Open Compliance Summit 2024

This presentation shares the experiences and challenges faced during the integration process of the Open Source Program Offices (OSPO) at LY Corporation, formed by the merger of LINE Corporation and Yahoo! Japan Corporation. It highlights the insights gained from merging two different OSPOs and aims to share best practices and strategies for effective compliance policy integration and operation. 

Challenges in adjusting in-production processes for improved open source management and how to overcome them - Volvo case study

We at Nokia are following the OpenChain compliance standard in our day to day operations of open source compliance. Our processes need to be very effective for the developers and the compliance staff due to the massive amount of open source usage and the criticality of our open source contributions. In their talk, Eleftheria and Gergely will uncover not only how the usage of the practices defined in OpenChain help to design and execute these lean compliance processes, but also what challenges the Nokia OSPO had in the evaluation of OpenChain compliance. Fulfilling the standard requirements is not a walk in the park, especially for large organizations with diverse business models that need to fight against decades of bias, misconceptions or even complete lack of knowledge towards open source. For adopting the OpenChain compliance standard, many different actors and stakeholders within an organization need to cooperate – and in some cases they do not understand every aspect of open source. In this presentation, we want to highlight how shifting the narrative and educating are pillars for a robust and well-functioning open source compliance management system.

This panel will use two case studies to highlight how sharing experience from adopting industry solutions can help support the open source ecosystem. One is about how BlackBerry adopted ISO 5230 for open source license compliance with the assistance of OSS Consultants. The other is about how the openEuler Project adopted ISO 18974 for open source security assurance. Each case study explored different nuances of corporate or community activity to align with international standards, illustrating how common threads can be found to support continual improvement everywhere in our supply chain.

the incompatibility of open source licences has been one of the banes of our ecosystem (see for example the openvpn apache GPL licence amendment for mbedtls). All of these incompatibilities serve merely to promote confusion among open source developers about how the may legitimately share code among truly open projects, cause massive headaches for users and distributors trying to ensure licence compliance and do nothing to deter people out to violate the licence. The biggest problematic incompatibility is that of GPL with popular permissive licences like Apache-2. This comes about because of the licence steward (the FSF) and its rigid interpretation of the no additional restrictions clause. This talk will argue that this clause isn't as rigid as the FSF thinks and, in fact, restrictions compatible with the purpose of the licence (including the indemnity clause of Apache-2) can be accommodated.

There is a saying: in theory, theory and practice are the same but in practice they are not. We work in practice and we are seeing that many of the tools and processes that have been developed and that people have put a lot of time and effort in do not address our needs and only solve a small part of the compliance puzzle we are trying to solve daily. In this deep dive we want to show what challenges we face and where current tools and processes are letting us down. This will be a positive and uplifting talk.

Open source components form the backbone of nearly every application in every industry. Acquirers in M&A deals want to understand what risk is in the software they’re acquiring to avoid post-close headaches and integration nightmares. Your software due diligence process will help determine the ultimate success or failure of the transaction. Join us and a speaker who has “been there” for this live webinar as we discuss best practices before, during, and after the due diligence phase to ensure post-close success. We’ll cover: • Why open source due diligence is key in tech transactions • Lessons learned on how to perform open source due diligence • How to leverage diligence findings in post-close integration

Software supply chains would benefit from standardizing the declaration of cryptographic algorithms. Incorporating these algorithms into SBOMs is crucial for developing open, shared and transparent management processes in areas like export control or security compliance and auditing to declare, publish, distribute, etc. information about crypto algorithms present in any software composition within complex supply chains. Creating, maintaining, and publishing a curated list of cryptographic algorithms is a required infrastructure step, and the SPDX project has committed to perform these tasks, under an open participation process. During the talk, Julián and Agustin will describe the current state of SPDX's crypto algorithms list and its expected impact, together with future plans. List: https://github.com/spdx/crypto-algorithms Finally, both speakers will trigger a discussion around an open collaboration within OpenChain to foster a robust open-source tooling ecosystem for detecting cryptographic algorithms as well as to define those key management processes within complex supply chains.

Every single day, hundreds of companies scan exactly the same open source projects as each other, in order to detect and manage open source licenses. Find out how the Open Source Initiative’s ‘ClearlyDefined’ project takes the typical open source license scanning practices, leverages crowd-sourcing and open source contributions, in order to make the results available for all to consume.

In an increasingly complex software supply chain landscape, ensuring compliance, integrity, and traceability of source code is paramount. Software Heritage, launched by Inria in 2016 in partnership with UNESCO, is a global non profit long term initiative to collect, preserve and make easily accessible all publicly available source coce. As the reference infrastructure for archiving and referencing, it offers unparalleled potential to address these challenges.

This presentation will explore how Software Heritage’s initiatives, including the SWHID (Software Hash Identifier) and the upcoming "Code Commons" project, are poised to enhance compliance across the software supply chain. By integrating with SPDX and contributing to global standards, Software Heritage not only guarantees the availability and integrity of software source code, but also drives forward the business management of open source.

As an open multi-stakeholder non profit initiative, joining Software Heritage provides a unique opportunity to contribute to its roadmap and have your needs taken into account.