Apologies to everyone that it took a while to release this recording. Big thanks to PwC for hosting and to all our participants for a lively and useful discussion. You can see the previous outcomes blog post with this video added here:
https://www.openchainproject.org/news/2023/03/31/openchain-germany-work-group-meeting-2023-03-30-outcomes
LG Electronics has published a news item about their recent adoption of OpenChain ISO/IEC DIS 18974, the de facto industry standard for open source security assurance.
An extract from their post:
(서울=연합뉴스) 김아람 기자 = LG전자[066570]는 미국 비영리단체 리눅스재단의 오픈체인 프로젝트가 규정한 ‘오픈소스 소프트웨어 보안 관리체계 국제표준’ 준수 기업으로 인정받았다고 21일 밝혔다.
이 인증 획득은 국내는 물론이고 글로벌 제조업계를 통틀어 LG전자가 유일하다.
소스코드가 공개된 오픈소스 소프트웨어 사용에서 ▲ 내부 보안정책 수립 ▲ 보안정책의 주기적 업데이트 ▲ 보안 테스트를 위한 각종 툴 사용 여부 등 30여개 보안 인증 요건을 모두 충족했다.
Read The Full Article
Dr. Andreas Kotulla over at BitSea has flagged some interesting concerns when using ChatGPT to talk about open source licenses. While a conversation about open source licenses in China correctly identified the Mulan Permissive Software License, other Chinese “licences [discussed by ChatGPT] seem to come from ChatGPT’s pure imagination!”
From his research:
China is playing an increasingly important role in the open source world. Especially for globally active companies with their own software development, it is worth taking a look at the Far Eastern market. But caution is advised in research efforts: Those who trust in the help of artificial intelligence should be prepared for misjudgements. In my blog, I show by example what can happen or what should be taken into account when software like ChatGPT is supposed to provide support in this still young field of research.
Read the full article
This webinar features an update on ClearlyDefined by Nick Vidal at the Open Source Initiative (OSI). A lot has happened since we last covered this project for open source metadata, including the move to a new home at OSI.
About The Project
ClearlyDefined and its parent organization, the Open Source Initiative, are on a mission to help FOSS projects thrive by being clearly defined. Lack of clarity around licenses and security vulnerabilities reduces engagement – that means fewer users, fewer contributors and a smaller community.
As such, the goals of the project are to:
- Raise awareness about this challenge within FOSS project teams
- Automatically harvest data from projects
- Make it easy for anyone to contribute missing information
- Crowd-source the curation of these contributions
- Feed curated contributions back to the original projects
Watch The Webinar
Check Out The Rest Of Our Webinars
This is OpenChain Webinar #51, released on 2023-04-26.
The first meeting of the Legal Work Group took place on the 25th of April 2023. We explored model provisions for including OpenChain ISO/IEC 5230 and OpenChain ISO/IEC DIS 18974 (and potentially other standards) in procurement contracts or similar material.
The goal is to ensure people can understand options. We will not be prescriptive and these model provisions will remain part of the OpenChain reference material. They will not be included in the standards themselves.
The call started by looking at model provisions done before via the Risk Grid:
https://docs.google.com/spreadsheets/d/1yh3wPTRyRZ0NmYh5V5JtXeknlYGYe53BtyLIMSFsoTY/edit#gid=208806775
The document, under public domain, has been moved to the OpenChain GitHub for ease of access and editing:
https://github.com/OpenChain-Project/Reference-Material/tree/master/General-Compliance-Support-Material/Risk-Grid
Our outcome was to use this basic format as a way to structure our first round of model provisions, and to have the option of merging the documents in the future.
Full Recording
Some Post-Call Outcomes
Risk Grid Version 11 (last published version) is now fully translated to MarkDown:
https://github.com/OpenChain-Project/Reference-Material/blob/master/General-Compliance-Support-Material/Risk-Grid/risk-grid-11.md
Risk Grid Version 12 has been created to help set the template for our adjacent work on model language for ISO/IEC 5230 and ISO/IEC DIS 18974. This document needs review:
https://github.com/OpenChain-Project/Reference-Material/blob/master/General-Compliance-Support-Material/Risk-Grid/risk-grid-12.md
This is a continuation of the risk grid that:
– makes a first attempt to reorder the issues based on their granularity – highest first and;
– adds the issue title to the issue number for ease of navigation and;
– merges the Commentary and Comments fields to reduce redundancy.
This version removes issue numbers because the titles replace the numbering, and it avoids long term issues with quotations of different issue numbers across different versions of the risk grid.
