In this forthcoming OpenChain Webinar, recent computer science graduate Charlotte Gayton shares her experience implementing the OpenChain standards: ISO/IEC 5230 during her Year in Industry and ISO/IEC 18974 in her dissertation project.
She will discuss the challenges she faced and the solutions she developed to achieve compliance. The session will provide a unique perspective on navigating OpenChain from the viewpoint of someone early in their career.
The OpenChain Taiwan Work Group will hold a meet-up on Monday the 5th of August in collaboration with our colleagues at the Open Culture Foundation. Everyone is invited.
Time:
2:00-4:00 pm
Date:
Monday, 5 August, 2024
Venue:
Open Culture Foundation (Mutix Studio building, entrance on Civic Boulevard, next to Charming City Songshan Hotel)
Agenda:
Opening: Singing Li of Open Culture Foundation
Shane Coughlan of OpenChain Project talks about OpenChain trends in 2024 for 15-20 mins
SZ Lin shares the latest news about SBOM for 10-15 mins
Free exchange with drinks and snacks for 40 mins.
Lightning talk sessions for participants to freely share their ideas/experiences, maximum 40 min.
Shane Coughlan, OpenChain General Manager, will deliver a talk entitled ‘The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Professionals in 2024’ on Day 1 of COSCUP 2024. This talk, part of the legal track managed by long-term collaborator Florence Ko, will provide practical background on what the ISO standards for open source license compliance and security assurance mean for professionals dealing with risk management.
Date:
2024 / 08 / 03
Time:
13:40 ~ 14:10
Session ID:
TR510 Open Licensing Kaleidoscope
Abstract:
This session will present an overview of how OpenChain ISO/IEC 5230:2020 for open source license compliance and OpenChain ISO/IEC 18974:2023 for open source security assurance will impact legal professionals in 2024. It will cover the key points regarding procurement negotiations, mergers and acquisitions, and supply chain management foreseen in the year ahead. This will be informed by recent developments around the CRA and in adjacent standards like SPDX ISO/IEC 5962. The session will also expand on existing and forthcoming reference material, community support and commercial providers available for when help is needed. We will end with an outline of what may come next for the market, highlighting a new OpenChain Study Group around AI Compliance. This session will invite questions from the audience to ensure everyone is up-to-date and ready for internal or client use-cases.
The OpenChain Automotive Work Group will hold a face-to-face workshop on the 10th of September in Stuttgart. Please register if you will be attending, and please help spread the word!
Like all OpenChain Automotive activities, this belongs to you. You can contribute to, leave notes on, or make suggestions about the agenda. You will find our work group overview and links to our mailing list here: https://openchain-project.github.io/Automotive-WG/
We are delighted to announce that the second edition of the OpenChain guide to ‘Managing Your Open Source Software Supply Chain’ is now available. It builds on the first edition, produced by the OpenChain Japan Work Group in 2019, and takes into account market developments since that time.
Overview:
This document is designed to help companies in the supply chain understand and manage Open Source Software (open source). The OpenChain Project maintains the OpenChain ISO/IEC 5230:2020 for open source license compliance and OpenChain ISO/IEC 18974:2023 for open source security assurance. These standards can help companies manage open source. You can learn more about the OpenChain Project and its standards at www.openchainproject.org.
Open source has become essential to modern software development and is incorporated into almost every electronic product, from consumer to industrial devices, from cloud to embedded software. Open source is an indispensable part of helping companies to bring products or services to market.
Much open source is developed through the collaboration of expert developers from individuals and organizations throughout the world.
Open source can be used, modified, and distributed by anyone who complies with the associated license conditions. When open source is distributed within the supply chain, the distributor is required to comply with the terms and conditions of the license. There have been cases where suppliers were sued because they failed to satisfy their legal obligations. This document is designed to help introduce the best practices needed to prevent issues occurring and to solve them when they do occur. It leads to further resources available through the OpenChain Project and other Linux Foundation Projects.
Like all other software, security issues sometimes occur with open source. By understanding how open source is created, used, and maintained, it is possible to identify, prevent and address many of these issues before they become a concern. The key thing is for all relevant personnel to understand the basic principles of open source.
Please note that this document is designed to provide insight based on experience shared from our global community. It does not contain legal advice.
We are delighted to announce that the OpenChain Telco SBOM Guide Version is available in English, French, Japanese and Simplified Chinese.
Overview:
The OpenChain Telco SBOM Guide aims to outline certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this guide can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs.
Note that this guide does not require a conforming entity to adopt OpenChain standards, but doing so is greatly encouraged.
This guide is designed to work at a per-SBOM level: an entity can use it as its sole way of delivering SBOMs, but it is the individual SBOM that the guide refers to, not the entity that provides the SBOM. An SBOM that follows this guide can be called “OpenChain Telco SBOM Guide Compatible.”
The OpenChain Project has required a Software Bill of Materials in its compliance and security standards since we started the project in 2016. Over the years, we have contributed to the field in various ways, ranging from the development of SPDX Lite (a simple SBOM for suppliers) to a guide to judging SBOM quality.
Our new SBOM Study Group brings all our various activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?”
This kick-off call:
Introduced the practical considerations of using SBOMs in supply chains
Discussed who these considerations apply to
Talked about existing market solutions: Case Study SPDX Lite
Had an open discussion on next steps
Watch the Full Recording:
Check Out The Overview Slides:
Check Out The SPDX Lite Case Study:
Everyone with an interest in SBOMs, the use of SBOMs in the supply chain, and in increasing trust in the supply chain is invited to be part of our work. Kobota San from Sony is the chair of this study group in 2024. Kobota San, thank you for stepping forward to start this activity!
The OpenChain Japan Work Group had its 31st All Member Meeting on the 27th of June. As always, this event featured a series of talks, case studies and plenty of space for networking. This was a meeting with a lot of international focus, including engagement with activities around the OpenChain AI Study Group, and discussion about the (at the time) forthcoming OpenChain SBOM Study Group.
This week we have the following international meetings:
Tuesday 30th July:
– OpenChain SBOM Study Group Kick-Off Call @ 07:00 UTC
Thursday 1st August:
– OpenChain Telco Work Group Call (European Morning) @ 07:00 UTC
– OpenChain India Work Group @ 10:00 UTC
– OpenChain Telco Work Group Call (European Afternoon) @ 14:00 UTC
On previous OpenChain Education Work Group calls and at recent events, we discussed the emergence of maturity models that include ISO/IEC 5230 or other standards for managing open source business processes. We also flagged that reference material will be freely available to the community to help everyone benefit from maturity modeling if they choose to go in this direction. This call is a deep dive on the topic, and helps set expectations and timelines for the release of official OpenChain Project reference material.
Watch the Full Recording:
View the Maturity Model Example Spreadsheet on Google Drive (Editing Possible):