Ulrike Fempel from SAP has a few thoughts to share.
What is the OpenChain Project, and how has SAP adopted the corresponding standard? In my current role in the SAP Open Source Program Office, I was involved in several activities around SAP’s OpenChain certification and would like to share some insights in this blog post.
With numerous open-source licenses available (more than a hundred licenses approved by the OSI) and new ones emerging constantly, it is important for companies that manage open-source software to fulfill all legal requirements and obligations. The OpenChain Project, launched in 2016 under the umbrella of the Linux Foundation, aims to support companies with their license compliance across the open-source software supply chain and has been adopted by a wide range of companies and a broad community. The mission of OpenChain is “a supply chain where open source is delivered with trusted and consistent compliance information”. In 2020 it had matured enough to be accepted as an ISO standard, which runs under the name ISO/IEC 5230 and is considered the International Standard for open-source license compliance. Global and local working groups address the needs of different industries and regional adopters and help to improve and enhance the project continuously. Anybody is invited to freely use the existing OpenChain content, whether training material, policy templates, or developer guidelines. More than 1000 reference documents, such as how-to guides, are available on GitHub, including reference guides for software supply chain security.
In March 2022, SAP finished its certification for ISO/IEC 5230 conformance. As mentioned in the related press release, this was “the first time an enterprise application software company has undergone whole entity conformance”, meaning that SAP as an entire company was certified. What was SAP’s experience with the OpenChain certification? What were the prerequisites, and how much effort did it take?