Open Compliance Summit 2024

Open Compliance Summit 2024

In-person Event | October 30-31, 2024
View More Details

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for the Open Compliance Summit to participate in the sessions.

Open Compliance Summit is an exclusive event for Linux Foundation members and select invitees. Attendance is limited to ensure ease of networking and collaboration. The summit (like prior) will be held under Chatham House Rule. Please consent to this rule before you request an invitation.

Please note: This schedule is automatically displayed in Japan Standard Time (UTC+9:00). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.

arrow_back View All Dates

09:20 JST

Keynote: Welcome + Opening Remarks - Shane Coughlan, The Linux Foundation

Wednesday October 30, 2024 09:20 - 09:30 JST

Speakers

Shane Coughlan

General Manager, OpenChain

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated OIN into the largest patent non-aggression community in history and establishing the first global network for open... Read More →

Wednesday October 30, 2024 09:20 - 09:30 JST
Room 1

Keynote Sessions

09:30 JST

Keynote: Compliance in Japan - An Overview by Ayumi Watanabe

Wednesday October 30, 2024 09:30 - 09:40 JST

Speakers

Ayumi Watanabe

SBOM Evangelist, Hitachi Solutions, Ltd.

Ayumi Watanabe is a Senior OSS Specialist of Hitachi Solutions, Ltd.. She is also a core member of OpenChain Japan and known as a SBOM evangelist appointed by the Linux Foundation Japan. Her strong point is a knowledge of many tools for SBOM generation and management, a wide range... Read More →

Wednesday October 30, 2024 09:30 - 09:40 JST
Room 1

Keynote Sessions

09:40 JST

Keynote: The Dark Ages of GPL Compliance 20 Years Ago - Harald Welte, sysmocom

Wednesday October 30, 2024 09:40 - 10:00 JST

It's been 20 years since the first in-court enforcement of the GNU General Public License. This anniversary provides an occasion for a retrospective on what, how and why happened back then - both as a reminder to those who have been around, or as a history lesson to the younger generation. In the early 2000s, the IT industry was already adopting Linux and other FOSS on a massive scale, but at the same time did not generally concern themselves a lot with license compliance. This in turn lead to a spike of enforcement activities. During the last two decades, many improvements in compliance related awareness, processes and tooling have happened. Does this mean the license compliance question has been solved?

Speakers

Harald Welte

Founder, sysmocom

In his former life, Harald was a Linux Kernel developer, primarily active in the netfilter/iptables subsystem. In 2004, he founded the gpl-violations.org project, which achieved considerable success in early GPL enforcement. During the past 16 years, his main focus has shifted to... Read More →

Wednesday October 30, 2024 09:40 - 10:00 JST
Room 1

Keynote Sessions, Licensing

Content Experience Level Intermediate

10:05 JST

Keynote: License Changes: Why They Happen and What to Do - Heather Meeker, Tech Law Partners LLP

Wednesday October 30, 2024 10:05 - 10:25 JST

License and policy changes are in the news recently: Hashicorp, Red Hat CENTOS, Grafana, and others. These changes often result in forks and other disruption. This session takes an analytical look at why these changes take place, their impact on license rights, and why they succeed or fail.

Speakers

Heather Meeker

Partner, Tech Law Partners LLP

Heather Meeker is a partner at Tech Law Partners, LLP, www.techlawpartners.com, a law firm focused on technology transactions. She was a founding partner at OSS Capital, www.oss.capital, an early stage venture capital fund specializing in commercial open source development. Meeker... Read More →

Wednesday October 30, 2024 10:05 - 10:25 JST
Room 1

Keynote Sessions, Licensing

Content Experience Level Intermediate

10:30 JST

Keynote: Product Regulation for Software. Where Is the World Going? - Ciarán O'Riordan, OpenForum Europe & Catharina Maracke, Software Compliance Academy

Wednesday October 30, 2024 10:30 - 10:50 JST

Suddenly Europe has market regulation for software. Lots of it. Discussions are already happening in other countries. Europe now has a product liability law which creates no-fault liability for software, there's a cyber resilience law which puts conditions on being allowed to publish software, and we have a 459-page law about artificial intelligence. This presentation is specifically aimed at non-European audiences, with information in two parts: Firstly, for non-Europeans doing business in Europe, or projects with developers in Europe: how can the free and open source software ecosystem organise compliance? Secondly, with other parts of the world looking to Europe to see what has been done right, or what should be done differently: how can we be part of leading the legislators towards a sensible legal framework that works well with free and open source software? Can sensible laws even produce incentives for publishing as free and open source software? While discussing these topics, there are also interesting learnings about how legislation interacts differently with free and open source software, and how our ecosystem can participate effectively in legislative procedures.