Shane Coughlan, OpenChain General Manager, delivered a talk entitled ‘How The Linux Foundation Standards For License Compliance And Security Will Fix Your Supply Chain‘ at FOSS North 2023 on the 25th of April 2023.
Formal Talk Outline
The OpenChain License Compliance (ISO/IEC 5230) and Security Assurance standards provide simple and effective ways for companies in the supply chain to improve open source software management. Organizations around the world have engaged with these standards over the last five years for cost reduction, time optimization and to allow staff to work on tasks directly related to improving products and services. Data suggests significant traction in adoption, with an example being a recent PwC-sponsored survey showing 20% of German companies with more than 2,000 employees using ISO/IEC 5230. This talk will explain how the OpenChain Project is building the support structures needs to accomplish ever broader market adoption, ranging from community activities to reference material to a commercial ecosystem. It will focus on recent developments, especially around expanding work in security, in editing the next generations of the standards, and in lessons learned to revise our supplier education material. Attendees will leave this talk knowing current options for assessment, deployment and – in the case of customer companies – encouraging suppliers to use these standards too.
Check Out Our Slides
NLnet is hosting a series of webinars on Open Software Supply Chain management.
The first episode with Armijn Hemel took place on April 6th, with the topic of Open Source in (Consumer) Electronics Supply Chains:
Next up was Philippe Ombredanne (a.o. https://aboutcode.org), who gave a talk on April 13th 2023 on automated tooling to understand dependencies, handle vulnerabilities in an open and transparent manner:
Forthcoming webinars in the series are:
Thursday May 4th 2023 // 13.00 – 14.30 CEST (Amsterdam, Berlin, Rome)
– Speakers: Carlo Piana & Alberto Pianon.
– Topic: The importance of a Software Bill of Materials in light of the upcoming Cyber Resilience Act and product liability legislation in Europe.
– More info:
Thursday May 11th 2023 // 13.00 – 14.30 CEST (Amsterdam, Berlin, Rome)
– Speaker: Shane Martin Coughlan
– Topic: ISO standards and certification. (This talk was previously scheduled for April 27).
– More info:
About These Webinars (from NLnet)
As the dependency of society on technology continues to increase in every possible direction, it is of the utmost importance to understand the dynamic life cycle of the free and open source building blocks that form the basis of pretty much all technology we use today – and how these can be kept safe and available.
Not only do we need to improve our understanding of how and where software is developed, maintained, built and deprecated at macro scale – but we also need to create mechanisms to ensure that building blocks are kept up to date, that different versions don’t collide, FOSS packages from public repositories have not “bit-rotted” or even worse: have been tampered with by malicious actors as part of a “supply chain attack”. There has been an increasing attention to the fact that with software “eating the world”, a healthy and robust software ecosystem should be a key societal (and thus political) priority. But at the same time, we should do so with full understanding of the highly specific nature of “digital commons” – as the controversy surrounding the upcoming Cyber Resilience Act clearly proves.
In this series of webinars by leading experts such as Armijn Hemel (Tjaldur), Shane Coughlan (OpenChain), Carlo Piana (OSI), Alberto Pianon (Eclipse Compliance Toolchain Project Lead) and Philippe Ombredanne (AboutCode) we look at software supply chains from different angles. What do modern electronics supply chains look like, how is provenance handled – and how *should* it be handled? What mechanisms do we have to verify the integrity of deployed code packages and detect abnormal code changes that may be signs of malicious modifications and possible attacks? Where do “Software Bill of Materials” come into play? And what is being done, and perhaps should be done from a legislative and governance point of view?
The entire webinar series is available free of charge, and will allow you a deep dive into the hidden world behind the software and hardware we use – and will help you get a clear understanding of how open source supply chains work, and a grasp of what the policy challenges are.
Learn More About The Forthcoming OpenChain Webinar:
The OpenChain Project was featured at the FSFE Legal and Licensing Workshop 2023 held in Gothenburg, Sweden during April. This annual event brings together legal experts from around the world to talk about open source and open-related legal matters.
Check Out Our Slides
Learn More On The Official Website:
The OpenChain Project has been featured at the 2nd China Automotive Cyber Security and Data Security Conference 2023 in a talk delivered by Zhang JunXia of CAICT. This is part of our long-running collaboration to help companies of all sizes in the Chinese market to adopt and use ISO/IEC 5230, the international standard for open source license compliance.
Learn More On The Official Website:
- https://m.gasgoo.com/apps/ShareArticleContent/2/70338731.html
(It may not work if access outside of China)
The OpenChain Project was invited to provide a keynote to the Info Event Open Source hosted by Software Allianz in Germany on the 14th of April. You can check out a recording of the talk and our slides below.
