
ORT Server at Bosch used in One Pipeline/Service for your Compliance – OCaaS

By Featured, News

Bosch’s OCaaS: The “All-in-One” Solution for Streamlined Open Source Compliance and Security

In today’s software development landscape, Open Source Software (OSS) is an indispensable component, integral to nearly every technological advancement. However, its widespread adoption introduces significant complexities, particularly regarding legal compliance and security. Recent data underscores this challenge: according to Synopsys’s Open Source Security and Risk Analysis Report 2025, 97% of all codebases contain OSS, with 56% presenting license conflicts, 86% harboring at least one known vulnerability, and a staggering 91% including OSS components more than 10 versions behind their latest release. These figures paint a clear picture of the inherent risks and compliance burdens facing organizations.

For companies deeply invested in software development, fundamental questions arise:

  • “What is inside my software?”
  • “Can I legally release my product?”
  • “Is my product secure over time?”

Addressing these critical concerns effectively and efficiently has become paramount. This is precisely where Bosch’s OCaaS (Open Source Compliance as a Service) emerges as a transformative solution. Presented at the “OpenChain and Friends 2026: OS Compliance and OSPO” event, OCaaS stands out by consolidating various compliance and security functionalities into a single, unified platform, significantly easing the burden on its users.

OCaaS: Consolidating Complex Processes Under One Umbrella

The true power of Bosch’s OCaaS lies in its integrated approach. Rather than relying on a disparate collection of tools for different aspects of OSS management, OCaaS brings everything together, offering an end-to-end solution that simplifies intricate processes for its clients. This “one-stop-shop” model is crucial for navigating the complexities of modern software development.

Let’s break down the comprehensive workflow offered by OCaaS:

  1. Analyzer: The initial step involves meticulously identifying all dependencies within the software, creating a clear map of every Open Source component.
  2. Scanner: Following dependency identification, the system scans the source code for potential issues, proactively pinpointing both license and security risks.
  3. Advisor: This component then leverages intelligence to identify known vulnerabilities (CVEs) associated with the discovered OSS components.
  4. Evaluator: OCaaS applies pre-defined compliance and security policies, evaluating whether the software adheres to internal standards and external regulations.
  5. Reporter: Finally, detailed and actionable reports are generated, providing a transparent overview of the software’s compliance and security status.

The extensive capabilities of this workflow are delivered through over 20 integrated plugins, incorporating industry-leading tools like ScanCode, FOSSID and VulnerableCode. These plugins not only enable deep-dive analysis but also ensure that the output is in standardized formats, facilitating interoperability and communication across the supply chain. Once this comprehensive process is complete, OCaaS can further integrate its findings with platforms like Fossology for enhanced dependency tracking and thorough documentation management.
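The Evaluator and Reporter steps of the workflow above, as an added example that is not code from ORT, ORT Server or Bosch's OCaaS: the three result dictionaries are constructed to mimic what the Analyzer (dependencies), Scanner (detected licenses) and Advisor (known vulnerabilities) stages hand on, and the package ids, placeholder CVE ids and policy thresholds are assumptions made for this example.

```python
"""Policy evaluation over constructed Analyzer, Scanner and Advisor output."""
from dataclasses import dataclass

# Analyzer stage: every dependency found and how many releases behind the
# newest version it is (constructed values, not real packages).
ANALYZER_RESULT = {
    "Maven:org.example:core:1.2.0": {"versions_behind": 1},
    "NPM::tiny-pad:1.0.0": {"versions_behind": 3},
    "PyPI::oldlib:0.9": {"versions_behind": 14},
}

# Scanner stage: SPDX license identifiers detected in each package's source.
SCANNER_RESULT = {
    "Maven:org.example:core:1.2.0": ["Apache-2.0"],
    "NPM::tiny-pad:1.0.0": ["MIT"],
    "PyPI::oldlib:0.9": ["GPL-3.0-only", "MIT"],
}

# Advisor stage: known vulnerabilities per package with a CVSS-style score.
# The ids are placeholders, not real CVE numbers.
ADVISOR_RESULT = {
    "PyPI::oldlib:0.9": [{"id": "CVE-PLACEHOLDER-1", "severity": 9.1}],
    "NPM::tiny-pad:1.0.0": [{"id": "CVE-PLACEHOLDER-2", "severity": 3.2}],
}


@dataclass(frozen=True)
class Policy:
    """Evaluator rules; the values are illustrative defaults (assumed)."""
    denied_licenses: frozenset = frozenset({"GPL-3.0-only", "AGPL-3.0-only"})
    max_severity: float = 7.0        # at or above this a vulnerability blocks release
    max_versions_behind: int = 10    # older than this only raises a warning


@dataclass(frozen=True)
class Violation:
    rule: str
    package: str
    level: str        # "ERROR" blocks release, "WARNING" is reported only
    message: str


def evaluate(analyzer, scanner, advisor, policy=Policy()):
    """Evaluator stage: apply the policy to the combined stage outputs."""
    violations = []
    for pkg, meta in analyzer.items():
        # Rule 1: a denied license anywhere in the package blocks release.
        for lic in scanner.get(pkg, []):
            if lic in policy.denied_licenses:
                violations.append(Violation(
                    "denied-license", pkg, "ERROR", f"license {lic} is not allowed"))
        # Rule 2: known vulnerabilities; severity decides ERROR vs WARNING.
        for vuln in advisor.get(pkg, []):
            level = "ERROR" if vuln["severity"] >= policy.max_severity else "WARNING"
            violations.append(Violation(
                "known-vulnerability", pkg, level,
                f"{vuln['id']} has severity {vuln['severity']}"))
        # Rule 3: badly outdated dependencies are flagged but do not block.
        if meta["versions_behind"] > policy.max_versions_behind:
            violations.append(Violation(
                "outdated-dependency", pkg, "WARNING",
                f"{meta['versions_behind']} versions behind the latest release"))
    return violations


def report(violations):
    """Reporter stage: summarize violations and decide whether release is allowed."""
    errors = [v for v in violations if v.level == "ERROR"]
    warnings = [v for v in violations if v.level == "WARNING"]
    by_package = {}
    for v in violations:
        by_package.setdefault(v.package, []).append(f"{v.level} {v.rule}: {v.message}")
    return {
        "errors": len(errors),
        "warnings": len(warnings),
        "release_allowed": not errors,
        "by_package": by_package,
    }


if __name__ == "__main__":
    summary = report(evaluate(ANALYZER_RESULT, SCANNER_RESULT, ADVISOR_RESULT))
    print("release allowed:", summary["release_allowed"])
    for pkg, lines in summary["by_package"].items():
        print(pkg)
        for line in lines:
            print("  ", line)
```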

The Unmatched Value Proposition of OCaaS for Clients

Bosch’s OCaaS offers several distinct advantages that are particularly beneficial for organizations grappling with OSS management:

  • Unparalleled Simplification: This is the core benefit. Instead of forcing clients to procure, integrate, and manage a multitude of individual tools for different aspects of OSS compliance and security, OCaaS delivers a single, cohesive platform. This drastically reduces operational complexity, shortens learning curves, and minimizes the overall cost of ownership.
  • Comprehensive Coverage: OCaaS ensures that no stone is left unturned. From initial component discovery to final report generation and ongoing dependency tracking, it provides a full lifecycle management solution, offering peace of mind that all aspects of OSS are being addressed.
  • Enhanced Automation: By automating a significant portion of the analysis and evaluation process, OCaaS not only speeds up compliance checks but also drastically reduces the potential for human error, leading to more consistent and reliable results.
  • Clarity and Transparency: The detailed reports generated by OCaaS provide crystal-clear insights into the software’s composition, potential risks, and compliance posture. This transparency is invaluable for internal stakeholders, legal teams, and external auditors.
  • A Vision for the Future: Bosch’s commitment to OCaaS extends to continuous improvement. Planned next steps include:
    • Package Manager Independence: Further simplifying usage by making OCaaS compatible regardless of the specific package manager employed.
    • ChatBot Integration and AI Optimization: Leveraging artificial intelligence for more intuitive interactions and enhanced analytical capabilities.
    • A More Attractive Community: Fostering a vibrant community of users and contributors to drive collaborative innovation.
    • Curation UI: Developing an improved user interface for manual data curation, offering greater control and flexibility.

Conclusion

Bosch’s OCaaS represents a significant leap forward in addressing the intricate challenges of Open Source Compliance and Security. By ingeniously combining numerous specialized functionalities and powerful tools under a single, user-friendly platform, it doesn’t just answer the fundamental questions for software development teams; it transforms the entire process. OCaaS simplifies complexity, mitigates risks, and empowers organizations to fully harness the benefits of open source, ensuring their products are not only innovative but also legally compliant and secure.


Navigating the Open Road: An Enterprise Approach to FOSS Compliance and Collaboration


At a recent discussion focused on open source compliance and management within large organizations, attendees were given a fascinating glimpse into how a prominent global enterprise is seamlessly integrating Free and Open Source Software (FOSS) into its core operations. The insights shared painted a clear picture of a forward-thinking approach, where FOSS is not just tolerated but actively embraced as a strategic advantage.

The overarching sentiment conveyed was that FOSS is no longer an optional add-on but a standard practice, viewed as a smart business investment. Leadership within the enterprise explicitly states that utilizing and contributing to open source not only helps reduce costs but also cultivates a thriving open-source culture and fulfills a crucial social responsibility. The commitment extends to actively contributing to open source, rather than just consuming it, and sharing internally developed code, positioning the organization as a pioneer in the field.

This commitment is codified in a clear “FOSS Manifest,” guiding both the company’s actions and its employees’ behaviors. For the organization, this means supporting and empowering employees to use, contribute to, and create FOSS projects, dedicating time for FOSS activities, and ensuring visibility within Open Source communities. Employees, in turn, are encouraged to seek out Open and Inner Source alternatives, actively participate in these communities, contribute to relevant projects, and act responsibly, ensuring respectful communication and positive engagement.

A key component of this enterprise’s strategy is establishing robust transparency throughout the software supply chain, primarily through the systematic use of FOSS Software Bill of Materials (SBOMs). The process was described as a well-orchestrated flow: software suppliers deliver their FOSS SBOMs to a dedicated Disclosure Portal. These are then reviewed and approved by product owners and technical governance teams. Once approved, this critical information is used to disclose FOSS components in various products, from applications and mobile apps to the actual vehicles, fostering trust with consumers and users. This meticulous process ensures all FOSS components are properly identified, licensed, and disclosed, effectively mitigating compliance risks.

The discussion further detailed a structured approval process for integrating FOSS, whether from internal teams or external suppliers. It begins in the planning phase, where FOSS policy rules are aligned during purchasing and contractual terms are established. The “Build” phase involves developers generating, reviewing, and refining SBOMs as the software is created, with a final check before release. The “Run” phase marks formal approval and release. For compliant releases, regular review functions are in place, with initial approval being crucial and re-approval required after significant changes or defined periods. This ensures continuous adherence to established policies.

The benefits of this comprehensive system extend to various stakeholders. Product owners gain from standardized SBOM exchange in ISO format, automation through REST APIs and Command Line Interfaces for seamless integration into Continuous Integration/Continuous Delivery pipelines, and access to a comprehensive license database for legal guidance. The system incorporates policy rules and quality checks for obligations management, boasts a user-friendly design, and can automatically generate disclosure notices.

Suppliers also find significant advantages. The Disclosure Portal digitizes the submission of SBOMs, moving away from manual template-filling. They can integrate directly with the portal’s API from their build pipelines. This transparency and policy support allow suppliers to align with their customer’s requirements much earlier in the development lifecycle. Interestingly, the Disclosure Portal and its associated tools are themselves open source, encouraging suppliers to adapt them for their own needs and even contribute back to the project, fostering a truly collaborative ecosystem.
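The SBOM review, approval and re-approval flow described above, as an added example that is not the enterprise's Disclosure Portal code: the SBOM documents are constructed SPDX 2.3 JSON fragments (the field names are SPDX's, the packages are invented), and the approval record layout, the 90-day re-approval period and the rule that any change to the package list counts as a significant change are assumptions made for this example.

```python
"""Approval lifecycle for supplier-delivered FOSS SBOMs (constructed data)."""
import hashlib
import json
from datetime import date

# Constructed supplier submission, complete enough to be approved.
SUPPLIER_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "name": "example-middleware-sbom",
    "packages": [
        {"name": "examplelib", "versionInfo": "1.4.2", "licenseConcluded": "MIT",
         "copyrightText": "Copyright (c) 2024 Example Authors"},
        {"name": "netutils", "versionInfo": "3.0.1", "licenseConcluded": "Apache-2.0",
         "copyrightText": "Copyright (c) 2023 Netutils Contributors"},
    ],
}

# Same product after a dependency upgrade: a significant change for re-approval.
UPDATED_SBOM = {**SUPPLIER_SBOM, "packages": [
    {**SUPPLIER_SBOM["packages"][0], "versionInfo": "1.5.0"},
    SUPPLIER_SBOM["packages"][1],
]}

# Submission a reviewer must send back: license not concluded, version missing.
INCOMPLETE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "name": "incomplete-sbom",
    "packages": [
        {"name": "mysterylib", "versionInfo": "", "licenseConcluded": "NOASSERTION",
         "copyrightText": "NOASSERTION"},
    ],
}

UNRESOLVED = {"", "NOASSERTION", "NONE"}


def review_problems(sbom):
    """Technical governance check: everything that blocks approval of this SBOM."""
    problems = []
    if sbom.get("spdxVersion") != "SPDX-2.3":
        problems.append("unsupported or missing spdxVersion")
    if not sbom.get("packages"):
        problems.append("SBOM lists no packages")
    for pkg in sbom.get("packages", []):
        label = pkg.get("name") or "<unnamed package>"
        if not pkg.get("name"):
            problems.append("package without a name")
        if not pkg.get("versionInfo"):
            problems.append(f"{label}: versionInfo missing")
        if pkg.get("licenseConcluded", "") in UNRESOLVED:
            problems.append(f"{label}: license not concluded")
    return problems


def fingerprint(sbom):
    """Stable hash of the disclosed components, used to detect significant changes."""
    components = sorted(
        (p["name"], p["versionInfo"], p["licenseConcluded"]) for p in sbom["packages"])
    canonical = json.dumps(components, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def approve(sbom, approved_on):
    """Product-owner approval: returns a record, or None if the review found problems."""
    if review_problems(sbom):
        return None
    return {"sbom": sbom["name"], "fingerprint": fingerprint(sbom),
            "approved_on": approved_on}


def needs_reapproval(record, current_sbom, today, max_age_days=90):
    """Re-approval is due after a significant change or after the defined period."""
    changed = fingerprint(current_sbom) != record["fingerprint"]
    age = (date.fromisoformat(today) - date.fromisoformat(record["approved_on"])).days
    return changed or age > max_age_days


def disclosure_notice(sbom):
    """Generate the FOSS disclosure text shown to users of the product."""
    lines = [f"This product contains the following open source components ({sbom['name']}):"]
    for p in sorted(sbom["packages"], key=lambda p: p["name"]):
        lines.append(f"- {p['name']} {p['versionInfo']}, licensed under {p['licenseConcluded']}")
        if p.get("copyrightText") not in UNRESOLVED:
            lines.append(f"  {p['copyrightText']}")
    return "\n".join(lines)


if __name__ == "__main__":
    record = approve(SUPPLIER_SBOM, "2026-01-15")
    print("re-approval needed after upgrade:", needs_reapproval(record, UPDATED_SBOM, "2026-02-01"))
    print(disclosure_notice(SUPPLIER_SBOM))
```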

In summary, the insights shared showcased a sophisticated and proactive approach to managing Open Source Software. It demonstrated how a major enterprise can not only leverage the numerous benefits of FOSS but also establish a framework that ensures compliance, promotes transparency, and encourages collaboration across its entire software development and supply chain, setting a compelling example for others in the industry.


Basics and background: An introduction to Open Source Compliance


Imagine you’re building a car. It doesn’t make sense to invent the engine from scratch, right? All cars have engines. But maybe your car’s specific design, color, or fancy gadgets are what make it unique.

This lecture explains exactly that concept for software:

1. Don’t Build Everything Yourself!

  • The Idea: Save time and money by not re-doing things that already exist or aren’t your “secret sauce.”
  • The Pyramid Rule:
    • Bottom (The Common Stuff): Everything that’s generic and doesn’t make your product special – like the basic operating system (Windows, Linux), drivers, or fundamental libraries. This is the perfect place to use “Open Source” things or collaborate with others. Why build your own operating system if that’s not your main goal?
    • Top (The Special Stuff): The things that make your product unique and make people choose it over others – like your unique user interface design, your special features, or your secret algorithms. Keep these things proprietary, just for yourself!
  • In Short: Use ready-made “common” parts so you can focus your energy on your “special” ideas.

2. What Does “Open Source” Mean?

  • More Than Just “Free” (as in beer): It’s not enough to just see the code. For software to be “Open Source,” it needs a special Open Source License.
  • What This License Allows You To Do: It gives you the freedom to:
    • Use it however you want.
    • Study it (look at the code).
    • Modify it (change it).
    • Distribute it (give copies to others).
  • Important: The license gives you these rights, but it might have conditions too (e.g., if you change it and give it to others, you might have to mention the original creator).

3. Why Do We Need Licenses? (A Little About Copyright)

  • Software is Like a Book: Copyright law protects “works” – books, music, photos… and software! It’s understood that someone “writes” code, just like an author writes a book.
  • Who is the Author? Always a human.
  • A License is Permission: By default, the law forbids you from copying or changing someone else’s work without their permission. A license is exactly that permission! It tells you: “Okay, you can do X, Y, and Z, but you have to follow these rules.”
  • What If You Don’t Follow the Rules? If you break the license’s rules, you can lose your rights to use the software.
  • Without a license, the “default” state applies: copyright law governs, and any copying or distribution is prohibited.

To put it simply:

Use “open” things for the common parts of your software to save effort. Keep your unique ideas secret. All of this works because “Open Source” licenses give you clear rules about what you can and can’t do with the software.


OpenAnolis Announces Adoption of ISO/IEC 18974


OpenAnolis officially announced that it has met the OpenChain ISO/IEC 18974 standard, becoming one of the few open-source operating system communities worldwide to receive this authoritative security accreditation. As an open-source community jointly built by enterprises, academic institutions, research organizations and individual developers, OpenAnolis has long been committed to creating a secure, reliable, and compliant digital infrastructure foundation. This certification marks a significant milestone in the community’s progress in open-source security governance.

ISO/IEC 18974, initiated by the OpenChain Project, defines the core requirements for open-source software security assurance programs, focusing on an organization’s ability to identify, respond to, and manage known security vulnerabilities such as CVEs and dependency issues. By establishing a comprehensive lifecycle security governance framework, OpenAnolis has implemented standardized processes for vulnerability monitoring, incident response, code security auditing, and software supply chain protection, ensuring trustworthiness in critical scenarios such as cloud-native environments and AI computing. The community has also developed SBOM (Software Bill of Materials) capabilities to enable transparent dependency management. With automated toolchains and AI Agents, OpenAnolis continuously performs intelligent vulnerability detection and remediation, providing strong security assurance for downstream OS distributions and industry users.

Long Qin, Chairman of the OpenAnolis Security Alliance, said: “The OpenAnolis Community’s OpenChain ISO/IEC 18974 certification is of great significance to the development of the community’s security capability. In the era of integration between AI and cloud-native technologies, the security boundaries of operating systems have evolved beyond traditional patching to a holistic and proactive defense system that addresses heterogeneous computing, complex software supply-chain dependencies, and emerging threats caused by intelligent technologies. OpenAnolis will continue to invest in security innovation and work with global developers to build a trustworthy open-source ecosystem that supports the intelligent computing era.”

Liu Dapeng, Head of the OpenAnolis Standardization SIG, said: “OpenChain ISO/IEC 18974 provides open source communities with an authoritative guideline for software supply chain security governance and compliance management, laying a solid foundation for OpenAnolis to enhance collaboration efficiency and build ecosystem-wide trust. Looking ahead, the OpenAnolis Standardization SIG will continue to actively engage in OpenChain standard development under the Linux Foundation, striving to contribute OpenAnolis’ practical experience to international standards and working hand-in-hand with partners to co-create a secure, transparent, trustworthy, and thriving open source operating system ecosystem.”

About OpenAnolis

Founded in 2020, OpenAnolis is an international open-source root community for Linux server operating systems, focusing on cloud computing, edge computing, and AI computing scenarios. The community has brought together more than 1,000 ecosystem partners and released core distributions such as Anolis OS 23, providing full support for x86, ARM, and RISC‑V architectures. OpenAnolis technologies are widely deployed across cloud-native and intelligent computing fields.

About the OpenChain Project

Led by the Linux Foundation, the OpenChain Project promotes open-source license compliance (ISO/IEC 5230) and security assurance standards (ISO/IEC 18974), helping organizations establish efficient open-source compliance and security management systems. With over 1,000 global enterprise participants, OpenChain is a key international force in securing and standardizing the open-source supply chain.

About the Linux Foundation

The Linux Foundation is the world’s largest open-source collaboration platform, supporting critical infrastructure projects such as Linux, Kubernetes, and Node.js. Through standardization, community operations, and industry collaboration, it drives sustainable development of open-source technologies across software, hardware, and data domains.


OpenChain and Friends event series


The OpenChain project plans to facilitate regional events with local representatives of diverse Open Source Communities using #openchainandfriends (see e.g. LinkedIn).

OpenChain and Friends events characteristics

Diversity – OpenChain and Friends events typically have the following characteristics:

  • Common denominator for communities and topics: Open Source and the supply chain
  • OpenChain workgroup and topic-structure as main skeleton of the event/meetup
  • Supported by OpenChain Ambassadors
  • Free event (ideally hosted in venue(s) provided by community members)
  • Typically as fringe event to global community events to join forces
  • Inclusive – everyone is welcome and diversity in the agenda
  • Open Source Community Marketplace as possibility for Community representatives to reach out for new members and contributors

Inclusiveness – The OpenChain project will try to facilitate the events with the following boundaries

  • Schedule should also provide young families the opportunity to participate in networking / socializing activities
  • Local women network inclusion
  • Enabling the next generation of Open Source Community members (e.g. new speakers can use the stage for first steps, teach Open Source handling basics, …)
  • Local for local (local communities meeting local attendees, ideally in the local language, with English as fall-back for international attendees)

Efficiency – As community-driven events, the OpenChain Project tries to be as efficient as possible

  • In-person (no live-streaming, no recordings as a default)
  • Quality over quantity (no pressure to have huge number of attendees)
  • Webinar-follow-ups as additional online offering for speakers
  • Optional: Accompanying Blog

CJ OliveYoung Becomes the First in the Korean Beauty Industry to Declare Open Source International Standard Certification


  • Olive Young becomes the first in the domestic health and beauty (H&B) industry to declare the open source international standard ‘ISO/IEC 5230:2020’ certification.
  • Proves the security and transparency of its open source management system… Lays the foundation for securing reliability for its overseas services.
  • “As the leading K-beauty platform, we will continue to advance our open source management system in accordance with global standards.”

CJ Olive Young (hereinafter “Olive Young”) announced on the 9th that it has declared the open source international standard ‘ISO/IEC 5230:2020’ certification, marking a first in the domestic health and beauty (H&B) industry.

‘ISO/IEC 5230:2020’ is the sole international standard that evaluates a company’s open source license compliance system and management capabilities. Open source refers to publicly available source code that anyone can use freely. While it offers the advantage of reducing development costs and time, its transparent nature can also expose security vulnerabilities, making it crucial to strictly adhere to relevant license regulations. Accordingly, the certification is awarded only to companies that meet the criteria through a comprehensive evaluation of their compliance capabilities, including open source software policies and processes, the expertise of dedicated organizations and personnel, and relevant training.

This certification is highly significant as it officially recognizes that the security and transparency of Olive Young’s open source management system—as the company leaps forward as a ‘global beauty-tech platform’—fully meet international standards. As Olive Young accelerates its global expansion, including the opening of its first offline store in the U.S. this coming May, this achievement is expected to serve as a pivotal momentum in enhancing the stability and reliability of its services overseas.

Olive Young has been meeting the criteria for this international standard by establishing a robust open source management system since 2023. The company designated a dedicated organization and personnel for open source verification and management, and formed an ‘Open Source Council’ to establish a systematic approach for identifying and managing potential risk factors. Furthermore, it implemented internal open source management regulations and a strict process that mandates open source verification during system development. It also currently operates an automated system for verifying open source licenses and inspecting security vulnerabilities.

An official from Olive Young stated, “This certification is an acknowledgment of Olive Young’s proactive efforts, including the nurturing of IT talent and the establishment of an internal management system.” The official added, “As the representative platform for K-beauty, we will continue to advance our open source management system in strict alignment with global standards.”


Our New Executive Director for OpenChain


New Executive Director of OpenChain Project

We are pleased to announce that Mary Meixia Wang has joined the OpenChain Project as our new Executive Director.

We extend our sincere gratitude to our board members and contributors for their continued dedication and support. We would also like to recognize the pioneering leadership of Shane Coughlan whose vision and commitment have been instrumental in establishing OpenChain’s global success.

Mary Wang brings extensive experience in software development and open source governance, with particular expertise in the telecommunications and automotive sectors. Her leadership will be vital as we continue to advance our mission: to build a supply chain in which open source is delivered with trusted and consistent process management information.

Under Mary’s guidance, we are confident that OpenChain will further strengthen its global impact, expand cross-industry adoption, and drive practical innovation aligned with the evolving open source ecosystem.

Please join us in welcoming Mary to her new role. We look forward to the next chapter of OpenChain’s journey and will share further updates in the months ahead.

OpenChain and Friends Stuttgart 2026


“OpenChain and Friends” is an in-person community event focused on open source software supply chain management, compliance, and collaboration. It’s organized by the OpenChain Project in partnership with local and international communities, such as The FOSS-LÄND Community. The event takes place in Stuttgart, Germany and gathers people working with open source across different industries.

A preliminary schedule is available on the event website: OpenChain and Friends in Stuttgart 2026

Please register for this free in-person event on the 24th, 25th and 26th of March 2026 in Stuttgart and regularly visit our event website to monitor the progress or even get involved yourself!

Hitachi Energy achieves OpenChain (ISO 5230) Certification, reinforcing commitment to Open Source excellence


Hitachi Energy is proud to announce that it has achieved OpenChain (ISO 5230) certification, the leading global standard for open source compliance. This milestone underscores our dedication to delivering products that meet the highest standards of quality, security, and transparency.

By attaining ISO 5230 certification, Hitachi Energy demonstrates a mature and reliable open source compliance program that partners and customers can trust. This achievement reduces legal and operational risks, streamlines documentation, and ensures consistent, well-governed use of open source technologies across our organization. It also strengthens our position in global supply chains, where ISO 5230 certification is increasingly recognized as a mark of professionalism and readiness for evolving regulatory requirements such as the Cyber Resilience Act. The certification brings tangible benefits to our customers and partners. It enables faster collaboration and onboarding, minimizes audit requirements, and ensures predictable, high-quality products through standardized and repeatable compliance processes. Ultimately, it reflects our commitment to building trust and fostering strong relationships throughout the technology ecosystem.

Achieving OpenChain certification is more than a milestone, it is a statement of our ongoing dedication to responsible open source use, industry best practices, and continuous improvement. Hitachi Energy remains focused on driving innovation while maintaining the highest standards of governance and security across all our products and services.

About Bureau Veritas:

Bureau Veritas is a globally recognized leader in inspection, conformity assessment, and certification services, with a presence in countries worldwide.

Founded in 1828, it supports clients in improving performance through innovative solutions and services aimed at verifying that products, assets and processes meet mandatory and voluntary standards in quality, health and safety, environment and social responsibility (QHSE-SA).

Bureau Veritas offers a comprehensive cybersecurity services portfolio, leveraging global expertise to ensure a consistent customer experience across all areas of cybersecurity.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Check Out The Publicly Announced Community of Conformance:
https://openchainproject.org/community-of-conformance

Panasonic Automotive Systems Announces OpenChain ISO/IEC 5230 Conformance


Today Panasonic Automotive Systems has announced an OpenChain ISO/IEC 5230 conformance program. As a leading Tier 1 automotive supplier, Panasonic Automotive Systems is at the forefront of both using and effectively managing open source technology.

“During the certification process, we worked to improve the reliability of our OSS usage and products by structuring OSS utilization processes and building a highly secure management system,” said Masashige Mizuyama, Executive Vice President and Chief Technology Officer at Panasonic Automotive Systems. “We have actively contributed to the industry by promoting the standardization and open-sourcing of VirtIO, an open-source virtualization technology. Taking this certification as an opportunity, we will continue to provide high-quality and highly reliable solutions leveraging OSS, and contribute to the expansion and sustainable growth of the open source ecosystem in the in-vehicle device industry.”

“We are delighted to welcome Panasonic Automotive Systems into our community of conformance,” says Shane Coughlan, OpenChain General Manager. “Adoption of OpenChain ISO/IEC 5230 has been exceptional across the automotive supply chain, and the influence and inspiration provided by Tier 1 adoption cannot be overstated. We look forward to working with the Panasonic Automotive Systems team in the months and years ahead.”

About Panasonic Automotive Systems Co., Ltd.:

Panasonic Automotive Systems Co., Ltd., (PAS) was launched on April 1, 2022 as an operating company responsible for the automotive systems business in line with the start of the Panasonic Group’s operating company system, and on December 2, 2024 the company moved to a management structure in which 80% of its shares are held by the funds managed by an affiliate of Apollo Global Management, Inc. and 20% by Panasonic Holdings Corporation.

Headquartered in Japan, PAS is a global company with subsidiaries in eight other countries and, as a Tier 1 company, it provides advanced proprietary technologies such as infotainment systems to automakers in Japan and overseas, helping to create comfortable, safe, and secure automobiles. PAS is committed to meeting the expectations of its customers around the world with technologies that stand by people in pursuit of its corporate vision of becoming the “Joy in Motion” design company. To learn more about our company, please visit https://automotive.panasonic.com/en
