Synopsys has been announced as a global third-party certifier for OpenChain ISO 5230, the International Standard for open source license compliance. They join PwC and TUV SUD in providing such services.
“Establishing trust in open source is a continual journey with growing obligations,” says Jacob Wilson, Senior Security Consultant with the Synopsys Software Integrity Group. “Becoming an OpenChain 3rd party certifier allows Synopsys to promote the ISO/IEC 5230:2020 Standard and OpenChain community.”
“Welcoming Synopsys as a third-party certifier is an important milestone in two respects for the OpenChain Project,” says Shane Coughlan, OpenChain General Manager. “Firstly, they have exceptional reach to provide certification services to a worldwide customer base, and this will be beneficial for the both the OpenChain community and the broader open source market. Secondly, as the third entity providing such services, the OpenChain community now has significant freedom of choice when seeking vendor support.”
It is time to explore the results of our Q1 survey! At the bottom of this post you can download the full document. Let’s check out the highlights:
- Engagement and satisfaction is rated as very good or (more frequently) excellent across the board. The vast majority of respondents believe that we are “Very Good” or “Excellent” in putting forward what we are doing and sharing our information – either the business value, conformance, reference materials, and our website. Most importantly, people see us as a community that is easy to engage with and easy to get help from.
- Our conformance response revealed something interesting. About half of our respondents are primarily interested in something other than a private health of their compliance program or being listed publicly as having an OpenChain conformant program.This is worth digging into more (and we will), but some preliminary notes are:
- Feedback indicates that a relatively small percentage are seeking public announcements regarding conformance at this juncture, regardless of internal compliance activities. Their focus is instead on internal (or inter-supply chain) improvements and conformance.
- We additionally have a number of companies engaging with OpenChain ISO 5230 with applications outside of our core scope of conformance for the purpose of license compliance. These include entities engaging for activities related to security, mergers and acquisitions, and other business processes. We knew this from participants on our calls and so on, but it’s interesting how many of our community participants appear to fit into this demographic.
- About a third of respondents have used our online conformance web app, and those that have found it excellent in its ease of use, while about a third of respondents are not interested in getting more help conforming with OpenChain ISO 5230:2020 in the future. From other sources we have indications that this is due to two factors:
- People are using the specification directly for conformance or using our downloadable questionnaire.
- People are getting assistance from third parties such as participants in our partner program.
- We asked broader questions in the survey than those related only to OpenChain. For example, we asked about tooling, software bill of materials and interoperability. The interoperability questions were framed around determining what is important to the community in the context of open source license compliance and interoperability around Software Bill of Materials and/or automation. Respondents overwhelmingly expressed interest in greater interoperability for all tools and automation. This means supporting ingest and export of SPDX. It means greater interoperability between open source tooling as well as between open source and proprietary tooling.
Now we know what people want, it is time to make it happen.
You can expect the project as a whole to lean into supporting to diverse use-cases for OpenChain ISO 5230. You can expect the tooling group to lean into the interoperability question.
And…you are the community. Let’s get started!
Want To Check Out The Full Survey Results?
As recently noted by Jonas Oberg, Open Source Officer at Scania, OpenChain ISO 5230 and SPDX have been explicitly included in Scania Corporate Standard 4589 (STD 4589). This defines the expectations Scania has towards suppliers when they deliver a solution containing open source software.
Scania has three key considerations defined in STD 4589:
- Suppliers should conform to OpenChain ISO 5230.
- Suppliers should ideally contribute modifications to open source components to the originating open source project.
- Suppliers should provide a software bill of materials in SPDX format and any applicable source code when the software license requires it.
Linux Foundation Editorial Director Jason Perlow had a chance to speak with Masato Endo, OpenChain Project Automotive Chair and Leader of the OpenChain Project Japan Work Group Promotion Sub Group, about the Japan Ministry of Economy, Trade and Industry’s (METI) recent study on open source software management.