Open Compliance Summit 2024

It's been 20 years since the first in-court enforcement of the GNU General Public License. This anniversary provides an occasion for a retrospective on what, how and why happened back then - both as a reminder to those who have been around, or as a history lesson to the younger generation. In the early 2000s, the IT industry was already adopting Linux and other FOSS on a massive scale, but at the same time did not generally concern themselves a lot with license compliance. This in turn lead to a spike of enforcement activities. During the last two decades, many improvements in compliance related awareness, processes and tooling have happened. Does this mean the license compliance question has been solved?

License and policy changes are in the news recently: Hashicorp, Red Hat CENTOS, Grafana, and others. These changes often result in forks and other disruption. This session takes an analytical look at why these changes take place, their impact on license rights, and why they succeed or fail.

Suddenly Europe has market regulation for software. Lots of it. Discussions are already happening in other countries. Europe now has a product liability law which creates no-fault liability for software, there's a cyber resilience law which puts conditions on being allowed to publish software, and we have a 459-page law about artificial intelligence. This presentation is specifically aimed at non-European audiences, with information in two parts: Firstly, for non-Europeans doing business in Europe, or projects with developers in Europe: how can the free and open source software ecosystem organise compliance? Secondly, with other parts of the world looking to Europe to see what has been done right, or what should be done differently: how can we be part of leading the legislators towards a sensible legal framework that works well with free and open source software? Can sensible laws even produce incentives for publishing as free and open source software? While discussing these topics, there are also interesting learnings about how legislation interacts differently with free and open source software, and how our ecosystem can participate effectively in legislative procedures.

Fujitsu has recently obtained two international standards conformance certifications related to OSS. The first is ISO/IEC 5230 (OpenChain), which addresses OSS license compliance, and the second is ISO/IEC 18974 (OpenChain Security Assurance), which pertains to OSS security assurance. We will provide a brief overview of our efforts to conform to the OpenChain Security Assurance Standard (18974) in conjunction with the third renewal of the OpenChain Standard (5230) conformance.

Furthermore, we will present the international standardization of AI management systems (ISO/IEC 42001) and Fujitsu's contributions to the standardization process. The ISO/IEC 42001 standard, published in December 2023, is the first global management system standard for AI. Its structure is based on the software system lifecycle that has already been standardized in software engineering, and it addresses issues specific to AI, such as ethical issues, transparency, and continuous learning.

This presentation shares the experiences and challenges faced during the integration process of the Open Source Program Offices (OSPO) at LY Corporation, formed by the merger of LINE Corporation and Yahoo! Japan Corporation. It highlights the insights gained from merging two different OSPOs and aims to share best practices and strategies for effective compliance policy integration and operation. 

Challenges in adjusting in-production processes for improved open source management and how to overcome them - Volvo case study

We at Nokia are following the OpenChain compliance standard in our day to day operations of open source compliance. Our processes need to be very effective for the developers and the compliance staff due to the massive amount of open source usage and the criticality of our open source contributions. In their talk, Eleftheria and Gergely will uncover not only how the usage of the practices defined in OpenChain help to design and execute these lean compliance processes, but also what challenges the Nokia OSPO had in the evaluation of OpenChain compliance. Fulfilling the standard requirements is not a walk in the park, especially for large organizations with diverse business models that need to fight against decades of bias, misconceptions or even complete lack of knowledge towards open source. For adopting the OpenChain compliance standard, many different actors and stakeholders within an organization need to cooperate – and in some cases they do not understand every aspect of open source. In this presentation, we want to highlight how shifting the narrative and educating are pillars for a robust and well-functioning open source compliance management system.