The Linux Foundation Drives Standardization of Open Source Software Supply Chain
The Linux Foundation | 04 October 2016
OpenChainTM Project releases first specification to establish best practices for open source software supply chain
Berlin, Germany (LinuxCon and ContainerCon Europe) – October 4, 2016 – The Linux Foundation®, the nonprofit advancing professional open source management for mass collaboration, today announced that the OpenChain Project has established its first set of requirements and best practices for consistent free and open source software (FOSS) management processes in the open source software supply chain. The OpenChain Specification 1.0 aims to facilitate greater quality and consistency of open source compliance to help reduce duplication of effort caused by lack of standardization and transparency throughout professional open source organizations.
Open source is the new norm for software development, evidenced by nearly 70 percent of hiring managers looking to recruit and retain open source professionals within the next six months (see: 2016 Open Source Jobs Survey and Report). From society lifelines such as healthcare networks and financial institutions to in-car entertainment and movie production, open source has become a key software supply chain every major industry is dependent upon. Businesses ranging from startups to enterprises are looking to establish, build and sustain open source projects that support long-term innovation and reduce R&D costs. For open source software to continue to thrive, there must be a common set of requirements and best practices established to ensure consistency of use and quality of software. Individuals and organizations reliant on open source software must also have access to training resources and expertise such as licensing and compliance to uphold the integrity of code.
“Hundreds of thousands of people around the globe, including the world’s largest companies, leverage open source software, so we need to work together to support best practices for software license compliance throughout a supply chain,” said Jim Zemlin, executive director, The Linux Foundation. “Licensing, best practices, training, certification and other resources are needed to scale open source and protect the innovation built on top of it. The OpenChain Project is taking a major step forward by helping create software supply chains that are both efficient and compliant.”
The OpenChain Project is a community effort to establish common best practices for effective management of open source software and compliance with open source software licenses. The project aims to help reduce costs, duplication of effort, and ease friction points in the software supply. Today the OpenChain Project releases its first specification that defines a common set of requirements and best practices for open source organizations to follow in an attempt to encourage an ecosystem of transparent sharing and open source software compliance. The goals and requirements of the OpenChain Compliance Specification 1.0 include:
● Document FOSS policy and training for software staff;
● Assign responsibility for achieving compliance via designated FOSS-related roles;
● Review and approval of FOSS content;
● Deliver FOSS content documentation and artefacts such as copyright notices, licenses, source code, etc;
● Understand FOSS community engagement including legal approval, business rationale, technical review of code, community interaction and contribution requirements; and
● Adhere to OpenChain requirements for certification.
The OpenChain Project has also established three Work Teams to collaborate on future refinements of the OpenChain Specification, to develop training materials and create conformance criteria for organizations. The project will also begin the roll out of a self-conformance program this year.
Platinum Members of the OpenChain Project include Adobe, ARM, Cisco, Harman, Hewlett Packard Enterprise, Qualcomm, Siemens and Wind River.
Supporting Comments
Adobe
“Open source as a development philosophy is acknowledged to both increase innovation and drive adoption. Adobe is an active participant in open source efforts and supports open activities by contributing to existing projects, releasing code as open source, and providing open access and conversations. Starting with the contribution of Tamarin to the Mozilla Foundation in 2006, Adobe has released hundreds of pieces of technology under open source licenses, and knows first-hand the value of establishing known, trusted standards. At Adobe, the Web is not only about the technology and code but also about the content and its delivery, and we support OpenChain’s efforts to standardize and improve the quality and consistency of open source for everyone.”
James Oh, Vice President, Associate General Counsel, Adobe
ARM
“A large number of global businesses rely on open source software so it must be delivered with trusted and consistent compliance information. The OpenChain Project will help to meet this objective by providing a collaborative framework for companies to effectively manage open source software, promote best practices and build confidence among ecosystem partners. ARM, as a founder member, supports the initiative as it will improve efficiency and trust across the supply chain.”
Hobson Bullman, general manager, Technology Services Group, ARM
Harman
“The OpenChain Project is helping define best practices and establish consistency throughout the open source software supply chain. This effort is critical to ensuring greater quality of code and help limit duplication of effort so that development efforts remain focused and innovative.”
Alyssa Harvey Dawson, Vice President, Global Intellectual Property, Harman
Qualcomm
“We all know that the open source ecosystem today is a huge driver of growth for our industry, yet in the area of open source compliance we are all still plagued by uncertainty over code pedigree, redundant work being performed at each tier in the distribution chain, and persistent inefficiency – all perpetuated by the lack of confidence in the compliance work done by each other. OpenChain creates a foundation for that confidence. The adoption of OpenChain by our industry will improve compliance while at the same time increasing efficiency and lowering costs.”
Roger Martin, Senior Vice President, Chief IP Strategist, Qualcomm
Siemens
“OpenChain is addressing one of the biggest challenges the software industry is facing – ensuring transparency and license compliance through the software supply chain. OpenChain will help to achieve license compliance through the entire supply chain by additionally lowering the costs. Thus, the OpenChain Project is of great importance for the entire software ecosystem.”
Oliver Fendt, R&D Strategy Team Leader Open Source Governance, Siemens AG
Wind River
“As the importance of open source in modern day software solutions continues to grow, the OpenChain standard can help establish the required trust among software supply chain participants. OpenChain is a logical step to foster greater license compliance, reduced cost and even greater success through the creation and use of open source software. We look forward to advancing this initiative through our continued, active participation in the open source community.”
Dinyar Dastoor, General Manager, Operating Systems at Wind River
To learn more about the OpenChain Project and to participate in early discussions, please visit: http://www.openchainproject.org.
About The Linux Foundation
The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.
# # #
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page: https://www.linuxfoundation.org/trademark-usage.
Linux® is a registered trademark of Linus Torvalds.
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.