The Linux Foundation Projects
Skip to main content
Category

licensing

Webinar – First Steps With ORT – An EEF Experience

By automation, community, licensing, News, Webinar

What We Covered:

The OSS Review Toolkit (ORT) is a FOSS policy automation and orchestration toolkit that you can use to manage your (open source) software dependencies in a strategic, safe and efficient manner. This webinar digs into how the Erlang Ecosystem Foundation (EFF) makes use of this tool to address compliance issues.

Watch the Webinar:

This is part of the OpenChain and Friends: Stuttgart – Follow-Up Webinar Series:

Learn more on its dedicated page.

Full Webinar Abstract:

Once upon a time, researchers at Ericsson developed Erlang/OTP, a programming language for the telecom industry. 39 years later, Erlang/OTP is used by the telecom, messaging, banking, and even game industry. Not only that, new languages were created and run on top of the Erlang BEAM virtual machine: Elixir, now a well-established language, and Gleam, the newest addition.

The proliferation of libraries and languages powering the BEAM ecosystem led to the creation of the Erlang Ecosystem Foundation (EFF),a foundation that caters for the BEAM ecosystem.

Today, 39 years from the creation of Erlang, it is not an easy task to categorise and be compliant with the more than 13000 (total) files that make up Erlang, Elixir, and Gleam. Yet, Erlang and Elixir are OpenChain compliant, and Gleam compliance is work in progress.

What steps took EEF towards making sure that Erlang, Elixir, and Gleam comply with the different licenses and copyrights?

This presentation features the collaboration between the Erlang/OTP team (Ericsson) and the Erlang Ecosystem Foundation (EEF), and the steps taken, and experience of using ORT as a crucial part of the EEF Ecosystem.

Our Speaker:

My name is Kiko Fernandez-Reyes and I work as a software engineer in the OTP team, building and improving the Erlang programming language at Ericsson. Before that, I was a backend software engineer at Klarna.

Before Klarna, (in 2014) I did my Ph.D. at Uppsala University where I developed concurrent and parallel programming languages for our research compiler. Among them, I developed typed-based optimisations for future-based programming languages and a capability-based dynamic language design that maintains data-race freedom and satisfies the gradual guarantee.

Experience:
I have industrial experience with Haskell, Erlang, Python, among others and deployment languages and technologies, ranging from AWS to Ansible. During my research I have used heavily Haskell and C, and some Scala. I was the main lecturer of the course Advanced Software Design, where I taught object-oriented design ~80 master students.

My work has received the following awards:
– Distinguished Artifact Award at Software Language Engineering (SLE), 2019
– Distinguished Artifact Award at European Conference in Object-oriented Programming (ECOOP), 2019
– Best Paper Award at International Federated Conference on Distributed Computing Techniques (DisCoTec), 2018
– Best Paper Award at International Conference on Coordination Models and Languages (COORDINATION), 2018

Interests:
I am interested in type systems, programming languages, functional programming, compilers, and different logics. I promote open source technology, writing regularly in opensource.com. I also promote gender equality through the ACM-W student chapter at Uppsala University.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar will be broadcast on 2025-05-27.

Webinar: Practical Compliance in One Stack – Licensing, Vulnerabilities, and More

By automation, community, licensing, News, security, Webinar

What We Covered:

The Cyber Resiliency Act (CRA) is coming and this European regulation will impact software development worldwide. Organizations (and projects) of all sizes need efficient compliance processes to correctly identify software components and strengthen cybersecurity efforts.

The AboutCode stack of 100% open source tools and open data is engineered to automate compliance, with a practical approach. Tools like ScanCode and DejaCode paired with aggregated open databases like PurlDB and VulnerableCode ensure accurate origin, licensing, vulnerability detection, and comprehensive SBOM management. Newer projects like Massive FOSS Scan, CRAVEX, and AI-Generated Code Search deliver new performance improvements and advanced capabilities to improve the automation of compliance processes.

In this presentation, AboutCode lead maintainer Philippe Ombredanne shared the latest updates on how to use the AboutCode stack for better, faster, and more efficient license and security compliance automation.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2025-01-20.

