News

We have our monthly Europe / Asia call tomorrow (2025-07-16) @ 08:30 UTC / 09:30 BST / 10:30 CEST / 16:30 CST / 17:30 JST + KST

• We will cover activity in the Education Work Group
• We will cover formal outcomes in the Specification Work Group
• We will check out the AI Compliance Guide Public Comment Period
• We will hear about what’s happening with the SPDX Operations Profile

In other words, lots of standards, processes and reference material. This goes beyond news, and into impactful action items underway across our community.

Be part of this. 🙂

Join here:

https://zoom-lfx.platform.linuxfoundation.org/meeting/98605614769?password=dd739f3e-5991-4c87-b428-39a7b550ca0d

About Our Work Group:

The OpenChain Tooling Work Group holds meetings on a bi-weekly schedule. They allow anyone with an interest in open source tooling for license, security or other compliance matters to learn, share and collaborate. All levels of experience are welcome.

Next Meeting:

Our next meeting takes place on the 16th of July 2025 at 17:00 CEST (15:00 UTC).

Dial-In:

• https://conf.fsfe.org/b/compliance-tooling
• Access Code: 199143

Join Our Mailing List:

• https://groups.io/g/oss-based-compliance-tooling

The OpenChain Project will hold a webinar on the 29th of July 2025 to provide a case study on how ZF – one of the world’s largest automotive suppliers – collaborated with TIMETOACT to obtain third-party certification for OpenChain ISO/IEC 5230.

2025-07-29 @ 07:00 UTC / 08:00 BST / 09:00 CEST / 15:00 CST / 16:00 KST + JST

Join at the start time using this link:
https://zoom-lfx.platform.linuxfoundation.org/meeting/91433079580?password=a677a4f4-2af5-4453-8ec9-07dcc28f9656

Abstract:

This case study is suitable for organizations new to the OpenChain standards, organizations in the process of adopting the standards, or organizations reviewing how others met this milestone in open source process management. It will be structured as a series of short section presentations that provide:

• A brief introduction to ISO/IEC 5230
• The importance of ISO/IEC in the automotive industry
• ZF’s certification journey
• Forming an OSPO
• Steps taken to accomplish ISO/IEC 5230 certification
• Challenges faced
• Role of TIMETOACT in the certification process
• Gap analysis with TIMETOACT and ZF
• How ZF used OpenChain and InnerSource Commons resources
• Lessons learned
• Closing thoughts

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

• https://www.openchainproject.org/webinars

This OpenChain Webinar will be broadcast on 2025-07-29.

We Held A Meeting To Discuss Three Things:

1. To identify what is happening in the country around open source process management
2.  What we can usefully contribute to increase value in this area for local businesses, projects and government
3. Any areas of concern that might need global community assistance

Watch the Meeting:

Identified Challenges Faced for the OpenChain Germany Work Group:

Our current challenge is a lack of momentum in our meeting schedule and discussions. The challenge appears to be caused by two things:

• Lack of time on everyone’s part
• A wide variety of activities making it difficult to focus energy

Identified Priorities for the German Market:

• Enable small and medium sized businesses (and large) to deal with license compliance
  • What is OpenChain’s specific value proposition for them
• Supply Chain Risk Management:
  • License compliance – ISO/IEC 5230 value proposition
  • Security assurance – ISO/IEC 18974 value proposition
    (value with or apart from IEC 62443)
  • Japanese market solution(s) – why they made SPDX Lite
  • SBOM Quality (Ericsson + Nokia, interest from US government)
• Regulation:
  • Cyber Resilience Act (CRA):
    https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
    Does ISO/IEC 18974 cover all of this – especially reporting
  • Product Liability Directive:
    https://single-market-economy.ec.europa.eu/single-market/goods/free-movement-sectors/liability-defective-products_en 
  • AI Act:
    https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence 
  • Digital Operational Resilience Act (DORA):
    https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en

Suggested Next Steps: 

• Liaise with Bitkom to collaborate / contribute to their work (Marcel will be the contact):
  https://www.bitkom.org 
• Liaise with Open Business Alliance to collaborate / contribute to their work (Jan will be the contact):
  https://osb-alliance.de
  +
  https://eacg-gmbh.github.io/osba-regulatory-monitor/ 
• Liaise with OSADL to collaborate / contribute to their work (Shane will reach out):
  https://www.osadl.org

Discussion Document:

We have created a document to help everyone share ideas (and refine other ideas) about next steps in the country. You can find and add comments to the document here:

• https://docs.google.com/document/d/1LM9ml2d84oGZUD1lWjD48b-writh4ZswdK85PDy-mtk/edit?tab=t.0#heading=h.9lirpo76pyrg

We Held A Meeting To Discuss Three Things:

1. To identify what is happening in the country around open source process management
2.  What we can usefully contribute to increase value in this area for local businesses, projects and government
3. Any areas of concern that might need global community assistance

Watch the Meeting:

Identified Challenges Faced for the OpenChain India Work Group:

Our current challenge is a lack of momentum in our meeting schedule and discussions. The challenge appears to be caused by two things:

• Lack of time on everyone’s part
• A wide variety of activities making it difficult to focus energy

Identified Priorities for the Indian Market:

• CERT-IN Guidelines (SBOM):
  https://www.cert-in.org.in/PDF/SBOM_Guidelines.pdf 
• SEBI Cybersecurity and Cyber Resilience Framework:
  https://www.sebi.gov.in/legal/circulars/aug-2024/cybersecurity-and-cyber-resilience-framework-cscrf-for-sebi-regulated-entities-res-_85964.htm

Suggested Next Steps:

• Identify where ISO/IEC 5230 and ISO/IEC 18974 can assist
• Identify where OpenChain reference material can assist
• Discuss if we can create new reference material to assist

Discussion Document:

We have created a document to help everyone share ideas (and refine other ideas) about next steps in the country. You can find and add comments to the document here:

• https://docs.google.com/document/d/1rcTKVkwlEybUQMV9Agcs7MoRiCGcp07GqIAXvpA4_cs/edit?tab=t.0#heading=h.jmco3749i6v

We Discussed:

This was a busy meeting. Lead by Chris Wood (Chair, Specification Work Group), and featuring discussions from Martin Yagi (Chair Education Work Group) and Dave Marr (Co-Chair AI Work Group), we worked through the following agenda:

1. Introducing new Work Group Chairs
2. Education Work Group next steps
3. AI Work Group – Draft AI Compliance Guide public comment period
4. Specification Work Group – Approvals for updates to standards
5. and more

Watch the Recording:

Check out the Meeting Slides:

• https://github.com/OpenChain-Project/Meeting-Minutes/tree/main/Slides/2025

Coming Next:

• With concrete targets for implementing agreed updates to the existing standards;
• A new outreach beginning to triage further updates to the existing standards;
• A provisional roadmap for further developing our education material;
• And a six week window before finalizing a new AI compliance guide;

We have full but focused activity ahead.

Join Our Work:

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate