The OpenChain Project will hold a special mini-summit covering ‘Open Source Software Supply Chain Security Compliance in the AI Era’ at the 2025 CCF China Open Source Conference on the 3rd of August 2025.
The OpenChain Project held a webinar on the 29th of July 2025 to provide a case study on how ZF – one of the world’s largest automotive suppliers – collaborated with TIMETOACT to obtain third-party certification for OpenChain ISO/IEC 5230.
Abstract:
This case study is suitable for organizations new to the OpenChain standards, organizations in the process of adopting the standards, or organizations reviewing how others met this milestone in open source process management. It will be structured as a series of short section presentations that provide:
- A brief introduction to ISO/IEC 5230
- The importance of ISO/IEC in the automotive industry
- ZF’s certification journey
- Forming an OSPO
- Steps taken to accomplish ISO/IEC 5230 certification
- Challenges faced
- Role of TIMETOACT in the certification process
- Gap analysis with TIMETOACT and ZF
- How ZF used OpenChain and InnerSource Commons resources
- Lessons learned
- Closing thoughts
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Check Out The Rest Of Our Webinars
This OpenChain Webinar was broadcast on 2025-07-29.
The OpenChain Project held a mini-summit during Open Source Summit North America. It featured a series of talks from OpenChain Governing Board members covering SBOM quality, compliance tooling and AI compliance guidance, before ending with a forward-looking talk about quantum encryption-related compliance challenges by our Specification Work Group chair.
View The Full Summit Playlist:
Jump To Individual Talks:
About:
The OpenChain Japan Work Group is holding a two-day event on the 31st July ~ 1st August 2025. Our Japan Community Day #34 is kindly hosted by Mitsubishi Electric at their innovation hub in Yokohama. This event will also be broadcast live on Zoom.
Join Via Zoom:
In-person registration is closed, but you can still join via Zoom.
Day 1, 13:00 to 17:00:
Day 2, 09:30 to 11:45:
Agenda:
【DAY 1 – 7月31日(木)-】
13:00-13:30 (30分) : 三菱電機 Serendie Street(共創空間) ガイドツアー
★希望者のみ。現地参加登録の際に一緒にお申し込みください。
13:30-14:05 (35分) : House Keeping、OpenChain紹介、Shane GMによるKeynote
14:05-14:25 (20分) : 三菱電機のOSPO活動紹介
14:25-15:15 (50分) : オープンソースライセンス研究所 うっかりミス防止研究会の活動紹介
15:15-15:45 (30分) : 休憩&ネットワーキング
15:45-16:20 (35分) : FAQ-sgより、うっかりミス関連FAQ紹介
16:20-16:50 (30分) : イベントリキャップ OSS Summit NA 2025
16:50-17:00 (10分) : クロージング
17:30-19:00 (90分) : 同会場にてネットワーキング(懇親会)
【DAY 2 – 8月1日(金)-】
9:30-11:30 (120分) : Education-sg紹介、初学者向け OSSコンプライアンス教育
11:30-11:45 (15分) : 教育資料オープンレビュー
CJ CGV announces that it has become the first company in the Korean entertainment industry to obtain ‘ISO/IEC 5230:2020’ self-certification, the international standard for open source license compliance. This achievement signifies that CJ CGV’s systematic open source management system has earned global recognition for its effective operation.
The OpenChain Project, which maintains this standard, is an international collaboration initiated by the nonprofit Linux Foundation in the United States. The standard comprehensively evaluates the compliance capabilities of companies, including their open source software policies and processes, organizational expertise, and employee education. The international standard (ISO/IEC 5230:2020) defines key requirements for companies to use open source safely and efficiently, covering obligations for open source license compliance.
Recognizing the growing importance of open source in building next-generation systems, CJ CGV has strengthened its management capabilities. Since 2023, the company has established an open source management system, gradually meeting the core requirements of the international standard.
To achieve this, CJ CGV designated dedicated teams and personnel for open source verification and management, formed an ‘open source council’ including legal and security experts, and set up a system to identify and manage potential risks proactively. The company also introduced its internal open source management regulations, made open source verification mandatory during system development, and implemented an automated open source management system that verifies licenses and checks for security vulnerabilities.
On July 15, during the planning and development of its new next-generation system, CJ CGV rigorously examined the safety and security of all open source components. This effort supported one of the system’s primary goals—strengthening information protection capabilities—and provided critical technical infrastructure for “CineTalk,” CJ CGV’s movie community service.
