We held our regular workshop for the OpenChain AI Work Group on March 5th. It was a two-hour session to allow topics related to AI compliance to be discussed, explored and defined. The key focus for the Work Group is to develop and finalize a Guide to AI Bill of Material Compliance in the Supply Chain, and there is active drafting going on during each meeting.
You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
Open source and insurance has long been a topic of interest to commercial providers of products and solutions. This webinar will help unpack the reality of insurance considerations in this space. All welcome.
Abstract:
Open source software providers are facing a triple threat: tightening US and EU regulations, rising IP litigation, and the risks introduced by Gen AI. Soon, your board—and your customers and suppliers— might be asking that you have specific insurance that actually covers OSS-related liabilities. But, does such insurance exist? Does it work? And how should it work?
Historically, insurers have struggled to grasp OSS risks, offering inadequate or unclear coverage. Now, a new wave of insurance solutions is emerging, informed by OpenChain standards and best practices.
Join this session to explore how the insurance industry is evolving, what new OSS-specific coverage looks like, and how you can help shape it to meet the real needs of the open source community.
Meet Your Presenters:
Lewis Parle, Head of Intellectual Property Risks @ Lockton
The 25th Meeting of the OpenChain Korea Work Group is coming soon! Join one of the most energetic, friendly and productive open source communities dedicated to better supply chain management. All welcome, even if you do not speak Korean.
Time and Date: 25th of March (2025-03-25) 14:00 – 17:00
Please note: Format registration will launch soon. You can already express your interest on the OpenChain Korea Work Group mailing list (https://lists.openchainproject.org/g/korea-wg).
The OpenChain Newsletter provides a monthly summary of our work. It contains an overview of what we are doing to build trust around license compliance and security in the open source supply chain. We accept suggestions and ideas. Feel free to mail us at any time.
The OpenChain Japan Community Day #34 was held at Tokyo on March 3rd. Below you can learn more details of the event (Japanese).
OpenChain Japan Community Day #34@トヨタ大手町
OpenChainのメンバーが一堂に介し、OSSの最新情報を共有したり、ネットワーキングしたり、
各業界の課題を議論したりするCommunity Dayの2025年第1弾をトヨタ大手町で実施致します。
日時:3月3日(月)13:30-17:00、3月4日(火)9:30-12:00
会場:トヨタ自動車株式会社大手町オフィス
The OpenChain Japan Work Group held one of its regular community meetings with presentations, case studies and networking on the 3rd of March 2025. The full recording is below.
As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?” We are dealing with the reality of supply chains with many participants who have different levels of skill, use different formats, and perhaps follow different regulations or policies.
This meeting looked at two important pieces of analysis from the OpenChain Japan SBOM Sub-Group. The goal was to find common challenges, and how we can address them when we consider:
Process management as our focus (the management layer)
Previous OpenChain work in this field (e.g. the Telco SBOM Guide)
Other work around the world (e.g. emerging regulation etc.)
Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.
The Elixir Project is pleased to share that the Elixir project now complies with OpenChain ISO/IEC 5230, the international standard for open source license compliance. This step aligns with broader efforts to meet industry standards for supply chain and cybersecurity best practices.
“Today’s announcement around Elixir’s conformance represents another significant example of community maturity,” says Shane Coughlan, OpenChain General Manager: “With projects – the final upstream – using ISO standards for compliance and security with increasing frequency, we are seeing a shift to longer-term improvements to trust in the supply chain.”
Why OpenChain Compliance Helps
By following OpenChain ISO/IEC 5230, we demonstrate clear processes around license compliance. This benefits commercial and community users alike, making Elixir easier to adopt and integrate with confidence.
Changes for Elixir Users
All future Elixir releases will include a Source SBoM in CycloneDX 16 or later and SPDX 2.3 or later formats.
Each release will be attested along with the Source SBoM.
These additions offer greater transparency into the components and licenses of each release, supporting more rigorous supply chain requirements.
Changes for Contributors
Contributions remain under the Apache-2.0 License. Other licenses cannot be accepted.
The project now enforces the Developer Certificate of Origin (DCO), ensuring clarity around contribution ownership.
Contributors will notice minimal procedural changes, as standard practices around licensing remain in place. For more details, see the CONTRIBUTING guidelines
Commitment
These updates were made in collaboration with the Erlang Ecosystem Foundation, reflecting a shared commitment to robust compliance and secure development practices. Thank you to everyone who supported this milestone. We appreciate the community’s ongoing contributions and look forward to continuing the growth of Elixir under these established guidelines.
CSI Piemonte, an early adopter of OpenChain ISO/IEC 5230, has announced their fourth periodic recertification of the international standard for open source license compliance processes.
“CSI Piemonte has renewed its self-certification to ISO/IEC 5230:2020 for the fourth time, aware of its decades-long aptitude to implement, acquire, and publish open source software,” says Marco Alberto Panepinto, Open Source Subject Matter Expert at CSI Piemonte. “Italian law, in particular, requires public administrations to publish self-produced software on the national Developers Italia catalog, on which CSI Piemonte publishes the products implemented for local Piedmontese bodies, including mainly the Piedmont Region. Our processes are aimed at providing and promoting the creation and control of open source software, aimed at reuse by other public administrations, as our legislation provides. It is therefore since 2020 that we have adhered to the standard and we are proud to continue pursuing the goal of making our software open.”
“In recent months we have highlighted recertification activity around our standards to underline the concept of sustainable approaches to software management,” says Shane Coughlan, OpenChain General Manager. “Continuity in supply chain management is key to ensure that issues are minimized and productivity is maximized. We are delighted to collaborate with CSI Piemonte on yet another reminder of this important point, and the suitability of OpenChain standards for such long-term management.”
About CSI Piemonte
CSI Piemonte has promoted technological innovation and digital transformation for public administrations since 1977. OpenChain is delighted to welcome them to our community of conformance.
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
Collabora has recently completed its regular 18 month renewal of ISO/IEC 5230 conformance via self-certification, and is highlighting this activity for the benefit of the wider community. This underlines an important principle of standard adoption and use: sustainability through periodically checking processes to ensure their integrity.
“Our renewed ISO/IEC 5230 certification demonstrates Collabora’s unwavering commitment to maintaining the highest standards of compliance to open-source licenses,” says Olivier Potin, Chief Operating Officer at Collabora. “Through OpenChain, we ensure our customers have complete visibility into their software supply chain while guaranteeing compliance with open source licensing requirements. This certification reinforces our position as a trusted partner in delivering open source solutions.”
“The principle of ensuring continued conformance to a standard is a key part of genuine sustainability,” says Shane Coughlan, OpenChain General Manager. “We appreciate Collabora’s decision to publicly highlight their example in double-checking process integrity, and helping to inspire similar long-term approaches in the supply chain.
About Collabora:
Collabora is a global consultancy specializing in delivering the benefits of Open Source software to the commercial world. Whether it’s the Linux kernel, graphics, multimedia or machine learning, Collabora’s expertise spans across all key areas of Open Source software development. By harnessing the potential of community-driven projects, and re-using existing components, Collabora helps its clients focus on creating product differentiation, enabling them to develop the best solutions. From tailoring the latest Open Source technologies to your projects, to integrating Open Source methodologies into your organization, Collabora can help you navigate the ever-evolving world of Open Source. Learn more at collabora.com.
About the OpenChain Project:
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
