings via our main channel:

    Note: Some community meetings are not recorded or are released through other channels

    Check Out All Our Previous Newsletters:

    Dec 04

    Webinar: Enabling SBOMs Across The Linux Foundation

    By automation, legal, licensing, News, standards, Webinar

    We have been doing source level license scans for Linux Foundation (LF) projects for a long time including generating SPDX formatted files, but what about SBOMs that can meet (and exceed) the government minimum specification? Here at the LF, we are now leveraging our existing scanning capabilities to generate SBOMs for these same critical open source projects.

    In the LF spirit, we are using existing open source tools to scan project dependencies to produce an SBOM that meets the minimum spec. We are also producing dependency level license data to complement our source level scans. In the near future we will be combining these to produce a grand unified SBOM that will meet a newly defined LF minimum specification for SBOMs.

    We will talk about our process to generate these SBOMs, the challenges we faced, our future plans, and share more about how you can make use of these for the projects you care about most.

    Watch The Recording

    About Our Speakers

    Gary O’Neall

    Gary is a contributor to the Software Package Data Exchange® (SPDX™) – an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools. Gary O’Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.

    Jeff Shapiro

    Jeff Shapiro is the Director of License Scanning for The Linux Foundation. He has over 30 years of experience in the software industry, including 10 years in software auditing, open source scanning, and training developers in OSS license compliance.

    More About Our Webinars:

    This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

    Check Out The Rest Of Our Webinars

    This OpenChain Webinar was broadcast on 2024-12-04.

    Dec 04

    Full Recording: OpenChain SBOM Study Group – 2024-11-27

    By News

    In this SBOM Study Group meeting, Okada San from OWASP Japan lead an overview of ”Vulnerabilities and the Future – Multilayered Software Vulnerabilities and Response Tactics.” This discussion built on a talk he recently delivered at the first Japan SBOM Summit on a similar topic.

    Watch The Recording:

    Learn More About This Study Group:

    Our new SBOM Study Group brings all our various activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.

    Get Involved Through Our Mailing List:

    Dec 04

    Full Recording: OpenChain AI Work Group – Monthly Workshop for North America and Europe – 2024-12-03

    By News

    With its new structure as an official OpenChain Work Group, and a clear mandate to work on an Guide to AI Compliance BOM, this is the first call in a new series to pull thoughts together into a practical guide.

    The document they are working from is here:
    https://docs.google.com/document/d/1g1kdmx1bDlQ0feSeW-ZY5JRFAF-HC30a/edit

    Watch The Recording:

    Track This Work:

    You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:

    Attend Future Meetings:

    You can find and get the dial-in details for all future AI Work Group meetings from our participate page here:

    Dec 04

    Full Recording: OpenChain AI Study Group Call – Asia Sync Call – 2024-11-14

    By News

    The OpenChain AI Study Group held its regular Asia sync on the 14th of November. This focused on a recap of the earlier monthly workshop, which had a discussion around the draft scratchpad for management of AI BOMs, and the conversion of this study group into a formal working group.

    Track This Work

    You can follow and contribute to the work of the OpenChain AI Study Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:

    Attend Future Meetings

    You can find and get the dial-in details for all future AI Study Group meetings from our participate page here:

    Dec 04

    HLB Surlatina Chile Announces An OpenChain ISO/IEC 5230 Conformant Program

    By Featured, News

    HLB Surlatina Chile, a firm established in 1971 and with 50 years of experience in the Chilean market, has announced an OpenChain ISO/IEC 5230 conformant program.

    About HLB Surlatina Chile:

    HLB Surlatina Chile is part of HLB International, a global audit and advisory organization headquartered in London, and has a long-standing history of advising clients and priding itself on being an organization based on values, committed to delivering the highest quality standards. HLB International employees over 30 thousand professionals in 160 countries from across the world to help clients grow across borders.

