News

Today marks a significant step forward for both the field of Third-Party Certification and the Chinese market in the context of OpenChain ISO/IEC 5230, the International Standard for open source license compliance. The China Academy of Information and Communications Technology (CAICT) has helped three companies establish OpenChain conformant programs scoped to cover one key product from each. This type of program is a common method of helping companies to “onboard” to broader programs over time.

The products going through the new OpenChain conformant programs are:

• GBase 8a from General Data Technology Co., Ltd. (GBASE) [1]
• KingbaseES V8 from CETC Kingbase [2]
• Tidb enterprise v4.0 from PingCap [3]

CAICT has a Third-Party Certification Program that draws on their domain experience in legal compliance consulting and which lasts between four and six weeks. In words of Zhang Jun Xia, who is leading the program for CAICT, the process looks like this:

1. Agreement is reached on how to approach certification: “we talk about the importance of open source compliance with the key staffs of the companies, including their managers or vice managers of commercial ，developing and legal departments（from last year my team discussed with about 10 companies). Then some of them reach the agreement to set the opensource compliance management process.”
2. Kick off meeting to estimate the scope of work: “my team will hold a starting meeting with the company who decided to go through the OpenChain program. We invited almost every manager or vice manager whose responsibilities related to open source upstreaming and down-streaming. We talked about their understanding opensource compliance and the basic requirements of opensource compliance, and introduce the procedures that we will performance to help them meet the requirement.”
3. Training to share knowledge and increase cohesion between the company and CAICT teams: “we start the training step. according to the understanding and basic estimate at the kick-off meeting, we design the training courses which last to 6 hours to 12 hours, depending on the basis of different companies( Half of the training resources are from OpenChain training resource). By the course, we lead to the agreement what is opensource compliance and what should have to be done to meet it.”
4. The interview process: “we start a 2-3 days interviews with the key individuals who is involved in opensource compliance management，like the legal officer，the development manager，the product manager，the commercial officer….we dug out the specific procedures how the product is developed，how they manage the upgrade versions，and how to ensure the function and performance indexes such as availability ， reliability and security.”
5. Setting the compliance procedure to documents: “Next week we will write the documents which set the management processes, based on  their original ones, trying to make the least change and make sure to meet the 6 fields of OpenChain standard. We discussed the documents with the key staffs to reach another agreement (in this step we wrote a lot of documents, even described every steps procedure).”
6. Inspection period: “Once we both agreed, the product line will execute the management processes, and make the records，logs，and discuss every thing that should be cleared or should be changed. We will inspect the new process for 2 to 4 weeks, until we believe it is OK.”

“We are delighted to announce three new companies entering the OpenChain community of conformance today, ands we applaud CAICT on this exceptional certification accomplishment,” says Shane Coughlan, OpenChain General Manager. “The conformance of entities around the world falls into three categories. Self-certification, independent assessment and third-party certification. The availability of the latter is of critical important to ensure freedom of choice, and to ensure critical products in demanding industries are fully supported. The words largest technology production environment is reaching a new stage of maturity.”

[1]

Founded in 2004, GBASE adheres to the independent research and development and promotion of database, and provides users with full stack database products and services. As a state-level high-tech enterprise, GBASE has been rated as a leading domestic database enterprise for many years.

GBase 8a MPP Cluster is a leading product of massive parallel processing database management system, have entered the core business system of more than 80 large banks. The sales of GBase 8a have covered all provinces in China (except Hong Kong and Taiwan) and 34 countries, including the United States, Mexico, Pakistan, Japan, the United Kingdom, Russia and South Africa.

In recent years Gbase 8A adopts more and more open source components in version upgrading, and gradually realizes the importance of open source compliance. Through the Openchain compliance guidance provided by caict, the product has established a standardized open source management process, which greatly improved the transparency of SBOM transmission within the company and improved the reliability of open source compliance.

[2]

CETC Kingbase is a company specializing in database research and development and product services. It has mastered a number of database core technologies, developed large-scale general database products with international advanced level, and is widely used in high information security fields such as government, national defense, military industry, energy, finance and medical treatment, with a total installation and deployment of more than 1 million sets. Kingbases, its independently developed database management system, has passed a number of national security certifications and won the “second prize of national science and Technology Progress Award” in 2018.

