Featured

Shane Coughlan’s Keynote

OpenChain Korea Work Group Meeting #18 from Shane Coughlan

Haksung, The Chair, Opens The Meeting

Seo-yeon – A Major Contributor – Gave A Great Talk As Usual

The Audience Was Dynamic And Attentive To All The Excellent Presentations

Also, Snacks

A Message From Seo-yeon Lee at LINE Plus.

안녕하세요 여러분! 라인의 이서연입니다.

어제는 잘 들어가셨나요~?

조금 더웠던 날씨에도 불구하고 모두들 에너지 넘치게 모임에 참석해주셔서 덕분에 이번에도 알찬 시간을 보낼 수 있었습니다. 

발표 준비에 수고해주신 발표자 여러분, 그리고 장소 준비에 힘써주신 카카오 크루 여러분께 다시 한 번 감사의 말씀 전합니다. 

어제 말씀드렸던 행사 피드백 설문조사를 보내드립니다. 아주 짧은 내용이오니 꼭 의견 보내주시면 다음 모임에 반영하도록 하겠습니다.

• https://forms.gle/BYgAUxhFCsEyuAKd9

추가로 그룹토의 활동 결과물도 보내드립니다. 

The 52nd OpenChain Webinar will cover a proposal from the Okinawa Open Labs in Japan to help “label” items in the supply chain to increase trust.

Our presenter will be MASANORI TSUJIKAWA (辻川公章) from Alaxala. 

Our topic will be the Trusted Network Introduction – Eco-system based Open Trust Chaining over existing value-chain and supply-chain.

Everyone can join from this link:
https://zoom.us/j/4377592799

The next meeting of the OpenChain Automotive Work Group is scheduled for June 14th at 08:00 Central, 09:00 Eastern, 13:00 UTC, 15:00 CEST, 21:00 CST and 22:00 JST.

Schedules permitting, we will be having case studies from North American and Asian automotive experts. We want to have a particular focus on the practical aspects of managing open source in large manufacturers with complex automotive supply chains.

Our agenda will be lead by our Chair, Masato Endo of Toyota in Japan, and Russ Eling of OSS Consultants in the USA. As usual, this will be a live event, and everyone is free to join.

When

Wednesday (2023-06-14) @ 09:00 Eastern, 13:00 UTC, 15:00 CEST, 21:00 CST and 22:00 JST

Location

https://zoom.us/j/4377592799

NORDEMANN, a law firm based in Germany, is the latest official OpenChain Partner. Based in Berlin, NORDEMANN combines a team with a long pedigree of legal provision with a clear, modern vision for making the complex simple.

“NORDEMANN as an IP/IT boutique law firm from Germany is committed to excellence in its work for its clients, such as IT companies and other industries using open source and contributing to such projects”, says founding partner Christian Czychowski, Honorary Professor at the University of Potsdam. “We are happy to now underline such excellence by having been accepted as partner of the renown OpenChain industry standard for open source compliance. By that can be part of this great community around the globe that sets the rules which help to build the all important trust in supply chains.”

“We are delighted to welcome the NORDEMANN team to the our official partner program,” says Shane Coughlan, OpenChain General Manager. “The availability of reputable legal advice is a key pillar in the effective market growth of our standards for open source license compliance and security assurance. The delivery of more choice in the German market marks a further milestone in the maturity of the OpenChain ecosystem.”

Learn More About NORDEMANN On Their Website

• https://nordemann.de/en/

The OpenChain Legal Work Group is exploring model provisions for OpenChain ISO/IEC 5230 or ISO/IEC DIS 18974 in procurement contracts and similar material. We decided to proceed via mirroring the format of the pre-existing public domain Risk Grid:
https://github.com/OpenChain-Project/Reference-Material/tree/master/General-Compliance-Support-Material/Risk-Grid

Our Current Draft Language Is Hosted On GitHub

• https://github.com/OpenChain-Project/Reference-Material/tree/master/Adoption-Preparation/Model-Provisions

Here Is The Recording Of Our Latest Meeting

Check Out The Slides

legal-work-group-2023-05-25 from Shane Coughlan

The Next Meeting Will Take Place In June

Currently scheduled for June 29th at 09:00 PDT / 16:00 UTC / 18:00 CEST / 00:00 CST / 01:00 KST + JST

Keep Up-To-Date

Join our mailing list to track our work and contribute to the development of the model provisions:
https://lists.openchainproject.org/g/legal-wg

Reminder:

The goal is to ensure people can understand options. We will not be prescriptive and these model provisions will remain part of the OpenChain reference material. They will not be included in the standards themselves.

