Imagine you have created an open source project that has become incredibly popular.  Thousands, if not millions, of developers worldwide, rely on the lines of code that you wrote. You have become an accidental hero of that community — people love your code, contribute to improving it, requesting new features, and encouraging others to use it. Life is amazing, but with great power and influence comes great responsibility.

When code is buggy, people complain. When performance issues crop up in large scale implementations, it needs to be addressed. When security vulnerabilities are discovered — because no code or its dependencies are always perfect — they need to be remediated quickly to keep your community safe.  

To help open source projects better address some of the responsibilities tied to security, many communities hosted by the Linux Foundation have invested countless hours, resources, and code into some important efforts. We’ve worked to improve the security of the Linux kernel, hosted Let’s Encrypt and sigstore, helped steward the ISO standardization for SPDX, and brought together a community building metrics for OSS health and risk through the CHAOSS project — among many others.

Today, we are taking steps with many leading organizations around the world to enhance the security of software supply chains. The Linux Foundation has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF) and its initiatives. This cross-industry collaboration brings together an ecosystem to collectively identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices, and vulnerability disclosure practices. We are also proud to announce that open source luminary, Brian Behlendorf, will serve the OpenSSF community as General Manager. 

Financial commitments for OpenSSF include Premier members such as AWS, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members, including Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.

To learn more about how to join the OpenSSF or to get involved in one of its six working groups, listen in to this brief introduction from Brian Behlendorf recorded this week at KubeCon:

In 2021, the Linux Foundation and its community will continue to support education and share resources critical to improving open source cybersecurity.  For example, this week, we also hosted SupplyChainSecurityCon, where the SLSA and sigstore projects were heavily featured.

If you are an open source software developer, user, or other community participant who just wants to help further protect the software that accelerates innovation around the world, please consider joining one of our six OpenSSF working groups, or suggest a new working group that addresses gaps in software supply chain security needs.

You can follow the latest news from OpenSSF here on our blog, Twitter (@TheOpenSSF), and LinkedIn.

Background

The Academy Software Foundation (ASWF), a project hosted by The Linux Foundation, provides a neutral forum for open source software developers in the motion picture and broader media industries to share resources and collaborate on image creation, visual effects, animation, and sound technologies. 

It was created in 2018 after the conclusion of an investigation by the Academy of Motion Pictures Arts and Sciences (AMPAS) Science and Technology Council holding an 18-month investigation on the state of open source in the industry. This aligned with the need for a vendor-neutral foundation to provide a sustainable home for open source projects that are key to the growth of the industry.

Identifying the need for exemplar assets for community use

As of August 2021, The Academy Software Foundation provides a home for Open Shading Language, OpenColorIO, OpenCue, OpenEXR, OpenTimelineIO, OpenVDB, and MaterialX.

As these projects have progressed in development, there was a need identified to have production-grade digital assets (e.g.,3D scene data, images, image sequences, volumetric data, animation rigs, edit decision lists) available for use in development and testing environments to ensure these projects can scale to the demands of the movie and content creation processes. 

Furthermore, the ASWF identified an additional need to have production-grade assets for general research and learning purposes. 

The ASWF identified two objectives to address these requirements:

  • Provide a vendor-neutral home for both homing the assets and being a curator for exemplar assets that would align with the industry needs.
  • Create a licensing framework striking a balance between the needs in research, learning, and open source development, with the intellectual property concerns of production-grade assets (as they often come from real productions).

An open community comes together

There was some precedent in the industry, with the 2018 release of the Moana Island Scene by Disney Animation. This sparked several discussions in the industry on how to have a larger set of similar assets available for community use leading to the creation of an Asset Repository Working Group at the Academy Software Foundation in 2020.

The culmination of this working group came in July 2021, with the transition of the working group to a formal project that will establish the infrastructure and governance of the Assets Repository. The intention is for the project to function and work like any other open source project, with full transparency and community participation, to identify and curate exemplar assets. 