In the process of product development, it took the  applying of ISO/IEC 5230:OpenChain standard and built a set of open source compliance management mechanism, which greatly reduced the risk of open source reference and effectively ensured the quality and safety of products.

[3]

Founded in 2015, Pingkai Xingchen (Beijing) Technology Co., Ltd (hereinafter referred to as PingCAP) is an enterprise-grade distributed database provider committed to delivering a modern data infrastructure for growth-oriented users that is efficient, reliable, open and compatible, unleashing  productivity, and accelerating digital transformation for enterprises.

PingCAP’s flagship project, TiDB, is an open-source, distributed Hybrid Transactional/Analytical Processing (HTAP) database that features horizontal scalability, strong consistency, and high availability with MySQL compatibility. TiDB 4.0 was designed for enterprise core business scenarios with requirements such as high availability, strong consistency, and large data scale, and has been adopted at scale in Finance, Internet, New economy, Public services, High-tech manufacturing and other industries in China.

As an open source company, PingCAP has been dedicated to driving forward autonomous  open source communities that honor contribution and participation as key credits. To date, TiDB as an open source project has received 30200+ stars on GitHub,  and has been adopted by over 2000 companies in production world wide, covering multiple industries such as Finance, Telecommunication, Manufacturing, Internet, and Public Service.

Learn About OpenSSF In The Current Landscape From Brian Behlendorf, General Manager Open Source Security Foundation

OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

Learn About SPDX In The Current Landscape From Kate Stewart, VP, Dependable Embedded Systems At The Linux Foundation

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information.

And Learn More About Industry Responses To Log4J With A Practical Case Study About How Things Unfolded “On The Ground”

The Security Summit will take place on February 17th 2022 at 18:00 PST / February 18th 2022 02:00 UTC / 10:00 CST / 11:00 KST+JST. It will be hosted on Zoom and it will be free to attend. It will also be recorded. Join the event here:

• https://zoom.us/my/openchain

You can expect to come away with a clear understanding of market conditions, how the Linux Foundation is addressing them, and where OpenChain fits into the picture. The goal – as always – is to ensure you have the information necessary to make informed, effective decisions around the open source supply chain.

We seek to build trust in the quality of programs used by you, your customers and your suppliers. We are proud to have taken significant strides in our field throughout 2021. We expect to push the boundaries of what is possible once again in 2022. You can learn more about what we are doing around security – including our reference assurance guide – here:

• https://www.openchainproject.org/news/2022/01/19/openchain-on-security

We are turning this into a Reference Security Specification via our bi-weekly global work team calls. You can via the current draft on GitHub and open issues here: 

• https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide/2.0

Tokyo, February 10, 2022 – NEC Corporation (NEC; TSE: 6701), a leading global provider of IT and network technologies, has joined the OpenChain Project as a Platinum Member and will assume a governing board seat. The OpenChain Project builds trust in the supply chain by making open source license compliance simpler and more consistent, and maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance.

“NEC has played a significant role in the development of the global OpenChain community,” says Shane Coughlan, OpenChain General Manager. “As we welcome NEC to the OpenChain governing board we look forward to deepening our collaboration. We share a vision of a supply chain with greater trust and effectiveness. Today we have taken another important step towards that goal.”

“NEC is well aware of the importance of security and compliance in the open source supply chain and we respect OpenChain’s leadership in this field.” says Kimio Suganuma, Head of the OSS Promotion Center and Emerging SI Technology Development Division, Digital Business Platform Unit, NEC. “We have decided to join as a platinum member to show our approval and support of the open source ecosystem.”

About NEC Corporation

NEC Corporation has established itself as a leader in the integration of IT and network technologies while promoting the brand statement of “Orchestrating a brighter world.” NEC enables businesses and communities to adapt to rapid changes taking place in both society and the market as it provides for the social values of safety, security, fairness and efficiency to promote a more sustainable world where everyone has the chance to reach their full potential. For more information, visit NEC at https://www.nec.com.

About the OpenChain Project

The OpenChain Project maintains the international standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.