
OpenChain Monthly Meeting North America – Europe – 2023-02-07 – Recording


We had a fantastic meeting focused on editing previously submitted scope suggestions from ISO/IEC JTC 1/SC 27 (Information Technology Security). This time we went over the issues submitted by reviewer CERT. In addition, we closed an open issue syncing the definition of Open Source between the licensing specification (ISO/IEC 5230) and the security specification.

Co-chairs Helio and Chris led the discussion, and we had some great contributions from the audience. It is clear that there is significant interest in reviewing the draft 3rd generation licensing standard and 2nd generation security standard. You are reminded that everyone is invited to participate in the monthly calls and via our main or specification mailing lists.

Specifically:

We closed this open source definition issue:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/20

We set this action item based on a suggestion by CERT:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/22

We decided not to pursue this suggestion by CERT:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/23

We decided not to pursue this suggestion by CERT:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/24


OpenChain Japan Work Group Meeting #26 (Hybrid #1) – 2023-02-09 15:00-17:00 JST


The first face-to-face OpenChain Japan Work Group meeting in three years is being hosted by Hitachi Solutions and will feature our usual exceptional schedule of case studies and discussion. A big thank you to Ayumi and team for providing a great place to bring the community together. Virtual attendees are also being supported via Zoom.

OpenChain Japan Work Group [26th Plenary Meeting] [1st Hybrid Meeting]
 ★ Thursday 9 February 2023, 15:00-17:00 JST
 ★ Hybrid format (in-person venue + online participation)
 ★ In-person venue: Hitachi Omori Building
 ★ Online venue:
   https://zoom.us/j/4377592799
 ★ Planned: two case studies from Toshiba and one OSS tool introduction from Hitachi Solutions.
Agenda:
15:00 – 15:01  Opening
15:01 – 15:10  Keynote by Shane Coughlan
15:10 – 15:20  About the OpenChain Japan WG
15:20 – 15:30  Hitachi Solutions' OSS initiatives, 渡邊 (Hitachi Solutions)
15:30 – 15:45  OSS introduction: "SPDX extension for VSCode", 明石 (Hitachi Solutions)
15:45 – 15:55  Break
15:55 – 16:25  Case study: "Toward conformance with ISO/IEC 5230, the process management standard for open source compliance", 忍頂寺 and 樽家 (Toshiba)
16:25 – 16:55  Case study: "Establishing OSS education for OSS license compliance and rolling it out company-wide", 小山 (Toshiba)
16:55 Closing

TIMETOACT GROUP Offers Open Source Certification Based On ISO/IEC 5230


IT company deepens partnership with OpenChain Project and expands open source software offering.

TIMETOACT GROUP is now an official third-party certifier for the ISO/IEC 5230 standard managed by OpenChain, enabling it to offer official certifications in addition to consulting services on open source license compliance. With the deepening of the partnership between OpenChain and TIMETOACT, customers have even more choice around services available for open source software.

The use of open source software – just like proprietary software – is governed by license terms. It is important to meet these requirements in order to ensure smooth business operations and avoid conflicts with third parties. The OpenChain ISO/IEC 5230 international standard identifies the key requirements of a high-quality open source license compliance program. It enables companies to reduce their risk by adopting the standard through self-certification, independent assessment or third-party certification by a certifier such as TIMETOACT GROUP. Within TIMETOACT GROUP, ARS software engineering specialists provide the certifications.

“We are happy to join OpenChain’s certifier network, thus providing companies of all sizes and industries with the critical components for successful open source compliance programs. This partnership grants our customers added value through the opportunity to obtain the OpenChain ISO/IEC 5230 certification seal,” says Simon Pletschacher, Manager IT Performance Strategy at TIMETOACT GROUP.

“We are delighted to welcome TIMETOACT GROUP to our comprehensive network of certifiers, allowing us to provide companies of all sizes and industries with easy access to the essential components of superior open source compliance programs,” says Shane Coughlan, General Manager OpenChain.

About TIMETOACT GROUP

TIMETOACT GROUP modernizes and integrates IT applications for upper mid-sized companies and corporations in order to increase their agility, efficiency and transparency. For innovative customers, TIMETOACT GROUP also develops and implements digital business models and opens up new market opportunities.

Services include: Consulting, Cloud Transformation, Data, Software and Systems Engineering in the area of Employee Experience, Business Applications and Customer Experience.

For more information see www.timetoact-group.com/en or www.timetoact-group.com/en/details/open-source-license-management 

About OpenChain

The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage

Linux is a registered trademark of Linus Torvalds.

Press contact TIMETOACT GROUP:

Christin Louise Weber

christin.weber@timetoact.de

OSPOCO and Taylor English Join The OpenChain Partner Program


OSPOCO and Taylor English are the latest participants in the OpenChain Project official partner program. OSPOCO provides on-demand, scalable open source program office support across community, technical and communication areas. Taylor English provides attorney oversight for all compliance matters and legal advice integrated with OSPOCO technical findings.

“We are delighted to work with OSPOCO on expanding the professional service ecosystem dedicated to OpenChain ISO/IEC 5230 and the OpenChain Security Assurance Specification,” says Shane Coughlan, OpenChain General Manager. “The increased awareness of predictable, sustainable open source process management in the supply chain is matched by an increased need for experienced providers. We look forward to investing time into ensuring growth in the North American market throughout 2023 matches the traction we have seen in Asia and Europe in 2022.”

“Following the OpenChain specifications is the best way for companies to understand and have control over their open source processes,” says Van Lindberg, CEO of OSPOCO and partner at Taylor English. “The OpenChain specifications are our blueprint for helping our clients mitigate supply chain risk and improve their open source ROI. We look forward to helping many more organizations achieve and maintain full compliance.”

OpenChain Telco Special Interest Group – 2023-02-02 – Recording


In the February 2nd 2023 call, we reviewed the open pull requests on GitHub. All pull requests except one have been merged, with some modifications. The remaining pull request is about when the SBOM should be created. This needs further discussion. See section 3.7. Please review the current document and provide your comments.

Some topics that need review and input:

  • The list of mandatory elements in section 3.4
  • Section 3.7 SBOM Build information
  • Section 3.13 SBOM Verification
  • What level of detail do we mandate (package, file, snippet)?

Several “Verification and reference material” and “Rationale” sections are still empty.
The words “shall” and “should” are used. They must be defined.

Also, we need a good name for the specification. Currently in the document we have:

  • OpenChain Telecommunications Group SBOM Specification
  • OpenChain Telco SBOM specification
  • Telco Standard SBOM
  • telco standard SBOM
  • Telco Group SBOM specification
  • Telco SBOM specification
  • Telco Profile of SPDX

Best regards,
Marc-Etienne, Telco SIG Chair
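Two of the open questions above (which elements an SBOM must carry, and the package/file/snippet level of detail) are easy to check mechanically once an SBOM is in hand. The following is an added example and is not code from the Telco SIG, OpenChain or the draft specification. It parses SPDX tag-value (the format the SIG is profiling), reports which mandatory document fields are missing, and reports the finest level of detail present. Assumptions: the required-field list is the SPDX 2.3 document creation information (Clause 6), used here as a stand-in for the draft's section 3.4 list, which the notes do not reproduce; the "package without checksum" rule is an illustrative verification check of my own, not the draft's section 3.13; both SBOM samples are constructed, with placeholder hashes and names.

```python
"""Minimal SPDX 2.x tag-value SBOM checker (added example, not project code)."""
import re
from collections import defaultdict

# SPDX 2.3 mandatory document creation information tags (Clause 6).
# Assumption: used in place of the draft Telco spec's section 3.4 list.
REQUIRED_DOC_FIELDS = ("SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                       "DocumentNamespace", "Creator", "Created")

# Tags that open a new package / file / snippet section in tag-value format.
SECTION_OPENERS = {"PackageName": "package", "FileName": "file",
                   "SnippetSPDXID": "snippet"}

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text):
    """Return (doc_fields, elements).

    doc_fields maps tag -> [values] for the document creation block;
    elements is a list of (kind, {tag: [values]}) in document order.
    Multi-line <text>...</text> values are joined into one string.
    """
    doc = defaultdict(list)
    elements = []
    current = doc                      # fields go here until a section opener
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = TAG_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>"):
            buf = [value[len("<text>"):]]
            # Consume continuation lines until the closing </text>.
            while "</text>" not in buf[-1] and i < len(lines):
                buf.append(lines[i])
                i += 1
            value = "\n".join(buf).split("</text>")[0]
        if tag in SECTION_OPENERS:
            current = defaultdict(list)
            elements.append((SECTION_OPENERS[tag], current))
        current[tag].append(value)
    return doc, elements


def missing_required_fields(doc):
    """Mandatory creation-info tags that are absent or have an empty value."""
    return [t for t in REQUIRED_DOC_FIELDS if not any(doc.get(t, []))]


def detail_level(elements):
    """Finest granularity present: snippet > file > package, else None."""
    kinds = {kind for kind, _ in elements}
    for level in ("snippet", "file", "package"):
        if level in kinds:
            return level
    return None


def packages_without_integrity_data(elements):
    """Packages with neither PackageChecksum nor PackageVerificationCode.

    Illustrative verification rule (assumption, not the draft's 3.13):
    without either, a recipient cannot tie the entry to the bytes received.
    """
    return [el["PackageName"][0] for kind, el in elements
            if kind == "package"
            and not (el.get("PackageChecksum") or el.get("PackageVerificationCode"))]


def check_sbom(text):
    doc, elements = parse_tag_value(text)
    return {"missing": missing_required_fields(doc),
            "level": detail_level(elements),
            "unverifiable_packages": packages_without_integrity_data(elements)}


# Constructed sample: complete creation info, file-level detail, and one
# package (busybox) with no checksum. Hashes and names are placeholders.
SAMPLE_COMPLETE = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-firmware-sbom
DocumentNamespace: https://sbom.example/spdxdocs/example-firmware-1.0
Creator: Tool: constructed-example-0.1
Created: 2023-02-02T10:00:00Z
DocumentComment: <text>Constructed for illustration.
Not a real product.</text>

PackageName: zlib
SPDXID: SPDXRef-Package-zlib
PackageVersion: 1.2.13
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
PackageLicenseConcluded: Zlib

PackageName: busybox
SPDXID: SPDXRef-Package-busybox
PackageVersion: 1.36.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only

FileName: ./src/main.c
SPDXID: SPDXRef-File-main
FileChecksum: SHA1: 0123456789abcdef0123456789abcdef01234567
LicenseConcluded: MIT
"""

# Constructed sample: package-level only, missing namespace and timestamp.
SAMPLE_INCOMPLETE = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: thin-sbom
Creator: Organization: Example Vendor

PackageName: openssl
SPDXID: SPDXRef-Package-openssl
PackageDownloadLocation: NOASSERTION
PackageChecksum: SHA256: cafef00dcafef00dcafef00dcafef00dcafef00dcafef00dcafef00dcafef00d
"""

if __name__ == "__main__":
    for name, sample in (("complete", SAMPLE_COMPLETE), ("incomplete", SAMPLE_INCOMPLETE)):
        print(name, check_sbom(sample))
```

Run as a script to see both reports; the complete sample passes the field check, is file-level, and flags busybox as unverifiable, while the thin sample is package-level and is missing DocumentNamespace and Created. Swapping the REQUIRED_DOC_FIELDS tuple for the draft's final section 3.4 list is the only change needed once that list settles.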


OpenChain Newsletter #50


Newsletter – Issue 50 – January 2023

After focusing on rolling news in 2022, the OpenChain Newsletter is back to provide a monthly summary of our work. You can expect an overview of what the OpenChain Project is doing to build trust around license compliance and security in the open source supply chain. You will also find other news directly related to our field. We accept suggestions and ideas. Just mail us at any time.

Cool Statistic To Start The Year

20% of German companies with over 2,000 employees have already implemented OpenChain ISO/IEC 5230:2020, the International Standard for open source license compliance.
Source: Bitkom Open Source Monitor 2021

Key Project Governance News

In Q4 2022 the OpenChain Project elected a new Governing Board Chair (Jimmy Ahlberg of Ericsson) as well as new co-chairs of the Specification Work Group (Helio Chissini de Castro, CARIAD + Chris Wood, Lockheed Martin) and a new chair of the Education Work Group (Nathan Kumagai, Qualcomm). This is all part of an initiative to give the project clear, fair and sustainable processes for leadership transition, so that it remains healthy over the long term.

Google Announces ISO/IEC 5230:2020 Conformant Program

We ended Q4 2022 with some exciting news. Google, an OpenChain Governing Board member and early adopter of the first generation OpenChain standard for open source license compliance, announced formal adoption of ISO/IEC 5230, the International Standard for open source license compliance.

Meanwhile, Around Security…

We have submitted the OpenChain Security Assurance Specification to the ISO/IEC JTC 1 PAS transposition process. We expect it to graduate as an ISO/IEC standard around mid-2023.

Security Assurance Specification Conformance

BlackBerry became the first multinational to go whole-entity conformant with the OpenChain Security Assurance Specification. They also set a milestone as the first entity to achieve conformance with both OpenChain ISO/IEC 5230:2020 and the OpenChain Security Assurance Specification 1.1.

That said, the very first company to announce adoption of the OpenChain Security Assurance Specification was Interneuron in the UK. This builds on their previous adoption of OpenChain ISO/IEC 5230:2020, and underlines their continued mission to seek excellence in open source software governance for the British National Health Service.

Security Assurance Specification Gains Additional Support

At the end of December 2022 we saw some significant announcements regarding support for the OpenChain Security Assurance Specification.

This support continued to grow in January 2023 with an announcement from Bitsea about their new services for customers around adoption.

OpenChain Meetings, Webinars And Events

Our monthly meetings kicked off with next generation specification reviews for North America / Europe and North America / Asia. We are seeing some solid discussion around the open issues on both the license compliance and security specifications. It is recommended to take part in these meetings if you have ideas, suggestions or comments about where you want our standards to go next.

We also held a Telco Special Interest Group meeting on the 12th of January and an Education Work Group meeting on the 19th of January. The Telco SIG is working on a meta-specification for Software Bills of Materials. The Education Work Group is focused on renewing the core material that helps people onboard with our standards. Everyone is welcome to join the calls and help out.

Want to join our calls? Just check out our global calendar.

The global calendar is also a great way to keep track of our webinars. We started the year with a great one: OpenChain Webinar #47 covered OSSelot: The Open Source Curation Database. OSSelot is a new project incubated by OSADL in Germany and promises to be an important part of automation tooling support moving forward.

Continuing our program of external collaboration, the OpenChain Project was also part of an external webinar about Applying OpenChain and SBOMs for InnerSource.

Our Training Material Continues To Support The Market

In 2021 and 2022 the OpenChain Education Work Group released online courses in collaboration with LF Training. During January we received some updates providing context for market impact.

Introduction to Open Source License Compliance Management (LFC193) has had 1,209 enrollments and 398 digital completion badges issued with a satisfaction rating of 4.65 out of 5. Implementing Open Source License Compliance Management (LFC194) has had 579 enrollments and 38 digital completion badges issued with a satisfaction rating of 4.55 out of 5. LFC194 has only been out a few months, so we look forward to continued adoption growth in 2023.

It is also noteworthy that Continental Corporation made LFC193 a required course for their software developers from late Q3 2022. This is a concrete example of a company leveraging free resources provided by the OpenChain Project and The Linux Foundation to support their open source governance processes.

Check Out All Our Previous Newsletters:
https://www.openchainproject.org/newsletter


Legal: All trademarks belong to their respective owners. This newsletter is licensed under Creative Commons Attribution-NoDerivatives 4.0 International (CC BY-ND 4.0).

Webinar: OSSelot: The Open Source Curation Database


This OpenChain Webinar features OSSelot, an open source curation database recently launched by OSADL in Germany. This project addresses one of the most requested features around open source automation for open source compliance: an open, public database supporting SBOM (via SPDX ISO/IEC 5962) for common software packages. This could be a game-changer.


This is OpenChain Webinar #47, released on 2023-01-25.