Speakers

Catharina Maracke

Senior Advisor Open Source Strategy, Software Compliance Academy

Dr. Catharina Maracke is a lawyer by training and has been involved in intellectual property and public licensing and models for over 15 years. She has worked closely with the World Economic Forum, where she served on the Global Agenda Council on the intellectual property system... Read More →

Ciarán O'Riordan

Sr. Policy Advisor, OpenForum Europe

Senior Policy Advisor at OFE, Ciarán O’Riordan has been working in Brussels since 2004 with a focus on EU policy and free and open source software. He recently worked on the EU's Cyber Resilience Act as well as coordinating the efforts of many free and open source organisations... Read More →

Wednesday October 30, 2024 10:30 - 10:50 JST
Room 1

Keynote Sessions, Supply Chain

Content Experience Level Intermediate

10:55 JST

Coffee Break

Wednesday October 30, 2024 10:55 - 11:25 JST

Wednesday October 30, 2024 10:55 - 11:25 JST
Room 1

Breaks

11:25 JST

Open Source as a Strategic Asset in M&A: The Evolving Landscape of Transactional Risk Management - Andrew Katz & Stephen Pollard, Orcro; Heather Meeker, Tech Law Partners; Lewis Parle, Lockton; Byron Frost & Ayako Suga, Baker & McKenzie

Wednesday October 30, 2024 11:25 - 12:00 JST

Software has eaten the world, and features as a strategic asset in an overwhelming proportion of M&A transactions. That software will almost always contain a significant amount of open source, and lawyers, insurers, corporate finance specialists and VCs are evolving techniques to assess, understand, manage and outsource the risks which open source, for all its well understood benefits, is also perceived to present. However, adoption of techniques to manage these risks remains inconsistent, and this panel, consisting of experts in the fields of open source law, M&A, private equity finance, insurance and risk process management will explore current risk management techniques in the context of M&A, and expose trends and evolving practice in the area. The panel will draw on experience in North America, Europe [and Asia] and draw on case studies involving transactions globally, and present a roadmap for managing future transactions.

Speakers

Byron Frost

Partner, Baker & McKenzie

Byron Frost is a member of the Corporate/M&A group of Baker McKenzie's Tokyo office. Byron is also a member of the Tokyo office’s Technology, Media and Telecommunications industry group steering committee. Prior to joining the Firm, he worked at a major law firm in Australia.

Heather Meeker

Partner, Tech Law Partners LLP

Heather Meeker is a partner at Tech Law Partners, LLP, www.techlawpartners.com, a law firm focused on technology transactions. She was a founding partner at OSS Capital, www.oss.capital, an early stage venture capital fund specializing in commercial open source development. Meeker... Read More →

Lewis Parle

Head of IP Risk, Lockton

Lewis heads Lockton's IP Risk practice, which helps private equity, VC and corporate clients and their IP advisors find strategic risk transfer solutions for IP risks in various contexts including M&A, licensing, product launches, financing and litigation. Lewis is a qualified solicitor... Read More →

Andrew Katz

CEO and Consultant, Orcro Limited/Bristows LLP

Andrew Katz is a solicitor who has been advising on Open Source and Open Technologies for over 30 years. He is CEO of Orcro Limited, a specialist open source compliance consultancy, and Solicitor Consultant at Bristows LLP in London, one of the UK's leading IP-focussed law firms... Read More →

Stephen Pollard

Director, Orcro

Stephen was managing director of Arup’s UKIMEA consulting unit. His skillset and experience are focused on the capabilities needed to put new strategies into action. Stephen advises clients on how to achieve their strategic goals and acts as a partner in helping drive through change... Read More →

Ayako Suga

Counsel, Baker & McKenzie

Ayako Suga is a member of the Firm's IP Tech group in Tokyo. Ayako is a native Japanese speaker and is fluent in English.

