From Heritage to Hash: SWHID Becomes a Global ISO/IEC Standard

By News

View the original version of this article on LinkedIn

An introduction from Shane Coughlan, General Manager at OpenChain Project:

Our colleagues over at Software Heritage have long worked towards creating a universal archive of all software. Part of this work relates to identifying software effectively, and to accomplish this they developed the SoftWare Hash IDentifier specification, which has now been released as an international standard. You will find it as ISO/IEC 18670 via the ISO website.

Because of the potential of this new standard to positively impact the global open source supply chain, and to help address compliance matters of all types, we want to ensure our community is fully aware of the release, its meaning, and how to learn more.

A few words from Roberto Di Cosmo, Director at Software Heritage:

A major milestone has been reached in the landscape of digital infrastructure: the Software Hash Identifier (SWHID) has officially been published on April 23rd 2025 as the ISO/IEC international standard 18670! 🎉

🔗 Official ISO Listing
📘 Free Public Specification

A Universal Identifier for Software

Inspired by well established practice in distributed software development, almost ten years ago Software Heritage created a “Software Heritage Identifier” that is used in its archive to track over 50 billion software artifacts. Today, this identifier schema has grown into a globally recognized, community-driven standard. Rebranded as the Software Hash Identifier, SWHID is designed for universal adoption across archives, regulatory frameworks, research, industry, and beyond.

This name shift reflects a deeper transformation: from an internal archival tool to a public digital infrastructure for all—a way to uniquely and verifiably reference software artifacts across contexts and borders.

Why It Matters

Software is at the core of innovation, but referencing it reliably has always been a challenge. SWHID addresses this by offering:

  • 🧾 Intrinsic, verifiable, and immutable identifiers
  • 🔍 Long-term traceability of code, even if moved or renamed
  • 📚 Reproducibility in science and industry
  • 🛡️ Support for compliance and cybersecurity regulation

With the adoption of ISO/IEC 18670, we now have a globally accepted framework for identifying software—just as we have ISBNs for books or DOIs for papers.
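As an added example of what “intrinsic, verifiable” means in practice (this code is not part of the original post and is not Software Heritage’s own tooling): the core SWHID syntax and the content-identifier computation below follow the published specification rather than anything stated on this page, namely a git-compatible SHA-1 over a `blob <length>\0` header plus the raw bytes. Because the identifier is derived from the bytes alone, anyone holding a file can recompute its SWHID and check it against a reference (an SBOM entry, a citation, a regulator’s list) without consulting a registry.

```python
import hashlib
import re

# Core SWHID grammar (assumed from ISO/IEC 18670 / swhid.org, not from this page):
#   swh:1:<type>:<40 lowercase hex chars>, type in {cnt, dir, rev, rel, snp}
SWHID_RE = re.compile(r"^swh:1:(cnt|dir|rev|rel|snp):([0-9a-f]{40})$")


def content_swhid(data: bytes) -> str:
    """Content (cnt) identifier: SHA-1 of the git blob encoding of the bytes.

    The hash is over b"blob <decimal length>\x00" + data, so it is identical
    to `git hash-object` for the same file. Note that SWHID version 1 is
    therefore tied to SHA-1, the same trade-off git itself makes.
    """
    header = b"blob %d\x00" % len(data)
    return "swh:1:cnt:" + hashlib.sha1(header + data).hexdigest()


def parse_swhid(swhid: str) -> tuple[str, str]:
    """Validate a core SWHID and return (object_type, hex_hash).

    Rejects anything that is not well-formed so that a malformed or padded
    identifier never silently passes a later comparison.
    """
    m = SWHID_RE.match(swhid)
    if not m:
        raise ValueError(f"not a valid core SWHID: {swhid!r}")
    return m.group(1), m.group(2)


def verify_content(swhid: str, data: bytes) -> bool:
    """True iff `swhid` is a cnt identifier and `data` hashes to it."""
    obj_type, _ = parse_swhid(swhid)
    if obj_type != "cnt":
        raise ValueError("only cnt identifiers can be checked against raw bytes")
    return content_swhid(data) == swhid


if __name__ == "__main__":
    # Constructed sample: the same bytes always yield the same identifier,
    # whatever filename or repository they currently live in.
    original = b"hello\n"
    sid = content_swhid(original)
    print(sid)  # swh:1:cnt:ce013625030ba8dba906f756967f9e9ca394464a
    print("renamed copy matches:", verify_content(sid, original))
    print("modified copy matches:", verify_content(sid, b"hello!\n"))
```

The two hex values in the test (for an empty file and for `hello\n`) are the well-known git blob hashes for those inputs, which is what makes the SWHID independently checkable with ordinary git tooling.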

Community at the Core

This success is the result of years of collaboration within the broader software preservation and cybersecurity community. The journey included:

This is a shared major achievement—for everyone committed to making software a first-class, preservable, and referenceable citizen of our digital ecosystem.

SWHID in Action: Strengthening Cybersecurity

Software traceability is increasingly critical to regulatory compliance and cyber resilience. Our recent whitepaper outlines how SWHIDs contribute to this vision:

📄 Software Identification for Cybersecurity: Survey and Recommendations for Regulators
🖇️ Download PDF
🔍 HAL Repository Version

This work supports efforts like the EU’s Cyber Resilience Act by providing a concrete, open standard for identifying software components.

SWHID in Action: Enabling Reproducibility in Open Science

In scientific research, reproducibility depends on more than just data—it relies on exactly replicating the software used in analyses. SWHIDs provide a rock-solid way to archive and reference the precise version of code used in experiments.

Explore the guidelines on how to archive and cite software with SWHID to support reproducible science: 🔗 How to archive and reference code

And see how the integration with functional package managers like Guix or Nix makes long-term reproducible builds achievable.

SWHID in Action: Promoting Transparency in AI

As AI systems become increasingly influential, the demand for transparency in the data and software used to train them is growing. SWHIDs offer a solution by enabling verifiable references to source code, contributing to more accountable and auditable AI.

Read Software Heritage’s position on AI transparency and the importance of proper referencing: 🧠 SWH Statement on Large Language Models for Code

What’s Next?

The SWHID journey doesn’t end here. Now that it’s an international standard, we invite everyone—developers, educators, researchers, policy makers—to adopt it, build on it, and share it.

✅ Explore the spec on swhid.org or in the 🔗 Official ISO Listing
🌐 Visit the official site: swhid.org
📬 Include it in your toolchains and supply chain policy

Together, we’ve transformed a powerful idea into a global asset. Here’s to a future where all software is identifiable, referenceable, and preserved.


OpenChain + Software Heritage and Friends – UNESCO Workshop Outcomes

By News

The OpenChain Project took part in the fourth Software Heritage Community Workshop, held in Paris on January 30, 2025.

This poster highlights some of the outcomes from our collaborative workgroup, where a diverse range of stakeholders (OpenChain / CERN / Software Heritage / Academia) discussed how to measure impact when we extract knowledge from software assets:

View the original: https://zenodo.org/records/15230207

What is Software Heritage? It is an international non-profit infrastructure, supported by UNESCO and Inria, that collects, preserves, and shares all software source code for industry, research, culture, and society. They recently released ISO/IEC 18670, which specifies the identifier used to ensure all software, everywhere, can be tracked.

Webinar: The Future of Insurance for Open Source – Are You Really Covered?

By News, Webinar

What We Covered:

Open source software providers are facing a triple threat: tightening US and EU regulations, rising IP litigation, and the risks introduced by Gen AI. Soon, your board—and your customers and suppliers—might be asking that you have specific insurance that actually covers OSS-related liabilities. But does such insurance exist? Does it work? And how should it work?

Historically, insurers have struggled to grasp OSS risks, offering inadequate or unclear coverage. Now, a new wave of insurance solutions is emerging, informed by OpenChain standards and best practices.

Watch the Webinar:

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain ecosystem. Participants discuss approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs are involved. It is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2025-04-22.

RECORDING: OpenChain Telco Work Group Meeting – 2025-04-03

By News

The OpenChain Telco Work Group has released Version 1.1 of the Telco SBOM Guide, an industry-specific but easily adaptable guide to addressing SBOM quality in the supply chain. Learn more about the release and what it means in their latest meeting.

You may also be interested in seeing the cross-industry guide discussion this has inspired in our SBOM Study Group. A recording of the SBOM Study Group April meeting is also available online.

Watch the Meeting:

Be part of this:

Everyone is welcome to be part of this work group! OpenChain has free, open access to all its work groups and study groups. Just turn up, listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/telco

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/Telco-WG

You are also welcome to participate in any of our other working groups around the world:

RECORDING: OpenChain SBOM Study Group – Monthly Meeting – 2025-04-23

By News

As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?” We are dealing with the reality of supply chains with many participants who have different levels of skill, use different formats, and perhaps follow different regulations or policies.

In this meeting, we looked at the question of how someone could approach building a cross-industry, cross-format guide to SBOM Quality. The mental model was “how would we use the Telco SBOM Quality Guide as a starting point,” and our Japanese sub-group prepared a proof-of-concept.

Learn More About This Study Group:

Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.

Get Involved:

Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/sbom

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/SBOM-sg

Webinar: DeepSeek – How Open Source AI is unlocking the future

By ai, News, Webinar

What We Covered:

This webinar provided an introduction to DeepSeek, covering its technical highlights, history, the company, and their vision. Our presenter was Jerry Tan, a long-time contributor to the open source ecosystem in China, and Executive Vice Secretary-General of the China Open Source Promotion Union (COPU).

Watch the Webinar:

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain ecosystem. Participants discuss approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs are involved. It is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2025-03-28.

Amazon Joins The OpenChain Project As A Platinum Member

By Featured, News

Amazon is the latest company to join the OpenChain Project as a Platinum Member and to take a seat at the Governing Board and Steering Committee. This highlights their unwavering commitment to leadership in open source technology, process management and in building trusted supply chains.

“At Amazon, we believe in strengthening the open source ecosystem through collaboration and shared best practices,” said Nithya Ruff, Director of Amazon’s Open Source Program Office. “By joining the OpenChain Project, we’re committed to contributing our experience across cloud services and consumer devices to support and evolve industry standards. We look forward to working with the OpenChain community to make supply chain collaboration easier and more effective for the industry.”

“Amazon pioneered modern digital management of complex supply chains at massive scale,” says Shane Coughlan, OpenChain General Manager. “Their engagement with the OpenChain Project, and more broadly with all aspects of open source process management, underlines the vital role that open standards and open communities play in building a more trusted supply chain. We look forward to benefiting from their thought-leadership as OpenChain enters the next stage of its evolution.”

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

ZF Group Announces an ISO/IEC 5230 Conformant Program

By Featured, News

Today we are delighted to share the news that ZF Group has implemented an ISO/IEC 5230 conformant program.

This significant achievement underscores their commitment to excellence, innovation, and adherence to the highest standards of compliance and best practices in their open-source initiatives. As noted by Sarah Moser of the ZF Group team, implementing the ISO/IEC 5230 standard represents a crucial step in fostering a culture of transparency, collaboration, and continuous improvement.

ZF Group’s conformance was achieved via third-party certification in collaboration with TIMETOACT. The approach they took, their motivations and their practical solutions will be highlighted in a forthcoming OpenChain webinar and case study.

Huge thanks to Sarah, the ZF OSPO team and also Simon Pletschacher at TIMETOACT for not only making this happen, but helping to communicate it widely to inspire others.

About ZF Group

ZF is a global technology company represented with 161 production locations in 30 countries. With some 161,600 employees worldwide, ZF reported sales of €41.4 billion in fiscal year 2024.

Founded in 1915, ZF has evolved from a supplier specializing in aviation technology to a global mobility technology company.

Group shareholders include the Zeppelin Foundation, administered by the City of Friedrichshafen, holding 93.8 percent of shares, and the Dr. Jürgen and Irmgard Ulderup Foundation, Lemförde, with 6.2 percent.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

RECORDING: OpenChain AI Work Group – Monthly Workshop for North America and Europe – 2025-04-01

By News

We held our regular workshop for the OpenChain AI Work Group on April 1st. It was a two-hour session focused on finalizing a Guide to AI Bill of Material Compliance in the Supply Chain. The draft is reaching its final stages, and is expected to be ready by June.

The Draft Guide:

Watch the Recording:

Track This Work:

You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:

Attend Future Meetings:

You can find and get the dial-in details for all future AI Work Group meetings from our participate page here:

RECORDING: OpenChain Tooling Work Group Meeting – 2025-03-19

By News

Our Agenda:

  • Update on the Tooling Capability Map (version 1.6.3).
  • A look at mkDocs and Tags as a way to organize our documentation.
  • An update on the OpenChain and Friends event in Stuttgart, April 7th, 8th and 9th.

Watch the Recording:

Learn More About This Work Group:

Our Tooling Work Group looks at the question of “how do we automate compliance process review, and can we do it using open source solutions?”

Get Involved:

✉️ We have a dedicated mailing list:
https://groups.io/g/oss-based-compliance-tooling

💻 We have a dedicated GitHub Repo:
https://github.com/Open-Source-Compliance/Sharing-creates-value