State of the Union
Open Compliance Summit 2022
Mike Dolan, SVP and GM of Projects
15+ years ago, we started collaborating to reduce issues with open source license compliance
The questions we were asking:
● What license is this code?
● What license(s) are in my code?
● What license(s) are in this code you gave me?
Timeline as drawn on the slide: 2007, legal and developer education; 2007, scan and document; 2010, SBOMs
15+ years ago, we started collaborating to reduce issues with open source license compliance
The questions we were asking:
● What license is this code?
● What license(s) are in my code?
● What license(s) are in this code you gave me?
Timeline as drawn on the slide: 2007, legal and developer education; 2007, scan and document; 2010, SBOMs
Success: "I know what's in this code!"
These efforts used transparency to solve our challenges with open source compliance
● Greater transparency enables decision makers to make better decisions
● With open source software, we weren't concerned about confidential or proprietary information in the open source software
The business reason for open compliance was cost effective legal risk management
● We were concerned about legal loss events that could impact our companies
● License non-compliance could present various loss events:
○ Lawsuits
○ Damage to reputation
○ Business interruption due to injunctions
● "Compliance" became a quasi-legal concern (but it's not just that anymore)
New! WebAssembly for legal professionals
https://www.linuxfoundation.org/research/webassembly-for-legal-professionals
English, Japanese (日本), Chinese (中国人) available
Brand new: WebAssembly for Legal Professionals (Japanese edition)
https://www.linuxfoundation.jp/publications/2022/12/webassembly-for-legal-professionals/
As our challenges evolved, we worked on new solutions… by adding more transparency.
We then openly collaborated to reduce issues with open source management
The questions grew:
● What license is this code?
● What license(s) are in my code?
● What license(s) are in this code you gave me?
● How do I manage my license information?
● How do I manage my supply chain?
Timeline as drawn on the slide: 2007, educate others; 2007, scan and document; 2010, SBOMs; then SBOM management; 2015, process standards
We built open source management groups (OSPOs) to help scale risk management
● OSPOs started as "the open source group" in many companies
● Ultimately OSPOs were designed to manage risk for the company
○ Risk of licensing issues in products
○ Risk of licensing issues in supplier artifacts
○ Risk of inappropriate product dependencies
○ Community engagement risks
https://todogroup.org/guides/
The legal risks have continued to evolve … requiring evolution in risk management
● Losses from trolls
○ Copyright trolls
○ Patent trolls
● We worked on new solutions
○ Developer Certificate of Origin (2004)
○ Linux Kernel Enforcement Statement (2020)
○ Collaborations with Unified Patents and Open Invention Network
https://www.kernel.org/doc/html/latest/process/kernel-enforcement-statement.html
We can work together even on complex issues
https://lore.kernel.org/netdev/Ye6jCQm7z0Yr3bqA@salvia/T/
With the legal risks managed, open source was able to grow … massively
https://www.sonatype.com/state-of-the-software-supply-chain/open-source-supply-demand-security
And now we face cybersecurity risk, and a need for open source security risk management
https://www.sonatype.com/state-of-the-software-supply-chain/open-source-supply-demand-security
And now we are openly collaborating to extend license risk management tools, processes, and standards to address security risks
Each question on the slide is paired with the tool or standard that answers it:
● What are we building into our product? CI/CD build systems
● How do I share what packages are in this? SBOMs
● How do I verify this is the package you said it is? Attestation service
● How do I manage my supply chain? Process standards, SLSA
● Is that OSS community security focused? Scorecard
● What is the integrity? Levels of assurance, S2C2F
Our existing risk management standards are evolving to address security risk mitigation requirements
https://www.linuxfoundation.org/blog/the-openchain-security-assurance-specification-1.1-now-available
https://www.chainguard.dev/unchained/whats-new-in-spdx-2-3
Quoted from the Chainguard post above:
Major Changes in SPDX 2.3
Security: One of the main uses of SBOMs today is dependency and vulnerability management. This version introduces advisory, fix, URL and SWID as categories in the security identifiers to link the package to additional security context.
GitBOM: Joining the list of persistent identifiers comes gitoid, the identifier used by the GitBOM project to cryptographically track where a package fits in the dependency tree.
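As an added example (not from the slides or the Chainguard post they quote), the following Python parses SPDX 2.3 tag-value ExternalRef lines of the kinds just described, groups the SECURITY references by type, and checks a gitoid against the bytes of the artifact the SBOM claims to describe. The SBOM fragment, package name, URLs and artifact bytes are constructed; the gitoid is computed as the git blob object id of the bytes, which is what GitBOM uses.

```python
"""Parse SPDX 2.3 ExternalRef lines and verify a GitBOM gitoid.

Added example, not taken from the slides or the Chainguard post they cite.
The SBOM fragment, package name, URLs and artifact bytes below are constructed;
the gitoid is computed as the git blob object id, which is what GitBOM uses.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Reference types SPDX 2.3 allows under the SECURITY and PERSISTENT-ID categories.
SECURITY_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}
PERSISTENT_ID_TYPES = {"swh", "gitoid"}

# Tag-value form: "ExternalRef: <category> <type> <locator>"
EXTERNAL_REF_LINE = re.compile(r"^ExternalRef:\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
GITOID_LOCATOR = re.compile(r"^gitoid:blob:(sha1|sha256):([0-9a-f]+)$")


@dataclass(frozen=True)
class ExternalRef:
    category: str
    ref_type: str
    locator: str


def gitoid(data: bytes, algo: str = "sha1") -> str:
    """GitBOM gitoid of an artifact: hash of the git blob header plus the bytes."""
    h = hashlib.new(algo)
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return f"gitoid:blob:{algo}:{h.hexdigest()}"


def parse_external_refs(tag_value: str) -> list[ExternalRef]:
    """Collect ExternalRef lines, rejecting types SPDX 2.3 does not define."""
    refs: list[ExternalRef] = []
    for line in tag_value.splitlines():
        m = EXTERNAL_REF_LINE.match(line.strip())
        if not m:
            continue
        category, ref_type, locator = m.groups()
        if category == "SECURITY" and ref_type not in SECURITY_TYPES:
            raise ValueError(f"unknown SECURITY reference type: {ref_type}")
        if category == "PERSISTENT-ID" and ref_type not in PERSISTENT_ID_TYPES:
            raise ValueError(f"unknown PERSISTENT-ID reference type: {ref_type}")
        refs.append(ExternalRef(category, ref_type, locator))
    return refs


def security_context(refs: list[ExternalRef]) -> dict[str, list[str]]:
    """Group SECURITY locators by type (advisory, fix, url, swid, cpe...)."""
    grouped: dict[str, list[str]] = {}
    for r in refs:
        if r.category == "SECURITY":
            grouped.setdefault(r.ref_type, []).append(r.locator)
    return grouped


def verify_gitoid(refs: list[ExternalRef], artifact: bytes) -> bool:
    """True only if the SBOM carries at least one gitoid and every one matches."""
    seen = False
    for r in refs:
        if r.category != "PERSISTENT-ID" or r.ref_type != "gitoid":
            continue
        m = GITOID_LOCATOR.match(r.locator)
        if not m or gitoid(artifact, m.group(1)) != r.locator:
            return False
        seen = True
    return seen


# Constructed artifact and SBOM fragment; the gitoid line is derived from the
# bytes so the fragment is internally consistent.
SAMPLE_ARTIFACT = b"example-lib 1.2.3 (constructed artifact bytes)\n"
SAMPLE_SBOM = f"""SPDXVersion: SPDX-2.3
PackageName: example-lib
SPDXID: SPDXRef-Package-example-lib
PackageVersion: 1.2.3
ExternalRef: SECURITY advisory https://example.invalid/advisories/EXAMPLE-0001
ExternalRef: SECURITY fix https://example.invalid/example-lib/commit/PLACEHOLDER
ExternalRef: SECURITY url https://example.invalid/example-lib/security
ExternalRef: SECURITY swid swid:example-lib-1.2.3-constructed
ExternalRef: PERSISTENT-ID gitoid {gitoid(SAMPLE_ARTIFACT)}
"""


def check_sbom(tag_value: str, artifact: bytes) -> dict:
    """Summarise the security context and whether the gitoid matches the artifact."""
    refs = parse_external_refs(tag_value)
    return {"security": security_context(refs), "gitoid_ok": verify_gitoid(refs, artifact)}


if __name__ == "__main__":
    print(check_sbom(SAMPLE_SBOM, SAMPLE_ARTIFACT))
    print(check_sbom(SAMPLE_SBOM, SAMPLE_ARTIFACT + b"tampered"))
```

A gitoid mismatch means the bytes in hand are not the bytes the SBOM was written for, which is the check an attestation or build-verification step would run before trusting the listed advisories and fixes.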
New investments in OSPOs are needed to help CISO teams address open source cybersecurity risks.
Diagram labels: Licensing Risks; Security Risks
OSPOs that partner with product security teams help define policies, processes, build system requirements, and supply chain transparency for managing security risk in open source and commercial product systems
Thank you very much!
Thank you!
14 th Edition of International conference on computer vision
 

Open Compliance Summit 2022 – State of the Union from Mike Dolan, SVP and GM of Projects at The Linux Foundation

  • 9. We then openly collaborated to reduce issues with open source management
    ● What license is this code? (2007) → Educate others
    ● What license(s) are in my code? (2007) → Scan and document
    ● What license(s) are in this code you gave me? (2010) → SBOMs
    ● How do I manage my license information? (2015) → SBOM management
    ● How do I manage my supply chain? (2015) → Process standards
  • 10. We built open source management groups (OSPOs) to help scale risk management
    ● OSPOs started as “the open source group” in many companies
    ● Ultimately OSPOs were designed to manage risk for the company
      ○ Risk of licensing issues in products
      ○ Risk of licensing issues in supplier artifacts
      ○ Risk of inappropriate product dependencies
      ○ Community engagement risks
    https://todogroup.org/guides/
  • 11. The legal risks have continued to evolve … requiring evolution in risk management
    ● Losses from trolls
      ○ Copyright trolls
      ○ Patent trolls
    ● We worked on new solutions
      ○ Developer Certificate of Origin (2004)
      ○ Linux Kernel Enforcement Statement (2017)
      ○ Collaborations with Unified Patents and Open Invention Network
    https://www.kernel.org/doc/html/latest/process/kernel-enforcement-statement.html
  • 12. We can work together even on complex issues
    https://lore.kernel.org/netdev/Ye6jCQm7z0Yr3bqA@salvia/T/
  • 13. With the legal risks managed, open source was able to grow … massively
    https://www.sonatype.com/state-of-the-software-supply-chain/open-source-supply-demand-security
  • 14. And now we face cybersecurity risk, and a need for open source security risk management
    https://www.sonatype.com/state-of-the-software-supply-chain/open-source-supply-demand-security
  • 15. And now we are openly collaborating to extend license risk management tools, processes, and standards to address security risks
    ● What are we building into our product? → CI/CD build systems
    ● How do I share what packages are in this? → SBOMs
    ● How do I verify this is the package you said it is? → Attestation service
    ● How do I manage my supply chain? → Process standards (S2C2F)
    ● What is the integrity? Levels of assurance → SLSA
    ● Is that OSS community security focused? → Scorecard
  • 16. Our existing risk management standards are evolving to address security risk mitigation requirements
    https://www.linuxfoundation.org/blog/the-openchain-security-assurance-specification-1.1-now-available
    https://www.chainguard.dev/unchained/whats-new-in-spdx-2-3
    Major Changes in SPDX 2.3
    Security: One of the main uses of SBOMs today is dependency and vulnerability management. This version introduces advisory, fix, URL and SWID as categories in the security identifiers to link the package to additional security context.
    GitBOM: Joining the list of persistent identifiers comes gitoid, the identifier used by the GitBOM project to cryptographically track where a package fits in the dependency tree.
  • 17. New investments in OSPOs are needed to help CISO teams address open source cybersecurity risks
    Licensing risks + Security risks
    OSPOs that partner with product security teams help define policies, processes, build system requirements, and supply chain transparency for managing security risk in open source and commercial product systems