Son Jong-soo, Head of Digital Innovation at CJ CGV, stated, “As digital transformation accelerates, strategic and secure utilization of open source has become essential in the entertainment industry. Achieving this international standard certification highlights CJ CGV’s technical management capabilities. We will continue to deliver trustworthy services and contribute to the growth of the open source ecosystem.”
About the OpenChain Project:
The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.
About The Linux Foundation:
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
Check Out The Publicly Announced Community of Conformance:
About This Webinar:
CHAOSS is a Linux Foundation project focused on creating metrics, metrics models, and software to better understand open source community health on a global scale. This webinar will delve into how it accomplishes these goals, and how you can get involved.
Join On The 13th August @ 08:00 PDT / 10:00 CDT / 15:00 UTC / 16:00 BST / 17:00 CEST:
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
Check Out The Rest Of Our Webinars
- We held our regular OpenChain AI Work Group meeting for Europe and Asia on the 24th of July.There were two items on the agenda:
- We launched a Public Comment Period for the Artificial Intelligence System Bill of Materials – Compliance Management Guide for the Supply Chain on the 7th of July. The public comment period will run for six weeks, and conclude on the 18th of August at 04:00 PDT / 11:00 UTC / 13:00 CEST / 20:00 JST. The public comment period was discussed.
- Assuming a successful comment period, we had some questions and discussions to plan for the formal release of the guide framed by three questions:
(i) How should the guide be messaged to the supply chain?
(ii) What are the “metrics for success” to measure impact?
(iii) What is the timescale for the next phase of guide development?
Watch the Recording:
Get Involved:
Everyone is welcome to be part of this activity! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.
✉️ We have a dedicated mailing list for the AI Work Group:
https://lists.openchainproject.org/g/ai
Attend Future Meetings:
You can find and get the dial-in details for all future meetings from our participate page here:
https://www.openchainproject.org/participate
As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?”
This Meeting Discussed:
- News – Contributions of New Documents for SBOM Quality
- News – OpenChain @ Debian Conf 25
- Comments on the term “SBOM Document”
- Who should create SBOMs and how they can be created
- Key points regarding security considerations
Watch the Meeting:
Learn More About This Study Group:
Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.
Get Involved:
Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.
✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/sbom
💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/SBOM-sg
Attend Future Meetings:
You can find and get the dial-in details for all future meetings from our participate page here:
https://www.openchainproject.org/participate
We held our regular OpenChain AI Work Group meeting for North America and Europe on the 22nd of July.
There were two items on the agenda:
- We launched a Public Comment Period for the Artificial Intelligence System Bill of Materials – Compliance Management Guide for the Supply Chain on the 7th of July. The public comment period will run for six weeks, and conclude on the 18th of August at 04:00 PDT / 11:00 UTC / 13:00 CEST / 20:00 JST. The public comment period was discussed.
- Assuming a successful comment period, we had some questions and discussions to plan for the formal release of the guide framed by three questions:
(i) How should the guide be messaged to the supply chain?
(ii) What are the “metrics for success” to measure impact?
(iii) What is the timescale for the next phase of guide development?
Watch the Recording:
Get Involved:
Everyone is welcome to be part of this activity! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.
✉️ We have a dedicated mailing list for the AI Work Group:
https://lists.openchainproject.org/g/ai
Attend Future Meetings:
You can find and get the dial-in details for all future meetings from our participate page here:
https://www.openchainproject.org/participate
The OpenChain Korea Work Group has created and published ‘A Handbook for Software Supply Chain Security in the Telco Industry.’ This handbook offers practical, step-by-step guidance for organizations in the telecommunications industry to implement the ‘OpenChain Telco SBOM Guide.’ It provides implementation plans and use-case scenarios tailored to each stakeholder, helping organizations establish effective SBOM management systems and strengthen their software supply chain security.
“It is hard to overstate the importance of this handbook and what it means,” says Shane Coughlan, OpenChain General Manager. “Guides, specifications and training material all link together with the community, and take organizations from uncertainty to understanding. This publication is a huge contribution to help with the adoption and use our SBOM quality work. As global regulatory requirements around security and product liability increase, such resources will be key to the efficient and effective use of open source.”
Huge thanks to Haksung Jang and all the rest of the community for making this happen!
Get it here:
https://openchain-project.github.io/OpenChain-KWG/en/guide/telco_sbom/