At the same time, the legal counsel across Academy Software Foundation members came together to align on the ASWF Digital Assets License, which was created in the spirit of licenses used previously in the industry and designed to specifically ensure these assets can be used for education, learning, research, and open source development. The ASWF Digital Assets License helped create a bridge between producers and consumers of these assets, establishing standardized terms to enable collaboration and the re-use of content in an industry where it had previously been limited.

As of August 2021, there is interest from multiple organizations in contributing assets to this repository as it takes form over the next few months.

Conclusion

The Linux Foundation has been the home for vendor-neutral collaboration in both horizontal technology spaces and vertical markets such as automotive, networking, energy, and here motion pictures. In supporting over 750 open source projects, we are starting to see more and more efforts such as these where the collaboration outside of traditional software development and into educational materials, community development, and standards. The Assets Repository project at the Academy Software Foundation is a great example of the unique collaboration opportunities that open source brings and are driven by our open communities.

We’re pleased to announce that Michael Cheng joined the Linux Foundation Board of Directors earlier this year. Michael is a product manager at Facebook, currently supporting open source and standards work across the company. Michael is a former network engineer and M&A attorney. He previously led the product, commercial, and intellectual property functions on Facebook’s M&A legal team.

Michael has built some of the world’s most valuable and innovative open source ecosystems, representing billions of dollars of value, including GraphQL, Magma, Diem, ML Commons, and many others.

In 2018, Michael helped design the Joint Development Foundation — a lightweight, turnkey solution for the development of technology standards and specifications. Michael then brought in GraphQL as the JDF’s first project. GraphQL now powers trillions of API calls every day for some of the world’s largest companies.

Michael Cheng

Michael was one of the founding members of ML Commons, an industry-wide consortium that aims to unlock the next stage of AI/ML adoption by creating useful measures of quality and performance, large-scale open data sets, and common development practices and resources. Michael served as ML Commons’ first treasurer, and it has since grown to more than 50 members and affiliates representing a broad cross-section of the ML ecosystem.

This year, Michael created the Magma Foundation, the first open source platform that enables telecom operators to build modern and efficient mobile networks at scale. Michael now chairs the board of the Magma Foundation — growing its ranks to more than 20 members this year.

Michael is also a champion of diversity. Late last year, at the height of the pandemic, Michael designed and launched the Major League Hacking (MLH) Fellowship program to address challenges faced by both early-career developers who saw many of their job and internship opportunities disappear open source maintainers struggling to keep projects afloat. The Fellowship has been effective at helping students land desirable jobs while increasing the aggregate health of the open source projects that participate in the program. Michael also launched the Black Developer Scholarship for developers who self-identify as Black or African diaspora to participate in the Fellowship.

Michael has also played an integral role in the creation of the Presto Foundation, eBPF Foundation, Ent Foundation, Reactive Foundation, Urban Computing Foundation, and OpenChain.

“Michael is one of the rare breeds of lawyers who possess both a strong technical background and a sharp mind for process improvement.  His leadership at Facebook has made a meaningful impact within the OpenChain project and beyond.  I warmly welcome him to the Linux Foundation board.”

Dave Marr, Vice President, Legal Counsel at Qualcomm Technologies

“Facebook is built on top of open source and has shown a strong commitment to investing back into the communities from which we all benefit. Micheal’s legal background and technical knowledge make him an ideal member of the Linux Foundation board. His leadership is just another example of Facebook’s commitment to open source and collective innovation.” 

Jim Zemlin, Executive Director, Linux Foundation

“Successful open source work requires an intersection of legal, business, technical, and community thinking and Michael brings all those skills in one very integrated way.  And his perspectives from his experience shepherding multiple open source projects at scale and in production is of great value to the Linux Foundation board. I am excited to welcome him to the board and to work with him on advancing open source innovation.” 

Nithya Ruff – Chair, Linux Foundation Board of Directors, Head, Comcast Open Source Program Office

“Michael’s role in growing some of the Linux Foundation’s most valuable communities cannot be understated. He brings a level of technical depth, legal acumen, and industry credibility that has been instrumental in stitching together novel coalitions of companies, NGOs, and individuals into dynamic and sustainable communities. We’re thrilled to have him on the board.”

Chris Aniszczyk, CTO, CNCF

“Michael’s talents, skills, and experience have been brought to bear at Facebook to transform the company’s identity in the open source software community. His leadership, vision and understanding of the importance of collaboration and the development of consensus in the legal and technical communities of important projects have made Facebook a key driver in open source.”

Keith Bergelt, CEO, Open Invention Network

Today, the Linux Foundation announced that Ent, an entity framework for Go that was developed and open sourced by Facebook in 2019, has moved under the governance of the Linux Foundation to help accelerate its development and foster the community of developers and companies using it.

Ent was designed to enable developers to work on complex backend applications. Developers working on these applications faced the challenge of maintaining a codebase used to manage hundreds of different entity types with numerous, complex relationships between them. Ent uses graph concepts to model an application’s schema and employs advanced code-generation techniques to create type-safe, efficient code that greatly simplifies working with databases compared to other approaches.

Ent is similar to traditional ORMs (Object-Relational Mappers) but takes an opinionated approach that is especially effective in improving developer productivity. 

  • First, schemas are modeled in graph concepts (nodes and edges) instead of the more common table-oriented method that makes traversing through datasets and expressing complex queries easier and less error-prone. 
  • Second, the code generated by Ent is completely type-safe, which means that many classes of common bugs are caught very early on in the development process. In addition, code editing software can understand Ent code very well to offer developers useful hints and feedback as they are typing code. 
  • Finally, schemas are defined in actual Go code, which facilitates a very rich feature set ranging from integrations with observability systems to the definition of privacy (authorization) rules right at the data-access layer. 

“From the start it was obvious that Ent would present a unique and compelling value proposition to a diverse range of use cases across any industry with complex technology stacks,” said Ariel Mashraki, Ent’s creator and lead maintainer. “The promise of collaborating with a broad coalition of users was the main reason we open-sourced Ent.” 

Since it was open-sourced in 2019, engineers from many leading companies have contributed code to Ent, including Facebook, GitHub, Mail.ru, Scaleway and VirtaHealth. Ent has also been used by the CNCF projects and by other open source ecosystems. Ariel Mashraki recently started a new company, Ariga, to create a data fabric solutions provider that is built on Ent. “With the move to the Linux Foundation’s neutral governance model, we (on behalf of myself and the rest of the Ent maintainers) hope to double-down on growing Ent into the industry standard for data-access in Go. You should expect to see a lot of exciting developments in the next six months from the community and we invite all to participate,” said Mashraki.

Ent is just the latest in a variety of technologies that Facebook has first open sourced to the public and then transferred control to the community. “This additional step of enabling open source contributors to take direct ownership of a project’s technical vision is part of our longstanding commitment to open and sustainable innovation,” said Michael Cheng, product manager at Facebook. “Enabling a project’s maintainers to chart their course often sparks additional investment, contributions and new companies building products and platforms based on that project, for example, GraphQL, Presto, ONNX, and Magma, to name a few. We see that Ent is already following a similar pattern and we’ll be cheering on the Ent community as it enters this next stage of exciting growth.”


You can learn more about Ent framework for Go, sample the technology, and contribute back to the project at https://github.com/ent/ent.

Open source software (OSS) is vitally important to the functioning of society today; it underpins much of the global economy. However, some OSS is highly secure, while others are not as secure as they need to be.

By its very nature, open source enables worldwide peer review, yet while its transparency has the potential for enhanced software security, that potential isn’t always realized. Many people are working to improve things where it’s needed. Most of that work is done by volunteers or organizations outside the Linux Foundation (LF) who directly pay people to do the work (typically as employees). Often those people work together within a foundation that’s part of the Linux Foundation. Sometimes, however, the LF or an LF foundation/project (e.g., a fund) directly funds people to do security work.

At the Linux Foundation (LF), I have the privilege of overseeing focused work to improve OSS security by the very people paid to do it. This work is funded through various grants and foundations, with credits to organizations like Google, Microsoft, the Open Source Security Foundation (OpenSSF), the LF Public Health foundation, and the LF itself.

The LF and its foundations do much more that I don’t oversee, so I’ve only listed the ones I am personally involved with in the interest of brevity. I hope it will give you a sense of some of the things we’re doing that you might not know about otherwise.

The typical LF oversight process for this work is described in “Post-Approval LF Security Funding.” Generally, performers must provide a periodic summary of their work so they can get paid. Most of those summaries are public, and in those cases, it’s easy for others to learn about their interesting work!

Here’s a sample of the work I oversee:

  • Ariadne Conill is improving Alpine Linux security, including significant improvements to its vulnerability processing and making it reproducible. For example, as noted in the July 2021 report, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time. Alpine Linux’s security is important because many containers use it. For more information, see “Bits relating to Alpine security initiatives in June” and “Bits relating to Alpine security initiatives in July.”
  • kpcyrd is doing a lot of reproducible build work on Linux distributions, especially Alpine Linux (including on the Raspberry Pi) and Arch Linux. Reproducible builds are a strong countermeasure against build system attacks (such as the devastating attack on SolarWinds Orion). More than half of the currently unreproducible packages in Arch Linux have now been reviewed and classified.
  • David Huseby has been working on modifying git to have a much more flexible cryptographic signing infrastructure. This will make it easier to verify the integrity of software source code; git is widely used to manage source code.
  • Theo de Raadt has also been receiving funding to secure the critical “plumbing” behind modern communications infrastructure:
    • This funding is being used towards improving OpenSSH (a widely-used tool whose security is critical). These include various smaller improvements, an updated configuration file parser, and a transition to using the SFTP protocol rather than the older RCP protocol inside the scp(1) program.
    • It is also being used to improve rpki-client, implementing Resource Public Key Infrastructure (RPKI). RPKI is an important protocol for protecting the Internet’s routing protocols from attack. These improvements implement the RPKI Repository Delta Protocol (RRDP) data transfer protocol and fix various edge cases (e.g., through additional validation checks). The https://irrexplorer.nlnog.net/ service is even using rpki-client behind the scenes.
  • Nathan Chancellor is improving the Linux kernel’s ability to be compiled with clang (instead of just gcc). This includes eliminating warning messages from clang (which helps to reduce kernel bugs even when gcc is used) and fixing/extending the clang compiler (which helps clang users when compiling code other than the Linux kernel). Unsurprisingly this involves changing both the Linux kernel and the clang/LLVM compiler infrastructure, and sometimes other software as well.
    • In the long run, eliminating warnings that by themselves aren’t bugs is important; developers will ignore warnings if there are many irrelevant ones, but if there are only a few warnings, they’ll examine them (making warnings more useful).
    • Of notable mention for security implications is clang support for Control-Flow Integrity (CFI); this can counter many attacks on arm64, and work will eventually enable x86_64 support.
  • I oversee some security audits conducted via the Open Source Technology Improvement Fund (OSTIF) when funded through the LF. We (the LF) often work with OSTIF to conduct security audits. We work with OSTIF to define the audit scope, and then OSTIF runs a bidding process where qualified security audit firms propose to do the work. We then work with OSTIF to select the winner (who isn’t always the cheapest — we want good work, not a box-check). OSTIF & I then oversee the process and review the final result. 
    • Note that we don’t just want to do audits, we also want to fix or mitigate any critical issues the audits identify, but the audits help us find the key problems. Subject matter experts perform the audit reports, and handling bidding is OSTIF’s primary focus, so my main contribution is usually to help ensure these reports are clear to non-experts while still being accurate. Experts sometimes forget to explain their context and jargon, and it’s sometimes hard to fix that (you must know the terminology & technology to explain it).
    • This work included two security audits related to the Linux kernel, one for signing and key management policies and the other for vulnerability reporting and remediation. 
    • I’ve also overseen audits of the exposure notification applications COVID Shield and COVID Green: 
    • It’s not part of my oversight of OSTIF on behalf of the LF, but I also informally talk with OSTIF about other OSS they’re auditing (such as flux2, lodash, jackson-core, jackson-databind, httpcomponents-core, httpcomponents-client, laravel, and slf4j). A little coordination and advice-sharing among experts can make everything better.

The future is hard to predict, but we anticipate that we will be doing more. In late July, the OpenSSF Technical Advisory Council (TAC) recommended approving funding for a security audit of (part of) Symfony, a widely-used web framework. The OpenSSF Governing Board (GB) approved this on 2021-08-05 and I expect OSTIF will soon take bids on it.

The OpenSSF is also taking steps to raise more money via membership dues (this was delayed due to COVID; starting a new foundation is harder during a pandemic). Once the OpenSSF has more money, we expect they’ll be funding a lot more work to identify critical projects, do security audits, fix problems, and improve or create projects to enhance OSS security. The future looks bright.

Please remember that this is only a small part of ongoing work to improve OSS security. Almost all LF projects need to be secure, so most foundations’ projects include security efforts not listed here. As noted earlier, most development work is done by volunteers or by non-LF organizations directly paying people to do the work (typically employees). 

The OpenSSF has several working groups and many projects where people are working together to improve OSS security. These include free courses on how to develop secure software and the CII Best Practices badge project. We (at the LF) also have many other projects working to improve OSS security. For example, sigstore is making cryptographic signatures much easier; sigstore’s “cosign” tool just released its version 1.0. Many organizations have recently become interested in software bill-of-materials (SBOMs), and we’ve been working on SBOMs for a long time.

If you or your organization would like to fund focused work on improving OSS security, please reach out! You can contribute to the OpenSSF (in general or as a directed fund); just contact them (e.g., Microsoft contributed to OpenSSF in December 2020). If you’d prefer, you can create a grant directly with the Linux Foundation itself — just email me at <dwheeler@linuxfoundation.org> if you have questions. For smaller amounts, say to fund a specific project, you can also consider using the LFX crowdfunding tools to fund or request funding. Many people & organizations struggle to pay individual OSS developers because of the need to handle taxes and oversight. If that’s your concern, talk to us. The LF has experience & processes to do all that, letting experts focus on getting the work done.

My sincere thanks to all the performers for their important work and to all the funders for their confidence in us!

About the author: David A. Wheeler is Director of Open Source Supply Chain Security for The Linux Foundation.

The Linux Foundation is ecstatic to return to in-person events next month; we know how important these face-to-face gatherings are to accelerating collaboration and innovation in the open source community. 

We know you have questions surrounding health and safety at in-person events and want to pause for a moment to address these. Rest assured – your health has been at the forefront of every move and decision we have made as we make a safe return back to in-person events.  

Let’s start here with some items from behind the scenes.

  • The LF has a long-standing relationship with Dr. Joel Selanikio, a physician, former CDC epidemiologist and outbreak investigator, and consultant epidemiologist to the DC Department of Health and to FEMA for the COVID-19 response over 2020-21. Thanks to Dr. Selanikio’s council over the last two years, we have been able to take educated and well-thought out steps to ensure the safety of our community members as we navigate COVID-19. 
  • We are working closely with local Departments of Health to ensure we are following all local requirements and recommendations. 
  • We are continuing to monitor and follow all CDC, WHO and PHE/NHS (in the UK) guidelines, in addition to those of the local municipalities in which we are holding events.
  • We are checking in with our venues and vendors multiple times a week to ensure we are staying up-to-date on best practices and regulations.
  • Finally, The Linux Foundation Event Team have all been certified in handling Pandemic On-Site Protocols (by the Event Leadership Institute). The team is vaccinated, trained and equipped to handle safety protocols and procedures at our events and are more than happy to assist you onsite and ensure you are comfortable.  

Vaccines, masks and everyone’s new favorite phrase: social distancing.

  • As announced previously, in-person attendees will be required to be fully vaccinated against the COVID-19 virus. A vaccine verification app will be used to confirm vaccination status.
  • Additionally, masks will now be required for in-person attendance.
  • All event participants will receive a daily temperature check in order to enter the event zone and will receive a sticker to be able to enter and exit as needed.
  • Comfort level wristbands (in green, yellow, and red) will be provided for event participants to use if they choose to indicate their preference on social distancing comfort level. 

