Reflections on our lessons learned in making ISO 18974, and our process of drafting proposed updates to the standards, to try and provide a template for other projects looking at making and maintaining standards.
Education:
A review of the updated Reference Library, updated open source policy template and drafting underway for a new OpenChain Adoption Guide + discussion about and call for engagement with updates to our online training.
And…
The Future:
The OpenChain Project has been very busy with various things in recent months. AI Compliance in the supply chain. SBOM Quality (Telco and Cross-Industry). Country meetings (Germany, Korea, Japan), and so on. However, attendance on the main monthly call has been modest. We discussed how to change that, and also how to address the issue of timezones.
The second point was front-of-mind for our Specification Chair, Chris Wood. When drafting a specification, or considering an update to a presentation, the majority of the work tends to be live-editing on calls. However, with the geographic split between North America, Europe and Asia, our retrospective on the ISO/IEC 5230 and ISO/IEC 18974 proposed updates revealed this to be a concern.
Starting next month, we will explore options to boost interest, engagement and attendance with this primary call, and to improve the ability of people from around the world to live edit, rather than needing to catch-up via mailing lists or on GitHub.
The first step will be adjusted scheduling (watch this space) and the second step will be to invite the various work groups and study groups to join the main call, and to provide briefings and Q&A around their work.
We will be following up on the activities outlined above on the mailing lists, and we will continue our regular series of calls and meetings throughout the year.
To round off a successful run of Open Source Software Masterclasses, Bristows are pleased to announce that the final session, ‘Tech in focus: navigating legal and commercial challenges in an increasingly open source world’,has been expanded to include additional topics, offering even greater value. Please find the full programme below.
Register now to secure your in-person place. Attendance is available for the full day, or for either the morning or afternoon sessions. Don’t miss this excellent opportunity to discuss the latest Open Source insights and network with peers in the tech law community.
OpenChain will feature prominently, and many familiar faces from our UK community will be present.
Open Source in transactions: M&A and commercial agreements Toby Crick, Partner, Bristows
4:15 pm
Panel discussion: open source and risk management Lewis Parle, Head of Intellectual Property Risk, Lockton, Stephen Pollard, Director Open Source Advisory, Orcro, Andrew Katz, Consultant, Bristows & CEO, Orcro, Toby Crick, Partner, Bristows
The OpenChain Project has begun a new guide designed to expand on options for small, medium and large companies adopting one or the other of our existing ISO standards. The goal is to outline some of the implementation choices an organization can make when filling out process points for open source business management. It is also going to link more deeply into our Reference Library for further examples and resources.
This guide is in early days, and we are putting out a call for ideas, suggestions and contributions.
Expand on the options available for each topic covered
Include better references to open source tooling for open source compliance matters
Note:
One thing that is noteworthy is that this guide is human-drafted but it is being developed in conjunction with a locally-installed LLM (Gemma3 12b). The LLM prompts and original output are at the bottom of the guide itself. There is no intention to replace human review and development, but rather to test to what extent current LLMs are providing accurate or useful information around our standards. This will help us develop guidance on LLM use for OpenChain and other compliance initiatives later in the year.
The OpenChain Project publishes a template for making open source policies. This is a non-prescriptive document that provides plenty of options for policy development for organizations of all sizes.
With huge thanks to Gary Armstrong over at FOSSID (and to Andrew Katz, Education Chair, for the merge), please find below a new version of the OpenChain open source policy template:
(You can also find the old version at the same link)
The updated policy template improves the content, formatting and fixes bugs, and it a recommended upgrade for anyone using our template to help develop or refine open source policy in organizations.
Interested in Helping?
The OpenChain Policy Template is a living document (just like all our reference library). We activity welcome feedback and suggestions for improvement from everyone involved in open source and open innovation.
You can be part of the process by joining our Education Work Group mailing list:
The OpenChain Project maintains a reference library of over 1,000 documents. This library has been built over eight years from our original, first release of a set of a training slides for open source license compliance. The library has now been comprehensively updated to make it easier to find, use and share resources.
To ensure easer of navigation and our ability to adjust and improve the library structure over time, you will find that navigation is primarily guided by the README file, which acts as the starting point for all navigation. You can also get a full preview of the structure of the library later in this post.
The intention is that:
You will enter this library at the top level of the archive
You will use this README file as your index
We will update the README as the library evolves
The library contains:
Adoption Guidance
AI Compliance Guidance
Case Studies
Compliance Training Slides
Explainers for Internal Teams
Maturity Models
Policy Templates
SBOM Quality Guidance
Source Material for Online Training Courses
Self-Certification Material
Supplier Education Material
Templates and Overview Material for OpenChain Project
+ Much, much more.
Licensing:
Most of the material in this repository is available under CC-0 licensing (effectively public domain). You will notice some exceptions with Guides (like the Telco SBOM Guide) and with case studies. These documents are not designed to be freely altered because they provide either guidance developed to consensus in our work groups, or the specific experience of companies in addressing compliance matters.
Navigating the Library:
As of 2025-05-08, the library is structured in the following folders alphabetically:
AI-SBOM-Compliance
Open-Source-Compliance-Support-Material
Open-Source-Policy-Templates
OpenChain-Adoption-Guides
OpenChain-Case-Studies
OpenChain-Explainers-For-Internal-Teams
OpenChain-FAQ
OpenChain-For-Mergers-and-Acquisitions
OpenChain-Maturity-Models
OpenChain-Promotion-Material
OpenChain-Standards-Self-Certification
OpenChain-Supplier-Education
OpenChain-Templates
OpenChain-Training
SBOM-Quality-Management
AI-Compliance
OpenChain has an AI Work Group. This is where you will find our work on AI compliance topics. The current focus is on AI SBOM management in the supply chain, and what type of program process points are required to manage this effectively.
This folder contains compliance-related material non-specific to OpenChain. You may find these community contributions useful in your work.
Open-Source-Policy-Templates
Having an open source policy is a requirement in our standards. This folder contains some template material to get you started or to help you refine existing policies.
OpenChain-Adoption-Guides
This folder contains guides to adopting the OpenChain standards.
OpenChain-Case-Studies
This folder contains case studies from companies that have adopted OpenChain standards.
OpenChain-Explainers-For-Internal-Teams
Explaining the value of OpenChain approaches to compliance process management is critical to ensure buy-in and support across an organization. We have created a series of quick explainer documents to support this.
OpenChain-FAQ
This folder contains the official OpenChain Project Frequently Asked Questions. These are mirrored on our website.
OpenChain-For-Mergers-and-Acquisitions
This folder contains some material relevant to understanding OpenChain standards in the context of Mergers and Acquisitions.
OpenChain-Maturity-Models
Once an organization has begun to adopt OpenChain standards, the question arises of how to iterate and improve their compliance program. Maturity models or capability models are a tool to assist with this. We have one to share with you as a reference guide.
OpenChain-Promotion-Material
This folder contains infographics, one-pagers and introductory presentations to help organizations understand the OpenChain Project, its standards, its reference material, and the global community supporting its work.
OpenChain-Standards-Self-Certification
This folder contains self-certification checklists and questionnaires to help companies easily adopt our standards. This material can also be used as a “health check” for organizations not currently using our standards.
OpenChain-Supplier-Education
This folder contains a leaflet designed to give suppliers a single file that takes them from “what is open source” through to the importance of license compliance, and the use of OpenChain standards.
OpenChain-Templates
This folder contains templates so that the community can develop new presentations or documents with the OpenChain trademarks, mascots and other images.
OpenChain-Training
This folder contains our reference training slides and also the source code for our online training courses.
SBOM-Quality-Management
OpenChain has an SBOM Study Group. This is where you will find our work on SBOM-related topics. The current focus is on SBOM Quality in the supply chain, and what type of approach is required to manage this effectively.
In the last year and a half the OpenChain Project has developed, published and seen adoption around the OpenChain Telco SBOM Guide. It helps define what is needed for a quality SBOM in practical supply chain use.
We just released Version 1.1 of the Guide, and you can learn more about that in our launch announcement:
The guide is supported by automation to make things more scalable. This matters for saving time, saving money and enabling sustainability. We started the automation journey around SBOM quality management with a validator for the OpenChain Telco SBOM Guide contributed by Nokia:
This week SCANOSS announced their automation support for the OpenChain Telco SBOM Guide, the first commercial tooling provider formally aligning with our work on SBOM quality. You can get all the details on the SCANOSS blog post dedicated to this development.
“The OpenChain Telco SBOM Guide does a remarkable job in providing to the industry a shared direction,” said Julian Coccia, CTO at SCANOSS. “It represents an outstanding complement to the OpenChain 2.1, ISO/IEC 5230:2020 that provides a simple, clear and effective process management standard for open source license compliance. By integrating support to the schema described in this Guide directly into our tools, SCANOSS makes it easy for organizations to adopt these guidelines efficiently.”
Community Credits
Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.
Naturally we also want to extend our thanks to Julian and the rest of the SCANOSS team for their adoption and support of the OpenChain Telco SBOM Guide.
Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.
And… a big thank you to all of the Nokia team who have created and supported this validator!
Get the guide in Chinese (Traditional), English, French and Japanese
Get the validator
Learn how to get involved in future development
What is this Guide?
The OpenChain Telco SBOM Guide aims to outline certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this guide can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs.
Note: that this guide does not require a conforming entity to adopt OpenChain standards but doing so is greatly encouraged.
This guide is designed to work on a per SBOM level: an entity can use it as its sole way of delivering SBOMs but it is the individual SBOM that the guide refers to, not the entity that provides the SBOM. An SBOM using this guide can be called “OpenChain Telco SBOM Guide Compatible.”
Want more context? We delivered a presentation at FOSDEM:
Updates from Version 1.0 to Version 1.1 of the Guide:
The following updates were made in version 1.1:
Both PackageChecksum and PackageVerificationCode are allowed as package hash.
The package hash is RECOMMENDED instead of MANDATORY.
ExternalRef is RECOMMENDED instead of MANDATORY.
FilesAnalyzed is no longer MANDATORY.
Examples are provided for the CISA SBOM Types.
A RECOMMENDED syntax is given for CISA SBOM Types.
sbomasm is a better example of SBOM merge tool.
Add reference to new CISA document.
An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.
Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.
The OpenChain Telco Work Group has released an updated OpenChain Telco SBOM Guide Validator to support Version 1.1 of the Telco SBOM Guide. The guide is an industry-specific but easily adaptable guide to addressing SBOM quality in the supply chain. The validator allows you to automate checks of conformance to the guide.
Learn more about the updated validator in the latest meeting below.
Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.
We held our regular workshop for the OpenChain AI Work Group on May 6th. During this meeting some important decisions were made. The Work Group attendees agreed that initial drafting on the AI SBOM Compliance Guide is now substantially complete, and there will be two next steps:
The work will be taken to the OpenChain Governing Board Q2 meeting (25th June) for formal approval to start a public comment period.
If approval is given, the guide will go into a six week public comment period, and after that period will move into a publication process.
You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
