Our community colleagues in Finland are holding an OSPO-related event in late January that will cover OpenChain. Learn more and register here:
Our regular monthly call for North America / Asia saw some discussion around two key topics for the next generations of our specifications for license compliance and for security. One related to whether we need to be more prescriptive regarding the content of contribution policies, and another related to whether our existing approach to defining open source worked in both standards. The outcomes are covered in our recording and the slides from the meeting are also available.
Philippe Ombredanne from nexB will lead a technical deep dive into VulnTotal on the 7th of February at 09:00 CET (08:00 UTC). Join us in our usual room here:
This deep dive is about an aspect of the AboutCode Project, with VulnerableCode providing tools to collect, aggregate and refine software vulnerability information from more than 20 sources and tools to quickly create new “importers”. VulnTotal is something that came out of Google Summer of Code 2022:
VulnTotal: Cross-validate vulnerability coverage of VulnerableCode (Keshav Priyadarshi)
VulnerableCode is a unique project that collates and cross-references FOSS vulnerability data from multiple sources. Inspired by the VirusTotal multi-scanner virus scanning service, the VulnTotal project will cross-validate the vulnerability coverage of VulnerableCode against other publicly available vulnerability check tools and databases. For instance, a package may be reported as vulnerable by one tool or database but not by another. We can gradually work with these tool providers to keep each other apprised about newly discovered vulnerabilities, making FOSS more secure.
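The cross-validation idea described above can be illustrated with a small, self-contained script. This is an added example, not code from VulnerableCode, VulnTotal or the AboutCode project; it assumes that each vulnerability source can be reduced to a mapping from package identifier to the set of advisory identifiers it reports, and all package names, advisory identifiers and source names below are constructed placeholders. It distinguishes a source that does not know a package at all from one that checked the package and found nothing, because only the latter counts as a coverage disagreement.

```python
"""Cross-validate vulnerability coverage across several sources (added example).

Each source is reduced to {package identifier: set of advisory identifiers}.
A package missing from a source's map means the source does not cover it;
an empty set means the source checked it and reported nothing.
"""
from collections import defaultdict

# Constructed sample data: three hypothetical sources reporting on the same
# packages. Package keys are purl-style strings; advisory ids are placeholders.
SOURCE_REPORTS = {
    "source_a": {
        "pkg:pypi/examplelib@1.2.0": {"ADV-0001", "ADV-0002"},
        "pkg:npm/examplepkg@4.0.1": {"ADV-0010"},
    },
    "source_b": {
        "pkg:pypi/examplelib@1.2.0": {"ADV-0001"},
        "pkg:npm/examplepkg@4.0.1": {"ADV-0010", "ADV-0011"},
        "pkg:maven/org.example/lib@2.0": {"ADV-0020"},
    },
    "source_c": {
        "pkg:pypi/examplelib@1.2.0": {"ADV-0001", "ADV-0002"},
        "pkg:npm/examplepkg@4.0.1": set(),  # checked, nothing reported
    },
}


def cross_validate(reports):
    """Merge per-source reports into one view per package.

    Returns {package: {"covered_by": [sources that know the package],
                       "advisories": {advisory: [sources reporting it]}}}.
    """
    packages = set()
    for pkg_map in reports.values():
        packages.update(pkg_map)

    result = {}
    for pkg in sorted(packages):
        advisories = defaultdict(list)
        covered = []
        for source, pkg_map in sorted(reports.items()):
            if pkg not in pkg_map:
                continue  # this source does not cover the package at all
            covered.append(source)
            for adv in pkg_map[pkg]:
                advisories[adv].append(source)
        result[pkg] = {
            "covered_by": covered,
            "advisories": {adv: sorted(srcs) for adv, srcs in advisories.items()},
        }
    return result


def discrepancies(validated):
    """Return (package, advisory, reporting, silent) tuples.

    'silent' lists sources that cover the package yet do not report the
    advisory; sources that never saw the package are not counted as silent.
    """
    out = []
    for pkg, info in validated.items():
        covered = set(info["covered_by"])
        for adv, reporting in sorted(info["advisories"].items()):
            silent = sorted(covered - set(reporting))
            if silent:
                out.append((pkg, adv, reporting, silent))
    return out


def consensus(validated, pkg):
    """Advisories that every source covering the package agrees on."""
    info = validated[pkg]
    covered = set(info["covered_by"])
    return sorted(adv for adv, srcs in info["advisories"].items()
                  if set(srcs) == covered)


def main():
    validated = cross_validate(SOURCE_REPORTS)
    for pkg, adv, reporting, silent in discrepancies(validated):
        print(f"{pkg}: {adv} reported by {reporting}, missing from {silent}")
    for pkg in validated:
        print(f"{pkg}: consensus = {consensus(validated, pkg)}")


if __name__ == "__main__":
    main()
```

Each discrepancy line is a lead for the kind of follow-up the passage describes: either one source has a false positive, or the silent sources have a gap to close.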
From InnerSource Commons: In this session about SBOMs and InnerSource we will look at applying open source industry best practices and standards such as ISO 5230 OpenChain, ISO 5962 SPDX and CycloneDX to InnerSource Programs.
The recent Telco Work Group meeting is here:
https://youtu.be/jhsvPgu7AyQ
The discussion was focused on the open pull requests around the SBOM specification:
https://github.com/OpenChain-Project/Telco-WG/pulls
There are some pretty important decisions to make here, including around SPDX 3.0 or SPDX Lite, so we encourage engagement and review.
Bitsea, a service provider specialized in software auditing and based in Germany, today announces support for the OpenChain Security Assurance Specification 1.1. They can help companies understand and adopt this standard for open source security in Germany and beyond. As a sister standard to OpenChain ISO/IEC 5230 – the international standard for open source license compliance – the OpenChain Security Assurance Specification 1.1 offers the same type of support for building a quality security assurance program.
“For over 10 years Bitsea has provided services to help organizations identify hidden risks in software systems and manage their open source software supply chain,” says Dr. Andreas Kotulla, Founder and CEO of Bitsea. “Our services guide organizations to adopt and conform to both ISO 5230 OpenChain and OpenChain Security Assurance.”
“Bitsea has long been a provider of excellent reputation in the open source area,” says Shane Coughlan, OpenChain General Manager. “Their new services to support adoption of the OpenChain Security Assurance Specification 1.1 are a timely and useful contribution to the community in Germany and beyond. Open source security is a vital part of the global supply chain, and solid process management is key to addressing the ongoing challenges.”
About Bitsea
Big software systems are like a wild wide ocean of bits – our passion is to analyse and visualize software structure. We are keen to help our customers stabilize and optimize their systems. We assess software. We analyze, evaluate and optimize your development processes, software architecture and software design. We perform the technical due diligence for company takeovers. We reduce the economic risk by assessing open source components and ensure license compliance.
Our references include well-known Fortune 500 companies in the communications, automotive, logistics, retail and aerospace industries. We hold the highest standard for information security: we have been VDA/ISA TISAX-certified since 2020. All data of our customers remain in Germany or, if required, in the territory of our customers. We are involved in the Bitkom Open Source working group. Bitsea is part of the OpenChain Community. We guarantee strictly confidential consulting in the context of technical due diligence for M&A activities.
Learn more:
https://bitsea.de/en/
About the OpenChain Project
The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source. Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.
Learn more:
https://www.openchainproject.org
About The Linux Foundation
The Linux Foundation is the world’s largest non-profit connecting global technical experts and providing them with a neutral and trusted platform to develop open source projects. Founded in 2000 as the home of the Linux Kernel, the Linux Foundation has grown to host hundreds of open source projects, with a community spanning 2,950+ members, 540,000+ contributing developers, and 19,000+ contributing companies.
Learn more:
https://www.linuxfoundation.org
AboutCode is holding a one day workshop for open source compliance tooling developers and users on the fringe of FOSDEM 2023. You probably know Philippe Ombredanne from ScanCode, who is a key driver behind this. It takes place Friday, February 3, 2023, 9:00 AM – 5:00 PM (UTC+01:00).
Event structure as per their website:
Which tools is this about? FOSS tools for software provenance detection, license detection and compliance, code scanning, package dependency analysis, container analysis, SBOM creation and consumption, and license or vulnerability databases.
Basically, all the tools you need to figure out which FOSS code you use, where it is from, what its license is, how to comply with the license, and whether it contains vulnerable code. We last organized this workshop in 2020 (pre-COVID), and there were developers from the ORT, ScanCode, ClearlyDefined, FOSSology, Tern, VulnerableCode, SW360, DoubleOpen and OpenChain projects, and users from the finest organizations, technology and industrial companies worldwide. Whether you are a developer or user interested in the Software Supply Chain and SBOMs, a FOSS license-savvy lawyer, a compliance or security analyst, or an OSPO member: you will be warmly welcomed.
The day will be split in two:
• In the morning, the focus is on tool developers: they will announce and share their plans and we will discuss opportunities for collaboration, sharing and joint projects.
• In the afternoon, the focus is on tool users: they will share their concerns, problems and requirements and we will discuss opportunities for collaboration and address these in the represented projects.
Learn more:
The Eventbrite booking form for the next OpenChain UK Workgroup meeting, taking place on 26th January 2023 is now live.
Date: 26th January 2023
Time: 15:00 – 17:00 UTC
Venue: Both virtual and physical. You can select your preference on the booking form.
The physical meeting will take place at the offices of Analog Devices in Hayes, West London (near Heathrow) at the Old Vinyl Factory, 5 Pressing Lane, Hayes UB3 1EP.
Many thanks to Steve Kilbane for making the space available for us at his company’s offices.
To confirm your place either in person or virtually, so that we can gauge numbers, please complete the Eventbrite booking form.
The next OpenChain Webinar will feature OSSelot, an open source curation database recently launched by OSADL in Germany. This project features one of the most requested features around open source automation for open source compliance: an open, public database supporting SBOM (via SPDX ISO/IEC 5962) for common software packages. This could be a game-changer.
Learn more at 09:00 CET (08:00 UTC) on the 24th of January.
This webinar will be held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799
Check your timezone:
PDT United States Pacific UTC-07:00
UTC Coordinated Universal Time UTC
CET Central European Time UTC+01:00
IST India Standard Time UTC+05:30
CST China Standard Time UTC+08:00
KST Korea Standard Time UTC+09:00
JST Japan Standard Time UTC+09:00
Compare timezones:
https://www.worldtimebuddy.com
Join via one tap mobile:
+86 10 8783 3177,,4377592799# Mainland China
+33 1 8699 5831,,4377592799# France
+49 69 7104 9922,,4377592799# Germany
+81 524 564 439,,4377592799# Japan
+82 2 3143 9612,,4377592799# Korea
+91 80 71 279 440,,4377592799# India
+886 (2) 7741 7473,,4377592799# Taiwan
+44 330 088 5830,,4377592799# UK
+13017158592,,4377592799# USA
Find your local country number:
https://zoom.us/u/awFnORNiA
Meeting ID: 437 759 2799
Nathan kicked off the new cycle of the Education Work Group activities at the end of the year. Here, slightly late, is our recording of that excellent one hour session.