The 12th meeting of the OpenChain Korea Work Group took place on December 20th and was absolutely packed with presentations and discussions. Check out the recordings below.
The OpenChain Project and the OpenChain ISO/IEC 5230:2020 international standard had an exceptional 2021. From conformance announcements to new members, it was clear that the market was ready to gather around a shared solution for effective, efficient use of open source in supply chains.
The question is “what next?”
The answer is “a lot.”
We have three new governing board members to announce, new certifiers, new partners, new conformant organizations and – perhaps most important for the long-term – deeper engagement on the policy level across multiple countries.
As a member of our community you can expect to continue receiving support from global and national work groups, ever-improving material to help with the adoption and use of OpenChain ISO/IEC 5230:2020, and to be kept up-to-date on everything important in the compliance sphere via our webinars.
From a strategic perspective we are executing on the vision shared at the beginning of 2021: to scale engagement from thousands to tens of thousands of companies. With recent developments regarding open source, security and supply chain management, the necessity of this is ever more clear.
There are three things to watch for in Q1 2022:
- The new board member announcements and their implications for geographies and sectors,
- Updated materials for suppliers to make OpenChain ISO/IEC 5230:2020 even easier,
- Announcements regarding how we will work even more closely with others in the compliance and security domain.
Thank you for all your support in 2021. I look forward to collaborating with you to make 2022 another milestone in our field.
As we head into the holiday season I wanted to take a moment and thank everyone for an exceptional year. The OpenChain Project has accomplished incredible things, from altering the status quo in the tooling landscape (and making it better) through to preparing our first online training course. Too many people to count assisted in this process. However, I wanted to give special thanks and acknowledgement to Mark Gisi, chairperson of the Specification Work Group. This year he led an effort to conclusively bridge the gap between OpenChain ISO/IEC 5230 and the security domain.
This work was far more than speculative: companies around the world began using our ISO/IEC standard to accomplish security goals, especially in light of recent international developments. The situation was both supported and challenged by the market reality of deployment before full community cohesion. For large companies this is never a serious concern, but for small companies trying to get up-to-speed it is our job (and our pleasure) to make sure they can match their peers, their suppliers and their customers as soon as possible.
Mark took this all in his stride and coordinated a multi-month effort with exceptional consensus to produce our Security Assurance Reference Guide in August. Since that date the guide has been available to all parties for review, and Mark further shepherded feedback from that review to determine if updates were needed in the near term. They were not, because you all hit it out of the ballpark, and we got this artifact to market at precisely the right time to address topics like the US Executive Order.
Mark, thank you.
Now, Mark is far from the only person who has done exceptional things. I want to particularly thank Balakrishna for shepherding our first online training course (with certification) through reviews by many, many parties. We go live on the 16th December, tomorrow, and change the market in that direction. The course, of course, is free. I also want to thank Oliver, who has been running the OpenChain Reference Tooling Work Group on a breathtaking schedule of bi-weekly meetings. The sheer amount of information collected and experience shared eclipses anything done before in that domain. And finally in this list (but not in terms of amazing contribution), I want to thank Max for running the OpenChain Automation Case Study, which took all the ingredients around the world, and showed how to make them turnkey, how to make them work in the supply chain, and how to contextualize it as business intelligence.
OpenChain General Manager
The Open Compliance Summit had an excellent collection of speakers and participants for 2021. Continuing our tradition of recognizing some of the work done throughout the previous 12 months, we announced the following awards. Everyone here has contributed to making open source compliance faster, easier and more effective, and they have done a lot to make sure great compliance is available for every company of any size around the world.
We also awarded David Marr (Qualcomm) with a special award to recognize his exceptional and transformative contribution to our field. Thank you Dave. Without you, we would never have created OpenChain ISO/IEC 5230 and we would never have built this amazing community.
Watch The Awards
- Kris Feng
- Gao Kun
- Sami Atabani
- Balakrishna Mukundaraj
- Ayumi Watanabe
- Gary O’Neall
- Maximilian Huber
- Hiroyuki Fukuchi
- Kiyoshi Owada
- Andrew Katz
- Haksung Jang
- Oliver Fendt
The Steady Hand
- David Rudin
- Kate Stewart
- Michael Dolan
- Masato Endo
- Marcel Kurzmann
The New Guard
- Helio Chissini de Castro
- Jimmy Ahlberg
- Prasad Iyer
- Jari Koivisto
- Soim Kim
- Mary Mattran
The OpenChain Education Work Group and LF Training have collaborated on Introduction to Open Source License Compliance Management (LFC193), a free course with individual certification that is now available.
Who Is It For
This course is intended for developers, project managers and executive decision makers who already know the basics of what open source software is and how copyrights work and are ready to take the next step towards building a formal compliance program for their organization.
What You’ll Learn
This course provides a reference example of how an open source compliance program should be structured. It is designed to be used in the context of OpenChain ISO/IEC 5230:2020 but can be used for any open source compliance program. The course provides knowledge from the basics of intellectual property through to key concepts of an open source review. It is based on real-world experience and focuses on outcomes that are directly applicable to product and service deployment. The outcome of this course will be a clear understanding of how to use compliance as business optimization, reducing resource use and increasing efficiency.