Wednesday October 30, 2024 11:25 - 12:00 JST
Room 1

Breakout Sessions, Legal / IPR

Content Experience Level Intermediate

12:00 JST

Sponsored Keynote: Fujitsu's OSS Standards Conformance and AI Management System Standardization Participation - Tadayuki Osaki & Dr. Yuchang Cheng, Fujitsu Limited

Wednesday October 30, 2024 12:00 - 12:10 JST

Fujitsu has recently obtained two international standards conformance certifications related to OSS. The first is ISO/IEC 5230 (OpenChain), which addresses OSS license compliance, and the second is ISO/IEC 18974 (OpenChain Security Assurance), which pertains to OSS security assurance. We will provide a brief overview of our efforts to conform to the OpenChain Security Assurance Standard (18974) in conjunction with the third renewal of the OpenChain Standard (5230) conformance.

Furthermore, we will present the international standardization of AI management systems (ISO/IEC 42001) and Fujitsu's contributions to the standardization process. The ISO/IEC 42001 standard, published in December 2023, is the first global management system standard for AI. Its structure is based on the software system lifecycle that has already been standardized in software engineering, and it addresses issues specific to AI, such as ethical issues, transparency, and continuous learning.

Speakers

Tadayuki Osaki

OSS compliance manager, Legal & Intellectual Property Unit, Fujitsu Limited

Mr. Tadayuki Osaki serves as the Open Source Software (OSS) and Standards Community Manager of Fujitsu's Legal and Intellectual Property Unit. His team is responsible for managing international standards- and OSS community-related activities. He currently serves on the board of the... Read More →

Yuchang Cheng

Senior Research Manager, Fujitsu Limited

Dr. Yuchang Cheng serves as a Senior Research Manager of the Artificial Intelligence Laboratory at Fujitsu Limited. His responsibilities at Fujitsu include spearheading the standardization of AI and leading the research of AI trust. Additionally, he serves as a delegate of the Japanese... Read More →

Wednesday October 30, 2024 12:00 - 12:10 JST
Room 1

Keynote Sessions

12:10 JST

Lunch

Wednesday October 30, 2024 12:10 - 13:30 JST

Wednesday October 30, 2024 12:10 - 13:30 JST
Room 1

Breaks

13:30 JST

Protecting Open Source and Companies' Intellectual Property Rights - Keith Bergelt, Open Invention Network

Wednesday October 30, 2024 13:30 - 13:55 JST

Intellectual property rights (IPR) help drive competition, innovation and differentiation for software companies. But, overly aggressive companies and Non-Practicing Entities look to hinder growth or extract unjustified value. Keith Bergelt, CEO of Open Invention Network, will share IPR strategies while addressing ways to mitigate risk to open source software projects, investors, companies and their developers. While differentiation higher in the software stack should garner significant IPR, the sharing of foundational technologies much lower in the stack significantly increases innovation, while lowering everyone’s costs. This presentation will discuss the key tenets around patent non-aggression in open source, ways to ensure IPR higher in the software stack and best practices that open source projects and companies should consider moving forward. . Key Takeaways: - Ways to differentiate and effectively compete in a software industry increasingly dependent on open source software - An understanding of the patent threat matrix to open source platforms and companies - Best practices for managing IPR higher in the software stack

Speakers

Keith Bergelt

CEO, Open Invention Network

Keith Bergelt is the CEO of Open Invention Network (OIN), the only institution focused on mitigating patent risk in open source software. Funded by Google, IBM, NEC, Philips, Sony, SUSE, and Toyota, OIN has nearly 4,000 community members. In his capacity as CEO, he is directly responsible... Read More →

Wednesday October 30, 2024 13:30 - 13:55 JST
Room 1

Breakout Sessions, Legal / IPR

Content Experience Level Intermediate

13:55 JST

Managing Compliance Artifacts as Code with OSCAL and Compliance-Trestle - Chris Butler, Red Hat

Wednesday October 30, 2024 13:55 - 14:20 JST

Compliance-as-code encompasses many activities such as automation of system configuration and general DevSecOps approaches. One area examined less is how to manage the documentary artefacts associated with compliance ‘as code’, replacing word documents and excel spreadsheets with markdown, yaml and json. Emerging data standards such as NIST’s OSCAL facilitate this approach. The OSCAL standard has been adopted by FedRAMP, Australian Cyber Security Centre, Centre for Internet Security, Singapore’s GovTech, among others. Compliance-trestle, or trestle, is an ensemble of open source tools that enable the creation, validation, and governance of documentation artefacts for compliance needs. It leverages NIST's OSCAL and provides an opinionated compliance-as-code approach to OSCAL adoption. Trestle is the central sub-project under the CNCF sandbox project OSCAL Compass. This talk will focus on three topics: - An conceptual overview of OSCAL and starting points in adopting the standard through an organisation's compliance processes - How to use trestle to manage OSCAL based compliance artefacts as code for DevOps teams. - How Red Hat has been using Trestle internally via Trestle-bot