Webinar: CHAOSS Practitioner Guides for Healthy & Sustainable OSS Projects

By automation, community, legal, licensing, News, security, Webinar

We had an insightful session with Dawn Foster on sustaining OSS projects and communities over the long-term. The CHAOSS project has been creating a series of MIT-licensed Practitioner Guides focused on improving the sustainability of our software and communities. The guides are designed to make it easier for people to draw meaningful and actionable insights using community metrics, even when those people do not necessarily have a deep background in data analysis or much experience working within OSS communities.

This talk identified several categories of metrics from the Practitioner Guide Series, including responsiveness, contributor sustainability, organizational participation, and security. It covered not just how to interpret the metrics, but also on providing ideas for improving in areas identified using the metrics. The audience walks away with a better understanding of how to use metrics to proactively improve the long-term sustainability of their OSS projects and communities.

Watch The Recording

About Our Speaker

Dawn leads the data science initiative for the CHAOSS project where she is also a Governing Board member / maintainer. Dawn is an OpenUK board member and co-chair of the CNCF Contributor Strategy Technical Advisory Group.

Dawn has 20+ years of experience working in open source positions at companies like VMware, Intel and Puppet with expertise in managing people, open source strategy, building new communities, and managing existing communities with a particular emphasis on developer and open source communities. She has held a wide range of roles over the years, including UNIX system administrator, researcher, consultant, strategist, director / manager, and more.

Dawn holds a PhD from the University of Greenwich, an MBA from Ashland University, and a BS in Computer Science from Kent State University. Dawn blogs about online communities as the author of the Fast Wonder Blog, and she’s blogged for The New Stack, Linux.com, GigaOM’s WebWorkerDaily, and in various other places.

She has done over a hundred talks at industry events, including many Linux Foundation events, KubeCon, OSCON, SXSW, FOSDEM and more. In her spare time she enjoys reading science fiction, running, and traveling.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-12-05.

Webinar: Enabling SBOMs Across The Linux Foundation

By automation, legal, licensing, News, standards, Webinar

We have been doing source level license scans for Linux Foundation (LF) projects for a long time including generating SPDX formatted files, but what about SBOMs that can meet (and exceed) the government minimum specification? Here at the LF, we are now leveraging our existing scanning capabilities to generate SBOMs for these same critical open source projects.

In the LF spirit, we are using existing open source tools to scan project dependencies to produce an SBOM that meets the minimum spec. We are also producing dependency level license data to complement our source level scans. In the near future we will be combining these to produce a grand unified SBOM that will meet a newly defined LF minimum specification for SBOMs.

We will talk about our process to generate these SBOMs, the challenges we faced, our future plans, and share more about how you can make use of these for the projects you care about most.

Watch The Recording

About Our Speakers

Gary O’Neall

Gary is a contributor to the Software Package Data Exchange® (SPDX™) – an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools. Gary O’Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.

Jeff Shapiro

Jeff Shapiro is the Director of License Scanning for The Linux Foundation. He has over 30 years of experience in the software industry, including 10 years in software auditing, open source scanning, and training developers in OSS license compliance.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-12-04.

Webinar: SBOM Visualization – An Alternative Approach to Reviewing SBOMs

By automation, legal, licensing, News, Webinar

When we think about Software Build of Materials, we are looking at what might be a multi-dimensional space consisting of hierarchy, linking, modification, export restrictions, security vulnerabilities, distribution type, versions, etc. Care must be taken when setting up the SBOMs to both list the components used and to show how they are incorporated into your products. This webinar discusses how a visualization of such meta-information was implemented to display the relationships and potential risks in a quick and in easy-to-understand way. It was part of a research project funded by the Federal Ministry for Economic Affairs and Climate Protection (BMWi) and with the Bonn-Rhein-Sieg University of Applied Sciences and Bitsea.

Watch The Recording

About Our Speaker

Dr. Andreas Kotulla is the Founder & CEO of Bitsea GmbH. He is specialized in auditing software systems and identifying hidden risks for companies. We support the technical due diligence and advise operators of critical infrastructure (KRITIS). He advises customers on Open-Source-Strategy, Open-Source-Governance, Open-Source-Processes, toolchains and offers an Open-Source-Program-Office (OSPO) and scanning as a managed service.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-10-23.

