Re: Coming Soon: OpenChain Mini-Summit at Open Source Summit Europe – 2023-09-18


Steve, your notes are *amazing.* Thank you so much. With your permission, I am going to add them to our blog post containing the slides:

About the final point:
cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn't catch)
It was FOSSology and sw360.



On May 23, 2023, at 18:45, Steve Kilbane <stephen.kilbane@...> wrote:

Hi Mary,
Here are my notes from the OpenChain mini-summary (or, at least, the sections where I can read my own handwriting…) – I'd particularly welcome comments / corrections from the presenters.

• Expecting the Security Spec to graduate from ISO/IEC at end of July.
• Shane has produced 8 case studies using ChatGPT.
• Helio on "State of Tooling in Open Source Automation" (Helio can probably share his slides, if they're not already on the LF platform)
• Tools, Trends, Insights.
• Previous trend was license compliance.
• Current trend is security.
• Few can consume SBOMs.
• Lots of gaps for license compliance automation.
• We need open data, avoiding control of that data by one entity.
• Binary analysis will displace source-only scans.
• I think this point here is that, current binary scans aren't sufficient, but as we move up SLSA levels, we'll have more attestations from the build, and those will be sufficient.
• Poor data quality, especially vulnerability databases.
• PURLs prevent vendor lock-in to a given DB.
• We need unique identifiers for software.
• We need to share the data of package review and curation, but need to overcome concerns from legal departments.
• Should we share scanner output first? (ahead of curations?)
• We should try to fix upstream (to have better compliance info / metadata)
• Helio wants data to be standardised; I was unclear whether Helio was saying data should be centralised or de-centralised (sorry, Helio). I wasn't clear whether the call was for a federated network of standard servers.
• Licensing isn't the same as security. Lots in common, but different use-cases, with different audiences, so have different docs to explain your systems and tools.
• License compatibility: Multiple tools / matrices in use, but they're all legally subjective and dependent on jurisdiction.
• Snippet matching
• V. expensive in terms of time (and, therefore, money)
• Weirdly, Helio argued that Synopsys has given up on Snippet matching, as they've all but abandoned Protex. Hub has snippet-matching – we use it all the time at ADI.
• Suggests that ChatGPT et al. will make snippet matching more relevant and useless, at the same time, because it'll generate new boilerplate from everyone's code.
• Note to self: Look into MatchCode, which Helio mentioned.
• Not good, don't have all the data.
• Often can't read them anyway.
• Tools do not integrate them well.
• SBOMs need to be validated – but even a valid SBOM can contain junk data, if the data is wrong in the first place.
• Collaboration opportunities
• "Live inventory of FOSS tools and their capabilities" – which sounds like the capability map / tooling landscape the OpenChain Automation WG was working on last year.
• FossLight presentation from LG (
• Scans with ScanOSS and ScanCode.
• Bunch of package managers supported.
• Has a built-in workflow – SBOM management?
• Has a Jenkins CI for the prechecker.
• Mails vulnerability notices to the dev team.
• Has a Supply Chain Management section, for third-party code.
• Unclear how many of the features being mentioned are part of the OSS product, and how many are still internal-only for LG.
• I didn't spot where the clearing/curation decision feeds back into a later scan.
• Sounds like developers can only upload single packages at a time to be scanned; bulk upload is an internal-only package at the moment.
• Shane mentioned a cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn't catch). The OSPO budgeted three hours to do the job. They spent a week on it, then gave up and bought Black Duck. So we have a way to go on making tooling easier to set up.
From: main@... <main@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Monday, 22 May 2023 at 20:25
To: OpenChain Main <main@...>
Subject: Re: [openchain] Coming Soon: OpenChain Mini-Summit at Open Source Summit Europe – 2023-09-18

Hi Mary!

I am afraid that because the event was fully integrated into Open Source Summit North America, it was officially being delivered via their stream, and that was live-only.

There was an OpenChain zoom dial in, but honestly the capture was really only on the speakers, and really only mediocre. I did not have access to or control over room audio, and it was a big room. I can publish that Zoom recording but it will be low quality. Meanwhile, the slides are all here:;!!A3Ni8CS0y2Y!6Uh5UhK1fbSHQljX0zJe5z7cor4awpgDGCJHlTTvHzmmvRl3ztYmXxuDThe70j4Kaq9tTp05dTRbWJHqUgYQFSdrMkQkoDk$

I would like to work out a way to make our future summits fully recorded and released, even when they are co-located in the official tracks of major events, and therefore audio/visual is not necessarily in my hands.



On May 19, 2023, at 21:33, Mattran, Mary <mary.mattran@...> wrote:

Hi Shane,

The (virtual) OS Summit for North America was awesome. I attended many sessions and took copious notes that I will share with my team. The likelihood of being able attend in person is very slim. For the NA summit, I looked for a recording for the Open Chain mini-summit but there isn't one. Do you know if this will be remedied?


Join { to automatically receive all group messages.