News

The OpenChain Project GPLv2 Compliance Flowcharts have been updated. Originally published in the book Practical GPL Compliance, these flowcharts are intended to help address some common compliance workflows. Thanks to Jacob Wilson, they have been moved into MarkDown format, and can now be easily added to websites, elearning platforms and more.

Example: Flowchart #0 – How Do I Distribute

You can access and download these flowcharts in our Reference Library. Like the rest of our material, they are released under CC-0 licensing.

Get The Flowcharts Now

• https://github.com/OpenChain-Project/Reference-Material/tree/master/General-Compliance-Support-Material/Flowcharts/GPLv2-Compliance-Flowchats/2.0/en

The Tool We Used

These flowcharts were created using the Mermaid Live Editor.

This time around we focused on editing the OpenChain license compliance specification. This is the potential future update of ISO/IEC 5230. Helio lead the discussion with support from Chris as co-chairs.

We covered two issues during the call:

• Consider adding definition of ‘bill of materials’ – OUTCOME: ISSUE STILL NEEDS WORK
  https://github.com/OpenChain-Project/License-Compliance-Specification/issues/35
• Move “Access” to be part of “Compliance Artifact Delivery” – OUTCOME: ISSUE CLOSED
  https://github.com/OpenChain-Project/License-Compliance-Specification/issues/53

Check out the full recording and our slides below. On the next call (3rd Tuesday, North America and Asia) we will cover some of the open issues around the potential future update of the OpenChain security specification (ISO/IEC DIS 18974).

OpenChain North America and Europe Meeting – 2023-04-04 from Shane Coughlan

Summary of Meetings from the Chair (Marc-Etienne)

Meeting 2023-04-06 morning

Attendees:

• Stephen Kilbane, Analog Devices Inc.
• Nikola Babadzhanov, Bosch
• Anton Bashlykov, MBition
• Marc-Etienne Vargenau, Nokia

We reviewed the pull requests and merged them:

• added the definition of “SBOM Type” from CISA and used it in section 3.7 “SBOM Build information”
• updated section “3.13 SBOM Verification”, added recommendation to provide a digital signature of the SBOM
• updated section 3.5.2, added rationale for the tag:value format, indicating it is the most human-readable format
• updated several “Verification and reference material” and “Rationale” sections
• added “5. References” section, providing references for SPDX, OpenChain and “NTIA minimum elements”

Meeting 2023-04-06 afternoon

Attendees:

• Alfred Strauch, SmartTalk Security Inc.
• Chris
• Marc-Etienne Vargenau, Nokia

We review the pull requests that were merged in the morning meeting.

Alfred points out the use case of a software that has its name changed and asks how this should be handled.

Alfred suggests that I join the SBOM Forum. He will introduce me to Tom Alrich. The forum groups several companies including Red Hat, Oracle, Microsoft and companies producing medical devices. One of the creators of CycloneDX is a member.

Outcome

The draft document is now complete. Please review it and share you comments and suggestions in the mailing list or on GitHub by creating issues or pull requests.

• https://github.com/OpenChain-Project/Telco-WG

Morning Meeting Recording

Afternoon Meeting Recording

The OpenChain Project will host an afternoon mini-summit with a focus on:

• How OpenChain process standards support business optimization and sustainability. 
• Open source tooling for open source compliance
• Open source tooling for security assurance
• Software Bill of Materials

Expect a packed session with plenty of networking opportunities. This event will help OSPO, IP, product development and management teams deal with trust management in the open source supply chain.

Agenda

• 14:30 – Introduction: The OpenChain License Compliance and Security Assurance Standards in 2023
• 14:50 – Keynote: Moving Down The Pyramid – SBOMs in 2023; Speaker TBD
• 15:10 – Break
• 15:20 – Keynote: Moving Down The Pyramid – “State of the Tooling” in Open Source Automation; Helio Chissini de Castro, CARIAD
• 15:40 – Special Keynote: FOSSLight – Next Generation Open Source Automation for Compliance and Security; Kyoungae Kim and Soim Kim, LG Electronics
• 16:00 – Break
• 16:10 – Roundtable Session – Process Standards
• 16:25 – Roundtable Session – SBOMs
• 16:45 – Roundtable Session – Automation
• 17:00 – Close

How to Register: Pre-registration is required. To register for the OpenChain Project Mini Summit, add it to your Open Source Summit North America registration.

Learn More

• https://ossna2023.sched.com/event/1LB7s

Cloudera’s Chinese subsidiary announced an ISO/IEC 5230 conformant program at the recent OSCAR Open Source Supply Chain Salon (OSCAR开源供应链沙龙) co-hosted by CAICT and the OpenChain Project. The ISO/IEC 5230 conformant program was third-party certified by CAICT.

Learn More About The Event

• https://www.openchainproject.org/news/2023/04/04/oscar-2023

CAICT and OpenChain held an OSCAR Open Source Supply Chain Salon on the 3rd of April 2023 with ISO/IEC 5230 third-party conformance announcements from:

• Alibaba Cloud Computing Ltd.
• China Mobile (Suzhou) Software Technology Co., Ltd.
• Cloudera

Speakers covered topics around process management and other critical business affairs. You can learn more in Chinese below. Representatives from CAICT are also available to provide more information on request.

Main Event News

追本逐源丨OSCAR开源供应链沙龙圆满举办
近年来，在企业数字化转型进程逐步深入的过程中，开源保持高速增长态势，开源软件被各行业企业广泛使用和推广。国家层面，我国相关主管部门陆续出台开源相关政策，积极推动开源以开放、透明、协作的方式加速国家数字化转型步伐。行业层面，随着越来越多的企业加入到开源社区中，在享受开源软件带来的“红利”的同时，开源软件供应链风险治理的重要性也在不断的增强。
https://mp.weixin.qq.com/s/gOHer7ASzAdwniE5zVoNQA

Secondary Reporting:

信通院与OpenChain联合发布“2023年上半年可信开源供应链-OpenChain成果”
为进一步探讨开源供应链安全合规发展方向，4月3日下午，由中国信息通信研究院云计算与大数据研究所、OpenChain联合主办的“OSCAR开源供应链沙龙”活动在北京举办。
https://m.sohu.com/a/662781051_100302690/?trans=010005_pcwzywxewmsm