Speakers

Chris Butler

Chief Architect, Red Hat

Dr. Chris Butler is a Chief Architect in the APAC Field CTO Office at Red Hat. Chris’ focus is working with regulated clients who are building infrastructure, application and AI platforms. Chris facilitates co-innovation engagements with our clients and partners with our product... Read More →

Wednesday October 30, 2024 13:55 - 14:20 JST
Room 1

Breakout Sessions, Technical Deep Dive

Content Experience Level Intermediate

14:20 JST

OSS-Rules: An Open Framework for Automated Open Source License Compliance at Scale - Diego Jorquera & Oscar Valenzuela, Amazon

Wednesday October 30, 2024 14:20 - 14:55 JST

This session introduces OSS-Rules, an open framework by Amazon to standardize and automate Open Source Compliance at scale. It features configurations and business rules for Third-Party Package Curation, Open Source License Assessment, Package Inventory, and Package Guidance. Speakers will discuss the challenges large organizations face in implementing Open Source Compliance Standards at scale and how a federated model with decentralized knowledge and shared practices can help overcome obstacles and speed up adoption. The talk will showcase how OSS-Rules' programmatic rules and configurations can integrate various processes and tools into an automated compliance system, allowing compliance engineers to benchmark tools based on expected outputs. The evolution of a governance model with standard compliance engineering methodologies and shared knowledge as programmatic rules is the foundation for the next generation of risk assessment. Attendees will learn how OSS-Rules can help automate compliance processes and share best practices, including knowledge related to programming language packages, making Open Source license compliance more efficient, auditable, and scalable.

Speakers

Oscar Valenzuela

Principal Open Source Engineer, Amazon

As Principal Open Source Engineer, Oscar leads Amazon's technical strategy for license compliance. Leveraging his experience, he defines compliance methodologies and tools to optimize and scale compliance processes across the company. In his role, Oscar provides technical guidance... Read More →

Diego Jorquera

Senior Open Source Engineer, Amazon

Diego Jorquera is a Senior Open Source Engineer at Amazon's Open Source Program office. His role is focused mainly on technical Open Source compliance, leveraging his software development background to help development teams across Amazon use and distribute Open Source software in... Read More →

Wednesday October 30, 2024 14:20 - 14:55 JST
Room 1

Breakout Sessions, Other Process Management

Content Experience Level Intermediate

14:55 JST

Rapid Handling of Vulnerabilities in the Supply Chain with SBOM and VEX - Yoshihisa Morizumi, Wang Mingyu & Lei Maohul, Fujitsu Limited

Wednesday October 30, 2024 14:55 - 15:20 JST

Fujitsu supports SPDX evolution and the movement to an international standard that provides a common SBOM basis for software exploitation for companies throughout the supply chain. We have long provided multilateral support for SPDX, especially thorough activities in Yocto and SPDX-Lite. From 2016, we have been joining maintainers of meta-spdxscanner, enabling SPDX functionality for the Yocto Project. Also, we are the top contributors of patch submissions to the Yocto Project. In recent years, increasing interest in cybersecurity has led to the need to quickly determine whether a product is vulnerable or not. In the supply chain, vulnerability information can be handled in combination with SBOM and VEX. An SBOM should be generated for each build, and a VEX should be generated for each vulnerability detection. It is necessary to manage them separately because their life cycles are different. In addition, there is a problem in the accuracy of the vulnerability, and there are some measures to solve it. In this presentation, we describe the advantages and challenges of creating VEX in Yocto as a use case.

Speakers

Wang Mingyu

Engineer, Fujitsu

Wang Mingyu joined the Fujitsu Corporation in 2008. Her main job now is developing an In-House Distro for Embedded Ecosystems which is based on Yocto project and LTS Kernel. She is one of the maintainers of Yocto and contributing actively to the community.

Lei Maohui

Software Engineer, Fujitsu

Yoshihisa Morizumi

Lead engineer, Fujitsu Limited

I am Embedded Linux Developer. I joined the Fujitsu Corporation since 2010. My major job is developing a In-House Distro for Embedded Systems.

Wednesday October 30, 2024 14:55 - 15:20 JST
Room 1

Breakout Sessions, Security

Content Experience Level Intermediate

15:20 JST

Coffee Break

Wednesday October 30, 2024 15:20 - 15:50 JST

Wednesday October 30, 2024 15:20 - 15:50 JST
Room 1

Breaks

15:50 JST

AI Panel: Jonathan Torres, Meta & Heather Meeker, OMM

Wednesday October 30, 2024 15:50 - 16:15 JST

Speakers

Heather Meeker

Partner, OMM

Jonathan Torres

ACG, Open Source, AI, Meta

Wednesday October 30, 2024 15:50 - 16:15 JST
Room 1

Breakout Sessions, AI Compliance

16:15 JST

Unpacking AI Model Licensing: Navigating Intellectual Property Challenges - Ye Tao, Grandall Law Firm

Wednesday October 30, 2024 16:15 - 16:40 JST

In the past year, many high-quality AI models have been "open sourced," but under various licenses. Google and Meta, for example, have adopted self-created licenses, while Stable Diffusion moved from the standardized OpenRail-M to a self-created license. In contrast, xAI chose the traditional Apache 2.0 license to "open source" Grok. Open source organizations like the Linux Foundation, the Open Source Initiative, and the Chinese OpenAtom Foundation are working on drafting frameworks, definitions, and standardized licenses to address the rising selection costs caused by non-standard licenses. The complexity and lack of standardization in AI model licenses arise because AI models, as structured data, present more confusing intellectual property issues compared to traditional software, which benefits from the Berne Convention and the WIPO Copyright Treaty (WCT). This session will explore the intellectual property challenges surrounding AI models, leveraging the experience of drafting the OpenAtom Model License. We aim to clarify what rights are actually licensed and outline what a robust license should cover, offering recommendations for future license drafting and standard-setting.

Speakers

Ye Tao

Partner, Grandall Law Firm

Ye Tao specializes in open source compliance and governance. He is a co-drafter of the OpenAtom Model License and has extensive experience in drafting AI model licenses. As an Open Source evangelist for the Linux Foundation APAC, Ye Tao is deeply engaged with the open source community... Read More →

Wednesday October 30, 2024 16:15 - 16:40 JST
Room 1

Breakout Sessions, Licensing

Content Experience Level Advanced

16:40 JST

AI Regulation and Startup Innovation in India: Ensuring Compliance with OpenChain ISO Standards - Arun Azhakesan, Siemens Healthineers

Wednesday October 30, 2024 16:40 - 17:05 JST

In recent years, artificial intelligence (AI) has emerged as a transformative technology with the potential to revolutionize industries globally. In India, the rapid growth of AI-based tech startups underscores the need for robust regulatory frameworks to ensure ethical, secure, and compliant AI deployment. This presentation analyzes existing AI and large language model (LLM) regulations in India, focusing on challenges and opportunities for AI startups. It explores the role of the Open Chain project and its ISO standards for security and compliance, ISO 5230 and ISO 18974, in supporting these startups. India's AI regulatory framework is evolving, with the Ministry of Electronics and Information Technology (MeitY), the National Strategy for Artificial Intelligence (NSAI), and the Personal Data Protection Bill (PDPB) 2019 playing key roles. AI startups face challenges in regulatory compliance, data privacy, and security. Implementing ISO standards offers structured compliance, enhanced data security, and improved operational efficiency. By adhering to ISO 5230 and ISO 18974, AI startups can navigate the regulatory landscape, protect user data, and focus on innovation and growth.

Speakers

Arun Azhakesan

Head of Secure Development Lifecycle, Siemens Healthineers

Arun Azhakesan heads the Secure Development Lifecycle team at Siemens Healthineers, steering secure development lifecycle activities within the Corporate Cyber Security organization. He co-leads the Eclipse SW360 project, chairs the OpenChain India Workgroup, and actively participates... Read More →

Wednesday October 30, 2024 16:40 - 17:05 JST
Room 1

Breakout Sessions, AI Compliance

Content Experience Level Intermediate

17:30 JST

Keynote: Closing Remarks - Shane Coughlan, The Linux Foundation

Wednesday October 30, 2024 17:30 - 17:35 JST

Speakers

Shane Coughlan

General Manager, OpenChain

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated OIN into the largest patent non-aggression community in history and establishing the first global network for open... Read More →

Wednesday October 30, 2024 17:30 - 17:35 JST
Room 1

Keynote Sessions