It is proposed to have a short work-stream involving co-ordinating the various case studies which the OpenChain Project has collated over time. We had some great examples at the Open Compliance summit and it would be fantastic to be able to incorporate these into the portfolio, and to make the portfolio as a whole more accessible and better structured.
Be part of this:
You can get involved with the OpenChain Education Work Group through their dedicated mailing list. At this link, you will also find connections to other working groups around the world:
“It is a pleasure to list HARMAN International in our community of conformance,” says Shane Coughlan, OpenChain General Manager. “Their alignment with ISO/IEC 5230, the international standard for open source license compliance, underscores their commitment to excellence in the use and deployment of open source software. We deeply appreciate their work, and listing them in the OpenChain Community of Conformance.”
About HARMAN
HARMAN (harman.com) designs and engineers connected products and solutions for automakers, consumers, and enterprises worldwide, including connected car systems, audio and visual products, enterprise automation solutions; and services supporting the Internet of Things. With leading brands including AKG®, Harman Kardon®, Infinity®, JBL®, Lexicon®, Mark Levinson® and Revel®, HARMAN is admired by audiophiles, musicians and the entertainment venues where they perform around the world. More than 50 million automobiles on the road today are equipped with HARMAN audio and connected car systems. Our software services power billions of mobile devices and systems that are connected, integrated and secure across all platforms, from work and home to car and mobile. HARMAN has a workforce of approximately 30,000 people across the Americas, Europe, and Asia. In March 2017, HARMAN became a wholly-owned subsidiary of Samsung Electronics Co., Ltd.
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
We held our regular Monthly North America and Europe Call on the 5th of November. The focus was on discussing the Public Comment period for our draft proposed updates to the licensing and security specifications, and closing any open comments / issues around the draft documents.
We keep all the slides from our monthly calls online and they can be a useful way to access direct links and more details:
The OpenChain AI Study Group held its regular workshop on the 5th of November. This meeting focused on discussion around the draft scratchpad for management of AI BOMs, and the conversion of this study group into a formal working group.
Watch the Recording
Track This Work
You can follow and contribute to the work of the OpenChain AI Study Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
During the Open Compliance Summit 2024 in Tokyo on the 31st of October, Roberto Di Cosmo (Founder & Director, Software Heritage; Chair of the Software Chapter of the French National Committee for Open Science), presented on the topic of ‘Compliance and Integrity in the Software Supply Chain with Software Heritage: A Call to Action.’
This presentation explored how Software Heritage’s initiatives, including the SWHID (Software Hash Identifier) and the upcoming “Code Commons” project, are poised to enhance compliance across the software supply chain. By integrating with SPDX and contributing to global standards, Software Heritage not only guarantees the availability and integrity of software source code, but also drives forward the business management of open source.
His presentation can be found below:
About Software Heritage
Software Heritage, launched by Inria in 2016 in partnership with UNESCO, is a global non profit long term initiative to collect, preserve and make easily accessible all publicly available source code. As the reference infrastructure for archiving and referencing, it offers unparalleled potential to address these challenges.
During the Open Compliance Summit 2024 in Tokyo on the 30th of October, Tadayuki Osaki (Standards and OSS community Manager, Legal & Intellectual Property Unit) and Yuchang Cheng (Senior Research Manager, Artificial Intelligence Laboratory), presented on the topic of Fujitsu’s OSS Standards Conformance and AI Management System Standardization Participation.
Their presentation can be found below:
About Fujitsu
Fujitsu’s purpose is to make the world more sustainable by building trust in society through innovation. As the digital transformation partner of choice for customers in over 100 countries, our 124,000 employees work to resolve some of the greatest challenges facing humanity. Our range of services and solutions draw on five key technologies: Computing, Networks, AI, Data & Security, and Converging Technologies, which we bring together to deliver sustainability transformation. Fujitsu Limited (TSE:6702) reported consolidated revenues of 3.7 trillion yen (US$26 billion) for the fiscal year ended March 31, 2024 and remains the top digital services company in Japan by market share. Find out more: www.fujitsu.com.
Fujitsu, an OpenChain Platinum Member since 2019, and the first organization to publicly attain four OpenChain ISO/IEC 5230 or equivalent conformant programs, has announced an ISO/IEC 18974 conformant program. Adoption of ISO/IEC 18974, the international standard for open source security assurance, underlines their commitment to leadership in open source governance and management.
“Fujitsu has been a key long-term contributor to the OpenChain Project,” says Shane Coughlan, OpenChain General Manager. “Their adoption of ISO/IEC 18974 is an important milestone in the market adoption of the international standard for open source security assurance, and will have a positive impact across the open source supply chain in Asia and globally.”
About Fujitsu
Fujitsu’s purpose is to make the world more sustainable by building trust in society through innovation. As the digital transformation partner of choice for customers in over 100 countries, our 124,000 employees work to resolve some of the greatest challenges facing humanity. Our range of services and solutions draw on five key technologies: Computing, Networks, AI, Data & Security, and Converging Technologies, which we bring together to deliver sustainability transformation. Fujitsu Limited (TSE:6702) reported consolidated revenues of 3.7 trillion yen (US$26 billion) for the fiscal year ended March 31, 2024 and remains the top digital services company in Japan by market share. Find out more: www.fujitsu.com.
About the OpenChain Project
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
When we think about Software Build of Materials, we are looking at what might be a multi-dimensional space consisting of hierarchy, linking, modification, export restrictions, security vulnerabilities, distribution type, versions, etc. Care must be taken when setting up the SBOMs to both list the components used and to show how they are incorporated into your products. This webinar discusses how a visualization of such meta-information was implemented to display the relationships and potential risks in a quick and in easy-to-understand way. It was part of a research project funded by the Federal Ministry for Economic Affairs and Climate Protection (BMWi) and with the Bonn-Rhein-Sieg University of Applied Sciences and Bitsea.
Watch The Recording
About Our Speaker
Dr. Andreas Kotulla is the Founder & CEO of Bitsea GmbH. He is specialized in auditing software systems and identifying hidden risks for companies. We support the technical due diligence and advise operators of critical infrastructure (KRITIS). He advises customers on Open-Source-Strategy, Open-Source-Governance, Open-Source-Processes, toolchains and offers an Open-Source-Program-Office (OSPO) and scanning as a managed service.
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
In this SBOM Study Group meeting, Ninjouji-san from Toshiba lead an overview of various regulations and guidelines, and drove discussion around what is needed for future meetings.
The OpenChain Education Work Group has been working on developing a simplified capability model to assess a company’s capability in open source license compliance against ISO 5230:2020.
In this session, we presented the simplified model, and invited questions and comments about how to improve it.
You can find the working version of the model here: