Shane Coughlan

Open source, security, supply chain, sustainability. In this informal discussion we had a chance to cover it all.

Learn About OpenSSF In The Current Landscape From Brian Behlendorf, General Manager Open Source Security Foundation

OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

Learn About SPDX In The Current Landscape From Kate Stewart, VP, Dependable Embedded Systems At The Linux Foundation

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information.

And Learn More About Industry Responses To Log4J With A Practical Case Study About How Things Unfolded “On The Ground”

You can expect to come away with a clear understanding of market conditions, how the Linux Foundation is addressing them, and where OpenChain fits into the picture. The goal – as always – is to ensure you have the information necessary to make informed, effective decisions around the open source supply chain.

We seek to build trust in the quality of programs used by you, your customers and your suppliers. We are proud to have taken significant strides in our field throughout 2021. We expect to push the boundaries of what is possible once again in 2022. You can learn more about what we are doing around security – including our reference assurance guide – here:

• https://www.openchainproject.org/news/2022/01/19/openchain-on-security

We are turning this into a Reference Security Specification via our bi-weekly global work team calls. You can via the current draft on GitHub and open issues here: 

• https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide/2.0

The OpenChain Open Source Policy Template helps apply the key requirements for a quality open source compliance program. It provides sample policy text that helps organisations select, classify, incorporate and publish open source code with a focus on legal compliance of open source.

This template has been available in English for several years thanks to the hard work of Andrew Katz, the teams at Moorcrofts and Orcro, and the broader OpenChain community. Now, thanks to Masahiko Hayashi and the team at NEC, this policy template is available in Japanese.

This is an excellent resource to help you conform to OpenChain ISO/IEC 5230:2020 or to simply improve your internal process management for open source.

Download the Japanese version here:

• https://github.com/OpenChain-Project/Reference-Material/blob/master/Open-Source-Policy/Official/2.1/ja/Open-Source-Policy-Template-ja-OpenChain2.1-ISO5230-JA.docx

Download the English version here:

• https://github.com/OpenChain-Project/Reference-Material/blob/master/Open-Source-Policy/Official/2.1/en/Open-Source-Policy-Template-en-OpenChain2.1-ISO5230.xlsx

Contribute to this work on GitHub:

• https://github.com/OpenChain-Project/Reference-Material/tree/master/Open-Source-Policy/Official

HONOR, a leading global provider of smart devices, officially joined the OpenChain Project as a Platinum Member. HONOR will continue to devote efforts to help maintain OpenChain ISO/IEC 5230, the International Standard for open source license compliance.

中文版: 荣耀加入 OpenChain项目理事会 

“HONOR is delighted to join the OpenChain Project. HONOR has consistently taken compliance management as the basis of business process. HONOR adheres to the principle of open innovation to provide high quality smart devices that exceeds the expectations of customers around the world,” said Samuel Deng, President of Research & Development Mgmt Dept, HONOR Device Co., Ltd. “HONOR will actively participate in the OpenChain project to work with global partners to build a more secure and efficient open source software management system. ”

“HONOR will playing an essential role in the OpenChain Project in 2022 and beyond,” says Shane Coughlan, OpenChain General Manager. “Chloe and the rest of the team will be providing strategic guidance on our governing board, building on their existing engagement across our global community. Our shared mission is to build greater trust in the supply chain, and this represents another significant milestone in our ability to execute effectively.”

About HONOR

HONOR is a leading global provider of smart devices. It is dedicated to becoming a global iconic technology brand and creating a new intelligent world for everyone through its powerful products and services. With an unwavering focus on R&D, it is committed to developing technology that empowers people around the globe to go beyond, giving them the freedom to achieve and do more. Offering a range of high-quality smartphones, tablets, laptops and wearables to suit every budget, HONOR’s portfolio of innovative, premium and reliable products enable people to become a better version of themselves.

For more information, please visit HONOR online at www.hihonor.com.
https://community.hihonor.com/
https://www.facebook.com/honorglobal/
https://twitter.com/Honorglobal
https://www.instagram.com/honorglobal/
https://www.youtube.com/c/HonorOfficial

About the OpenChain Project

The OpenChain Project maintains the International Standard for open source license compliance. This allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program. This is an open standard and all parties are welcome to engage with our community, to share their knowledge, and to contribute to the future of our standard.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.

Linux is a registered trademark of Linus Torvalds.

Today marks a significant step forward for both the field of Third-Party Certification and the Chinese market in the context of OpenChain ISO/IEC 5230, the International Standard for open source license compliance. The China Academy of Information and Communications Technology (CAICT) has helped three companies establish OpenChain conformant programs scoped to cover one key product from each. This type of program is a common method of helping companies to “onboard” to broader programs over time.

The products going through the new OpenChain conformant programs are:

• GBase 8a from General Data Technology Co., Ltd. (GBASE) [1]
• KingbaseES V8 from CETC Kingbase [2]
• Tidb enterprise v4.0 from PingCap [3]

CAICT has a Third-Party Certification Program that draws on their domain experience in legal compliance consulting and which lasts between four and six weeks. In words of Zhang Jun Xia, who is leading the program for CAICT, the process looks like this:

1. Agreement is reached on how to approach certification: “we talk about the importance of open source compliance with the key staffs of the companies, including their managers or vice managers of commercial ，developing and legal departments（from last year my team discussed with about 10 companies). Then some of them reach the agreement to set the opensource compliance management process.”
2. Kick off meeting to estimate the scope of work: “my team will hold a starting meeting with the company who decided to go through the OpenChain program. We invited almost every manager or vice manager whose responsibilities related to open source upstreaming and down-streaming. We talked about their understanding opensource compliance and the basic requirements of opensource compliance, and introduce the procedures that we will performance to help them meet the requirement.”
3. Training to share knowledge and increase cohesion between the company and CAICT teams: “we start the training step. according to the understanding and basic estimate at the kick-off meeting, we design the training courses which last to 6 hours to 12 hours, depending on the basis of different companies( Half of the training resources are from OpenChain training resource). By the course, we lead to the agreement what is opensource compliance and what should have to be done to meet it.”
4. The interview process: “we start a 2-3 days interviews with the key individuals who is involved in opensource compliance management，like the legal officer，the development manager，the product manager，the commercial officer….we dug out the specific procedures how the product is developed，how they manage the upgrade versions，and how to ensure the function and performance indexes such as availability ， reliability and security.”
5. Setting the compliance procedure to documents: “Next week we will write the documents which set the management processes, based on  their original ones, trying to make the least change and make sure to meet the 6 fields of OpenChain standard. We discussed the documents with the key staffs to reach another agreement (in this step we wrote a lot of documents, even described every steps procedure).”
6. Inspection period: “Once we both agreed, the product line will execute the management processes, and make the records，logs，and discuss every thing that should be cleared or should be changed. We will inspect the new process for 2 to 4 weeks, until we believe it is OK.”

“We are delighted to announce three new companies entering the OpenChain community of conformance today, ands we applaud CAICT on this exceptional certification accomplishment,” says Shane Coughlan, OpenChain General Manager. “The conformance of entities around the world falls into three categories. Self-certification, independent assessment and third-party certification. The availability of the latter is of critical important to ensure freedom of choice, and to ensure critical products in demanding industries are fully supported. The words largest technology production environment is reaching a new stage of maturity.”

[1]

Founded in 2004, GBASE adheres to the independent research and development and promotion of database, and provides users with full stack database products and services. As a state-level high-tech enterprise, GBASE has been rated as a leading domestic database enterprise for many years.

GBase 8a MPP Cluster is a leading product of massive parallel processing database management system, have entered the core business system of more than 80 large banks. The sales of GBase 8a have covered all provinces in China (except Hong Kong and Taiwan) and 34 countries, including the United States, Mexico, Pakistan, Japan, the United Kingdom, Russia and South Africa.

In recent years Gbase 8A adopts more and more open source components in version upgrading, and gradually realizes the importance of open source compliance. Through the Openchain compliance guidance provided by caict, the product has established a standardized open source management process, which greatly improved the transparency of SBOM transmission within the company and improved the reliability of open source compliance.

[2]

CETC Kingbase is a company specializing in database research and development and product services. It has mastered a number of database core technologies, developed large-scale general database products with international advanced level, and is widely used in high information security fields such as government, national defense, military industry, energy, finance and medical treatment, with a total installation and deployment of more than 1 million sets. Kingbases, its independently developed database management system, has passed a number of national security certifications and won the “second prize of national science and Technology Progress Award” in 2018.

In the process of product development, it took the  applying of ISO/IEC 5230:OpenChain standard and built a set of open source compliance management mechanism, which greatly reduced the risk of open source reference and effectively ensured the quality and safety of products.

[3]

Founded in 2015, Pingkai Xingchen (Beijing) Technology Co., Ltd (hereinafter referred to as PingCAP) is an enterprise-grade distributed database provider committed to delivering a modern data infrastructure for growth-oriented users that is efficient, reliable, open and compatible, unleashing  productivity, and accelerating digital transformation for enterprises.

PingCAP’s flagship project, TiDB, is an open-source, distributed Hybrid Transactional/Analytical Processing (HTAP) database that features horizontal scalability, strong consistency, and high availability with MySQL compatibility. TiDB 4.0 was designed for enterprise core business scenarios with requirements such as high availability, strong consistency, and large data scale, and has been adopted at scale in Finance, Internet, New economy, Public services, High-tech manufacturing and other industries in China.

As an open source company, PingCAP has been dedicated to driving forward autonomous  open source communities that honor contribution and participation as key credits. To date, TiDB as an open source project has received 30200+ stars on GitHub,  and has been adopted by over 2000 companies in production world wide, covering multiple industries such as Finance, Telecommunication, Manufacturing, Internet, and Public Service.