Introduction to ISO/IEC 5230 OpenChain Standard

Build trust in your software supply chain

The OpenChain Project

In 2013 the Linux Foundation started the OpenChain Project led by Shane Coughlan. The project sought to define an effective specification for open source license compliance throughout the software supply chain.

So why is compliance important?

David Rudin, Assistant General Counsel at Microsoft says,

‘When companies, especially large enterprises, purchase software, they need to know what open source is included in the product so they can be sure to meet their compliance obligations. As supply chains grow, each link in the chain must meet its open source obligations – a weak link means you can’t trust the code… and if you can’t trust the code… you can’t easily use it.’

When members of the supply chain are OpenChain compliant, the use of open source software becomes much easier. Organisations can use open source software and trust that the provider has quality governance in place to ensure the software is compliant.

Microsoft announced its conformance to the OpenChain specification back in 2019. Many other organisations have also publicly announced OpenChain conformant programs including Arm, Cisco, Siemens and Uber.

Conformance to the specification can be self-assessed or assessed independently. The specification is also supported by extensive reference material including information on training, policies and case studies.

Introducing ISO/IEC 5230

The OpenChain specification was published as an industry standard by the International Organization for Standardization in December 2020. The ISO/IEC 5230 standard and the OpenChain specification are therefore functionally identical.

The standard defines the key requirements of a quality open source license compliance program, which builds trust between organisations exchanging software solutions composed of open source software.

This ‘trust’ is founded on the fact that an organisation’s conformant program indicates to others that it has been designed to achieve license compliance for the open source software it shares.

The importance of a quality compliance program

An important and often overlooked aspect of open source is compliance with the obligations of open source licenses.

When developers are utilising third party components from repositories it is likely those components have an open source license attached to them.

Generally, these licenses expressly state the terms of use for that particular component. This means there are obligations you must fulfil to use the open source software without infringing the rights of the copyright holder.

The obligations you must fulfil depend on the terms of the licence for each component. These licences may include conditions such as providing attributions, copyright statements, or a written offer to make the source code available.

By fulfilling the license obligations you are respecting the intellectual property of the developers and organisations that have contributed code for re-use.

ISO/IEC 5230 defines the key requirements for a quality program which governs compliance with these obligations.

The idea is that the compliance program should become part of the business-as-usual quality assurance process for a software project. This will ensure open source license obligations attached to components, libraries and packages used to deliver a solution are met correctly.

What does the standard tell us?

The standard highlights what needs to be done by organisations to achieve a quality compliance program and the reasons for this. What the standard does not do is provide a template for your compliance program. This allows for the specific decisions regarding license compliance to be left to you.

OpenChain refers to this as the ‘what’ and ‘why’ approach. It gives flexibility to organisations of different sizes and in different markets, so that each may choose the specific policy and process content that fits its goals and scope.

In practice, this means that a conformant program may address a single product or the entire organisation as a whole.

Information you may expect to see in the standard includes:

  • Building a foundation for your compliance program and policy
  • Open source content review and approval
  • License compliance
  • Open source community engagement

Conformance has its benefits!

What are the benefits for your organisation if you adopt the standard?

Matt Conway, CTO of Interneuron, says: “OpenChain conformance benefits our whole organization – from developers onboarding and releasing their first FOSS products, through to the implementation team building trust and confidence with our customers.”

Conformance to the standard increases the probability that license compliance will be achieved in your software releases. This allows you to build trust amongst your customers whilst also decreasing business, legal and reputational risks around non-compliance.

The OpenChain specification also complements existing quality assurance programs and standards such as ISO 9001:2015, which sets out the criteria for a quality management system.

Adherence to the standard will reduce your overall compliance effort, saving time, legal and engineering resources.

For example, in a typical supply chain each member may be working to a different compliance standard. This often means that the software of others has to be re-checked for compliance at every link in the chain, which wastes time and resources.

The OpenChain specification, by contrast, provides a single consistent standard that everyone in the supply chain can follow. Duplicated effort is no longer needed, because each organisation can trust that the other members of the supply chain are working to the same compliance standard.

As an example, ‘just like an individual car buyer should not have to inspect the factory floor to make sure their car was made to be safe, a user of software should not have to inspect how the software was made to make sure it meets its open source obligations’, says David Rudin, Assistant General Counsel at Microsoft.

Conclusion

The obligations attached to open source licences make it incredibly important to have a quality open source software compliance program in place for your organisation. ISO/IEC 5230 and the OpenChain Project can guide you through the process of making a quality compliance program.

Conformance will not just reduce your compliance effort and save time, money and resources; it is also a way for your organisation to demonstrate that you respect the intellectual property of others and that you have processes in place to manage your use of open source software.

One of our customers, Interneuron, puts it this way:

“OpenChain conformance demonstrates to all Interneuron’s commitment to delivering enterprise level open source solutions with quality management and security at the heart of our development processes.”

Finally, when you adopt ISO/IEC 5230 you are conforming to a stable specification that is widely backed by community participants and the International Organization for Standardization.

Sources

The sources used for this article are listed below. For more information on ISO/IEC 5230 and the OpenChain Project, you can visit their websites.
