Category

News

Next OpenChain UK Work Group Meeting on 26th January 

By News

The Eventbrite booking form for the next OpenChain UK Workgroup meeting, taking place on 26th January 2023, is now live.

Date: 26th January 2023 

Time: 15:00 – 17:00 UTC

Venue: Both virtual and physical. You can select your preference on the booking form.

The physical meeting will take place at the offices of Analog Devices in Hayes, West London (near Heathrow) at the Old Vinyl Factory, 5 Pressing Lane, Hayes UB3 1EP. 

Many thanks to Steve Kilbane for making the space available for us at his company’s offices. 

To confirm your place, either in person or virtually, so that we can gauge numbers, please complete the Eventbrite booking form.

OpenChain Webinar #47 – OSSelot: The Open Source Curation Database – Coming on 24th January 2023

By Featured, News

The next OpenChain Webinar will feature OSSelot, an open source curation database recently launched by OSADL in Germany. This project delivers one of the most requested capabilities in open source compliance automation: an open, public database supporting SBOM (via SPDX ISO/IEC 5962) for common software packages. This could be a game-changer.

Learn more at 09:00 CET (08:00 UTC) on the 24th of January.

This webinar will be held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799

Check your timezone:
PDT United States Pacific UTC-07:00
UTC Coordinated Universal Time UTC
CET Central European Time UTC+01:00
IST India Standard Time UTC+05:30
CST China Standard Time UTC+08:00
KST Korea Standard Time UTC+09:00
JST Japan Standard Time UTC+09:00

Compare timezones:
https://www.worldtimebuddy.com

Join via one tap mobile:
+86 10 8783 3177,,4377592799# Mainland China
+33 1 8699 5831,,4377592799# France
+49 69 7104 9922,,4377592799# Germany
+81 524 564 439,,4377592799# Japan
+82 2 3143 9612,,4377592799# Korea
+91 80 71 279 440,,4377592799# India
+886 (2) 7741 7473,,4377592799# Taiwan
+44 330 088 5830,,4377592799# UK
+13017158592,,4377592799# USA

Find your local country number: 
https://zoom.us/u/awFnORNiA
Meeting ID: 437 759 2799

OpenChain Monthly Meeting (US / Europe) 2023-01-03 – Recording

By Featured, News

Our first monthly meeting of the year included some great discussion about the spec, with oversight by Co-Chair Helio (we worked on issues as usual), and Nathan set the tone for future plans around the Education Work Group. It was a relatively small group because the new year vacation ended unevenly around the world, but some substantive material was covered.

Please note that we also had a ton of interesting news to cover. Check out the slides for the details and the links to each item.

Watch The Recording

Check Out The Slides

Interneuron Announces First OpenChain Security Assurance Specification Conformance

By Featured, News

Interneuron, a UK-based service provider to the British National Health Service (NHS), is the first company to formally announce an OpenChain Security Assurance Specification conformant program. This continues their history of engagement with open source standards – including previous adoption of OpenChain ISO/IEC 5230, the International Standard for open source license compliance.

“We have worked with Interneuron from when they were a start-up,” says Martin Callinan, Director at Source Code Control Limited. “From the outset we implemented a secure by design approach to the management of open source components used in their software development. It is hugely beneficial that OpenChain have created the Security Assurance Specification to provide guidance and benchmark the processes that have been implemented.”

“Interneuron has a long-term, focused approach on ensuring solutions provided to the NHS demonstrate excellence in sustainable, manageable ways as well as through providing technological solutions,” says Shane Coughlan, OpenChain General Manager. “Their previous adoption of OpenChain ISO/IEC 5230 aligned their company behind reproducible, standard processes. Their newly announced adoption of the OpenChain Security Assurance Specification continues this path, and covers one of the most critical domains in information technology. Their conformance, accomplished in conjunction with their support partner Source Code Control, is an important milestone for the global community as well. With the OpenChain Security Assurance Specification disseminating worldwide, companies like Interneuron provide a clear example of how and why to leverage this standard today.”

About Interneuron

Interneuron is a different kind of healthcare IT organization. We are a purpose-driven company, a Community Interest Company (CIC) that exists primarily for the benefit of those in need of health and social care. Interneuron projects aim to help NHS organizations replace their legacy technology with world-class clinical software that will revolutionize the way in which data is integrated, stored and used.
Interneuron’s open source philosophy is to make this new technology freely available. NHS Trusts will be able to download, test and implement the software, or receive support from Interneuron if that is preferred.

Learn more:
https://www.interneuron.org

About Source Code Control

Founded in 2014 by Martin Callinan, Source Code Control has established itself as one of the only Open Source and Cloud Transformation consultancy businesses. We help organizations that have software at the core of their company value build trust in software supply chains and simplify the cloud transformation process. With this in mind, our main aim is to minimize an organization’s risk when dealing with open source and cloud software.

Learn more:
https://sourcecodecontrol.co

About the OpenChain Project

The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source. Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.

Learn more:
https://www.openchainproject.org

About The Linux Foundation

The Linux Foundation is the world’s largest non-profit connecting global technical experts, and providing them with a neutral and trusted platform to develop open source projects. Founded in 2000 as the home of the Linux Kernel, the Linux Foundation has grown to host hundreds of open source projects, with a community spanning 2,950+ members, 540,000+ contributing developers, and 19,000+ contributing companies.

Learn more:
https://www.linuxfoundation.org

OpenChain Security Assurance Specification 1.1 – Global Support

By Featured, News

The OpenChain Security Assurance Specification 1.1 has been building momentum as a sister specification to ISO/IEC 5230:2020, the International Standard for open source license compliance. With an identical approach to high level process management, the OpenChain Security Assurance Specification is designed to help companies adopt the key requirements of a quality open source security assurance program.

Self-certification is available in English, German and Simplified Chinese. In addition, the following companies have announced services to support adoption of this specification. Three of these organizations are OpenChain Project official third-party certifiers, and all of these companies provide onboarding, adoption and review services across the global supply chain.

CAICT (Mainland China)

CAICT is an official OpenChain Project partner and one of our third-party certifiers with a regional service offering.

Bureau Veritas (Taiwan, Worldwide)

Bureau Veritas is an official OpenChain Project partner and one of our third-party certifiers with a global service offering.

PwC (Germany, Worldwide)

PwC is an official OpenChain Project partner and one of our solution providers and third-party certifiers with a global service offering.

  • PwC OpenChain Security Assurance Specification services in English:
    https://www.pwc.de/en/opensource
    (Under ‘Consulting & Implementation’ and ‘Audit & Certification’)

Orcro (UK, Worldwide)

Orcro is an official OpenChain Project partner and one of our solution providers and third-party certifiers with a global service offering.

Source Code Control (UK, Worldwide)

Source Code Control is an official OpenChain Project partner and one of our solution providers with a global service offering.

OSS Consultants (USA, Worldwide)

OSS Consultants is an official OpenChain Project partner and one of our solution providers with a global service offering.

External: A New Level of Trust: Corporate-Wide OpenChain ISO/IEC 5230:2020 Conformance

By News

If you’re not already aware of it, OpenChain ISO/IEC 5230:2020 is the International Standard for open-source license compliance and is designed to build trust in the supply chain. The standard allows companies of all sizes and in all sectors to adopt the key requirements of a quality open-source compliance program. This is an open standard, and all parties are welcome to engage with the community to share their knowledge and contribute to the future of the standard. BlackBerry recently became the first company based in North America to adopt and conform to OpenChain across its entire product portfolio. The company saw the need to lead in this space and joined other technology-leading companies to adopt a higher standard for its software supply chain.

Read the rest on the BlackBerry blog:

OpenChain Export Control Work Group 2022-12-13 – Full Recording

By News

The OpenChain Export Control Work Group held its second meeting in December 2022. This meeting is providing an informal, exploratory platform for discussion around open source, export control, and the type of community resources people have found in the ecosystem.

We are working on a landscape spreadsheet. Everyone is invited to contribute:

Would you like to check out our previous meeting?

OpenChain Security Assurance Specification 1.1 Now In Simplified Chinese

By Featured, News

The OpenChain Security Assurance Specification 1.1 is now available in Simplified Chinese. This translation was created by Zhang Jun Xia from the China Academy of Information and Communications Technology (翻译人:张俊霞,中国信息通信研究院). Zhang Jun Xia previously contributed the Simplified Chinese self-certification checklist for this specification.

The GitHub version is stored as Markdown, a type of text format. Do you want to download it in different formats?

Please note that we are always glad to have the translations we provide reviewed for errors, and we are always glad to receive new translations. We work via GitHub and you can find the OpenChain Security Assurance Specification repository here:

External: Discussing SBOMs – SPDX and CycloneDX (Japanese)

By News

Part 10 (!) of a long-running open source compliance series on the Japanese website @IT covers some of the differences between SPDX and CycloneDX, two SBOM formats with growing mindshare across the supply chain. Ninjouji San from Toshiba is the author of this article and is well known for his contributions as an OpenChain Japan Work Group member and as a board representative for Toshiba, a Platinum Member of the OpenChain Project.

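Solved! OSS Compliance (10):

What are the differences between the two major SBOM formats, “SPDX” and “CycloneDX”?

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. This installment explains in detail the SBOM, a much-discussed topic of growing importance in development that involves partner companies, and its standard formats.

[忍頂寺毅, OpenChain Japan Work Group] (7 December 2022)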


Want to read the whole series? No problem! See below.


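Solved! OSS Compliance (9):

“Do we really need to keep track of our partner companies’ OSS use?”

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. Starting with this installment, we explain the OSS compliance problems, and their solutions, that 新城, a developer at software development company X, faces while working on a large-scale development effort that also involves partner companies.

[遠藤雅人, OpenChain Japan Work Group] (24 October 2022)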

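Solved! OSS Compliance (8):

“Is choosing OSS for use in a company different?” “The OSS community will always stay as it is now, won’t it?”

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. The eighth installment explains how to select the OSS you use, and compliance.

[小保田規生, OpenChain Japan Work Group] (16 September 2022)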

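Solved! OSS Compliance (7):

“Can OSS we never meant to use really find its way in?”

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. The seventh installment describes use cases of OSS that is not used intentionally but must still be handled for OSS compliance.

[福地弘行, OpenChain Japan Work Group] (24 August 2022)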

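Solved! OSS Compliance (6):

What does “clearance” of OSS licenses mean? How exactly should it be done?

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. The sixth installment explains “license clearance”, which is essential for OSS compliance, and introduces concrete steps.

[福地弘行, OpenChain Japan Work Group] (12 July 2022)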

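Solved! OSS Compliance (5):

“Isn’t there just one license?” “What does it mean to ‘distribute’ OSS?”

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. The fifth installment presents two episodes, “Isn’t there just one license?” and “What does it mean to distribute OSS?”, and their solutions.

[島直道, OpenChain Japan Work Group] (15 June 2022)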

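Solved! OSS Compliance (4):

“A violation even though we followed the license?” “The license changed with a version upgrade!?”

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. The fourth installment presents two episodes, “A violation even though we followed the license?” and “The license changed with a version upgrade!?”, and their solutions.

[大内佳子, 渡邊歩, OpenChain Japan Work Group] (21 April 2022)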

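Solved! OSS Compliance (3):

“The license is in English and I can’t understand it!” “How should we go about providing source code?”

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. The third installment presents two episodes, “The license is in English and I can’t understand it!” and “How should we go about providing source code?”, and their solutions.

[大内佳子, 渡邊歩, OpenChain Japan Work Group] (16 March 2022)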

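Solved! OSS Compliance (2):

“I don’t really understand OSS licenses” “Where is the OSS license written?”

“Solved! OSS Compliance” is a series that presents, in concrete terms, common pain points around OSS compliance and their solutions. The second installment presents two episodes, “I don’t really understand OSS licenses” and “Where is the OSS license written?”, and their solutions.

[大内佳子, 渡邊歩, OpenChain Japan Work Group] (21 February 2022)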

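Solved! OSS Compliance (1):

“OSS is just free software”, “It has nothing to do with our company”? Strategic use of open source in companies and the legal risks

“OSS has nothing to do with our company.” “It’s free, so we can just use it as much as we like, right?” Many companies still think this way. However, companies that are trying to make software a business weapon cannot avoid using OSS. If that use is not managed appropriately, it can lead to unexpected legal trouble. This series presents, in concrete terms, common pain points around OSS compliance and their solutions.

[遠藤雅人, OpenChain Japan Work Group] (13 January 2022)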