The OpenChain Project, in collaboration with CAICT, SecTrend and Huawei, will host a governance conference in Shenzhen on the 3rd of June. We have a stellar schedule that will cover all aspects of open source management and processes. Shane Coughlan, OpenChain General Manager, will be there to provide a global perspective, and our local speakers will provide deep insight into matters of key strategic concern to the Chinese market.

Jimmy Ahlberg (OpenChain Chairperson) and Eleftheria Stefanaki have published an article entitled ‘Efficient IP management in a market increasingly using open source’ on IAM.

From The Article

Imagine finding out that 90% of the software in your products is not yours but only licensed in as third-party IP.  As soon as you start reading the agreements, you realise some of them contain terms you are not familiar with or have never even heard of before, such as “source code”, “binary”, “object code”, and “system libraries”. Moreover, you cannot find basic contractual provisions such as “governing law” or “jurisdiction” in the agreements. These agreements (and there are hundreds of them) are all different, non-negotiable, ‘take-it-or-leave-it’ standard template licences.

[…]

Against this background, this article describes the significance of open source management in the context of IP management. We would like to introduce you to the OpenChain Specification 2.1 (ISO/IEC 5230:2020) on open source licence compliance, and the benefits of implementing such a programme within the framework of your existing IP management.

Read The Article

• https://www.iam-media.com/article/efficient-ip-management-in-market-increasingly-using-open-source

Registration required.

About IAM

IAM is the trusted source of worldwide news, analysis and data on the management of intellectual property as a key business asset. It keeps in-house counsel up to speed with the global issues and strategies that matter, giving you the detail and depth you need to operate successfully.

• https://www.iam-media.com/info/about

The Open Compliance Summit (OCS) 2023 has been announced. It will once again be co-located with OSS Japan as a two day event. It takes place on the 7th and 8th December 2023.

From The Official Website:

OCS is an event for Linux Foundation members and select invitees to discuss process management and automation related to open source license compliance, security assurance and adjacent subjects. This is the world’s foremost venue to discuss and network around these topics. Our goal is to ensure the global supply chain works effectively and efficiently.

Submit a Talk

The Call for Papers is open and will continue until October 1st 2023.

Suggested Topics:

• Licensing
• Security
• Legal / IPR
• Other Process Management

SUBMIT A PROPOSAL

Important Dates

• CFP Closes: Sunday, October 1 at 11:59 PM PDT
• CFP Notifications: Monday, October 16
• Schedule Announcement: Tuesday, October 17
• Presentation Slide Due Date: Friday, December 1
• Event Dates: Wednesday, December 7 – Thursday, December 8

Official Website

• https://events.linuxfoundation.org/open-compliance-summit/

The OpenChain Project held a mini-summit adjacent to the Linux Foundation Open Source Summit North America. Check out our opening keynote for some substantial data points on our project, our standards for license compliance and security assurance, and the type of support you can get with adoption.

OpenChain Mini-Summit May 2023 from Shane Coughlan

We continued with a presentation from our board member Helio (CARIAD), with a strong focus on how people can use automation in the practical implementation of important compliance and security processes at scale.

OpenChain Mini-Summit 2023 – State of Tooling in Open Source Automation from Shane Coughlan

The final presentation drilled further down the stack, and we had a great contribution from the LG Electronics team as their explained FOSSLight, an open source tool for open source compliance or security management with sophisticated dashboard and automation. This solution is gaining traction in South Korea and is well worth attention globally.

FOSSLight at the OpenChain Mini-Summit May 2023 from Shane Coughlan

The overarching event this year had around 2,000 physical attendees and 2,000 virtual, and we were delighted to welcome some new faces to our corner of the open source community. It was also a pleasure to see many familiar faces in the room.

Minutes Prepared By Steve Kilbane of Analog Devices

• Expecting the Security Spec to graduate from ISO/IEC at end of July.
• Shane has produced 8 case studies using ChatGPT.
• Helio on “State of Tooling in Open Source Automation” (Helio can probably share his slides, if they’re not already on the LF platform)
  • Tools, Trends, Insights.
  • Previous trend was license compliance.
  • Current trend is security.
  • Few can consume SBOMs.
  • Lots of gaps for license compliance automation.
  • We need open data, avoiding control of that data by one entity.
  • Binary analysis will displace source-only scans.
    • I think this point here is that, current binary scans aren’t sufficient, but as we move up SLSA levels, we’ll have more attestations from the build, and those will be sufficient.
  • Poor data quality, especially vulnerability databases.
  • PURLs prevent vendor lock-in to a given DB.
    • We need unique identifiers for software.
  • We need to share the data of package review and curation, but need to overcome concerns from legal departments.
  • Should we share scanner output first? (ahead of curations?)
  • We should try to fix upstream (to have better compliance info / metadata)
  • Helio wants data to be standardised; I was unclear whether Helio was saying data should be centralised or de-centralised (sorry, Helio). I wasn’t clear whether the call was for a federated network of standard servers.
  • Licensing isn’t the same as security. Lots in common, but different use-cases, with different audiences, so have different docs to explain your systems and tools.
  • License compatibility: Multiple tools / matrices in use, but they’re all legally subjective and dependent on jurisdiction.
  • Snippet matching
    • V. expensive in terms of time (and, therefore, money)
    • Weirdly, Helio argued that Synopsys has given up on Snippet matching, as they’ve all but abandoned Protex. Hub has snippet-matching – we use it all the time at ADI.
    • Suggests that ChatGPT et al. will make snippet matching more relevant and useless, at the same time, because it’ll generate new boilerplate from everyone’s code.
    • Note to self: Look into MatchCode, which Helio mentioned.
  • SBOMs
    • Not good, don’t have all the data.
    • Often can’t read them anyway.
    • Tools do not integrate them well.
    • SBOMs need to be validated – but even a valid SBOM can contain junk data, if the data is wrong in the first place.
  • Collaboration opportunities
    • “Live inventory of FOSS tools and their capabilities” – which sounds like the capability map / tooling landscape the OpenChain Automation WG was working on last year.
• FossLight presentation from LG (fosslight.org)
  • Scans with ScanOSS and ScanCode.
  • Bunch of package managers supported.
  • Has a built-in workflow – SBOM management?
  • Has a Jenkins CI for the prechecker.
  • Mails vulnerability notices to the dev team.
  • Has a Supply Chain Management section, for third-party code.
  • Unclear how many of the features being mentioned are part of the OSS product, and how many are still internal-only for LG.
  • I didn’t spot where the clearing/curation decision feeds back into a later scan.
  • Sounds like developers can only upload single packages at a time to be scanned; bulk upload is an internal-only package at the moment.
• Shane mentioned a cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn’t catch). The OSPO budgeted three hours to do the job. They spent a week on it, then gave up and bought Black Duck. So we have a way to go on making tooling easier to set up.

CARIAD, the wholly-owned division of VW Group creating advanced software for future vehicles, has joined the Governing Board of the OpenChain Project as a Platinum Member.

Helio Chissini de Castro, who will be representing CARIAD on the OpenChain Governing Board, is a familiar face to many in the OpenChain Project. He was previously our board member for BMW and is currently our co-chair of the Specification Work Group. As an old hand at Linux and other open technologies, Helio brings immense practical experience about open source and business management to the table.

About CARIAD

CARIAD is the software powerhouse of Volkswagen Group. Its mission: to bundle and further expand the software competencies of the Volkswagen Group. Mobility made easy. For everyone. Software driven. With a focus on the digital experience and automated driving, CARIAD is building the leading tech stack for the automotive industry. Aiming to create a new automotive experience and increase the innovation speed of Volkswagen Group to make the car a digital companion. The software-defined vehicle powered by CARIAD is a crucial contribution to the success of the Group’s NEW AUTO strategy.