
OpenChain Japan Work Group Meeting #28 – Hybrid #3 – 2023-07-11

By News

The OpenChain Japan Work Group held its 28th meeting (3rd hybrid) on the 11th of July. This meeting contained an exceptional roster of speakers and topics covered. OpenSSF, SPDX 3.0, OSPO leadership, education material and addressing common licensing misunderstandings. You name it, we covered it. Check out the recording below in Japanese for details:

Be part of this:

Everyone is invited to be part of the OpenChain Japan Work Group and contribute to (or simply participate in) future activities.

https://lists.openchainproject.org/g/japan-wg

OpenChain Monthly Specification Development Calls – July 2023

By News

During July we had two excellent calls covering the next generations of our license compliance and security assurance specifications.

The first call took place on the 11th of July and allowed North American and European contributors to gather:

The second call took place on the 18th of July and allowed North American and Asian contributors to gather:

Two GitHub issues were central to the discussion:

Align “Terms and Definitions” in Section 2 with Licensing Spec 3.0

Adjust SBOM definition to align with Licensing Spec 3.0

Initially scoped to focus on the Security Assurance specification, the conversations led to improved material for the License Compliance specification as well.

The discussion then proceeded on a related topic:

What is a quality or complete SBOM for licensing or security use cases?

This issue is actively soliciting comments. It is significantly influenced by the forthcoming Telco Spec:

Next Steps

There is a next step to review what the SPDX Lite proposal from the OpenChain Japan community covers:

(See slides 25 and 26)

They have already submitted SPDX Lite for the forthcoming SPDX 3.0 specification via this pull request at the SPDX Project:

Open Issues

Of course, both the next generation License Compliance specification and the next generation Security Assurance specification also have pre-existing open issues for review:

Licensing:

Security:

External: Writing a Formal IT Specification

By News

Join a Complimentary Live Webinar Hosted by The Linux Foundation on August 9, 2023 | 08:00 AM PDT (UTC-7)

A formal specification for an IT project allows implementers to understand what is required to build an implementation (or create a process) that conforms to that specification, and it allows a conformance test suite (or checklist) to be developed that can be used to check an implementation’s conformance. Users of tools that (partly or fully) conform to that specification can use the specification to learn the potential impact of moving source code, data, or processes between different implementations.

This presentation outlines a number of considerations involved when creating a formal IT specification, in general, and for software, in particular, such as a programming language or library.

[Note: this will NOT be specific to making an ISO standard; that will be the subject of another webinar.]

Register on the official website:

External: SAP’s Outbound Open Source Processes

By News

On a recent InnerSource Commons Community Call there was some informal discussion about outbound processes, and the conversation briefly touched on the Open Source outbound process of SAP.

Here are the public references around SAP’s Outbound Open Source Process:

It is also worth noting that a member of the SAP team is active in TODO Group, so adjacent material like A Guide to Outbound Open Source Software may also be of interest.

On the related topic of compliance tooling, a team at SAP is working on the Open Component Model (https://ocm.software/docs/overview/context/), an open source standard for defining extendable machine-readable Software Component descriptors that could be used in compliance automation. This fits neatly into the type of topic covered by the OpenChain Automation Work Group.

Huge thanks to Guilherme Dellagustin for preparing and sharing these links.

External: Central Abstraction Model as a Single Source of Truth for Compliance and Vulnerability Software with Open Source Approach

By News

This is from one of our board members, Helio at CARIAD, and is a worthy read on the topic. As per the abstract:

The current software compliance landscape relies strongly on de-facto SBOM standards as the correct relevant documents to attest to all the end needs. One consistent issue in the generation of these documents is the data gathering among multiple sources of information, as none of the tools provide everything, the so-called magic silver bullet.

As a solution, a central placement of unique data shared by all tooling would be ideal, but achieving this with multiple tools that do not communicate with each other is unlikely to be an easily solvable task.

The idea of abstracting the SST (Single Source of Truth) is to provide a stable contractual interface where the data connection between tooling and storage could be decoupled and used with the discretion of developers and companies’ choice, preventing polarization and hurdles on the platform engineering architecture.

Read The Article

OpenChain Telco Work Group Meeting 2023-07-06

By News

The OpenChain Telco Work Group is completing their work on a reference Telco SBOM specification.

This specification outlines certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this specification can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs.

Check out the current draft here:

https://github.com/OpenChain-Project/Telco-WG/blob/main/OpenChain%20Telco%20SBOM%20Specification.md

Check out the Japanese translation here:

https://github.com/OpenChain-Project/Telco-WG/blob/main/OpenChain%20Telco%20SBOM%20Specification_JP.md

(Thank you Masahiro Daikoku from KDDI!)

Watch one of the meetings to finalize the specification below:

Be part of this:

https://lists.openchainproject.org/g/telco

Register now: OpenChain Germany Work Group Meeting – 2023-09-28

By News

The OpenChain Germany Work Group will hold its next meeting just after the Bitkom Forum Open Source 2023 in Erfurt, Germany on the 28th of September 2023. As always, everyone is welcome to contribute and participate. PwC will be hosting once again (thank you Marcel and team!), and we will have a series of presentations and discussions relevant to open source delivery in complex supply chains. The event will be under Chatham House Rule to encourage open discussion.

OpenChain Japan Work Group Meeting #28 – 2023-07-11 – Keynote Slides

By News

The 28th meeting of the OpenChain Japan Work Group (3rd hybrid) covered a lot of topics. There were presentations and case studies, but also breakouts and plenty of open discussion. The event was under Chatham House Rule, so recordings are not available, but Shane Coughlan (OpenChain General Manager) has released his keynote slides for everyone to review. They include the first insights from our recent OpenChain Industry Survey.