Linux Foundation specification for open software supply chain compliance

The Linux Foundation has used its news chain to unveil the OpenChain Specification 1.1 and an accompanying Online Self-Certification service.

The technology is positioned as a means for organisations to ensure consistent compliance management processes in what is being called the open source software supply chain.

Fantastic (first) four

The OpenChain Project has welcomed Siemens, Qualcomm, Pelagicore and Wind River as the first four organisations to self-certify to the OpenChain Specification 1.1.

According to the Linux Foundation, the OpenChain Project is a community effort to establish best practices for effective management of open source software compliance.

The project aims to reduce costs, avoid duplication of effort and ease friction points in the software supply chain.

The OpenChain Project aims to build trust in open source by making things simpler, more efficient and more consistent.

“The OpenChain Project is about open source compliance across the many entities in the modern IT supply chain,” said Kate Stewart, senior director of strategic programs, The Linux Foundation.

Trusted package, to trusted chain

Stewart explains that the long-established SPDX Project addresses the question of ‘how do you trust the contents of a software package?’

But now… the OpenChain Project addresses the question of ‘how do you trust companies in a supply chain?’

“Organisations can only build trust in other entities when they have the opportunity to demonstrate the way they are handling open source software meets the criteria of a good compliance process,” said Dr. Miriam Ballhausen, OpenChain Conformance Work Team Lead.

The latest version of the specification represents the work of more than a hundred contributors.