This webinar features an update on ClearlyDefined by Nick Vidal at the Open Source Initiative (OSI). A lot has happened since we last covered this project for open source metadata, including the move to a new home at OSI.
About The Project
ClearlyDefined and its parent organization, the Open Source Initiative, are on a mission to help FOSS projects thrive by being clearly defined. Lack of clarity around licenses and security vulnerabilities reduces engagement – that means fewer users, fewer contributors and a smaller community.
As such, the goals of the project are to:
Raise awareness about this challenge within FOSS project teams
Automatically harvest data from projects
Make it easy for anyone to contribute missing information
Crowd-source the curation of these contributions
Feed curated contributions back to the original projects
The first meeting of the Legal Work Group took place on the 25th of April 2023. We explored model provisions for including OpenChain ISO/IEC 5230 and OpenChain ISO/IEC DIS 18974 (and potentially other standards) in procurement contracts or similar material.
The goal is to ensure people can understand options. We will not be prescriptive and these model provisions will remain part of the OpenChain reference material. They will not be included in the standards themselves.
Our outcome was to use this basic format as a way to structure our first round of model provisions, and to have the option of merging the documents in the future.
This is a continuation of the risk grid that:
makes a first attempt to reorder the issues based on their granularity, highest first;
adds the issue title to the issue number for ease of navigation; and
merges the Commentary and Comments fields to reduce redundancy.
This version removes issue numbers because the titles replace the numbering, and it avoids long term issues with quotations of different issue numbers across different versions of the risk grid.
The OpenChain License Compliance (ISO/IEC 5230) and Security Assurance standards provide simple and effective ways for companies in the supply chain to improve open source software management. Organizations around the world have engaged with these standards over the last five years for cost reduction, time optimization and to allow staff to work on tasks directly related to improving products and services. Data suggests significant traction in adoption, with an example being a recent PwC-sponsored survey showing 20% of German companies with more than 2,000 employees using ISO/IEC 5230. This talk will explain how the OpenChain Project is building the support structures needed to accomplish ever broader market adoption, ranging from community activities to reference material to a commercial ecosystem. It will focus on recent developments, especially around expanding work in security, in editing the next generations of the standards, and in lessons learned to revise our supplier education material. Attendees will leave this talk knowing current options for assessment, deployment and – in the case of customer companies – encouraging suppliers to use these standards too.
Next up was Philippe Ombredanne (a.o. https://aboutcode.org), who gave a talk on April 13th 2023 on automated tooling to understand dependencies and handle vulnerabilities in an open and transparent manner.
Thursday May 4th 2023 // 13.00 – 14.30 CEST (Amsterdam, Berlin, Rome)
Speakers: Carlo Piana & Alberto Pianon.
Topic: The importance of a Software Bill of Materials in light of the upcoming Cyber Resilience Act and product liability legislation in Europe.
More info:
As the dependency of society on technology continues to increase in every possible direction, it is of the utmost importance to understand the dynamic life cycle of the free and open source building blocks that form the basis of pretty much all technology we use today – and how these can be kept safe and available.
Not only do we need to improve our understanding of how and where software is developed, maintained, built and deprecated at macro scale – we also need to create mechanisms to ensure that building blocks are kept up to date, that different versions don’t collide, and that FOSS packages from public repositories have not “bit-rotted” or, even worse, been tampered with by malicious actors as part of a “supply chain attack”. There has been increasing attention to the fact that, with software “eating the world”, a healthy and robust software ecosystem should be a key societal (and thus political) priority. But at the same time, we should pursue this with a full understanding of the highly specific nature of “digital commons” – as the controversy surrounding the upcoming Cyber Resilience Act clearly shows.
In this series of webinars by leading experts such as Armijn Hemel (Tjaldur), Shane Coughlan (OpenChain), Carlo Piana (OSI), Alberto Pianon (Eclipse Compliance Toolchain Project Lead) and Philippe Ombredanne (AboutCode) we look at software supply chains from different angles. What do modern electronics supply chains look like, how is provenance handled – and how *should* it be handled? What mechanisms do we have to verify the integrity of deployed code packages and detect abnormal code changes that may be signs of malicious modifications and possible attacks? Where do “Software Bill of Materials” come into play? And what is being done, and perhaps should be done from a legislative and governance point of view?
The entire webinar series is available free of charge, and will allow you a deep dive into the hidden world behind the software and hardware we use – and will help you get a clear understanding of how open source supply chains work, and a grasp of what the policy challenges are.
The OpenChain Project was featured at the FSFE Legal and Licensing Workshop 2023 held in Gothenburg, Sweden during April. This annual event brings together legal experts from around the world to talk about open source and open-related legal matters.
The OpenChain Project has been featured at the 2nd China Automotive Cyber Security and Data Security Conference 2023 in a talk delivered by Zhang JunXia of CAICT. This is part of our long-running collaboration to help companies of all sizes in the Chinese market to adopt and use ISO/IEC 5230, the international standard for open source license compliance.
