News

Open Source Supply Chain Spec Released

• By David Ramel
• 04/28/2017

The Linux Foundation has released a new specification for managing compliance in enterprise supply chains that leverage open source software.

The new OpenChain Specification 1.1 comes from the four-year-old OpenChain Project, described as "a community effort to establish best practices for effective management of open source software compliance."

That project resulted from industry players recognizing that organizations that had enacted successful, mature open source compliance programs exhibited similarities in their processes, but others didn't have equally advanced programs. That resulted in a lack of trust among partners exchanging software. The goal of the project is to reduce that lack of trust among organizations while providing specifications that help the organizations with less-advanced programs save money by not having to duplicate the efforts already taken by organizations with more mature systems in place.

To accomplish that goal, the project has three working groups, for the specification, curriculum (training materials and education) and conformance (helping organizations check to ensure they are adhering to specification requirements).

"The OpenChain Project builds trust in open source by making things simpler, more efficient and more consistent," The Linux Foundation said in a news release yesterday. "The specification creates trust between organizations. The conformance allows new organizations to join the circle of trust. The curriculum supports implementation by entities of any size. The result is that open source becomes predictable, understandable and optimized for internal and external supply chains of any type."

As part of the new OpenChain spec, the project also provides an Online Self-Certification service.

"Organizations can only build trust in other entities when they have the opportunity to demonstrate the way they are handling open source software meets the criteria of a good compliance process," said Dr. Miriam Ballhausen, OpenChain Conformance Work Team Lead. "With the Online Self-Certification Web App, the OpenChain Project created a tool that allows organizations to demonstrate just that and potential partners to check their suppliers’ OpenChain conformance."

Siemens, Qualcomm, Pelagicore and Wind River were recognized as being the first four organizations to self-certify to the OpenChain Specification 1.1.