Webinar: The Role of Data in the Supply Chain of AI

By ai, legal, licensing, News, Webinar

To help you navigate the complexities of AI, data and the supply chain, Nick Schifano CEO and founder of FastCatalog.ai discussed the intersection of AI innovation and legal frameworks. With years of experience in IP law, standards, and AI/ML legal frameworks, Nick guided us through key considerations for managing the AI supply chain—focusing on how companies can prepare for and comply with new regulatory requirements.

Webinar Highlights:
✔️ Insights into the hidden risks behind model lineage and training data in open-source AI models
✔️ Scenarios where data transparency becomes crucial for AI systems
✔️ Operational strategies to better manage AI and data supply chains
✔️ Preparing for the upcoming EU AI Act and its implications for companies

Watch the Webinar

Review the Slides

About the Speaker:

Nick Schifano is a leading expert in AI and legal frameworks. Before founding FastCatalog.ai, a company dedicated to revolutionizing AI supply chain management, Nick served as Assistant General Counsel at Microsoft, where he led groundbreaking initiatives in open innovation and AI/ML legal practices. With a technical foundation in software engineering and IT consulting, Nick brings a holistic view of both the technical and legal aspects of AI development.

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

https://www.openchainproject.org/webinars

This OpenChain Webinar was broadcast on 2024-10-10.

Webinar: Implementing OpenChain ISO/IEC 5230 at endjin + Further Research on OpenChain ISO/IEC 18974

By community, licensing, News, security, standards, Webinar

Recent computer science graduate Charlotte Gayton shared her journey of implementing the OpenChain standard during her Year in Industry (ISO/IEC 5230) and her dissertation project (ISO/IEC 18974). She discussed the challenges she faced and the solutions she developed to achieve compliance. The session will provide a unique perspective on navigating OpenChain from the viewpoint of someone early in their career. Her work lead to the detailed case study recently published regarding OpenChain ISO/IEC 5230 adoption by endjin.

Watch the Recording:

View the Slides:

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-08-08.

Webinar: IAV, TimeToAct and ISO/IEC 5230 – Third-Party Certification Case Study

By legal, licensing, News, standards, Webinar

IAV GmbH has announced adoption of ISO/IEC 5230:2020 via third-party certification provided by TimeToAct. Adjacent to this, IAV and TimeToAct has collaborated with the OpenChain Project on a webinar and case study about the certification rationale and process. This webinar digs into details on how, why and when decisions were made in the IAV adoption and use of ISO/IEC 5230.

Get the Slides

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-07-16.

OpenChain Webinar: Open Source Due Diligence for M&A

By legal, licensing, News, Webinar

This webinar features a speaker who has “been there” as we discuss best practices before, during, and after the due diligence phase to ensure post-close success. We cover:
(a) Why open source due diligence is key in tech transactions,
(b) Lessons learned on how to perform open source due diligence,
(c) How to leverage diligence findings in post-close integration.

Watch The Recording

Check Out The Slides

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-06-17.

OpenChain Webinar: AboutCode and Beyond – End-to-End SCA

By automation, community, legal, licensing, News, security, Webinar

This OpenChain Webinar digs into open source tooling with open data for open source compliance.

Full Overview From The Presenters

Ensuring software license and security compliance can be difficult. Managing open source components – especially their licensing, provenance, and vulnerability risk – is a critical part of Software Composition Analysis (SCA), which is now a prerequisite for modern organizations to comply with mandated SBOMs and other regulations.

Expensive, proprietary SCA solutions rely on proprietary data that can be outdated or just wrong. To make using open source easier for everyone, we need FOSS tools and open data for FOSS SCA. Philippe Ombredanne will explain how using 100% open source software and open data, the AboutCode stack offers a new approach for the practical management of open source software for licensing and vulnerability risks for organizations of all sizes.

Philippe will share how modular open source projects like ScanCode, VulnerableCode, and DejaCode fit together to identify components and their license, provenance, and known vulnerabilities, and aggregate this and SBOM data across products, teams, and organizations to address security, legal, and regulatory requirements for software license and security compliance in an integrated solution.

Philippe will also discuss exciting updates on new open source projects for better software supply chain integrity and security like CRAVEX, which delivers modern open source tools for developers to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world.

Get The Slides

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2024-05-15.