    Visit Their Website:

    Dec 04

    Full Recording: Understanding How OpenChain ISO/IEC 5230 and ISO/IEC 18974 Support InnerSource (InnerSource Commons Summit 2024)

    By News

    Shane Coughlan, OpenChain General Manager, delivered a speech entitled ‘Understanding how OpenChain ISO/IEC 5230 and ISO/IEC 18974 support InnerSource’ at the InnerSource Summit 2024.

    Abstract:

    This talk discussed how OpenChain ISO/IEC 5230 (the international standard for open source license compliance) and ISO/IEC 18974 (the international standard for open source security assurance) support the work of InnerSource program offices. While supply chain management is often seen as external relationships between customers and suppliers, internal supply chain management is just as critical. Using industry standards in this context ensures alignment with broader market expectations, and ensures that remediation, catch-up and process mis-match is minimized.

    Dec 03

    Coming Soon: OpenChain Webinar – Enabling SBOMs Across The Linux Foundation – 2024-12-04 @ 00:00 UTC

    By News

    The latest OpenChain Webinar will feature Jeff Shapiro and Gary O’Neall.

    At the time of the event you can join us at:
    https://zoom-lfx.platform.linuxfoundation.org/meeting/98013366941?password=02a35380-0692-497d-b5a9-05e650965da4

    Abstract:

    We have been doing source level license scans for Linux Foundation (LF) projects for a long time including generating SPDX formatted files, but what about SBOMs that can meet (and exceed) the government minimum specification? Here at the LF, we are now leveraging our existing scanning capabilities to generate SBOMs for these same critical open source projects.

    In the LF spirit, we are using existing open source tools to scan project dependencies to produce an SBOM that meets the minimum spec. We are also producing dependency level license data to complement our source level scans. In the near future we will be combining these to produce a grand unified SBOM that will meet a newly defined LF minimum specification for SBOMs.

    We will talk about our process to generate these SBOMs, the challenges we faced, our future plans, and share more about how you can make use of these for the projects you care about most.

    Speakers:

    Gary O’Neall

    Gary is a contributor to the Software Package Data Exchange® (SPDX™) – an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools. Gary O’Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.

    Jeff Shapiro

    Jeff Shapiro is the Director of License Scanning for The Linux Foundation. He has over 30 years of experience in the software industry, including 10 years in software auditing, open source scanning, and training developers in OSS license compliance.

    Nov 29

    Happening Today: OpenChain China Work Group – Regular Meeting 3 – 2024-11-29 @ 14:00 to 17:30

    By News

    Keynote Slides

    Agenda:

    1. “Warmly Welcome” – 胡灵灵, Ant group counsel
    2. “Global News Update for OpenChain” – Shane Coughlan, OpenChain
    3. “We Connect Now in OpenChain” – Zhenhua Sun, ByteDance
    4. “How the OSPO (or other departments) manages open source” – Richard Bian, Ant
    5. “King of SPDX Journey / The Untold Stories of SPDX” – King Gao, SecTrend
    6. “What I saw and heard at the Open Compliance Summit 2024 & A Philosophy of GPL” – Tao Ye, Grandall Law Firm
    Nov 26

    OpenChain @ InnerSource Summit 2024 – 2024-11-20 – Slides

    By News

    Shane Coughlan, OpenChain General Manager, delivered a speech entitled ‘Understanding how OpenChain ISO/IEC 5230 and ISO/IEC 18974 support InnerSource’ at the InnerSource Summit 2024.

    Abstract:

    This talk discussed how OpenChain ISO/IEC 5230 (the international standard for open source license compliance) and ISO/IEC 18974 (the international standard for open source security assurance) support the work of InnerSource program offices. While supply chain management is often seen as external relationships between customers and suppliers, internal supply chain management is just as critical. Using industry standards in this context ensures alignment with broader market expectations, and ensures that remediation, catch-up and process mis-match is minimized.

    Slides:

    Learn More On The Event Website: