Skip to main content
Category

News

External Event Coming Soon: The Path to a Sustainable Software Supply Chain

By Featured, News

Shane Coughlan, OpenChain General Manager, will take the lead in a FOSSA webinar on the 16th of March.

From their site:

Software supply chain security has dominated the headlines in recent months following a series of events (including the SolarWinds hack and the Biden Administration’s executive order). But maintaining the integrity of your software supply chain is about more than just traditional vulnerability remediation. Our modern threat landscape has elevated the importance of supply chain sustainability, which includes areas like software provenance and lifecycle management in addition to known vulnerability mitigation.

Join Shane Coughlan, GM of OpenChain (a Linux Foundation project) for a conversation on the importance of supply chain sustainability and practical steps your organization can take to strengthen supply chain integrity.

We’ll discuss:

  • The evolution of software supply chain threats
  • The importance of software provenance, such as package origin, maintainers, and quality
  • Questions to ask vendors to gauge the sustainability of proprietary software
  • Indicators of sustainable open source software

Register here:

Webinar: The Mulan License

By community, Featured, legal, licensing, News, Webinar

This webinar unpacked the Mulan license family, an emerging activity from China with implications regarding the governance of open source as it expands around the world. Providing licenses designed in non-English languages is a topic that will be increasingly important, and is something companies will benefit from being aware of.

Check Out The Rest Of Our Webinars

This is OpenChain Webinar #37, released on 2022-02-23.

OpenChain Security Summit 2022 – Recording

By Featured, News

Learn About OpenSSF In The Current Landscape From Brian Behlendorf, General Manager Open Source Security Foundation

OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

Learn About SPDX In The Current Landscape From Kate Stewart, VP, Dependable Embedded Systems At The Linux Foundation

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information.

And Learn More About Industry Responses To Log4J With A Practical Case Study About How Things Unfolded “On The Ground”

You can expect to come away with a clear understanding of market conditions, how the Linux Foundation is addressing them, and where OpenChain fits into the picture. The goal – as always – is to ensure you have the information necessary to make informed, effective decisions around the open source supply chain.

We seek to build trust in the quality of programs used by you, your customers and your suppliers. We are proud to have taken significant strides in our field throughout 2021. We expect to push the boundaries of what is possible once again in 2022. You can learn more about what we are doing around security – including our reference assurance guide – here:

We are turning this into a Reference Security Specification via our bi-weekly global work team calls. You can via the current draft on GitHub and open issues here: 

Open Source Policy Template – Now in Japanese

By Featured, News

The OpenChain Open Source Policy Template helps apply the key requirements for a quality open source compliance program. It provides sample policy text that helps organisations select, classify, incorporate and publish open source code with a focus on legal compliance of open source.

This template has been available in English for several years thanks to the hard work of Andrew Katz, the teams at Moorcrofts and Orcro, and the broader OpenChain community. Now, thanks to Masahiko Hayashi and the team at NEC, this policy template is available in Japanese.

This is an excellent resource to help you conform to OpenChain ISO/IEC 5230:2020 or to simply improve your internal process management for open source.

Download the Japanese version here:

Download the English version here:

Contribute to this work on GitHub:

OpenChain Event In Beijing: CAICT Hosts 37 Companies

By News

The China Academy of Information and Communications Technology (CAICT) hosted an OpenChain event today at their HQ in Beijing. Thirty-seven representatives from various companies attended in-person. As the world opens, the OpenChain community hopes to hold similar events across Asia, Europe and North America.

This event highlighted the recent Third-Party Certification by General Data Technology Co., Ltd., CETC Kingbase and PingCap while providing attendees with extensive information on OpenChain ISO/IEC 5230, conformance options, and support for conformance in the Chinese market.

The event featured an introduction by Shane Coughlan, OpenChain General Manager, before switching fully into Mandarin and providing attendees with a chance to discuss matters in a frank, open and productive manner.

We would invite all interested parties to take part in the OpenChain China activities. Everyone is invited. We keep the discussion informal, focused and helpful.

You can learn more about the work CAICT is doing around OpenChain through a recent news item in English and Chinese:

HONOR Joins The Governing Board Of The OpenChain Project

By Featured, News

HONOR, a leading global provider of smart devices, officially joined the OpenChain Project as a Platinum Member. HONOR will continue to devote efforts to help maintain OpenChain ISO/IEC 5230, the International Standard for open source license compliance.

中文版: 荣耀加入 OpenChain项目理事会 

“HONOR is delighted to join the OpenChain Project. HONOR has consistently taken compliance management as the basis of business process. HONOR adheres to the principle of open innovation to provide high quality smart devices that exceeds the expectations of customers around the world,” said Samuel Deng, President of Research & Development Mgmt Dept, HONOR Device Co., Ltd. “HONOR will actively participate in the OpenChain project to work with global partners to build a more secure and efficient open source software management system. ”

“HONOR will playing an essential role in the OpenChain Project in 2022 and beyond,” says Shane Coughlan, OpenChain General Manager. “Chloe and the rest of the team will be providing strategic guidance on our governing board, building on their existing engagement across our global community. Our shared mission is to build greater trust in the supply chain, and this represents another significant milestone in our ability to execute effectively.”

About HONOR

HONOR is a leading global provider of smart devices. It is dedicated to becoming a global iconic technology brand and creating a new intelligent world for everyone through its powerful products and services. With an unwavering focus on R&D, it is committed to developing technology that empowers people around the globe to go beyond, giving them the freedom to achieve and do more. Offering a range of high-quality smartphones, tablets, laptops and wearables to suit every budget, HONOR’s portfolio of innovative, premium and reliable products enable people to become a better version of themselves.

For more information, please visit HONOR online at www.hihonor.com.
https://community.hihonor.com/
https://www.facebook.com/honorglobal/
https://twitter.com/Honorglobal
https://www.instagram.com/honorglobal/
https://www.youtube.com/c/HonorOfficial

About the OpenChain Project

The OpenChain Project maintains the International Standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.

荣耀加入 OpenChain项目理事会

By News

荣耀,全球领先的智能终端提供商,正式加入OpenChain项目理事会。荣耀将持续努力,共同维护开源许可证合规领域的国际标准,OpenChain ISO/IEC 5230。

“荣耀很高兴加入OpenChain项目。一直以来,荣耀将合规管理作为业务流程的基础,始终坚持开放创新的理念,打造超越消费者期待的高品质智能设备。” 荣耀终端有限公司研发管理部总裁邓斌表示:“荣耀将积极参与OpenChain项目,与全球合作伙伴一起建立更为安全高效的开源软件管理体系。”

“荣耀在2022年及以后将在OpenChain项目中扮演重要角色”,OpenChain的总经理Shane Coughlan说到:“荣耀的开源团队将基于在全球社区的现有合作,为我们的理事会提供战略指导。我们的共同使命是在供应链中进一步增强信任,这也将是我们执行力建设的另一个重要的里程碑。”

关于荣耀
HONOR荣耀,于2013年诞生,是全球领先的智能终端提供商。我们致力于成为构建全场景、 面向全渠道、服务全人群的全球标志性科技品牌,荣耀以创新、品质和服务作为三大战略控制点,坚持研发及前瞻性技术的持续投入,为全球消费者带来不断创新的智能设备, 创造属于每个人的智慧新世界。

Third-Party Certification in China – Three Entities Announce Today

By Featured, News

Today marks a significant step forward for both the field of Third-Party Certification and the Chinese market in the context of OpenChain ISO/IEC 5230, the International Standard for open source license compliance. The China Academy of Information and Communications Technology (CAICT) has helped three companies establish OpenChain conformant programs scoped to cover one key product from each. This type of program is a common method of helping companies to “onboard” to broader programs over time.

The products going through the new OpenChain conformant programs are:

  • GBase 8a from General Data Technology Co., Ltd. (GBASE) [1]
  • KingbaseES V8 from CETC Kingbase [2]
  • Tidb enterprise v4.0 from PingCap [3]

CAICT has a Third-Party Certification Program that draws on their domain experience in legal compliance consulting and which lasts between four and six weeks. In words of Zhang Jun Xia, who is leading the program for CAICT, the process looks like this:

  1. Agreement is reached on how to approach certification: “we talk about the importance of open source compliance with the key staffs of the companies, including their managers or vice managers of commercial ,developing and legal departments(from last year my team discussed with about 10 companies). Then some of them reach the agreement to set the opensource compliance management process.”
  2. Kick off meeting to estimate the scope of work: “my team will hold a starting meeting with the company who decided to go through the OpenChain program. We invited almost every manager or vice manager whose responsibilities related to open source upstreaming and down-streaming. We talked about their understanding opensource compliance and the basic requirements of opensource compliance, and introduce the procedures that we will performance to help them meet the requirement.”
  3. Training to share knowledge and increase cohesion between the company and CAICT teams: “we start the training step. according to the understanding and basic estimate at the kick-off meeting, we design the training courses which last to 6 hours to 12 hours, depending on the basis of different companies( Half of the training resources are from OpenChain training resource). By the course, we lead to the agreement what is opensource compliance and what should have to be done to meet it.”
  4. The interview process: “we start a 2-3 days interviews with the key individuals who is involved in opensource compliance management,like the legal officer,the development manager,the product manager,the commercial officer….we dug out the specific procedures how the product is developed,how they manage the upgrade versions,and how to ensure the function and performance indexes such as availability , reliability and security.”
  5. Setting the compliance procedure to documents: “Next week we will write the documents which set the management processes, based on  their original ones, trying to make the least change and make sure to meet the 6 fields of OpenChain standard. We discussed the documents with the key staffs to reach another agreement (in this step we wrote a lot of documents, even described every steps procedure).”
  6. Inspection period: “Once we both agreed, the product line will execute the management processes, and make the records,logs,and discuss every thing that should be cleared or should be changed. We will inspect the new process for 2 to 4 weeks, until we believe it is OK.”

“We are delighted to announce three new companies entering the OpenChain community of conformance today, ands we applaud CAICT on this exceptional certification accomplishment,” says Shane Coughlan, OpenChain General Manager. “The conformance of entities around the world falls into three categories. Self-certification, independent assessment and third-party certification. The availability of the latter is of critical important to ensure freedom of choice, and to ensure critical products in demanding industries are fully supported. The words largest technology production environment is reaching a new stage of maturity.”

[1]

Founded in 2004, GBASE adheres to the independent research and development and promotion of database, and provides users with full stack database products and services. As a state-level high-tech enterprise, GBASE has been rated as a leading domestic database enterprise for many years.

GBase 8a MPP Cluster is a leading product of massive parallel processing database management system, have entered the core business system of more than 80 large banks. The sales of GBase 8a have covered all provinces in China (except Hong Kong and Taiwan) and 34 countries, including the United States, Mexico, Pakistan, Japan, the United Kingdom, Russia and South Africa.

In recent years Gbase 8A adopts more and more open source components in version upgrading, and gradually realizes the importance of open source compliance. Through the Openchain compliance guidance provided by caict, the product has established a standardized open source management process, which greatly improved the transparency of SBOM transmission within the company and improved the reliability of open source compliance.

[2]

CETC Kingbase is a company specializing in database research and development and product services. It has mastered a number of database core technologies, developed large-scale general database products with international advanced level, and is widely used in high information security fields such as government, national defense, military industry, energy, finance and medical treatment, with a total installation and deployment of more than 1 million sets. Kingbases, its independently developed database management system, has passed a number of national security certifications and won the “second prize of national science and Technology Progress Award” in 2018.

In the process of product development, it took the  applying of ISO/IEC 5230:OpenChain standard and built a set of open source compliance management mechanism, which greatly reduced the risk of open source reference and effectively ensured the quality and safety of products.

[3]

Founded in 2015, Pingkai Xingchen (Beijing) Technology Co., Ltd (hereinafter referred to as PingCAP) is an enterprise-grade distributed database provider committed to delivering a modern data infrastructure for growth-oriented users that is efficient, reliable, open and compatible, unleashing  productivity, and accelerating digital transformation for enterprises.

PingCAP’s flagship project, TiDB, is an open-source, distributed Hybrid Transactional/Analytical Processing (HTAP) database that features horizontal scalability, strong consistency, and high availability with MySQL compatibility. TiDB 4.0 was designed for enterprise core business scenarios with requirements such as high availability, strong consistency, and large data scale, and has been adopted at scale in Finance, Internet, New economy, Public services, High-tech manufacturing and other industries in China.

As an open source company, PingCAP has been dedicated to driving forward autonomous  open source communities that honor contribution and participation as key credits. To date, TiDB as an open source project has received 30200+ stars on GitHub,  and has been adopted by over 2000 companies in production world wide, covering multiple industries such as Finance, Telecommunication, Manufacturing, Internet, and Public Service.