The OpenChain Project was invited to provide a keynote to the Info Event Open Source hosted by Software Allianz in Germany on the 14th of April. You can check out a recording of the talk and our slides below.
LG Electronics (LG) now has an OpenChain Security Assurance Specification 1.1 (ISO/IEC DIS 18974) conformant program. This standard defines the key requirements of a quality open source security assurance program, and helps to both reduce errors and increase efficiency across the global supply chain. This builds on their previous adoption of ISO/IEC 5230, the International Standard for open source license compliance.
“LG Electronics has a long history in open source and a well-known open source office,” says Shane Coughlan, OpenChain General Manager. “Their governance contributions like the FOSSLight tooling to help other companies has been an inspiration in South Korea and beyond. The conformance announcement today comes from the LG Cybersecurity Governance Team and underscores a company-wide commitment to excellence. As LG joins BlackBerry and Interneuron in driving the future of open source security assurance, we both welcome this announcement, and look forward to close collaboration in the future.”
Adoption of ISO/IEC DIS 18974 was driven by the LG Cybersecurity Governance Team. They are responsible for:
Establishing LG’s software development process (LG-SDL: Secure Development Lifecycle) to develop secure software for all LG Electronics products
Reflecting the latest Global Standards (ETSI, ENISA, NIST, etc.) and adapting them for the LG development ecosystem
Operating LG VulDOC (Vulnerability Detection Of Code) DevSecOps to identify and resolve potential security vulnerabilities through various software verification methods
Managing the LG Product Security Response Team (PSRT) to minimize security damage to our customers through authentic communication with security registrants and external stakeholders
Managing supply chain risk for third-party developed software
About LG Electronics
LG Electronics is a global innovator in technology and consumer electronics with a presence in almost every country and an international workforce of more than 74,000. LG’s four companies – Home Appliance & Air Solution, Home Entertainment, Vehicle Component Solutions and Business Solutions – combined for global revenue of over KRW 80 trillion in 2022. LG is a leading manufacturer of consumer and commercial products ranging from TVs, home appliances, air solutions, monitors, service robots and automotive components, and its premium LG SIGNATURE and intelligent LG ThinQ brands are familiar names the world over.
About the OpenChain Project
The OpenChain Project maintains the International Standard for open source license compliance and the de-facto standard for open source security assurance. These allow companies of all sizes and in all sectors to adopt the key requirements of quality open source compliance or security assurance programs. They are open standards. All parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standards.
About The Linux Foundation
The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.
Linux is a registered trademark of Linus Torvalds.
ByteDance, a leading social media company, and the innovator behind TikTok, has announced an OpenChain ISO/IEC 5230 conformant program. Their adoption of the international standard for open source license compliance underlines their commitment to engagement and excellence around open source projects, platforms and solutions.
“We are delighted to welcome ByteDance to the OpenChain ISO/IEC 5230 community of conformance,” says Shane Coughlan, OpenChain General Manager. “Their team has created social networks with stunning speed of scaling in Douyin (抖音) and TikTok. This innovation has been powered by open source, and their work around building an Open Source Program Office (OSPO), communicating their work, and now using international standards speaks to a bright future. We are looking forward to next steps in our collaboration.”
ByteDance was founded in 2012 by a team led by Yiming Zhang and Rubo Liang, who saw opportunities in the then-nascent mobile internet market, and aspired to build platforms that could enrich people’s lives. The company launched Toutiao, one of its flagship products, in August 2012. It followed that success with the launch of Douyin in September 2016. Approximately a year later, ByteDance accelerated globalization with the launch of its global short video product, TikTok. It quickly took off in markets like Southeast Asia, signaling a new opportunity for the company. ByteDance acquired Musical.ly in November 2017 and subsequently merged it with TikTok. Today, the TikTok platform, which is available outside of China, has become the leading destination for short-form mobile videos worldwide.
In support of its mission to Inspire Creativity and Enrich Life, ByteDance has made it easy and fun for people to connect with, create and consume content. People are also able to discover and transact with a suite of more than a dozen products and services such as TikTok, CapCut, TikTok Shop, Lark, Pico and Mobile Legends: Bang Bang, as well as products and services specific to the China market, including Toutiao, Douyin, Fanqie, Xigua, Feishu and Douyin E-commerce.
ByteDance has over 150,000 employees based out of nearly 120 cities globally, including Austin, Barcelona, Beijing, Berlin, Dubai, Dublin, Hong Kong, Jakarta, London, Los Angeles, New York, Paris, Seattle, Seoul, Shanghai, Shenzhen, Singapore, and Tokyo.
We had a really busy and productive OpenChain Education Work Group call last week. The focus was on our Wikipedia page and on a new, smart and easy way to recreate flowcharts and other material in Markdown.