OpenChain Security Assurance Spec – WG-SC27 Comment Review Calls – Recordings

By News

We recently held two calls to review feedback from ISO/IEC WG/SC27 on our recently completed OpenChain Security Assurance Specification. These calls provided feedback ahead of our formal submission into the JTC-1 PAS Transposition Process. Below the video you will find the full guidance provided to our community during this review process. The end result can be found in the OpenChain Security Assurance Specification 1.1, which has now been handed over to Joint Development Foundation (JDF) for entry into the JTC-1 PAS Transposition Process during October.

For reference, here is the full guidance provided to the OpenChain community during these recorded review calls:

ISO/IEC WG/SC27 (security) has provided some feedback on the OpenChain Security Assurance Specification 1.0 for our review. Our review cycle runs from now until October 4th and you can get started on checking their comments via our issue tracker here:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues
(This review cycle was closed early, as all comments were addressed by the conclusion of the second call on the 29th of September.)

We are providing some guidance on the review of these comments and suggestions.

(1) Our specification was completed after a multi-month process in March 2022, and it was ratified by our board for ISO/IEC JTC-1 PAS submission on the 14th of September 2022
(2) Therefore OpenChain Security Assurance Specification 1.0 is functionally complete
(3) We should review the ISO/IEC WG comments with this perspective
(4) We are looking for editorial adjustments for clarity and errors
(5) We are not looking to change the scope or function of OpenChain Security Assurance Specification 1.0 or any immediate clarity / error adjusted successor
(6) This is because we want to proceed with our JTC-1 PAS submission as approved by the OpenChain Governing Board
(7) But we can place any comments for scope and function adjustment into a deferred status
(8) And we will return to them for discussion around inclusion in OpenChain Security Assurance Specification 2.0

Webinar: SecTrend and their OpenChain-Related Services

By community, News, Partner Webinar, standards, Webinar

This series highlights offerings from various service providers throughout the global OpenChain eco-system. Each featured partner has an official relationship with the project, whereby they may use our trademark for marketing OpenChain-specific services, and in exchange they help with community outreach, education and other aspects of collaborative (and free) support.




More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2022-10-04.

Small Company Playbook Now Available

By Featured, News

The OpenChain Project is delighted to announce the launch of our latest playbook. Focused on small companies, and created by the Education Work Group over the summer, this playbook helps you to contextualize the tasks involved with OpenChain ISO/IEC 5230 adoption. It is short, simple and directly relevant to things like:

  • Getting management support
  • Creating realistic policy and processes
  • Operating an open source program office (OSPO) with low resources
  • Ensuring you have the key requirements of a quality license compliance program

While targeted towards small companies, the concepts used in this document are useful for medium and large companies as well. Think of this as a “minimum viable product” when it comes to considering compliance programs and open source program offices.

As with all our reference material, this playbook is available free of charge and under CC-0 licensing (effectively public domain). It is currently published as a PDF, Word Document and in Open Document Format. More formats will be coming in the future.


Want to check out our other playbooks? We currently have a medium company playbook available:


Want to help with our future work? Please join our education work group to help with new material.

OpenChain Reference Tooling Work Group Meetings – New Regular Schedule

By Featured, News

The OpenChain Reference Tooling Work Group holds meetings on a bi-weekly schedule. These are designed to allow anyone with an interest in open source tooling for open source compliance to learn more, share ideas, and contribute knowledge. All levels of experience are welcome.

Our new regular schedule is:

First Wednesday @ 08:00 UTC
Third Wednesday @ 16:00 UTC

At the scheduled time click to join the voice, video or screen sharing session:  
https://conf.fsfe.org/b/compliance-tooling
Access Code: 199143

You will also find our events in the OpenChain Global Calendar.

OpenChain Partner Webinars Continue Throughout October

By Featured, News

The OpenChain Partner webinars are pre-recorded broadcasts intended to help educate and inform our global community about commercial services available around ISO/IEC 5230. Each webinar is geo-tagged so you can see which primary location it covers.

Learn about SecTrend (China) on the 4th of October @ 15:00 UTC.

Learn more about Bitsea (Germany) on the 18th of October @ 15:00 UTC.

Learn more about PwC (Worldwide) on the 29th of November @ 15:30 UTC.

