2. How The Linux Foundation Standards For
Open Source Compliance And Security
Will Fix Your Supply Chain

3. A Tiny Guide To Doing Something That
Might Contribute Something To
Something Else

4. Why

5. Or

6. Context

7. What If This Was My Final Speech?

8. What Would I Say?

9. I Would Want To Talk About What Is Real

10. Open Source Has Done Well

11. It Powers Almost All Digital Technology

12. Digital Technology Powers Modern Society

13. In Theory, Everyone Can Be A Part Of This

14. But Not Everything Is About Technology

15. Open Source Has Not Solved Society

16. Technology Has Not Solved Society

17. It Made Some Things Better

18. It Made Some Things Worse

19. Engineers Want To Engineer

20. This Solves A Lot Of Functional Challenges

21. Bridges… Buildings… Spreadsheets…

22. But Engineers Are Not Political Scientists

23. Human Society Is Not A Subroutine

24. And Perhaps

25. Perhaps

26. This Is Too Often Forgotten

27. Open Source Has Done Stunning Things

28. And Now We Can Manage It Very Well

29. And More Stunning Things Will Happen

30. But Most Of Those Stunning Things…

31. They Are About Products And Services

32. There Are Other Things We Need To Solve

33. Access, Equality, Opportunity

34. These Are Not Functional Problems

35. They Will Not Be Solved By Licenses

36. They Will Not Be Solved By Code

37. They Will Be Solved By Legislation

38. We Can Build On What We Have Learned

39. Not 40 Years Of Free Software

40. Not 75 Years Of Software

41. But 10,000 Years Of History

42. So…

43. I Encourage You To Be Optimistic

44. I Encourage You To Be Realistic

45. I Encourage You To Be Thoughtful

46. Do Not Allow Dogma To Blind You

47. And Seek To Make Things Better

48. In Open Source That Means Processes

49. In Society It Means Different Processes

50. In All Cases It Means Doing Our Best

51. Sometimes It Is Relatively Easy (OpenChain)

52. Sometimes It Is Hard (Human Potential)

53. We Waste A Lot Of Energy Arguing

54. And Some Technology Has Harmed People

55. But What Is The Alternative?

56. Stagnant, Static Societies?

57. Things Can Be Better

58. We Are Here To Make Them Better

59. So…

60. Keep Focused. Get It Done.

61. Go Change The World For The Better

62. (In Our Tiny Part With Caveats)

63. How

64. New Stuff Is Nice

65. But Optimization Is The Key To Value

66. It Connects Potential And Reality

67. We Will Talk About One Tiny Optimization

68. In Our Tiny Part

69. Things Are Complex

70. There Are More Rules And Guidelines
NTIA on Software Bill of Materials (SBOM)
White House Executive Order
Cyber Resiliency Act (CRA)

71. 5.5tn
Global Cost of Cyber Crime
Source – CRA Explanatory Materials

72. Our Mental Model Of The Supply Chain

73. The Actual Supply Chain

74. 67.4%
of managers monitor their supply chain with Excel spreadsheets
https://www.zippia.com/advice/supply-chain-statistics/

75. 94%
of companies do not have full visibility of their supply chain
https://www.zippia.com/advice/supply-chain-statistics/

76. https://www.synopsys.com/blogs/software-security/open-source-trends-ossra-report/

77. Open Source Reality – We Are Doing Better
We have many challenges
We are solving them with better, more efficient practices
Example:
Creating the policy and processes to for SBOM adoption

78. Our Key Process Standards (Frameworks)
OpenChain ISO/IEC 5230:2020
The International Standard for open source license compliance.
OpenChain ISO/IEC DIS 18974
The de facto standard for open source security assurance compliance.
78

79. How These Standards Work
High level process standards
Simple, effective and suitable for companies of all sizes
Open, free and developed by a vibrant user community

80. The Standards Work Company By Company
Result = A More Predictable Supply Chain

81. Example Adoption Of
OpenChain ISO/IEC
5230:2020
81

82. Conformance Announcements ~4 Weeks
OpenChain ISO/IEC 5230
OpenChain ISO/IEC DIS 18974

83. 20%
of German companies with over 2,000 employees
already use OpenChain ISO/IEC 5230
https://www.pwc.de/en/digitale-transformation/pwc-bitkom-study-open-source-monitor-2021.pdf

84. Key Companies Supporting These Standards
84

85. Global Community
Main Work Groups:
● Specification (Spring 2016~)
● Education (Autumn 2020~)
Community Work Groups:
● Tooling (Summer 2019~)
● Export Control (Winter 2022~)
● Public Policy (Winter 2022~)
Special Interest Groups:
● Automotive (Summer 2019~)
● Telecom (Spring 2021~)
Regional User Groups
● Japan (Dec 2017~)
● Korea (Jan 2019~)
● India (Sept 2019~)
● China (Sept 2019~)
● Taiwan (Sept 2019~)
● Germany (Jan 2020~)
● UK (June 2020~)
● USA (Dec 2020~)

86. Self-Certification
Independent Assessment
Third-Party Certification
Freedom Of Choice In Adoption

87. Free Self-Certification Material
87

88. Free Online Training Courses
88
LFC193 - 4.65 out of 5 rating by users
LFC194 - 4.55 out of 5 rating by users

89. Be Part Of This
https://www.openchainproject.org/participate

90. By The Way…

91. Last Night I Was Anxious About This Talk

92. I Dreamt I Overslept And Missed It!

93. But I Didn’t

94. Unlucky You