Skip to main content
All Posts By

Shane Coughlan

OpenChain and ChatGPT – New Case Studies

By Featured, News

The OpenChain Project is releasing the first draft case studies created by ChatGPT on our GitHub. These are not intended to replace our community contributions, but to make it fast for people to add ideas and adjustments. This will specifically address one of the greatest challenges in creating new material: the initial time spent for drafting.


Our community feedback shows that people usually enjoy commenting and polishing more than drafting. Check them out and let us know what you think!

It took ChatGPT less than ten minutes to create eight case studies:

External: LG Electronics Talk About Their OpenChain Security Specification Adoption (LG전자, 오픈소스 소프트웨어 보안체계 국제표준 준수)

By News

LG Electronics has published a news item about their recent adoption of OpenChain ISO/IEC DIS 18974, the de facto industry standard for open source security assurance.

An extract from their post:

(서울=연합뉴스) 김아람 기자 = LG전자[066570]는 미국 비영리단체 리눅스재단의 오픈체인 프로젝트가 규정한 ‘오픈소스 소프트웨어 보안 관리체계 국제표준’ 준수 기업으로 인정받았다고 21일 밝혔다.

이 인증 획득은 국내는 물론이고 글로벌 제조업계를 통틀어 LG전자가 유일하다.

소스코드가 공개된 오픈소스 소프트웨어 사용에서 ▲ 내부 보안정책 수립 ▲ 보안정책의 주기적 업데이트 ▲ 보안 테스트를 위한 각종 툴 사용 여부 등 30여개 보안 인증 요건을 모두 충족했다.

Read The Full Article

External: OpenChain Partner Flags Some Interesting AI Hallucinations Around Open Source Licenses

By News

Dr. Andreas Kotulla over at BitSea has flagged some interesting concerns when using ChatGPT to talk about open source licenses. While a conversation about open source licenses in China correctly identified the Mulan Permissive Software License, other Chinese “licences [discussed by ChatGPT] seem to come from ChatGPT’s pure imagination!”

From his research:

China is playing an increasingly important role in the open source world. Especially for globally active companies with their own software development, it is worth taking a look at the Far Eastern market. But caution is advised in research efforts: Those who trust in the help of artificial intelligence should be prepared for misjudgements. In my blog, I show by example what can happen or what should be taken into account when software like ChatGPT is supposed to provide support in this still young field of research.

Read the full article

OpenChain Webinar #51 – An Update On ClearlyDefined

By News, Webinar

OpenChain Webinar #51 featured an update on ClearlyDefined by Nick Vidal at the Open Source Initiative (OSI). A lot has happened since we last covered this project for open source metadata, including the move to a new home at OSI.

About The Project

ClearlyDefined and its parent organization, the Open Source Initiative, are on a mission to help FOSS projects thrive by being clearly defined. Lack of clarity around licenses and security vulnerabilities reduces engagement – that means fewer users, fewer contributors and a smaller community.

As such, the goals of the project are to:

  • Raise awareness about this challenge within FOSS project teams
  • Automatically harvest data from projects
  • Make it easy for anyone to contribute missing information
  • Crowd-source the curation of these contributions
  • Feed curated contributions back to the original projects

Watch The Webinar

Check Out All Our Previous Webinars

OpenChain Legal Work Group – 2023-04-25

By News

The first meeting of the Legal Work Group took place on the 25th of April 2023. We explored model provisions for including OpenChain ISO/IEC 5230 and OpenChain ISO/IEC DIS 18974 (and potentially other standards) in procurement contracts or similar material.

The goal is to ensure people can understand options. We will not be prescriptive and these model provisions will remain part of the OpenChain reference material. They will not be included in the standards themselves.

The call started by looking at model provisions done before via the Risk Grid:

The document, under public domain, has been moved to the OpenChain GitHub for ease of access and editing:

Our outcome was to use this basic format as a way to structure our first round of model provisions, and to have the option of merging the documents in the future.

Full Recording

Some Post-Call Outcomes

Risk Grid Version 11 (last published version) is now fully translated to MarkDown:

Risk Grid Version 12 has been created to help set the template for our adjacent work on model language for ISO/IEC 5230 and ISO/IEC DIS 18974. This document needs review:

This is a continuation of the risk grid that:
– makes a first attempt to reorder the issues based on their granularity – highest first and;
– adds the issue title to the issue number for ease of navigation and;
– merges the Commentary and Comments fields to reduce redundancy.

This version removes issue numbers because the titles replace the numbering, and it avoids long term issues with quotations of different issue numbers across different versions of the risk grid.

OpenChain @ FOSS North 2023

By News

Shane Coughlan, OpenChain General Manager, delivered a talk entitled ‘How The Linux Foundation Standards For License Compliance And Security Will Fix Your Supply Chain‘ at FOSS North 2023 on the 25th of April 2023.

Formal Talk Outline

The OpenChain License Compliance (ISO/IEC 5230) and Security Assurance standards provide simple and effective ways for companies in the supply chain to improve open source software management. Organizations around the world have engaged with these standards over the last five years for cost reduction, time optimization and to allow staff to work on tasks directly related to improving products and services. Data suggests significant traction in adoption, with an example being a recent PwC-sponsored survey showing 20% of German companies with more than 2,000 employees using ISO/IEC 5230. This talk will explain how the OpenChain Project is building the support structures needs to accomplish ever broader market adoption, ranging from community activities to reference material to a commercial ecosystem. It will focus on recent developments, especially around expanding work in security, in editing the next generations of the standards, and in lessons learned to revise our supplier education material. Attendees will leave this talk knowing current options for assessment, deployment and – in the case of customer companies – encouraging suppliers to use these standards too.

Check Out Our Slides

OpenChain @ NLnet Supply Chain Webinars

By News

NLnet is hosting a series of webinars on Open Software Supply Chain management.

The first episode with Armijn Hemel took place on April 6th, with the topic of Open Source in (Consumer) Electronics Supply Chains:

Next up was Philippe Ombredanne (a.o., who gave a talk on April 13th 2023 on automated tooling to understand dependencies, handle vulnerabilities in an open and transparent manner:

Forthcoming webinars in the series are:

Thursday May 4th 2023 // 13.00 – 14.30 CEST (Amsterdam, Berlin, Rome)

 – Speakers: Carlo Piana & Alberto Pianon.
 – Topic: The importance of a Software Bill of Materials in light of the upcoming Cyber Resilience Act and product liability legislation in Europe.
 – More info:

Thursday May 11th 2023 // 13.00 – 14.30 CEST (Amsterdam, Berlin, Rome)

 – Speaker: Shane Martin Coughlan
 – Topic: ISO standards and certification. (This talk was previously scheduled for April 27).
 – More info:

About These Webinars (from NLnet)

As the dependency of society on technology continues to increase in every possible direction, it is of the utmost importance to understand the dynamic life cycle of the free and open source building blocks that form the basis of pretty much all technology we use today – and how these can be kept safe and available.

Not only do we need to improve our understanding of how and where software is developed, maintained, built and deprecated at macro scale – but we also need to create mechanisms to ensure that building blocks are kept up to date, that different versions don’t collide, FOSS packages from public repositories have not “bit-rotted” or even worse: have been tampered with by malicious actors as part of a “supply chain attack”. There has been an increasing attention to the fact that with software “eating the world”, a healthy and robust software ecosystem should be a key societal (and thus political) priority. But at the same time, we should do so with full understanding of the highly specific nature of “digital commons” – as the controversy surrounding the upcoming Cyber Resilience Act clearly proves.

In this series of webinars by leading experts such as Armijn Hemel (Tjaldur), Shane Coughlan (OpenChain), Carlo Piana (OSI), Alberto Pianon (Eclipse Compliance Toolchain Project Lead) and Philippe Ombredanne (AboutCode) we look at software supply chains from different angles. What do modern electronics supply chains look like, how is provenance handled – and how *should* it be handled? What mechanisms do we have to verify the integrity of deployed code packages and detect abnormal code changes that may be signs of malicious modifications and possible attacks? Where do “Software Bill of Materials” come into play? And what is being done, and perhaps should be done from a legislative and governance point of view?

The entire webinar series is available free of charge, and will allow you a deep dive into the hidden world behind the software and hardware we use – and will help you get a clear understanding of how open source supply chains work, and a grasp of what the policy challenges are.

Learn More About The Forthcoming OpenChain Webinar:

OpenChain @ Legal and Licensing Workshop 2023 – Gothenburg, Sweden – 2023-04-21

By News

The OpenChain Project was featured at the FSFE Legal and Licensing Workshop 2023 held in Gothenburg, Sweden during April. This annual event brings together legal experts from around the world to talk about open source and open-related legal matters.

Check Out Our Slides

Learn More On The Official Website: