The Linux Foundation Core Infrastructure Initiative and the Open Source Technology Improvement Fund to partner on advancing state-of-the-art open source security

SAN FRANCISCO, Calif. January 28, 2020 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, and the Open Source Technology Improvement Fund (OSTIF) today announced a strategic partnership to advance security for open source software (OSS) that has become critical to the world’s infrastructure.

The organizations will bring together and build on their deep experience supporting security audits for widely deployed open source communities. The Linux Foundation has already invested more than $1m in more than 20 security audits for open source projects; this formal and strategic agreement will allow it to augment that work by sourcing audit experts through OSTIF’s network. OSTIF will share the resources available through the Linux Foundation’s Community Bridge, a funding and support ecosystem for developers and projects, with its community to help fundraise for new audits.

“The Linux Foundation’s ability to fundraise across industries to support thousands of developers around the world is unprecedented,” said Amir Montazery, vice president of development at OSTIF. “The Linux Foundation is a pioneer in open source software and one of the few organizations taking the actions required to truly support it for generations to come. We are excited to join forces and increase our collective impact on improving critical software.”

As part of the strategic partnership, The Linux Foundation will appoint Mike Dolan, vice president of strategic programs, to the OSTIF Advisory Board.

“OSTIF represents a global community and network of security experts and developers and demonstrates an important commitment to the improvement and sustainability of open source software,” said Mike Dolan, vice president of strategic programs, Linux Foundation. “This is a natural collaboration that we hope will increase trust in the global open source software supply chain that underpins modern society.”

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

About Open Source Technology Improvement Fund
The Open Source Technology Improvement Fund is a non-profit organization that connects open source security projects with much needed funding and logistical support. This core value is driven by public fundraising and by soliciting donations from corporate and government donors. For more information, please visit https://ostif.org

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.
Linux is a registered trademark of Linus Torvalds.

###
Media Contact
pr@linuxfoundation.org

“What copyright notice should appear at the top of a file in an OSS project with many contributors?” This is a question we get all the time. Many of our communities have discussed this issue and aligned on a common approach that we thought would be useful to share.

When source code, documentation and other content is contributed to an OSS project, the copyrights in those contributions typically remain owned by the original copyright holders [1].

What follows is a discussion of the typical OSS project where each contributing organization and individual retains ownership of their copyrights that they make available under the project’s open source software license. In this case, the copyrights are licensed for distribution as part of the project. Whether a project uses the Developer Certificate of Origin (“DCO”) and/or a Contributor License Agreement (“CLA”), the original copyright holders retain their copyrights.

Copyright Notices – Community Best Practice

Most LF project communities do not require or recommend that every contributor include their copyright notice in contributed files. See below for more details on why not.

Instead, many LF project communities recommend using a more general statement in a form similar to the following (where XYZ is the project’s name):

  • Copyright The XYZ Authors.
  • Copyright The XYZ Contributors.
  • Copyright Contributors to the XYZ project.

These statements are intended to communicate the following:

  • the work is copyrighted;
  • the contributors of the code licensed it, but retain ownership of their copyrights; and
  • it was licensed for distribution as part of the named project.

By using a common format, the project avoids having to maintain lists of names of the authors or copyright holders, years or ranges of years, and variations on the (c) symbol. This aims to minimize the burden on developers and maintainers as well as redistributors of the code, particularly where compliance with the license requires that further distributions retain or reproduce copyright notices.

What if I want my copyright notice included?

Please note that it is not wrong, and it is acceptable, if a contributor wishes to keep their own copyright notices on their contributions. The above is a recommended format for ease of use, but is not mandated by LF project communities.

If you are contributing on behalf of your employer, you may wish to discuss with your legal department about whether they require you to include a copyright notice identifying the employer as the copyright holder in contributions. Many of our members’ legal departments have already approved the above recommended practice.

What about code copied into the project repository from a Third Party?

If a file only contains code that originates from a third party source who didn’t contribute it themselves, then you would not want to add the notices above. (In a similar vein, you wouldn’t add a notice identifying you as the copyright holder either, if you didn’t own it.) Just preserve the existing copyright and license notices as they are.

If, however, you add copyrightable content to a pre-existing file from another project, then at that point you could add a copyright notice similar to the one above.

Don’t change someone else’s copyright notice without their permission

You should not change or remove someone else’s copyright notice unless they have expressly (in writing) permitted you to do so. This includes third parties’ notices in pre-existing code.

Why not list every copyright holder?

There are several reasons why LF project communities do not require or recommend trying to list every copyright holder for contributions to every file:

  • Copyright notices are not mandatory in order for the contributor to retain ownership of their copyright.
  • Copyright notices are rarely kept up to date as a file evolves, resulting in inaccurate statements.
  • Trying to keep notices up to date, or to correct notices that have become inaccurate, increases the burden on developers without tangible benefit.
  • Developers and maintainers often do not want to have to worry about e.g. whether a minor contribution (such as a typo fix) means that a new copyright notice should be added.
  • Adding many different copyright notices may increase the burden on downstream distributors, when their license compliance processes involve reproducing notices.
  • The specific individual or legal entity that owns the copyright might not be known to the contributor; it could be you, your employer, or some other entity.

[1] For all of the LF’s projects, copyright in each contribution remains owned by the original copyright owner who makes the contribution. Other organizations and projects outside the LF may use a contribution agreement to require assignment of contributions, meaning that your ownership of copyrights in the contributions is transferred to the entity maintaining the project. You should check a project’s contribution terms, mechanisms and policies to make sure you understand the effect of contributing.

TOKYO, DECEMBER 17 – Today Uber, a Platinum Member of the OpenChain Project, announces their conformance to the OpenChain Specification. This builds on their long-standing engagement and commitment to the project and a deep engagement with developing our industry standard, accompanying reference material, and our evolution into a formal ISO standard.

The OpenChain Project establishes trust in the open source from which software solutions are built. It accomplishes this by making open source license compliance simpler and more consistent. The OpenChain Specification defines inflection points in business workflows where a compliance process, policy or training should exist to minimize the potential for errors and maximize the efficiency of bringing solutions to market. The companies involved in the OpenChain community number in the hundreds. The OpenChain Specification is being prepared for submission to ISO and evolution from a growing de facto standard into a formal standard.

“Consistent and transparent compliance standards are critical for building trust among the open source community and our business partners,” said Matthew Kuipers, Senior Counsel, Uber. “We’re increasing our commitment to the community and our partnerships by adopting the Linux Foundation’s OpenChain Specification.”

“Our collaboration with Uber began as the OpenChain Project scaled as an industry standard,” says Shane Coughlan, OpenChain General Manager. “Their engagement in our formative growth period provided valuable insight into how next-generation services companies operate today and where they are going tomorrow. Matt and his team have been a pivotal part of our evolution towards becoming an ISO standard and their commitment to excellence has raised the bar for great community engagement globally. We are looking forward to next steps together, particularly in fostering further adoption in areas where agile companies are establishing new markets.”

About Uber

Our mission is to ignite opportunity by setting the world in motion.

We revolutionized personal mobility with Ridesharing, and we are leveraging our platform to redefine the massive meal delivery and logistics industries.

We are a technology platform that uses a global network, leading technology, operational excellence and product expertise to power movement from point A to point B. We develop and operate proprietary technology applications supporting a variety of offerings on our platform. We connect consumers with providers of ride services, restaurants and food delivery services, public transportation networks, e-bikes, e-scooters and other personal mobility options. We use this same network, technology, operational excellence and product expertise to connect shippers with carriers in the freight industry. We are developing technologies to provide autonomous driving vehicle solutions to consumers, networks of vertical take-off and landing vehicles and new solutions to solve everyday problems.

About the OpenChain Project

The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and industry adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

Google, Siemens and VMware commit to the Automated Compliance Tooling project, community accelerating work on Tern, OSS Review Toolkit, FOSSology and Quartermaster

San Francisco, USA – December 12, 2019 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced founding member commitments from Google, Siemens and VMware for the Automated Compliance Tooling (ACT), as well as key advancements for tools that increase ease and adoption of open source software.

Using open source code comes with a responsibility to comply with the terms of that code’s license. The goal of ACT is to consolidate investments in these efforts and to increase interoperability and usability of open source compliance tooling. Google, Siemens and VMware are among the companies helping to underwrite and lead this collaborative work.

Also announced today is the availability of Tern 1.0. Tern was originally contributed by VMware and is an inspection tool that finds the metadata of the packages installed in a container image. It can now generate SPDX documents. The new FOSSology 3.7 release, which can read SPDX license headers, is also available today; such headers have now been added to more than 75 percent of the source code files in the Linux kernel. And the Google Summer of Code (GSoC) interns have updated the spdx-tools libraries to support SPDX document translation in Java, Python and Go, which lets other tools import and export SPDX documents more easily.

“One of the most exciting parts of the ACT Project is its integration with pre-existing activities around the Linux Foundation Open Compliance Project,” says Shane Coughlan, OpenChain General Manager. “This includes the OpenChain Reference Tooling Work Group, with its focus on addressing real world challenges as efficiently as possible, an area where targeted investment is critical. The end result of these activities will ensure that open source tooling for open source compliance is more mature, more effective and easier to adopt for entities of all sizes.”

“Open Source tools that support the Open Source compliance process have seen great progress in recent months.” says Mirko Boehm, co-founder of Endocode and the QMSTR project. “With ACT, the efforts of the community, businesses and the funding for QMSTR from the European Commission’s Horizon 2020 program come together under one roof in direct collaboration with related industry projects like OpenChain. We expect an acceleration of the development of Open Source compliance solutions and are excited to collaborate with the partners at ACT, the community and the Linux Foundation”.

“It’s a testament to the community and the importance of automating compliance in software development that ACT membership and tools development and integration are coming together to create open source integrated solutions,” said Kate Stewart, senior director of Strategic Programs at Linux Foundation. “We applaud the contributions coming in from all corners of the community and look forward to what 2020 will bring to the work.”

Community members will be meeting this week at Open Compliance Summit in Tokyo, Japan. ACT is seeking new members, community partners and additional tooling projects. To get involved, contact act@linuxfoundation.org

ACT is composed of five primary projects:

FOSSology: An open source license compliance software system and toolkit allowing users to run license, copyright and export control scans from a REST API. As a system, it provides a database and web UI for a compliance workflow. License, copyright and export scanners are tools available to help with compliance activities. FOSSology is an existing Linux Foundation project that will move under ACT.

OSS Review Toolkit (ORT) enables highly automated and customizable Open Source compliance checks on the source code and dependencies of a project by scanning it, downloading its sources, reporting any errors and violations against user-defined rules, and by creating third-party attribution documentation. ORT is designed for the CI/CD world and supports a wide variety of package managers including Gradle, Go modules, Maven, npm and SBT. The project is being contributed to ACT by HERE Technologies.

Quartermaster (QMSTR), originally contributed by Endocode, integrates into build systems to learn about the software products, their sources and dependencies. Developers can run QMSTR locally to verify outcomes, review problems and produce compliance reports. By integrating into DevOps CI/CD cycles, license compliance can become a quality metric for software development. The project is being contributed to ACT by Endocode.

SPDX Tools: Software Package Data Exchange (SPDX) is an open standard for communicating software bill of material information including components, licenses, copyrights and security references. The main SPDX specification will remain separate from, yet complementary to, ACT, while the SPDX tools that meet the spec and help users and producers of SPDX documents will become part of ACT. SPDX is an existing Linux Foundation project.

Tern: Tern is an inspection tool to find the metadata of the packages installed in a container image. It provides a deeper understanding of a container’s bill of materials so better decisions can be made about container based infrastructure, integration and deployment strategies. Tern was created by VMware, who are contributing the project to ACT, to help developers meet open source compliance requirements for containers.

Member Quotes

Google, founding member

“To do open source compliance well, at scale, we need to ensure the community has easy access to advanced automation and tooling,” said Will Norris, Open Source Engineering Manager at Google. “Google has invested heavily in our own compliance tooling, and we are proud to be a part of the Automated Compliance Tooling project to share our experience and expertise with the broader community. We look forward to helping make it easier for everyone using open source code to do so respectfully and in accordance with open source licenses.”

New York University’s Secure Systems Lab, affiliate member

“The software compliance ecosystem has long needed an initiative such as ACT, and projects such as SPDX-tools and Tern are key elements in the challenge of automating compliance,” said Santiago Torres-Arias, lead of the in-toto project and member of the New York University’s Secure Systems Lab. “We are most excited about the integration of in-toto into SPDX, which will help in providing strong, cryptographically-enforced compliance checks. Security is not just a matter of protecting against outsiders, but also a matter of ensuring all actors within your supply chain are following the rules.”

Siemens, founding member

“An Open Source license compliance toolchain has to be Open Source itself. ACT is a milestone in building an integrated and automated end to end OSS compliance toolchain consisting of open source. ACT will boost the effort of the OpenChain Reference Tooling Work Group in realizing such a toolchain, which easily can be used free of charge – OSS license compliance for everyone.”

VMware, founding member

“Compliance is at the core of how companies need to engage with open source projects,” said Dirk Hohndel, vice president and chief open source officer, VMware. “The more we automate compliance processing, the better we are able to advance agile development and rapid response to address required changes such as security issues. For years, VMware has worked towards automating compliance tooling and we are committed to helping enterprises better understand what’s inside containers and manage their compliance obligations.”

For more information, please contact: act@linuxfoundation.org

SAN FRANCISCO, DECEMBER 12 – Today, the OpenChain Project announced Microsoft, a Platinum Member, is the latest company to achieve OpenChain conformance.  This milestone is an example of how OpenChain can be an important part of building quality open source compliance programs that meet the needs of companies and that build trust in the ecosystem.

The OpenChain Project establishes trust in the open source from which software solutions are built. It accomplishes this by making open source license compliance simpler and more consistent. The OpenChain Specification defines inflection points in business workflows where a compliance process, policy or training should exist to minimize the potential for errors and maximize the efficiency of bringing solutions to market. The companies involved in the OpenChain community number in the hundreds. The OpenChain Specification is being prepared for submission to ISO and evolution from a growing de facto standard into a formal standard.

“Open source compliance is a top priority for Microsoft and we respect the license choices developers make”, said David Rudin, Assistant General Counsel, Microsoft. “We value our partnership with OpenChain to help build trust in the larger open source community. Through investments in open source policy, tools to identify open source software, and collaboration with the open source community in projects like OpenChain, the TODO Group, and ClearlyDefined, we are committed to working with the community to develop and share best practices for open source compliance.”

“Microsoft has been an exceptional contributor to the OpenChain Project both in terms of board engagement and in broader engagement with our work teams around the world,” says Shane Coughlan, OpenChain General Manager. “One of the defining aspects of the OpenChain industry standard is our broad applicability to companies of all sizes and in all sectors. It has been fantastic to work with Microsoft to understand the needs of the cloud and large enterprises, especially with regards to how some approaches differ to consumer electronic, infrastructure and other markets. The conformance announcement today is a milestone that greatly supports our evolution as we head into 2020 and underlines once again the value of our continued collaboration.”

New release includes an updated CLI and support for custom report formats and analysis tool extensions

Tern is a VMware-originated open source tool that inspects container images to find the individual software packages installed in the image and their metadata.

Due to changes in the command line options, Tern version 1.0.0 is the first non-backwards compatible release. If you have been using previous versions of Tern, we recommend that you upgrade to the latest release. You can run Tern by installing it from PyPI or you can clone the project from GitHub and install the project after cloning it.

Tern has a number of built-in report styles available, including SPDX tag-value, JSON and YAML. Tern release 1.0.0 adds the ability to write your own report plugin, which allows the data collected by Tern to be formatted in a custom way to accommodate any user’s internal automation and auditing process. Tern uses the OpenStack Stevedore Python module to dynamically load any custom report plugins at runtime. If you’re curious about how to write your own report plugin, we supply directions on Tern’s GitHub page.

In addition to customizing your report format, the Tern 1.0.0 release can be extended to analyze container images using external file or filesystem analysis tools. The two currently supported external tools are scancode-toolkit and cve-bin-tool. Support for formatting the output of these external tools is expected to be completed in subsequent releases.

Scancode-toolkit is a license scanning tool that finds licenses in source code and binaries. cve-bin-tool is a security vulnerability scanning tool that finds common vulnerabilities in binaries. Note that although you can use a security scanner with Tern, there isn’t any support for reporting the results beyond printing them to the console. This may change as industry demand for security information in Software Bills of Materials seems to be on the rise. If you would like to incorporate your own tool extension into Tern, there are some general steps to follow documented on Tern’s GitHub page.

The 1.0.0 release for Tern also includes important bug fixes to support the SPDX tag-value reporting that Tern does. These bug fixes primarily improve Tern’s compatibility with the SPDX online validation tool.
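The SPDX tag-value format that Tern emits and that the spdx-tools libraries consume is plain text, one `Tag: value` pair per line, with a document header followed by one block per package. The following added example (not Tern's or the SPDX project's code) renders a constructed package inventory for a container image as a minimal SPDX 2.1 tag-value document and then parses it back and checks the mandatory document and package fields, the SPDXID character set and duplicate identifiers, which are the first things a validator rejects. The package list, the tool name in the Creator field and the document namespace are made up for the example.

```python
"""Emit and structurally validate a minimal SPDX 2.1 tag-value document for a container image."""
from datetime import datetime, timezone
import re

# Constructed sample: the kind of inventory an image inspector collects from a Debian-based layer.
SAMPLE_PACKAGES = [
    {"name": "libc6", "version": "2.28-10", "license": "LGPL-2.1-or-later"},
    {"name": "openssl", "version": "1.1.1d-0+deb10u2", "license": "OpenSSL"},
    {"name": "zlib1g", "version": "1:1.2.11.dfsg-1", "license": "Zlib"},
]

# Mandatory fields in SPDX 2.1 for the document and for each package (FilesAnalyzed=false case).
REQUIRED_DOC_TAGS = ("SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                     "DocumentNamespace", "Creator", "Created")
REQUIRED_PKG_TAGS = ("PackageName", "SPDXID", "PackageDownloadLocation", "FilesAnalyzed",
                     "PackageLicenseConcluded", "PackageLicenseDeclared", "PackageCopyrightText")


def spdx_id(name, version):
    """SPDXIDs may only contain letters, digits, '.' and '-'; anything else is replaced."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", f"{name}-{version}")


def to_tag_value(image_ref, packages, created=None):
    """Render a document whose DESCRIBES relationships point at one SPDXRef per package."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "SPDXVersion: SPDX-2.1",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {image_ref}",
        # Hypothetical namespace: a real emitter uses a URI it controls.
        f"DocumentNamespace: https://example.invalid/spdx/{image_ref.replace(':', '-')}",
        "Creator: Tool: example-emitter",
        f"Created: {created}",
        "",
    ]
    for pkg in packages:
        ref = spdx_id(pkg["name"], pkg["version"])
        lines += [
            f"PackageName: {pkg['name']}",
            f"SPDXID: {ref}",
            f"PackageVersion: {pkg['version']}",
            "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: false",
            "PackageLicenseConcluded: NOASSERTION",
            f"PackageLicenseDeclared: {pkg['license']}",
            "PackageCopyrightText: NOASSERTION",
            f"Relationship: SPDXRef-DOCUMENT DESCRIBES {ref}",
            "",
        ]
    return "\n".join(lines)


def parse_tag_value(text):
    """Split 'Tag: value' lines into a document dict and a list of package dicts."""
    doc, packages, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")   # only the first colon separates tag from value
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":               # a new package block starts here
            current = {tag: value}
            packages.append(current)
        elif tag == "Relationship":
            doc.setdefault("Relationship", []).append(value)
        elif current is not None:
            current[tag] = value
        else:
            doc[tag] = value
    return doc, packages


def validate(text):
    """Return a list of problems; an empty list means every mandatory field is present."""
    doc, packages = parse_tag_value(text)
    problems = [f"document missing {t}" for t in REQUIRED_DOC_TAGS if t not in doc]
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("document SPDXID must be SPDXRef-DOCUMENT")
    seen = set()
    for pkg in packages:
        problems += [f"{pkg.get('PackageName')} missing {t}" for t in REQUIRED_PKG_TAGS if t not in pkg]
        ref = pkg.get("SPDXID", "")
        if not re.fullmatch(r"SPDXRef-[A-Za-z0-9.-]+", ref) or ref in seen:
            problems.append(f"bad or duplicate SPDXID {ref!r}")
        seen.add(ref)
    return problems
```

Calling `validate(to_tag_value("debian:buster", SAMPLE_PACKAGES))` returns an empty list; deleting any mandatory line from the rendered text makes it report the package and the missing tag. The Debian epoch separator `:` in `1:1.2.11.dfsg-1` is the kind of version string that breaks naive SPDXID generation, which is why the identifier is sanitised rather than built by plain concatenation.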

Other notable additions to Tern in the 1.0.0 release include:

  • Enablement for Tern to consume raw image tarballs
  • Continue to analyze the base image if a Docker build fails from a Dockerfile
  • Gracefully exit if Docker is not installed or properly setup
  • Fix working directory cleanup after a keyboard interrupt
  • Bug fixes that improve the overall stability and robustness of the tool

The next Tern release will be a little smaller in scope. It will focus on enabling the pip package manager to collect information and on adding a “dockerfile freeze” command line option, which will produce an annotated Dockerfile with all the versions pinned to the versions Tern finds, in order to help developers achieve a somewhat repeatable build (similar to the “pip freeze” functionality in Python).
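As an added illustration of the freeze idea described above (not Tern's implementation, which the post only previews), the following example rewrites bare package names in a Dockerfile's apt, apk and pip install commands to the versions an image inspector reported for the built image, and flags names it could not resolve. The Dockerfile and the inventory are constructed; multi-line RUN instructions with backslash continuations are deliberately left untouched.

```python
"""Pin package versions in a Dockerfile to the versions found in the image built from it."""
import re

# Constructed input: a Dockerfile and the package inventory an inspector reported for its image.
SAMPLE_DOCKERFILE = """FROM debian:buster-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates
RUN pip3 install requests pyyaml
"""
SAMPLE_INVENTORY = {
    "apt": {"curl": "7.64.0-4", "ca-certificates": "20190110"},
    "pip": {"requests": "2.22.0", "pyyaml": "5.3"},
}

# (inventory key, regex matching the install command, separator between name and version)
INSTALL_SYNTAX = [
    ("apt", re.compile(r"\bapt(?:-get)?\s+install\b"), "="),
    ("apk", re.compile(r"\bapk\s+add\b"), "="),
    ("pip", re.compile(r"\bpip3?\s+install\b"), "=="),
]


def pin_segment(segment, inventory):
    """Pin one shell command (a '&&'-separated piece of a RUN line); other commands pass through.

    Returns the rewritten command and the package names that were not in the inventory.
    """
    for manager, pattern, sep in INSTALL_SYNTAX:
        match = pattern.search(segment)
        if not match:
            continue
        versions = inventory.get(manager, {})
        head, args = segment[:match.end()], segment[match.end():].split()
        pinned, unresolved = [], []
        for tok in args:
            if tok.startswith("-") or sep in tok:
                pinned.append(tok)                      # option flag, or already pinned by hand
            elif tok in versions:
                pinned.append(f"{tok}{sep}{versions[tok]}")
            else:
                pinned.append(tok)
                unresolved.append(tok)
        return head + " " + " ".join(pinned), unresolved
    return segment, []


def freeze_dockerfile(dockerfile, inventory):
    """Return the annotated Dockerfile text and the list of names that could not be pinned."""
    out, unresolved = [], []
    for line in dockerfile.splitlines():
        if not line.startswith("RUN ") or line.rstrip().endswith("\\"):
            out.append(line)                            # not an install line, or a continuation
            continue
        pinned = []
        for seg in line[4:].split("&&"):
            new_seg, missing = pin_segment(seg.strip(), inventory)
            pinned.append(new_seg)
            unresolved += missing
        out.append("RUN " + " && ".join(pinned))
    if unresolved:
        out.insert(0, "# unpinned (not found in image inventory): " + ", ".join(unresolved))
    return "\n".join(out) + "\n", unresolved
```

Running `freeze_dockerfile(SAMPLE_DOCKERFILE, SAMPLE_INVENTORY)` turns the apt line into `apt-get install -y --no-install-recommends curl=7.64.0-4 ca-certificates=20190110` and the pip line into `pip3 install requests==2.22.0 pyyaml==5.3`. The result is only "somewhat" repeatable, as the post says: pinned versions still depend on the mirror keeping old packages, and the base image tag itself is not pinned by digest here.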

If you are interested in contributing to Tern, or just want to know more about the project, visit our GitHub page.

Confidential Computing Consortium Establishes Formation with Founding Members and Open Governance Structure

Premier Members

Alibaba
“Confidential computing provides new capabilities for cloud customers to reduce trusted computing base in cloud environments and protect their data during runtime. Alibaba launched Alibaba Encrypted Computing technology powered by Intel SGX in Sep 2017 and has provided commercial cloud servers with SGX capability to our customers since April 2018. We are very excited to join CCC and work with the community to build a better confidential computing ecosystem,” said Xiaoning Li, chief security architect, Alibaba Cloud.

Arm
“Arm’s vision for the next-generation infrastructure requires complete edge-to-cloud security for protecting and managing the data across a trillion connected devices,” said Richard Grisenthwaite, senior vice president, chief architect and fellow, Architecture and Technology Group, Arm. “Arm is already very involved in helping to develop the Confidential Compute Consortium’s charter, and we see our participation and the new Open Enclave SDK as a critical collaboration with the rest of the industry in making TEEs easy to deploy.”

Google
“To help users make the best choice for how to protect their workloads, they need to be met with a common language and understanding around confidential computing. As the open source community introduces new projects like Asylo and OpenEnclave SDK, and hardware vendors introduce new CPU features that change how we think about protecting programs, operating systems, and virtual machines, groups like the Confidential Computing Consortium will help companies and users understand its benefits and apply these new security capabilities to their needs,” said Royal Hansen, vice president, Security, Google.

Huawei
“Huawei’s vision of end-to-end, trustworthy connectivity for the world includes securing the endpoints in an open and transparent manner. We see the establishment of the Confidential Computing Consortium as an important conduit and platform for collaboration around the ease of security deployment and use on IoT, IoV, Mobile, Consumer and Cloud Hardware,” said Peixin Hou, Chief Expert on Open System and Software, Huawei. “We look forward to leveraging our robust experience with secure environments, already deployed in billions of devices, for the benefit of the Confidential Computing Consortium and making contribution to confidential computing technology development on various hardware architectures and software platforms.”

Intel
“Software developed through this consortium is critical to accelerating confidential computing practices built with open source technology and Intel SGX,” said Anand Pashupathy, GM, Security System Software at Intel. “Combining the Intel SGX SDK with Microsoft’s Open Enclave SDK will help simplify secure enclave development and drive deployment across operating environments.”

Microsoft
“The Open Enclave SDK is already a popular tool for developers working on Trusted Execution Environments, one of the most promising areas for protecting data in use,” said Mark Russinovich, chief technical officer, Microsoft Azure. “We hope this contribution to the Consortium can put the tools in even more developers’ hands and accelerate the development and adoption of applications that will improve trust and security across cloud and edge computing.”

Red Hat
“Security is consistently top of mind for our customers, and, really, for all of us, as security incidents and data breaches make the headlines. While hardware support for security continues to advance, creating secure computing environments can still be challenging,” said Chris Wright, senior vice president and Chief Technology Officer at Red Hat. “We are developing the Enarx project to help developers deploy applications into computing environments which support higher levels of security and confidentiality and intend to bring it to the Confidential Computing Consortium. We look forward to collaborating with the broader industry and the Confidential Computing Consortium to help make confidential computing the norm.”

General Members

Baidu
“The formation of the Confidential Computing Consortium under the Linux Foundation is an important step towards the future of technologies across cloud computing, blockchain and security. It will help to create the global technical standards of confidential computing and promote its business use at the enterprise level in different industries,” said Fei Song, head of product committee, AI Cloud, Baidu.

ByteDance
“At ByteDance, we take data security and privacy very seriously. Confidential Computing provides additional data security capabilities to allow a new form of secure end-to-end computation paradigm in an ever-increasing hybrid and multi-cloud environment. We are very excited to be part of this community to promote the broader adoption of this technology. We look forward to collaborating with members in the Consortium to unlock the potential of confidential computing to protect sensitive data in real-world applications.”

Decentriq
“Today and in the future, the analysis of sensitive data from distributed sources will be paramount for increased organizational effectiveness. At decentriq, we believe the Confidential Computing Consortium helps to put down the foundations for a standardized and safe approach to establish trust between several parties. At decentriq we enable our customers to fully unlock the potential of multiparty analytics,” said Stefan Deml, Co-Founder, decentriq.

Fortanix
“We are pleased to join some of our most important long-standing partners in this consortium to advance the cause of data protection and data privacy,” said Ambuj Kumar, Founder and CEO of Fortanix. “After three years of implementing our Runtime Encryption technology in confidential computing applications including protecting sensitive cloud workloads, databases, and SaaS applications, we are looking forward to working with the consortium to contribute our expertise in the standardization of confidential computing and help move the industry forward.”

Kindite
“Kindite strongly supports the consortium formation and recognizes confidential computing as a cornerstone for a new cloud-era in which organizations will be able to store and process data externally while keeping it completely private. Our goal within the organization is to promote such capabilities while keeping application code, cloud functionality and scale intact. Confidential computing is a key component of Kindite’s vision. Our offering is based on a unified data protection platform that is consistent throughout all environments, agnostic to every architecture component and covers all enterprise workloads within a hybrid, multi-cloud environment. We see the goal of de-coupling the data-layer from the cloud infrastructure as game-changing for cloud vendors and customers alike, setting the boundaries of the shared responsibility model once and for all. This accomplishment will finally allow enterprises to enhance their cloud presence while fully protecting sensitive information and will surely play an important role in public cloud growth for years to come.”

Oasis Labs
“Oasis Labs is building the platform for privacy-first applications. We are thrilled to be a founding member of the Confidential Computing Consortium and to build a community that pushes the boundaries of secure, private computation,” said Dawn Song, CEO and Founder of Oasis Labs.

Swisscom
“As the leading telecom and ICT provider in Switzerland, we adhere to the highest security standards, something that is particularly important given the increasing relevance of security for our customers in the wake of new technologies such as 5G and critical IoT or cloud applications. It is a privilege that we, as a Swiss company, are able to join forces with internationally leading technology companies to launch the Confidential Computing Consortium and are thus helping to define standards, frameworks and tools for securing data in the cloud,” said Christoph Aeschlimann, CTO & CIO, Swisscom.

Tencent
“Confidential computing offers CPU-based hardware technology to protect cloud users’ data in use, which we believe will become a basic capability for cloud providers in the future,” said Wei Li, vice president of Tencent Security and head of Cloud Security.

VMware
“A common, easy to use, comprehensive standard for confidential computing is a critical component of VMware’s end-to-end, on-by-default, secure-everywhere vision. It is a crucial ingredient for protecting user data at runtime, especially in settings where sensitive workloads may be required to run in a cloud or remote setting where more often than not physical control of the infrastructure is not a given. We are committed to driving forward a secure, safe, and confidential computing future.”

Industry’s biggest technology leaders advance computational trust and security for next-generation cloud and edge computing

SAN FRANCISCO, Calif., October 17, 2019 – The Confidential Computing Consortium, a Linux Foundation project and community dedicated to defining and accelerating the adoption of confidential computing, today announced the formalization of its organization with founding Premier members Alibaba, Arm, Google Cloud, Huawei, Intel, Microsoft and Red Hat. General members include Baidu, ByteDance, decentriq, Fortanix, Kindite, Oasis Labs, Swisscom, Tencent and VMware.

The intent to form the Confidential Computing Consortium was announced at Open Source Summit in San Diego earlier this year. The organization aims to address data in use, enabling encrypted data to be processed in memory without exposing it to the rest of the system, reducing exposure to sensitive data and providing greater control and transparency for users. This is among the very first industry-wide initiatives to address data in use, as current security approaches largely focus on data at rest or data in transit. The focus of the Confidential Computing Consortium is especially important as companies move more of their workloads to span multiple environments, from on premises to public cloud and to the edge.

With the formalization of the group, the open governance structure is established and includes a Governing Board, a Technical Advisory Council and separate technical oversight for each technical project. It is intended to host a variety of technical open source projects and open specifications to support confidential computing. The Consortium is funded by membership dues. For more information and to contribute to the project, please visit: https://confidentialcomputing.io

Contributions to the Confidential Computing Consortium already include:

  • Software Guard Extensions (Intel SGX) SDK, designed to help application developers protect select code and data from disclosure or modification at the hardware layer using protected enclaves in memory.
  • Open Enclave SDK, an open source framework that allows developers to build Trusted Execution Environment (TEE) applications using a single enclaving abstraction. Developers can build applications once that run across multiple TEE architectures.
  • Enarx, a project providing hardware independence for securing applications using TEEs.

The Consortium is a Bronze sponsor of Open Source Summit Europe and will host three sessions, beginning with a session on how to approach security for data in use and a Birds of a Feather (BoF) session on Monday, October 28, followed by a panel about the state of the Consortium on Tuesday, October 29.

Member comments about the Consortium can be found in the accompanying quote sheet.

About the Confidential Computing Consortium

Established in 2019, the Confidential Computing Consortium brings together hardware vendors, cloud providers, developers, open source experts and academics to accelerate the confidential computing market; influence technical and regulatory standards; build open source tools that provide the right environment for TEE development; and host industry outreach and education initiatives. It aims to address computational trust and security for data in use, enabling encrypted data to be processed in memory without exposing it to the rest of the system, reducing exposure of sensitive data and providing greater control and transparency for users. For more information, please visit: https://confidentialcomputing.io

###

Media Contact
Jennifer Cloer
reTHINKit Media
503-867-2304
jennifer@rethinkitmedia.com

Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent will collaborate on open source technologies and standards that accelerate the adoption of confidential computing

SAN DIEGO, Calif., Open Source Summit, August 21, 2019 – The Linux Foundation today announced the intent to form the Confidential Computing Consortium, a community dedicated to defining and accelerating the adoption of confidential computing. Companies committed to this work include Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent.

Across industries, computing is moving to span multiple environments, from on premises to public cloud to edge. As companies move these workloads to different environments, they need protection controls for sensitive IP and workload data and are increasingly seeking greater assurances and more transparency of these controls. Current approaches in cloud computing address data at rest and in transit, but encrypting data in use is considered the third and possibly most challenging step to providing a fully encrypted lifecycle for sensitive data. Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system, reduce exposure of sensitive data and provide greater control and transparency for users.

“The earliest work on technologies that have the ability to transform an industry is often done in collaboration across the industry and with open source technologies,” said Jim Zemlin, executive director at The Linux Foundation. “The Confidential Computing Consortium is a leading indicator of what’s to come for security in computing and will help define and build open technologies to support this trust infrastructure for data in use.”

The Confidential Computing Consortium will bring together hardware vendors, cloud providers, developers, open source experts and academics to accelerate the confidential computing market; influence technical and regulatory standards; and build open source tools that provide the right environment for TEE development. The organization will also anchor industry outreach and education initiatives.

Participants plan to make several open source project contributions to the Confidential Computing Consortium, including:

  • Intel® Software Guard Extensions (Intel® SGX) Software Development Kit, designed to help application developers protect select code and data from disclosure or modification at the hardware layer using protected enclaves.
  • Microsoft Open Enclave SDK, an open source framework that allows developers to build Trusted Execution Environment (TEE) applications using a single enclaving abstraction. Developers can build applications once that run across multiple TEE architectures.
  • Red Hat Enarx, a project providing hardware independence for securing applications using TEEs.

The proposed structure for the Consortium includes a Governing Board, a Technical Advisory Council and separate technical oversight for each technical project. It is intended to host a variety of technical open source projects and open specifications to support confidential computing. The Confidential Computing Consortium will be funded through membership dues. For more information and to contribute to the project, please visit: https://confidentialcomputing.io

Supporting Quotes

Alibaba
“Confidential computing provides new capabilities for cloud customers to reduce the trusted computing base in cloud environments and protect their data during runtime. Alibaba launched Alibaba Encrypted Computing technology powered by Intel SGX in Sep 2017 and has provided commercial cloud servers with SGX capability to our customers since April 2018. We are very excited to join CCC and work with the community to build a better confidential computing ecosystem,” said Xiaoning Li, chief security architect, Alibaba Cloud.

Arm
“Arm’s vision for the next-generation infrastructure requires complete edge-to-cloud security for protecting and managing the data across a trillion connected devices,” said Richard Grisenthwaite, senior vice president, chief architect and fellow, Architecture and Technology Group, Arm. “Arm is already very involved in helping to develop the Confidential Compute Consortium’s charter, and we see our participation and the new Open Enclave SDK as a critical collaboration with the rest of the industry in making TEEs easy to deploy.”

Baidu
“The formation of the Confidential Computing Consortium under the Linux Foundation is an important step towards the future of technologies across cloud computing, blockchain and security. It will help to create the global technical standards of confidential computing and promote its business use at the enterprise level in different industries,” said Fei Song, head of product committee, AI Cloud, Baidu.

Google
“To help users make the best choice for how to protect their workloads, they need to be met with a common language and understanding around confidential computing. As the open source community introduces new projects like Asylo and OpenEnclave SDK, and hardware vendors introduce new CPU features that change how we think about protecting programs, operating systems, and virtual machines, groups like the Confidential Computing Consortium will help companies and users understand its benefits and apply these new security capabilities to their needs,” said Royal Hansen, vice president, Security, Google.

IBM
“IBM was one of the earliest companies to champion open source, and now aligned with Red Hat we are excited for the future. One of the emerging areas of interest to our IBM Cloud and Systems clients is Trusted Execution Environments (TEEs). Combined with new open software projects like Enarx and OpenEnclave SDK, they hold the promise of making future workloads as secure as possible in the next chapter of cloud. IBM has a history of leadership in secure computing, and we are proud to join the Confidential Computing Consortium to help it fulfill its promise of spanning multiple hardware architectures and cloud platforms, to protect tomorrow’s applications and data,” said Todd Moore, vice president, Open Technology and Developer Advocacy, IBM.

Intel
“Software developed through this consortium is critical to accelerating confidential computing practices built with open source technology and Intel SGX,” said Imad Sousou, corporate vice president and general manager, System Software Products at Intel. “Combining the Intel SGX SDK with Microsoft’s Open Enclave SDK will help simplify secure enclave development and drive deployment across operating environments.”

Microsoft
“The Open Enclave SDK is already a popular tool for developers working on Trusted Execution Environments, one of the most promising areas for protecting data in use,” said Mark Russinovich, chief technical officer, Microsoft. “We hope this contribution to the Consortium can put the tools in even more developers’ hands and accelerate the development and adoption of applications that will improve trust and security across cloud and edge computing.”

Red Hat
“Security is consistently top of mind for our customers, and, really, for all of us, as security incidents and data breaches make the headlines. While hardware support for security continues to advance, creating secure computing environments can still be challenging,” said Chris Wright, senior vice president and Chief Technology Officer at Red Hat. “We are developing the Enarx project to help developers deploy applications into computing environments which support higher levels of security and confidentiality and intend to bring it to the Confidential Computing Consortium. We look forward to collaborating with the broader industry and the Confidential Computing Consortium to help make confidential computing the norm.”

Swisscom
“As the leading telecom and ICT provider in Switzerland, we adhere to the highest security standards, something that is particularly important given the increasing relevance of security for our customers in the wake of new technologies such as 5G and critical IoT or cloud applications. It is a privilege that we, as a Swiss company, are able to join forces with internationally leading technology companies to launch the Confidential Computing Consortium and are thus helping to define standards, frameworks and tools for securing data in the cloud,” said Christoph Aeschlimann, CTO & CIO, Swisscom.

Tencent
“Confidential computing offers CPU-based hardware technology to protect cloud users’ data in use, which we believe will become a basic capability for cloud providers in the future,” said Wei Li, vice president of Tencent Security and head of Cloud Security.

About the Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation projects like Linux, Kubernetes, Node.js and more are considered critical to the development of the world’s most important infrastructure. Its development methodology leverages established best practices and addresses the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.


Leading Japanese information and communication technology company to support industry’s only open source compliance standard for collaboration across supply chains

SAN FRANCISCO & HALF MOON BAY, Calif. – OPEN SOURCE LEADERSHIP SUMMIT – March 13, 2019 – The OpenChain Project, which builds trust in open source by making open source license compliance simpler and more consistent, announced today at the Linux Foundation’s Open Source Leadership Summit (OSLS) that Fujitsu has joined as a Platinum member.

Fujitsu joins other recent Platinum member additions including Bosch, Microsoft, Uber, Google and Facebook. OpenChain provides a specification as well as overarching processes, policies and training that companies need to be successful in managing open source license compliance so that it becomes more efficient, understandable and predictable for participants of the software supply chain.

As code flows between companies that consume billions of lines of open source software through their supply chains to build new products and services, a key challenge is ensuring the relevant license requirements are met in a timely and effective manner. The OpenChain Project provides a consistent way to address that and other challenges. Conformance with the OpenChain Specification shows that an organization follows the key requirements of a quality open source compliance program, and builds trust between organizations in the supply chain. It makes procurement easier for purchasers and preferred status easier for suppliers.

“Fujitsu has been a long-time supporter of open source communities and the Linux Foundation; we believe open source compliance is a crucial factor for open source collaborations,” said Kaneshige Kenji, Vice President and Head of the Linux Development Division, Platform Software Business Unit of Fujitsu. “We’re excited to join the OpenChain project to foster trust in the open source supply chain and encourage greater compliance for open source software, which is rapidly increasing in our society.”

“We are delighted to have Fujitsu join the OpenChain Project as a platinum member,” said Shane Coughlan, General Manager, OpenChain. “Their expertise and support will be crucial as we continue to build our industry standard for open source compliance in the supply chain. I am particularly excited to gain access to the substantial knowledge Fujitsu possesses in areas like IoT and cloud technology.”

As a Platinum member, Fujitsu will have a representative on the OpenChain Governing Board. Other Platinum members of the OpenChain project include Adobe, Arm Holdings, Bosch, Cisco, Comcast, Facebook, Google, Harman International, Hitachi, Microsoft, Qualcomm, Siemens, Sony, Toshiba, Toyota, Uber, and Western Digital.

About the OpenChain Project
The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.

About The Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

###