Each webinar is held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799

Check Out Our Past Webinars


Check your timezone:
PDT United States Pacific UTC-07:00
UTC Coordinated Universal Time UTC
CET Central European Time UTC+01:00
IST India Standard Time UTC+05:30
CST China Standard Time UTC+08:00
KST Korea Standard Time UTC+09:00
JST Japan Standard Time UTC+09:00

Compare timezones:
https://www.worldtimebuddy.com

Join via one tap mobile:
+86 10 8783 3177,,4377592799# Mainland China
+33 1 8699 5831,,4377592799# France
+49 69 7104 9922,,4377592799# Germany
+81 524 564 439,,4377592799# Japan
+82 2 3143 9612,,4377592799# Korea
+91 80 71 279 440,,4377592799# India
+886 (2) 7741 7473,,4377592799# Taiwan
+44 330 088 5830,,4377592799# UK
+13017158592,,4377592799# USA

Find your local country number: 
https://zoom.us/u/awFnORNiA
Meeting ID: 437 759 2799

OpenChain Germany Work Group – 2022-11-16 in Cologne

By Featured, News

The OpenChain Germany Work Group will hold its next meeting in collaboration with PwC in Cologne, Germany on the 16th of November 2022. This meeting is open to all and will have plenty of time for networking and sharing knowledge. Find out more by contacting us.

Agenda:

  • 11:00 – 11:15 Welcome (all)
  • 11:15 – 12:00 Introduction to OpenChain Project, news and way forward (Shane)
  • 12:00 – 12:30 Overview SBOM, Security & License Compliance (PwC)
  • 12:30 – 13:00 Self-Certification, Independent Assessment and Third Party Certification (PwC)

13:00 – 14:00 Lunch

  • 14:00 – 14:30 Discussion of focus topics of the German work group (Shane/all)
  • 14:30 – 15:00 Review and issue submission for ISO/IEC 5230 and the Security Assurance specification (Shane/all)
  • 15:30 – 16:00 Review and issue submission for the new playbooks for small, medium and large company adoption (Shane/all)

16:00 – 16:15 Bio Break

  • 16:15 – 16:45 Review and issue submission on automation based on the tooling landscape map (Shane/all)
  • 16:45 – 17:00 Wrap up & Next steps (PwC/Shane)

This event is recommended for project managers, legal personnel, strategy-makers and executives with execution responsibility. 

Register here:

https://www.pwc-events.com/openchain-germany-work-group-meeting (German)

https://www.pwc-events.com/openchain-germany-work-group-meeting-en (English)

OpenChain UK Work Group Meeting – 2022-10-13 in London

By Featured, News

Moorcrofts LLP and its sister compliance company Orcro Limited, as OpenChain partners, invite you to join us at the next meeting of the OpenChain UK Work Group, taking place both virtually and physically (Beck Greener, London) on Thursday 13 October, 11:00 – 13:00.

The keynote speaker for the event will be Liz Rice, Chief Open Source Officer with eBPF specialists, creators of the Cilium cloud native networking, security and observability project. 

Liz is a member of the Open UK Board and was chair of the CNCF’s Technical Oversight Committee 2019-2022, and co-chaired the KubeCon / CloudNativeCon 2018 events in Copenhagen, Shanghai and Seattle. She is also the author of Container Security, published by O’Reilly.

She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, competing in virtual races on Zwift, and making music under the pseudonym Insider Nine.

Agenda

11:00: Welcome and introduction by Andrew Katz (Orcro) & Sami Atabani (Arm)

11:10: News and Updates by Shane Coughlan (Linux Foundation)

11:25: OpenChain UK Work Group: Plans by Andrew Katz (Orcro) & Sami Atabani (Arm)

11:45: Liz Rice Key Note

12:45: AOB

13:00: Thank you and goodbye!

OpenChain, a project of the Linux Foundation, brings established governance principles to the software supply chain. It adopts best-practice from other compliance areas and maps them to software procurement, giving businesses a clear path to minimising infringement risk in procuring, developing and deploying software, with particular emphasis on use and re-use of free and open source software (“FOSS”) components. The result is that open source licence compliance becomes more predictable, understandable and efficient for all participants in the software supply chain.

Why Join?
A stellar roster of international businesses is adopting the OpenChain framework for Open Source compliance and seeing the benefits of adopting best-practice: helping business teams work together towards a common goal, making Free and Open-Source Software (FOSS) more accessible to developers, and reducing overall compliance effort, saving time, legal and engineering resources. It therefore makes sense to unify and freely share this work, and to help embed it into the UK’s software development culture.

With this in mind, the OpenChain UK Work Group was born. It is free to join, and open to anyone (whether in the UK or otherwise) interested in finding out more about why companies as diverse as Arm, Google, Scania, Hitachi Data Systems, Toyota, Facebook, Uber and Microsoft are embracing OpenChain, as well as smaller companies like B2M Solutions and NewRoCo. The group also aims to help developers’ and organisations’ journey through open source compliance by providing a practical and accessible platform for anyone in the UK to quickly sync, share information and save time across all aspects of open source compliance.