All of the above protocols are in place for LF and LF Project events (like KubeCon + CloudNativeCon) through November 2021.

We are working closely with each of our venues and their local jurisdictions to ensure we are following all local requirements and recommendations. Here are some items you can expect on-site at any of our events through November:

  • Reduced conference room capacity: space between you and your neighbors.
  • More physical space between speakers and attendees: so speakers can present without their masks (and you can hear them clearly!).
  • Wider aisles and thoroughfares through event spaces.
  • Sponsor booths spread further apart in the exhibit hall as well as wider aisles. 
  • Socially distanced areas for eating/drinking and mask breaks
  • Close organization with venues: to ensure rigorous onsite cleaning and sanitizing of all touch points, sneeze guards where necessary, and sanitation stations.

You can view a full list of onsite safety procedures on the Health and Safety page, under the “Attend” tab on all event microsites at events.linuxfoundation.org.

Quick Links

View Open Source Summit + ELC + OSPOCon Health and Safety page

View Open Networking + Edge Summit & Kubernetes on Edge Day Health and Safety page

View KubeCon + CloudNativeCon Health and Safety page

We are keeping our health and safety guidelines updated regularly, and adding to the FAQ as necessary.  If these resources do not answer a question you may have, reach out to us at events@linuxfoundation.org.

After much research and with guidance from Dr. Selanikio, we believe the combination of vaccination and mask requirements, along with the other protocols we are putting in place, provides a safe environment for our in-person event participants.

We understand that not everyone will be able to join us in-person due to a variety of factors, which is why we are delighted to offer attendees the ability to participate in our events virtually. To learn more about the different pass options, click on the “Register” tab on any of our event websites.

We hope this information brings you assurance that keeping you and all our event participants safe is top of mind – and will continue to be as we make each and every decision. A big THANK YOU to the entire open source community for your understanding during this fluid COVID-19 situation and this very challenging time in our history. We look forward to seeing you at our events this fall!

Modern day supply chains leave greater potential for vulnerabilities, and supply chain security should be a high priority for organizations. Vulnerabilities could be catastrophic, and lead to unnecessary costs, inefficient delivery schedules and a loss of intellectual property. 

In addition, over the last few years, supply chains have increasingly been exposed as a major weak point in organizational security. While security may be top of mind within company walls, you are only as strong as your most vulnerable supplier.

We are excited to bring the community a new event where folks can learn directly from experts who have been working on how to solve these vulnerabilities for almost a decade, to find out how to best protect their supply chain and mitigate potential disaster.

Anyone involved in ensuring their company’s supply chain is secure including security professionals, executive leadership and tech leaders.

The event is free to attend, and will take place virtually on August 18. It is comprised of nine sessions covering all aspects of protecting the supply chain, including talks on:

  • Generating SBOMs for IoT at Build Time
  • Securing GCC & GLIBC
  • Building Signing, Distributing SPDX SBOMs as Artifact Reference Type
  • Software Supply Chain Integrity with Sigstore

View all sessions, speakers and register to attend here.

One of the greatest strengths of open source development is how it enables collaboration across the entire world. However, because open source development is a global activity, it necessarily involves making available software across national boundaries. Some countries’ export control regulations, such as the United States, may require taking additional steps to ensure that an open source project is satisfying obligations under local laws.

In July of 2020, The Linux Foundation published a whitepaper on how to address these issues in detail, which can be downloaded here. In 2021, the primary update in the paper is to reflect a change in the US Export Administration Regulations.

  • Previously, in order for publicly available encryption software under ECCN 5D002 to be not subject to the EAR, email notifications were required regardless of whether or not the cryptography it implemented was standardized.
  • Following the change, email notifications are only required for software that implements “non-standard cryptography”.

Please see the updated paper and the EAR for more specific details about this change.

The National Telecommunications and Information Administration (NTIA) recently asked for wide-ranging feedback to define a minimum Software Bill of Materials (SBOM). It was framed with a single, simple question (“What is an SBOM?”), and constituted an incredibly important step towards software security and a significant moment for open standards.

From NTIA’s SBOM FAQ  “A Software Bill of Materials (SBOM) is a complete, formally structured list of components, libraries, and modules that are required to build (i.e. compile and link) a given piece of software and the supply chain relationships between them. These components can be open source or proprietary, free or paid, and widely available or restricted access.”  SBOMs that can be shared without friction between teams and companies are a core part of software management for critical industries and digital infrastructure in the coming decades.

The ISO International Standard for open source license compliance (ISO/IEC 5230:2020 – Information technology — OpenChain Specification) requires a process for managing a bill of materials for supplied software. This aligns with the NTIA goals for increased software transparency and illustrates how the global industry is addressing challenges in this space. For example, it has become a best practice to include an SBOM for all components in supplied software, rather than isolating these materials to open source.

The open source community identified the need for and began to address the challenge of SBOM “list of ingredients” over a decade ago. The de-facto industry standard, and most widely used approach today, is called Software Package Data Exchange (SPDX). All of the elements in the NTIA proposed minimum SBOM definition can be addressed by SPDX today, as well as broader use-cases.

SPDX evolved organically over the last decade to suit the software industry, covering issues like license compliance, security, and more. The community consists of hundreds of people from hundreds of companies, and the standard itself is the most robust, mature, and adopted SBOM in the market today. 

The full SPDX specification is only one part of the picture. Optional components such as SPDX Lite, developed by Pioneer, Sony, Hitachi, Renesas, and Fujitsu, among others, provide a focused SBOM subset for smaller supplier use. The nature of the community approach behind SPDX allows practical use-cases to be addressed as they arose.

In 2020, SPDX was submitted to ISO via the PAS Transposition process of Joint Technical Committee 1 (JTC1) in collaboration with the Joint Development Foundation. It is currently in the approval phase of the transposition process and can be reviewed on the ISO website as ISO/IEC PRF 5962.

The Linux Foundation has prepared a submission for NTIA highlighting knowledge and experience gained from practical deployment and usage of SBOM in the SPDX and OpenChain communities. These include isolating the utility of specific actions such as tracking timestamps and including data licenses in metadata. With the backing of many parties across the worldwide technology industry, the SPDX and OpenChain specifications are constantly evolving to support all stakeholders.

Industry Comments

The Sony team uses various approaches to managing open source compliance and governance… An example is using an OSS management template sheet based on SPDX Lite, a compact subset of the SPDX standard. Teams need to be able to review the type, version, and requirements of software quickly, and using a clear standard is a key part of this process.

Hisashi Tamai, SVP, Sony Group Corporation, Representative of the Software Strategy Committee

“Intel has been an early participant in the development of the SPDX specification and utilizes SPDX, as well as other approaches, both internally and externally for a number of open source software use-cases.”

Melissa Evers, Vice President – Intel Architecture, Graphics, Software / General Manager – Software Business Strategy

Scania corporate standard 4589 (STD 4589) was just made available to our suppliers and defines the expectations we have when Open Source is part of a delivery to Scania. So what is it we ask for in a relationship with our suppliers when it comes to Open Source? 

1) That suppliers conform to ISO/IEC 5230:2020 (OpenChain). If a supplier conforms to this specification, we feel confident that they have a professional management program for Open Source.  

2) If in the process of developing a solution for Scania, a supplier makes modifications to Open Source components, we would like to see those modifications contributed to the Open Source project. 

3) Supply a Bill of materials in ISO/IEC DIS 5962 (SPDX) format, plus the source code where there’s an obligation to offer the source code directly, so we don’t need to ask for it.

Jonas Öberg, Open Source Officer – Scania (Volkswagen Group)

The SPDX format greatly facilitates the sharing of software component data across the supply chain. Wind River has provided a Software Bill of Materials (SBOM) to its customers using the SPDX format for the past eight years. Often customers will request SBOM data in a custom format. Standardizing on SPDX has enabled us to deliver a higher quality SBOM at a lower cost.

Mark Gisi, Wind River Open Source Program Office Director and OpenChain Specification Chair

The Black Duck team from Synopsys has been involved with SPDX since its inception, and I had the pleasure of coordinating the activities of the project’s leadership for more than a decade. In addition, representatives from scores of companies have contributed to the important work of developing a standard way of describing and communicating the content of a software package.

Phil Odence, General Manager, Black Duck Audits, Synopsys

With the rapidly increasing interest in the types of supply chain risk that a Software Bill of Materials helps address, SPDX is gaining broader attention and urgency. FossID (now part of Snyk) has been using SPDX from the start as part of both software component analysis and for open source license audits. Snyk is stepping up its involvement too, already contributing to efforts to expand the use cases for SPDX by building tools to test out the draft work on vulnerability profiles in SPDX v3.0.

Gareth Rushgrove, Vice President of Products, Snyk

For more information on OpenChain: https://www.openchainproject.org/

For more information on SPDX: https://spdx.dev/

References:

After careful consideration, we have decided that the safest course of action for returning to in-person events this fall is to take a “COVID-19 vaccine required” approach to participating in-person. Events that will be taking this approach include:

We are still evaluating whether to keep this requirement in place for events in December and beyond. We will share more information once we have an update.

Proof of full COVID-19 vaccination will be required to attend any of the events listed above. A person is considered fully vaccinated 2 weeks after the second dose of a two-dose series, or two weeks after a single dose of a one-dose vaccine.

Vaccination proof will be collected via a digitally secure vaccine verification application that will protect attendee data in accordance with EU GDPR, California CCPA, and US HIPAA regulations. Further details on the app we will be using, health and safety protocols that will be in place onsite at the events, and a full list of accepted vaccines will be added to individual event websites in the coming months. 

While this has been a difficult decision to make, the health and safety of our community and our attendees are of the utmost importance to us. Mandating vaccines will help infuse confidence and alleviate concerns that some may still have about attending an event in person. Additionally, it helps us keep our community members safe who have not yet been able to get vaccinated or who are unable to get vaccinated. 

This decision also allows us to be more flexible in pivoting with potential changes in guidelines that venues and municipalities may make as organizations and attendees return to in person events. Finally, it will allow for a more comprehensive event experience onsite by offering more flexibility in the structure of the event.

For those that are unable to attend in-person, all of our Fall 2021 events will have a digital component that anyone can participate in virtually. Please visit individual event websites for more information on the virtual aspect of each event.

We hope everyone continues to stay safe, and we look forward to seeing you, either in person or virtually, this fall. 

The Linux Foundation

FAQ

Q:If I’ve already tested positive for COVID-19, do I still need to show proof of COVID-19 vaccination to attend in person? 

A: Yes, you will still need to show proof of COVID-19 vaccination to attend in-person.

Q: Are there any special circumstances in which you will accept a negative COVID-19 test instead of proof of a COVID-19 vaccination? 

A: Unfortunately, no. For your own safety, as well as the safety of all our onsite attendees, everyone who is not vaccinated against COVID-19 will need to participate in these events virtually this year, and will not be able to attend in-person.

Q: I cannot get vaccinated for medical, religious, or other reasons. Does this mean I cannot attend?

A: For your own safety, as well as the safety of all our onsite attendees, everyone who is not vaccinated against COVID-19 – even due to medical, religious or other reasons – will need to participate in these events virtually this year, and will not be able to attend in-person.

Q: Will I need to wear a mask and socially distance at these events if everyone is vaccinated? 

A: Mask and social distancing requirements for each event will be determined closer to event dates, taking into consideration venue and municipality guidelines.

Q: Can I bring family members to any portion of an event (such as an evening reception) if they have not provided COVID-19 vaccination verification in the app? 

A: No. Anyone that attends any portion of an event in-person will need to register for the event, and upload COVID vaccine verification into our application.

Q: Will you provide childcare onsite at events again this year?

A: Due to COVID-19 restrictions, we unfortunately cannot offer child care services onsite at events at this time. We can, however, provide a list of local childcare providers. We apologize for this disruption to our normal event plans. We will be making this service available as soon as we can for future events.

Q: Will international (from outside the US) be able to attend? Will you accept international vaccinations?

A: Absolutely. As mentioned above, a full list of accepted vaccines will be added to individual event websites in the coming months.