Shane Coughlan, OpenChain General Manager, delivered a speech entitled ‘Understanding how OpenChain ISO/IEC 5230 and ISO/IEC 18974 support InnerSource’ at the InnerSource Summit 2024.
Abstract:
This talk discussed how OpenChain ISO/IEC 5230 (the international standard for open source license compliance) and ISO/IEC 18974 (the international standard for open source security assurance) support the work of InnerSource program offices. While supply chain management is often seen as external relationships between customers and suppliers, internal supply chain management is just as critical. Using industry standards in this context ensures alignment with broader market expectations, and ensures that remediation, catch-up and process mis-match is minimized.
We have been doing source level license scans for Linux Foundation (LF) projects for a long time including generating SPDX formatted files, but what about SBOMs that can meet (and exceed) the government minimum specification? Here at the LF, we are now leveraging our existing scanning capabilities to generate SBOMs for these same critical open source projects.
In the LF spirit, we are using existing open source tools to scan project dependencies to produce an SBOM that meets the minimum spec. We are also producing dependency level license data to complement our source level scans. In the near future we will be combining these to produce a grand unified SBOM that will meet a newly defined LF minimum specification for SBOMs.
We will talk about our process to generate these SBOMs, the challenges we faced, our future plans, and share more about how you can make use of these for the projects you care about most.
Speakers:
Gary O’Neall
Gary is a contributor to the Software Package Data Exchange® (SPDX™) – an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools. Gary O’Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.
Jeff Shapiro
Jeff Shapiro is the Director of License Scanning for The Linux Foundation. He has over 30 years of experience in the software industry, including 10 years in software auditing, open source scanning, and training developers in OSS license compliance.
Shane Coughlan, OpenChain General Manager, delivered a speech entitled ‘Understanding how OpenChain ISO/IEC 5230 and ISO/IEC 18974 support InnerSource’ at the InnerSource Summit 2024.
Abstract:
This talk discussed how OpenChain ISO/IEC 5230 (the international standard for open source license compliance) and ISO/IEC 18974 (the international standard for open source security assurance) support the work of InnerSource program offices. While supply chain management is often seen as external relationships between customers and suppliers, internal supply chain management is just as critical. Using industry standards in this context ensures alignment with broader market expectations, and ensures that remediation, catch-up and process mis-match is minimized.
Today the OpenChain Korea Work Group is having its final meeting of the year at the LG AI Research offices in Seoul. Full details of the meeting and the keynote slides can be found below.
In this SBOM Study Group meeting, Okada San from OWASP Japan will lead an overview of ”Vulnerabilities and the Future – Multilayered Software Vulnerabilities and Response Tactics.” This discussion will build on a talk he recently delivered at the first Japan SBOM Summit on a similar topic.
The next OpenChain Webinar will be highlighting the work of a sister project – CHAOSS – which provides a way to apply metrics to open source. Their new practitioner guides are a resource that can help everyone manage projects in a sustainable way. Dr. Dawn Foster will lead the conversation.
Abstract:
Sustaining OSS projects and communities over the long-term can be a challenge. Project leaders, maintainers, and contributors are busy people who don’t always have the time or experience to focus on growing a community and maintaining their software. Using metrics is one way to help OSS projects identify potential issues and identify areas where they can improve their community to make it more sustainable over the long-term. Being proactive about improving sustainability before it becomes a crisis can help make our software more sustainable and reliable for all of us. However, not everyone has the experience or skills required to know how to interpret their metrics and use what they learn to make improvements within their community.
The CHAOSS project has been creating a series of MIT licensed Practitioner Guides focused on improving the sustainability of our software and communities. The guides are designed to make it easier for people to draw meaningful and actionable insights using community metrics, even when those people do not necessarily have a deep background in data analysis or much experience working within OSS communities.
This talk will identify several categories of metrics from the Practitioner Guide Series, including responsiveness, contributor sustainability, organizational participation, and security. This session will cover not just how to interpret the metrics, but will focus on providing ideas for improving in areas identified using the metrics. The audience will walk away with a better understanding of how to use metrics to proactively improve the long-term sustainability of their OSS projects and communities.
Bio:
Dr. Dawn Foster works as the Director of Data Science for CHAOSS where she is also a board member / maintainer. She is co-chair of CNCF TAG Contributor Strategy and an OpenUK board member. She has 20+ years of experience at companies like VMware and Intel with expertise in community, strategy, governance, metrics, and more. She has spoken at over 100 industry events and has a BS in computer science, an MBA, and a PhD. In her spare time she enjoys reading science fiction, running, and traveling.
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.
It is proposed to have a short work-stream involving co-ordinating the various case studies which the OpenChain Project has collated over time. We had some great examples at the Open Compliance summit and it would be fantastic to be able to incorporate these into the portfolio, and to make the portfolio as a whole more accessible and better structured.
Be part of this:
You can get involved with the OpenChain Education Work Group through their dedicated mailing list. At this link, you will also find connections to other working groups around the world:
