Today the OpenChain Korea Work Group is having its final meeting of the year at the LG AI Research offices in Seoul. Full details of the meeting and the keynote slides can be found below.

Today the OpenChain Korea Work Group is having its final meeting of the year at the LG AI Research offices in Seoul. Full details of the meeting and the keynote slides can be found below.
In this SBOM Study Group meeting, Okada San from OWASP Japan will lead an overview of ”Vulnerabilities and the Future – Multilayered Software Vulnerabilities and Response Tactics.” This discussion will build on a talk he recently delivered at the first Japan SBOM Summit on a similar topic.
杭州市西湖区西溪路569号蚂蚁A空间
2024-11-29 14:00 ~ 17:30
The next OpenChain Webinar will be highlighting the work of a sister project – CHAOSS – which provides a way to apply metrics to open source. Their new practitioner guides are a resource that can help everyone manage projects in a sustainable way. Dr. Dawn Foster will lead the conversation.
Sustaining OSS projects and communities over the long-term can be a challenge. Project leaders, maintainers, and contributors are busy people who don’t always have the time or experience to focus on growing a community and maintaining their software. Using metrics is one way to help OSS projects identify potential issues and identify areas where they can improve their community to make it more sustainable over the long-term. Being proactive about improving sustainability before it becomes a crisis can help make our software more sustainable and reliable for all of us. However, not everyone has the experience or skills required to know how to interpret their metrics and use what they learn to make improvements within their community.
The CHAOSS project has been creating a series of MIT licensed Practitioner Guides focused on improving the sustainability of our software and communities. The guides are designed to make it easier for people to draw meaningful and actionable insights using community metrics, even when those people do not necessarily have a deep background in data analysis or much experience working within OSS communities.
This talk will identify several categories of metrics from the Practitioner Guide Series, including responsiveness, contributor sustainability, organizational participation, and security. This session will cover not just how to interpret the metrics, but will focus on providing ideas for improving in areas identified using the metrics. The audience will walk away with a better understanding of how to use metrics to proactively improve the long-term sustainability of their OSS projects and communities.
Dr. Dawn Foster works as the Director of Data Science for CHAOSS where she is also a board member / maintainer. She is co-chair of CNCF TAG Contributor Strategy and an OpenUK board member. She has 20+ years of experience at companies like VMware and Intel with expertise in community, strategy, governance, metrics, and more. She has spoken at over 100 industry events and has a BS in computer science, an MBA, and a PhD. In her spare time she enjoys reading science fiction, running, and traveling.
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Newsletter – Issue 71 – October 2024
The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.
Our community released the following meeting recordings via our main channel:
Note: Some community meetings are not recorded or are released through other channels
After a great trip to Tokyo (for the Open Compliance Summit) and Beijing, there was a lot to report on the Capability Model, and Martin Yagi has (as ever) done a great job on the explainers. See https://github.com/OpenChain-Project/Reference-Material/tree/myagi2019-explainer-drafts1/Education-For-Internal-Teams for his work on these. We are also proposing an explainer for the Capability Model.
It is proposed to have a short work-stream involving co-ordinating the various case studies which the OpenChain Project has collated over time. We had some great examples at the Open Compliance summit and it would be fantastic to be able to incorporate these into the portfolio, and to make the portfolio as a whole more accessible and better structured.
You can get involved with the OpenChain Education Work Group through their dedicated mailing list. At this link, you will also find connections to other working groups around the world:
“It is a pleasure to list HARMAN International in our community of conformance,” says Shane Coughlan, OpenChain General Manager. “Their alignment with ISO/IEC 5230, the international standard for open source license compliance, underscores their commitment to excellence in the use and deployment of open source software. We deeply appreciate their work, and listing them in the OpenChain Community of Conformance.”
HARMAN (harman.com) designs and engineers connected products and solutions for automakers, consumers, and enterprises worldwide, including connected car systems, audio and visual products, enterprise automation solutions; and services supporting the Internet of Things. With leading brands including AKG®, Harman Kardon®, Infinity®, JBL®, Lexicon®, Mark Levinson® and Revel®, HARMAN is admired by audiophiles, musicians and the entertainment venues where they perform around the world. More than 50 million automobiles on the road today are equipped with HARMAN audio and connected car systems. Our software services power billions of mobile devices and systems that are connected, integrated and secure across all platforms, from work and home to car and mobile. HARMAN has a workforce of approximately 30,000 people across the Americas, Europe, and Asia. In March 2017, HARMAN became a wholly-owned subsidiary of Samsung Electronics Co., Ltd.
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
We held our regular Monthly North America and Europe Call on the 5th of November. The focus was on discussing the Public Comment period for our draft proposed updates to the licensing and security specifications, and closing any open comments / issues around the draft documents.
We keep all the slides from our monthly calls online and they can be a useful way to access direct links and more details:
Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/
You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate
The OpenChain AI Study Group held its regular workshop on the 5th of November. This meeting focused on discussion around the draft scratchpad for management of AI BOMs, and the conversion of this study group into a formal working group.
You can follow and contribute to the work of the OpenChain AI Study Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
You can find and get the dial-in details for all future AI Study Group meetings from our participate page here:
During the Open Compliance Summit 2024 in Tokyo on the 31st of October, Roberto Di Cosmo (Founder & Director, Software Heritage; Chair of the Software Chapter of the French National Committee for Open Science), presented on the topic of ‘Compliance and Integrity in the Software Supply Chain with Software Heritage: A Call to Action.’
This presentation explored how Software Heritage’s initiatives, including the SWHID (Software Hash Identifier) and the upcoming “Code Commons” project, are poised to enhance compliance across the software supply chain. By integrating with SPDX and contributing to global standards, Software Heritage not only guarantees the availability and integrity of software source code, but also drives forward the business management of open source.
Software Heritage, launched by Inria in 2016 in partnership with UNESCO, is a global non profit long term initiative to collect, preserve and make easily accessible all publicly available source code. As the reference infrastructure for archiving and referencing, it offers unparalleled potential to address these challenges.