Book Now
To reserve your free place at either the physical or virtual meeting, on 13 October from 11:00 – 13:00, please complete the online booking form.

OpenChain Summit 2022 – Full Recording

By Featured, News

The OpenChain Project held its annual all-day summit adjacent to Open Source Summit Europe (OSS EU) on the 14th of September. This event featured news from our latest board meeting (including the decision to launch our new security specification), a deep dive into a significant new automation landscape to assist with license, security and export control compliance, SBOM discussions and more.

Check out the full recording below alongside copies of our excellent keynote presentation from Andrew Katz of Orcro and the automation landscape capability map presentation delivered by Jan Thielscher of EACG on behalf of the OpenChain Reference Tooling Work Group.

Here are the key takeaways:

  • The OpenChain Project now maintains a family of specifications to build trust in the supply chain. We started with license compliance and now we have a sister standard for security.
  • Open source automation for open source license, security and export control compliance is getting a clear capability map to guide investment of resources and save time.
  • Software Bill of Materials (SBOM) has seen great progress in the last year or two, and the OpenChain Telco Work Group is working on very practical items related to market adoption.
  • Open source licensing discussions have become somewhat stale and there is scope for considering the future of open source licensing approaches.

Andrew’s Keynote Slides

The Automation Capability Map Presentation Slides

OpenChain Security Assurance Specification 1.0 Now Available

By Featured, News

The OpenChain Security Assurance Specification 1.0 is now available. This is the result of over one year of work throughout the global OpenChain community. It is applicable to open source management activities related to security compliance, which we regard as adjacent to, but different from, license compliance.


The OpenChain Project’s core mission is to build trust in the supply chain. Our flagship specification, ISO/IEC 5230:2020, is the International Standard for Open Source Compliance and builds trust in that domain. It defines the key requirements of a quality open source compliance program. The natural next step is to identify the key requirements of a quality open source security assurance program.

Initially the scope of this specification is limited to ensuring that an organization vets open source with regards to known publicly available security vulnerability issues (e.g., CVEs, GitHub dependency alerts, package manager alerts and so on). The security assurance specification’s scope may expand over time based on community feedback.

This specification is built from the Security Assurance Reference Guide 2.0 (Release Candidate 1) published on 2022-03-28. That completed reference specification document went through a final approval process via editing on our specification list and calls, before graduating to a governing board vote to transform into this published security specification on 2022-09-14.

Next Steps

We will proceed to ISO/IEC JTC-1 PAS submission with an estimated completion date of circa mid-2023. In the meantime, our security assurance specification is ready for market adoption as a de facto standard.

Prior to the ISO/IEC JTC-1 PAS submission, we have some time for sanity-checks and minor adjustments. We begin that process today and will complete it on October 4th 2022 (2022-10-04). There are two tasks for the community ahead of that date:

  1. Check our Security Assurance Specification 1.0 against the Security Assurance Reference Guide 2.0 (Release Candidate 1) to ensure Sections 1, 2 and 3 match. You can find the Security Assurance Reference Guide 2.0 (Release Candidate 1) here:
    https://github.com/OpenChain-Project/Security-Assurance-Specification/tree/main/Security-Assurance-Guide-Depreciated/2.0
  2. Check the OpenChain Security Assurance Specification 1.0 for any typographical errors that have snuck through our existing editing process. You can find the document linked at the start of this email or here:
    https://github.com/OpenChain-Project/Security-Assurance-Specification/blob/main/Security-Assurance-Specification/1.0/en/openchain-security-specification-1.0.md

You can submit issues highlighting areas you would like review on our GitHub repository. Please note, due to this being a specification, we will only accept issues for discussion. We will not accept pull requests or remixes.


In the coming days we will have broader distribution of the specification launch, including on social media and via blog posts. However, you can begin sharing it immediately with your teams and peers. 

Please note:

The scope of this reference specification may expand over time based on community feedback. However, comments and notes should be confined to the existing scope at this juncture. Our specification is complete barring minor adjustments for readability, editing and clarity. 

Please note:

This specification is licensed under Creative Commons Attribution License 4.0 (CC-BY-4.0). You can submit issues highlighting areas you would like review on our GitHub repository. Due to this being a specification, we will only accept issues for discussion. We will not accept pull requests or remixes. You can get more involved with our work beyond submitting issues via our community calls, mailing lists and events: https://www.openchainproject.org/community