Category: News

RECORDING: OpenChain Monthly Specification and Education Call (North America – Europe) – 2025-05-14

By News

We Discussed:

Specification:

Reflections on our lessons learned in making ISO 18974, and our process of drafting proposed updates to the standards, to try and provide a template for other projects looking at making and maintaining standards.

Education:

A review of the updated Reference Library, updated open source policy template and drafting underway for a new OpenChain Adoption Guide + discussion about and call for engagement with updates to our online training.

And…

The Future:

The OpenChain Project has been very busy in recent months: AI compliance in the supply chain, SBOM quality (Telco and cross-industry), country meetings (Germany, Korea, Japan), and so on. However, attendance on the main monthly call has been modest. We discussed how to change that, and also how to address the issue of timezones.

The second point was front-of-mind for our Specification Chair, Chris Wood. When drafting a specification, or considering an update to a presentation, the majority of the work tends to be live editing on calls. However, with the geographic split between North America, Europe and Asia, our retrospective on the ISO/IEC 5230 and ISO/IEC 18974 proposed updates revealed this to be a concern.

Starting next month, we will explore options to boost interest, engagement and attendance with this primary call, and to improve the ability of people from around the world to live-edit, rather than needing to catch up via mailing lists or on GitHub.

The first step will be adjusted scheduling (watch this space) and the second step will be to invite the various work groups and study groups to join the main call, and to provide briefings and Q&A around their work.

Check out the Meeting Slides:

Watch the Recording:

Coming Next:

We will be following up on the activities outlined above on the mailing lists, and we will continue our regular series of calls and meetings throughout the year.

Join Our Work:

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate

OpenChain @ Bristows – An In-Person and Virtual Event on 20th May, 2025

By News

To round off a successful run of Open Source Software Masterclasses, Bristows are pleased to announce that the final session, ‘Tech in focus: navigating legal and commercial challenges in an increasingly open source world’, has been expanded to include additional topics, offering even greater value. Please find the full programme below.

Register now to secure your in-person place. Attendance is available for the full day, or for either the morning or afternoon sessions. Don’t miss this excellent opportunity to discuss the latest Open Source insights and network with peers in the tech law community.

OpenChain will feature prominently, and many familiar faces from our UK community will be present. 

In-Person Registration:

Remote Attendance Registration:

Meet the Speakers:

Agenda:

Tuesday 20 May 2025
10:00 am – Registration and coffee
10:30 am – OpenChain – an introduction
  Andrew Katz, Consultant, Bristows & CEO, Orcro
12:30 pm – Registration and lunch
1:30 pm – Open Source and the Cyber Resilience Act
  Andrew Katz, Consultant, Bristows & CEO, Orcro; Anneke Pol, Associate, Bristows
2:15 pm – Refreshment break
2:30 pm – Open Source and AI
  Vik Khurana, Partner, Bristows; Nicola Okereke, Associate, Bristows
3:15 pm – Refreshment break
3:30 pm – Open Source in transactions: M&A and commercial agreements
  Toby Crick, Partner, Bristows
4:15 pm – Panel discussion: open source and risk management
  Lewis Parle, Head of Intellectual Property Risk, Lockton; Stephen Pollard, Director Open Source Advisory, Orcro; Andrew Katz, Consultant, Bristows & CEO, Orcro; Toby Crick, Partner, Bristows
5:00 pm – Close, followed by networking, drinks and nibbles

Next Generation OpenChain Adoption Guide – Drafting Underway

By News

The OpenChain Project has begun a new guide designed to expand on options for small, medium and large companies adopting one or the other of our existing ISO standards. The goal is to outline some of the implementation choices an organization can make when filling out process points for open source business management. It is also going to link more deeply into our Reference Library for further examples and resources.

This guide is in early days, and we are putting out a call for ideas, suggestions and contributions.

View the Current Draft:

Next Steps:

For next steps, we would like to:

  1. Expand on the options available for each topic covered
  2. Include better references to open source tooling for open source compliance matters

Note:

One noteworthy point is that this guide is human-drafted, but it is being developed in conjunction with a locally installed LLM (Gemma3 12b). The LLM prompts and original output are at the bottom of the guide itself. There is no intention to replace human review and development; rather, the aim is to test to what extent current LLMs provide accurate or useful information about our standards. This will help us develop guidance on LLM use for OpenChain and other compliance initiatives later in the year.

OpenChain Policy Template Updated

By News

The OpenChain Project publishes a template for making open source policies. This is a non-prescriptive document that provides plenty of options for policy development for organizations of all sizes.

With huge thanks to Gary Armstrong over at FOSSID (and to Andrew Katz, Education Chair, for the merge), please find below a new version of the OpenChain open source policy template:

(You can also find the old version at the same link)

The updated policy template improves the content and formatting and fixes bugs, and it is a recommended upgrade for anyone using our template to help develop or refine open source policy in their organization.

Interested in Helping?

The OpenChain Policy Template is a living document (like all of our reference library). We actively welcome feedback and suggestions for improvement from everyone involved in open source and open innovation.

You can be part of the process by joining our Education Work Group mailing list:

You can also open issues on our Reference Library on GitHub if you prefer:

OpenChain Reference Library Updated

By Featured, News

The OpenChain Project maintains a reference library of over 1,000 documents. This library has been built over eight years from our original release of a set of training slides for open source license compliance. The library has now been comprehensively updated to make it easier to find, use and share resources.

Navigation:

To ensure ease of navigation, and to preserve our ability to adjust and improve the library structure over time, navigation is primarily guided by the README file, which acts as the starting point for all navigation. You can also get a full preview of the structure of the library later in this post.

The intention is that:

  1. You will enter this library at the top level of the archive
  2. You will use this README file as your index
  3. We will update the README as the library evolves

The library contains:

  • Adoption Guidance
  • AI Compliance Guidance
  • Case Studies
  • Compliance Training Slides
  • Explainers for Internal Teams
  • Maturity Models
  • Policy Templates
  • SBOM Quality Guidance
  • Source Material for Online Training Courses
  • Self-Certification Material
  • Supplier Education Material
  • Templates and Overview Material for OpenChain Project
  • + Much, much more.

Licensing:

Most of the material in this repository is available under CC0 licensing (effectively public domain). You will notice some exceptions with guides (like the Telco SBOM Guide) and with case studies. These documents are not designed to be freely altered because they provide either guidance developed to consensus in our work groups, or the specific experience of companies in addressing compliance matters.

Navigating the Library:

As of 2025-05-08, the library is structured in the following folders alphabetically:

  1. AI-SBOM-Compliance
  2. Open-Source-Compliance-Support-Material
  3. Open-Source-Policy-Templates
  4. OpenChain-Adoption-Guides
  5. OpenChain-Case-Studies
  6. OpenChain-Explainers-For-Internal-Teams
  7. OpenChain-FAQ
  8. OpenChain-For-Mergers-and-Acquisitions
  9. OpenChain-Maturity-Models
  10. OpenChain-Promotion-Material
  11. OpenChain-Standards-Self-Certification
  12. OpenChain-Supplier-Education
  13. OpenChain-Templates
  14. OpenChain-Training
  15. SBOM-Quality-Management

AI-Compliance

OpenChain has an AI Work Group. This is where you will find our work on AI compliance topics. The current focus is on AI SBOM management in the supply chain, and what type of program process points are required to manage this effectively.

There is a copy of the working document in this folder, and the active version for editing is kept here: https://docs.google.com/document/d/1XHztgMALwnu2D02bmWYyXeW3wE_Jw199/edit?pli=1#heading=h.pzcghykzc46

You are welcome to be part of this work. OpenChain AI Work Group mailing list: https://lists.openchainproject.org/g/ai

Open-Source-Compliance-Support-Material

This folder contains compliance-related material non-specific to OpenChain. You may find these community contributions useful in your work.

Open-Source-Policy-Templates

Having an open source policy is a requirement in our standards. This folder contains some template material to get you started or to help you refine existing policies.

OpenChain-Adoption-Guides

This folder contains guides to adopting the OpenChain standards.

OpenChain-Case-Studies

This folder contains case studies from companies that have adopted OpenChain standards.

OpenChain-Explainers-For-Internal-Teams

Explaining the value of OpenChain approaches to compliance process management is critical to ensure buy-in and support across an organization. We have created a series of quick explainer documents to support this.

OpenChain-FAQ

This folder contains the official OpenChain Project Frequently Asked Questions. These are mirrored on our website.

OpenChain-For-Mergers-and-Acquisitions

This folder contains some material relevant to understanding OpenChain standards in the context of Mergers and Acquisitions.

OpenChain-Maturity-Models

Once an organization has begun to adopt OpenChain standards, the question arises of how to iterate and improve their compliance program. Maturity models or capability models are a tool to assist with this. We have one to share with you as a reference guide.

OpenChain-Promotion-Material

This folder contains infographics, one-pagers and introductory presentations to help organizations understand the OpenChain Project, its standards, its reference material, and the global community supporting its work.

OpenChain-Standards-Self-Certification

This folder contains self-certification checklists and questionnaires to help companies easily adopt our standards. This material can also be used as a “health check” for organizations not currently using our standards.

OpenChain-Supplier-Education

This folder contains a leaflet designed to give suppliers a single file that takes them from “what is open source” through to the importance of license compliance, and the use of OpenChain standards.

OpenChain-Templates

This folder contains templates so that the community can develop new presentations or documents with the OpenChain trademarks, mascots and other images.

OpenChain-Training

This folder contains our reference training slides and also the source code for our online training courses.

SBOM-Quality-Management

OpenChain has an SBOM Study Group. This is where you will find our work on SBOM-related topics. The current focus is on SBOM Quality in the supply chain, and what type of approach is required to manage this effectively.

You are welcome to be part of this work. OpenChain SBOM Study Group mailing list: https://lists.openchainproject.org/g/sbom

Where To Get Help:

Our website FAQ page contains resources to get help from our project staff: https://openchainproject.org/resources/faq

How To Participate In Development:

We would be delighted to work with you through our Education Work Group. You will find their mailing list here: https://lists.openchainproject.org/g/education

You are encouraged to open issues or pull requests online: https://github.com/OpenChain-Project/Reference-Material/issues

Expanded Support for the OpenChain Telco SBOM Guide – External Validation Support – SCANOSS

By News

Background

Over the last year and a half, the OpenChain Project has developed and published the OpenChain Telco SBOM Guide and seen it adopted. The guide helps define what is needed for a quality SBOM in practical supply chain use.

We just released Version 1.1 of the Guide, and you can learn more about that in our launch announcement:

Automation

The guide is supported by automation to make things more scalable. This matters for saving time, saving money and enabling sustainability. We started the automation journey around SBOM quality management with a validator for the OpenChain Telco SBOM Guide contributed by Nokia:

Expanded Automation Support – SCANOSS

This week SCANOSS announced their automation support for the OpenChain Telco SBOM Guide, the first commercial tooling provider formally aligning with our work on SBOM quality. You can get all the details on the SCANOSS blog post dedicated to this development.

“The OpenChain Telco SBOM Guide does a remarkable job in providing to the industry a shared direction,” said Julian Coccia, CTO at SCANOSS. “It represents an outstanding complement to the OpenChain 2.1, ISO/IEC 5230:2020 that provides a simple, clear and effective process management standard for open source license compliance. By integrating support to the schema described in this Guide directly into our tools, SCANOSS makes it easy for organizations to adopt these guidelines efficiently.”

Community Credits

Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.

Naturally we also want to extend our thanks to Julian and the rest of the SCANOSS team for their adoption and support of the OpenChain Telco SBOM Guide.

New Version of the OpenChain Telco SBOM Guide Validator Available

By News

In April, the OpenChain Telco Work Group completed work on version 1.1 of the OpenChain Telco SBOM Guide. This document helps to define what a quality Software Bill of Materials is in the context of supply chain management. It uses SPDX, the NTIA Requirements and the experience of the Telco industry to provide a clear, simple and easily adjustable approach.

The following updates were made in version 1.1:

  • Both PackageChecksum and PackageVerificationCode are allowed as the package hash.
  • The package hash is RECOMMENDED instead of MANDATORY.
  • ExternalRef is RECOMMENDED instead of MANDATORY.
  • FilesAnalyzed is no longer MANDATORY.
  • Examples are provided for the CISA SBOM Types.
  • A RECOMMENDED syntax is given for CISA SBOM Types.
  • sbomasm is given as a better example of an SBOM merge tool.
  • A reference to the new CISA document is added.

An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.

Get the Validator:

Our official validator for the Telco SBOM Quality Guide has been updated for version 1.1 and is available on the OpenChain Telco Work Group GitHub repo.

To install from PyPI, issue:
pip3 install openchain-telco-sbom-validator
or:
pipx install openchain-telco-sbom-validator

Coming Next:

Development of the next generation of the guide will occur via the Telco Work Group, and everyone is welcome to contribute.

The OpenChain Telco Work Group mailing list is here:

The OpenChain Telco Work Group GitHub (for drafting) is here:

Related News:

Community Credits:

Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.

And… a big thank you to all of the Nokia team who have created and supported this validator!

OpenChain Telco SBOM Guide – Version 1.1 Now Available

By Featured, News

In April, the OpenChain Telco Work Group completed work on version 1.1 of the OpenChain Telco SBOM Guide. This document helps to define what a quality Software Bill of Materials is in the context of supply chain management. It uses SPDX, the NTIA Requirements and the experience of the Telco industry to provide a clear, simple and easily adjustable approach. Today, with the release of the updated official validator, we are promoting the guide as generally available to the open source community.

Below you can:

  • Learn more about the guide
  • Get the guide in Chinese (Traditional), English, French and Japanese
  • Get the validator
  • Learn how to get involved in future development

What is this Guide?

The OpenChain Telco SBOM Guide aims to outline certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this guide can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs. 

Note that this guide does not require a conforming entity to adopt OpenChain standards, but doing so is greatly encouraged.

This guide is designed to work on a per SBOM level: an entity can use it as its sole way of delivering SBOMs but it is the individual SBOM that the guide refers to, not the entity that provides the SBOM. An SBOM using this guide can be called “OpenChain Telco SBOM Guide Compatible.”

Want more context? We delivered a presentation at FOSDEM:

Updates from Version 1.0 to Version 1.1 of the Guide:

The following updates were made in version 1.1:

  • Both PackageChecksum and PackageVerificationCode are allowed as the package hash.
  • The package hash is RECOMMENDED instead of MANDATORY.
  • ExternalRef is RECOMMENDED instead of MANDATORY.
  • FilesAnalyzed is no longer MANDATORY.
  • Examples are provided for the CISA SBOM Types.
  • A RECOMMENDED syntax is given for CISA SBOM Types.
  • sbomasm is given as a better example of an SBOM merge tool.
  • A reference to the new CISA document is added.

An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.
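As an added illustration of the 1.0 to 1.1 changes listed above (the same list appears in the validator announcement earlier on this page), the following Python sketch is not the official openchain-telco-sbom-validator: it models only the four field-level deltas the changelog names, runs over constructed SPDX tag-value fragments, and assumes that version 1.0 accepted only PackageChecksum as the package hash. It shows why a 1.0-conforming SBOM still passes under 1.1 while a 1.1-style SBOM can fail under 1.0.

```python
"""Added illustration of the Telco SBOM Guide 1.0 -> 1.1 field changes (not the official validator)."""

# Per-version rules for the fields named in the 1.1 changelog.
# Assumption: version 1.0 accepted only PackageChecksum as the package hash;
# 1.1 accepts PackageChecksum or PackageVerificationCode.
RULES = {
    "1.0": {"hash_fields": ("PackageChecksum",), "hash": "MANDATORY",
            "ExternalRef": "MANDATORY", "FilesAnalyzed": "MANDATORY"},
    "1.1": {"hash_fields": ("PackageChecksum", "PackageVerificationCode"),
            "hash": "RECOMMENDED", "ExternalRef": "RECOMMENDED",
            "FilesAnalyzed": "OPTIONAL"},
}

# Constructed SPDX 2.x tag-value fragments (placeholder hash values, not real digests).
SBOM_V10_STYLE = """SPDXVersion: SPDX-2.3
PackageName: libfoo
PackageChecksum: SHA256: 0000000000000000000000000000000000000000000000000000000000000000
ExternalRef: PACKAGE-MANAGER purl pkg:generic/libfoo@1.2.3
FilesAnalyzed: true
"""

SBOM_V11_STYLE = """SPDXVersion: SPDX-2.3
PackageName: libbar
PackageVerificationCode: 0000000000000000000000000000000000000000
"""


def parse_packages(text):
    """Group tag-value lines by package: a list of {tag: [values]} dicts."""
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, value = (part.strip() for part in line.split(":", 1))
        if tag == "PackageName":   # each PackageName starts a new package
            current = {}
            packages.append(current)
        if current is not None:    # document-level tags before the first package are ignored
            current.setdefault(tag, []).append(value)
    return packages


def check_package(pkg, version):
    """Return (errors, warnings) for one package: MANDATORY -> error, RECOMMENDED -> warning."""
    rules = RULES[version]
    errors, warnings = [], []
    name = pkg.get("PackageName", ["<unnamed>"])[0]

    def report(level, msg):
        if level == "MANDATORY":
            errors.append(f"{name}: {msg}")
        elif level == "RECOMMENDED":
            warnings.append(f"{name}: {msg}")   # OPTIONAL fields are never reported

    if not any(f in pkg for f in rules["hash_fields"]):
        report(rules["hash"], "missing package hash (" + " or ".join(rules["hash_fields"]) + ")")
    if "ExternalRef" not in pkg:
        report(rules["ExternalRef"], "missing ExternalRef")
    if "FilesAnalyzed" not in pkg:
        report(rules["FilesAnalyzed"], "missing FilesAnalyzed")
    return errors, warnings


def conforms(text, version):
    """Return (ok, errors, warnings) for a whole document against guide version 1.0 or 1.1."""
    errors, warnings = [], []
    for pkg in parse_packages(text):
        e, w = check_package(pkg, version)
        errors.extend(e)
        warnings.extend(w)
    return not errors, errors, warnings
```

Running `conforms(SBOM_V11_STYLE, "1.0")` reports three errors (no PackageChecksum, no ExternalRef, no FilesAnalyzed), while the same document under "1.1" passes with a single ExternalRef warning.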

Get the Guide

Do you want to review the original 1.0 version of the guide? You can learn more and get it in multiple languages via the original Telco SBOM Guide version 1.0 launch announcement. You can also learn more about the version 1.0 validator in its original launch announcement.

Get the Validator

Our official validator for the Telco SBOM Quality Guide has been updated for version 1.1 and is available on the OpenChain Telco Work Group GitHub repo.

To install from PyPI, issue:
pip3 install openchain-telco-sbom-validator
or:
pipx install openchain-telco-sbom-validator

Coming Next:

Development of the next generation of the guide will occur via the Telco Work Group, and everyone is welcome to contribute.

The OpenChain Telco Work Group mailing list is here:

The OpenChain Telco Work Group GitHub (for drafting) is here:

Related News:

Community Credits:

Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.

RECORDING: OpenChain Telco Work Group Meeting – 2025-05-07

By News

The OpenChain Telco Work Group has released an updated OpenChain Telco SBOM Guide Validator to support Version 1.1 of the Telco SBOM Guide. The guide is industry-specific but easily adaptable, and addresses SBOM quality in the supply chain. The validator allows you to automate checks of conformance to the guide.

Learn more about the updated validator in the latest meeting below.

You may also be interested in seeing the cross-industry guide discussion this has inspired in our SBOM Study Group. A recording of the SBOM Study Group April meeting is also available online.

Watch the Meeting:

Be part of this:

Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/telco

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/Telco-WG

You are also welcome to participate in any of our other working groups around the world:

RECORDING: OpenChain AI Work Group – Monthly Workshop for North America and Europe – 2025-05-06

By News

We held our regular workshop for the OpenChain AI Work Group on May 6th. During this meeting some important decisions were made. The Work Group attendees agreed that initial drafting on the AI SBOM Compliance Guide is now substantially complete, and there will be two next steps:

  1. The work will be taken to the OpenChain Governing Board Q2 meeting (25th June) for formal approval to start a public comment period.
  2. If approval is given, the guide will go into a six week public comment period, and after that period will move into a publication process.

The Draft AI SBOM Compliance Guide:

This replaces the previous scratchpad located here:

Watch the Recording:

Track This Work:

You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:

Attend Future Meetings:

You can find and get the dial-in details for all future AI Work Group meetings from our participate page here: