The OpenChain Project identifies the key requirements of a quality open source compliance program. It builds trust in open source by making things simpler, more efficient and more consistent. The OpenChain Specification is the industry-standard for managing open source compliance across the supply chain.

Where Can I Find A Formal Description Of The Project?

The Project Charter (PDF)

How does OpenChain work?

The OpenChain Project maintains a standard designed to create trust between organizations called the OpenChain Specification. We provide online and offline self-certification and extensive reference material to assist with implementation. The result is that open source becomes more predictable, understandable and efficient for internal and external supply chains of any type.

How is OpenChain organized?

The OpenChain Project has four public work teams:

  1. The Specification Work Team identifies and publishes the key requirements of a quality open source compliance program.
  2. The Conformance Work Team helps companies check that they are adhering to the Specification requirements.
  3. The Curriculum Work Team provides reference material to help companies meet the Specification requirements.
  4. The Onboarding Work Team creates material to make it easy to understand the OpenChain Project.

There are also three committees for member companies:

  1. The Governing Board manages policies or rules and procedures for the Project, fund raising, budgeting and so forth.
  2. The Steering Committee develops, manages and updates the OpenChain Compliance Specification.
  3. The Outreach Committee designs, develops and executes activities to expand the OpenChain ecosystem.

How can I contribute?

Visit the OpenChain Community page for information on how to join and contribute.

How does the OpenChain Specification work?

There are four principles that guide the development of the OpenChain Specification:

  1. Build trust around the use of open source.
  2. Use a “Less is More” approach focused on the key requirements of a quality compliance program.
  3. Focus on “what and why” rather than “how and when” to ensure freedom of choice.
  4. Be an open development initiative that welcomes all contributions.

Who Conforms To The OpenChain Specification?

We maintain a list of organizations that have a publicly announced OpenChain Conformant Program. The OpenChain standard is primarily focused on the relationship between suppliers and customers, so organizations have the freedom to be conformant without public announcement.

Where can I find the current version of the OpenChain Specification?

You can find it on the OpenChain Specification page.

Does an open source program need to satisfy all the requirements of the specification to be considered OpenChain Conformant?

The specification defines the key requirements of a quality open source compliance program. A program must satisfy all the OpenChain requirements to conform.

Does conformance mean that all software from the organization is OpenChain Conformant?

When a software supplier states they are OpenChain conforming, it means they have a program that satisfies all the requirements of the OpenChain specification. It does not mean that all software entering or exiting the company has passed through such a program. Anyone receiving software from the company can ask whether the software received went through the OpenChain conforming program.

Does all software in an organization need to be covered by an OpenChain Conforming program to achieve program conformance?

Organizations are sometimes composed of different groups and/or departments which may have different programs and release procedures (e.g., engineering vs professional services). One open source program within an organization can be classified as OpenChain Conformant if it satisfies the specification requirements while another program may not. Software is not OpenChain Conformant if it has not been reviewed under an OpenChain Conformant program.

Does the OpenChain Specification serve as a best practice guide?

The objective of the specification is to provide a set of requirements to help evaluate whether an open source compliance program is sufficient. It focuses on the “what and why” aspects of a program and not the “how” or “when.” The OpenChain Specification is not a best practice guide because there are many different ways to construct an open source compliance program (how and when) that would satisfy the conformance requirements. The specification provides a method of measuring whether a program has obtained a baseline level of quality and consistency.

How was the OpenChain Specification developed?

The Linux Foundation OpenChain Working Group functions like an open source project by obtaining input from dozens of individuals, companies and organizations that have experience preparing for and/or exchanging software in the software supply chain. There are no specific requirements for participating. The working group identified six main categories of a compliance program and then had contributors identify important tasks and deliverables for each category. The six categories were:

  1. Know Your Free and Open Source Responsibilities [i.e., “Policy and Training”]
  2. Assign Responsibility for Achieving Compliance
  3. Deliver open source Content Documentation and Artifacts
  4. Review and approve open source content
  5. Understand open source Community Engagement
  6. Certify Adherence to OpenChain Requirements

A number of reference documents were prepared and used as important sources of input into identifying core requirements of a quality compliance program. Several of those documents include:

Does the OpenChain Specification describe how to comply with the most popular open source licenses?

The OpenChain Specification is structured to provide a list of requirements for a quality open source compliance program. The key goal of the specification is to foster trust around open source compliance between two parties exchanging software. The specification does not focus on the specifics of complying to individual open source licenses.

Does the OpenChain Specification provide legal guidance?

The OpenChain Specification does not provide legal guidance. It does require an organization to designate a legal expert who can assist with legal guidance. It also requires that a process exists to ensure appropriate attention is given to license requirement analysis and fulfillment.

Does OpenChain Conformance guarantee license compliance?

OpenChain Conformance significantly reduces the likelihood of license compliance issues but it does not provide an assurance that no issues will occur.

Are there resources to help with OpenChain Conformance?

The OpenChain Curriculum working group has developed reference materials that can help with conformance. There are also extensive compliance-related resources hosted by the Linux Foundation Open Compliance Program.

Are there Case Studies for OpenChain Conformance?

The OpenChain Project has begun to release case studies from conformant organizations. You can read the first case study here.

How is the OpenChain Specification licensed?

The specification is licensed under the Creative Commons Attribution License 4.0 (CC-BY-4.0). You can get a copy of that license here. All other material in the OpenChain Project is provided under the Creative Commons 1.0 Universal (CC0 1.0) Public Domain Dedication. You can get a copy of that license here.

What is the difference between Conformance and Compliance?

In the specification text we do not use the term “Compliance” with respect to satisfying the specification requirements. This is to prevent confusion with “license compliance” or “open source compliance program” as mentioned throughout the specification text. This is why we use the term “Conformance” to mean a program has satisfied all the specification requirements.

What is the objective of OpenChain Conformance?

OpenChain Conformance assesses whether an organization has applied the key requirements of a quality open source compliance program as outlined in a specific version of the OpenChain Specification. Organizations of any size can accomplish this through free self-certification via our online questionnaire. Organizations also have the option to ask a third party to provide “audited certification” if required in their industry sector.

Where can I access the free self-certification questionnaire?

Where can I get help with OpenChain Self-Certification?

You can start with the Getting Started instructions on the OpenChain Self Certification page.

Can I change my submission?

You will see an Unsubmit button at the bottom of the page after signing in to the Online Self-Certification site. Clicking this button will cancel your previous OpenChain Self-Certification submission. You can then re-submit the conformance check.

What if I don’t agree with a submission made by another organization?

Email openchain-conformance@linux-foundation.com with the name of the organization you are concerned about and the reason you disagree with their submission. You should expect a response within 4 weeks.

What response time should I expect to a submittal request?

If all information is correct, the submittal will automatically be approved by the system. Any omissions or incorrect answers will be reported to the user.

How do I report issues with the Online Self-Certification Questionnaire?

Email openchain-conformance@linux-foundation.com with any issues. Please include specific information on the issue you have encountered.

What is the OpenChain Curriculum for?

The OpenChain Curriculum is intended to help organizations shipping or receiving open source software through supply chains. It provides reference material to help organizations fill out any process gaps and meet the OpenChain specification requirements.

What legal jurisdiction does the material cover?

The OpenChain Curriculum reference material is focused on US law. Companies need to take this into account when considering the use of the reference slides for in-house training. Different legal jurisdictions have different legal requirements.

Does the OpenChain Curriculum contain everything you need to be compliant with open source licenses?

The OpenChain Curriculum is intended to help companies either get started with an OpenChain conformant program or to expand an existing program. It is not intended to identify and provide solutions to all aspects of managing open source compliance.

How does OpenChain relate to CII Best Practices?

OpenChain and CII Best Practices are both Linux Foundation projects that identify open source process quality criteria. OpenChain focuses on the supply chain between organizations. The CII best practices badge focuses on criteria for well-run open source projects. See the CII Best Practices website for more details of their great work.