What It Prepares You For
This course enables you to deal with the basics of open source license compliance management. You will be able to assess the current status of your company and begin planning improvements to processes. If you are a project manager, engineer or management personnel with a responsibility for architecture and strategy, this course will be particularly useful.
Get Started Here
Huge kudos to Balakrishna and everyone else in the Education Work Team for making this happen 🙂
The first OpenChain PlayBook is now available. It focuses on showing how a medium size company can go from considering to using OpenChain ISO/IEC 5230:2020.
The OpenChain PlayBooks are intended to help you understand the types of decisions made by managers in companies adopting OpenChain ISO/IEC 5230:2020. We cover examples of the decision-process in small, medium and large companies. Our examples are based on companies (a) in the technology industry, (b) in the middle of the supply chain and (c) shipping physical products containing software.
This may sound specific. However, the intention is to provide a thinking-tool for your company. Whether you are in the technology, finance, cloud, infrastructure or automotive industry (or any other), you will face similar challenges and solutions. The same applies whether you are in the middle of the supply chain or at its end, and whether you are shipping hardware or software. Our chosen examples cover a lot of ground.
Finally, this PlayBook contains an appendix with all the questions you need to answer to become OpenChain ISO/IEC 5230:2020 conformant. If you can answer all of these questions with “yes,” you have a conformant program. If you answer some of the questions with “no,” you know where to invest resources.
Get The Medium Company PlayBook
There may be situations where you would like more examples for more specific industries. This is where the OpenChain community comes in. You can join our mailing lists, our webinars, our group calls and our regional work groups to discuss challenges with your peers and in your native language.
You can get started here:
ETRI, Electronics and Telecommunications Research Institute of South Korea, has announced an OpenChain Conformant program. This program builds on other recent announcements of conformant programs in Korea from companies like LG Electronics and Samsung Electronics to solidify adoption of OpenChain ISO/IEC 5230:2020 in the market.
ETRI is a global information and communication technology (ICT) research institute under the Ministry of Science and ICT that has led the growth of the information and communication industry in Korea for 45 years since its establishment in 1976. The research institute is preparing to take a powerful leap forward to realize ‘Korea, an AI powerhouse’ with the vision of “a national intelligence research institute that creates a future society”. ETRI has been conducting open source verification as part of its software quality management since 2008. In 2017, ETRI established the Open Source Center as an enterprise-wide organization to support open source R&D activities as well as open source governance and compliance.
With this OpenChain certification, ETRI is pleased to have received international recognition as a more reliable and efficient open source management and development institution, and it is expected to increase the international credibility of the open source software developed by ETRI in the future. ETRI plans to continuously promote open innovation in open source R&D activities and to build a robust open source ecosystem through strong cooperation with other research institutes and companies as well as academia. The president of ETRI, Dr. Myung-Jun Kim said, “The open source based collaboration is now becoming a new paradigm to realize the R&D innovation that determines the future ICT competitiveness of the nation as a whole. We will take the lead in spreading the healthy and robust open source ecosystem.”
“The OpenChain Project maintains ISO/IEC 5230 and the support structures needed to sustain it,” says Shane Coughlan, OpenChain General Manager. “This has helped organizations around the world adopt our standard. Our greatest strength is the international community we have fostered to offer realistic, relatable knowledge in this field. I am proud to say that our Korea Work Group is one of the most dynamic in the world, and today’s news underscores the power of collaboration. We are delighted to welcome ETRI into the community of conformance, and we will work together at the cutting edge of technology and open source.”
Today we welcome FOSSA to the OpenChain Partner Program. Their expertise and leadership gives a significant boost to the support available for OpenChain ISO/IEC 5230, the International Standard for open source license compliance.
Learn more on their blog:
The OpenChain automation case study about using open source tools for open source compliance runs between September and December 2021. It is the largest case study ever undertaken in this space. The outcome of attending will include better knowledge of options for automation around open source compliance, a better understanding of interoperability in the space, and an awareness of how to engage with the field in a turn-key manner.
Part #6 digs further into how a Software Bill of Materials like SPDX ISO/IEC 5962 can optimize operations in the supply chain by ensuring manual or automated analysis works in a more efficient and effective manner.
- December 16th, a recap of the whole open source tooling eco-system at Open Compliance Summit 2021.
Available to Watch Now:
- Part #1 explores a new graphical tool from Facebook/TNG to make open source tooling easier to use. Our demo shows ORT calling ScanCode in a clean, simple way. We also discuss how the graphical interface was designed.
- Part #2 explores the engineering behind the new graphical tool from Facebook/TNG that makes open source tooling easier to use.
- Part #3 explores how ORT (the Open Source Review Toolkit) works both with the graphical tool and when used on its own.
- Part #4 explores how TERN (a container scanner) works both with the graphical tool and when used on its own.
- Part #5 explores how SPDX ISO/IEC 5962 works as a Software Bill of Materials (SBOM) in the supply chain through existing open source tooling for open source compliance.
- Part #6 digs further into how a Software Bill of Materials like SPDX ISO/IEC 5962 can optimize operations in the supply chain by ensuring manual or automated analysis works in a more efficient and effective manner.