Linux Foundation Announces Workgroup to Standardize the Future of the Software Supply Chain
The Linux Foundation | 05 October 2015
OpenChain Workgroup will create a set of best practices to ease open source compliance for companies and developers
DUBLIN, LinuxCon Europe and Embedded Linux Conference Europe, October 5, 2015 – The Linux Foundation, the nonprofit organization dedicated to accelerating the growth of Linux and collaborative development, today announced the OpenChain Workgroup, a community effort to standardize common best practices for open source software compliance. It is expected to reduce costs, cut duplicated effort and ease friction points in the software supply chain.
Founding members of the OpenChain Workgroup include ARM, Qualcomm, Samsung, SanDisk and Wind River.
“Because nearly every new technology today is built using Linux and open source software, today’s software supply chain is the open source software supply chain,” said Jim Zemlin, executive director at The Linux Foundation. “This means we need to revisit the way we standardize processes and compliance for checking code and ensure the cost and efficiency benefits of open source are sustained for decades to come. This is a long-term commitment to open compliance and one we take very seriously.”
Linux and open source software are being used to build the most innovative technologies of our time. They are being used everywhere, by more developers than ever before. Understanding the security and provenance of the open source components included in software packages delivered throughout the supply chain is critical to ensuring that the benefits of Linux and open source software (cost, speed of development, freedom to innovate) are realized time and again.
The OpenChain Workgroup will provide a baseline process that companies and developers can customize as they see fit. It will initially provide a set of guidelines intended to serve as a basis for developing and monitoring compliance programs. OpenChain will build on existing best practices in the Linux ecosystem, such as Debian's, and on formats compatible with the Software Package Data Exchange® (SPDX), a standard format for communicating the components, licenses and copyrights associated with a software package. The SPDX standard helps facilitate compliance with free and open source software licenses by standardizing the way license information is shared across the software supply chain.
To learn more about the OpenChain Workgroup and to participate in early discussions, please visit: https://wiki.linuxfoundation.org/openchain/start
Member Comments
ARM
“As Linux becomes the standard platform for many new deployments, ensuring the open source software supply chain is trusted becomes increasingly important,” said Hobson Bullman, general manager, development solutions group, ARM. “This new initiative will help companies manage open source software more effectively and promote best practices in the industry.”
Qualcomm
“It’s time to eradicate the confusion, inefficiency and unnecessary cost from open source compliance. As an industry, we have a huge opportunity to improve compliance, reduce inefficiency and build common practices across the board. The OpenChain Workgroup is the open source ecosystem coming together on compliance to do the right thing, consistently, responsibly and well,” said David Marr, Vice President and Legal Counsel of Qualcomm Technologies, Inc.
SanDisk
“As more free and open source (FOSS) software enters the supply chain via third parties, it is important for companies to be able to comply with FOSS license obligations. OpenChain helps reduce duplication of effort and facilitates the creation of a trusted supply chain. The ability to adapt the OpenChain framework to big and small organization compliance practices is a huge plus as well,” said Lisa LaForge, Director, Legal and Chairperson of SanDisk’s Open Source Steering Committee.
Wind River
“Exchanging important open source compliance information in the software supply chain is critical and requires a certain level of discipline,” said Dinyar Dastoor, vice president and general manager of operating system platforms at Wind River. “As a longtime contributor, recipient and solution provider of open source, Wind River believes the OpenChain Workgroup will deliver the needed discipline and standardization that Linux and the open source movement will require as it continues on its path of success.”
About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects and Linux conferences, including LinuxCon, and by generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at http://www.linuxfoundation.org.
# # #
The Linux Foundation and Linux Standard Base are trademarks of The Linux Foundation. Linux is a trademark of Linus Torvalds.