Re: Coming Soon: OpenChain Mini-Summit at Open Source Summit Europe – 2023-09-18

Steve Kilbane

Please feel free. And my apologies to the LG presenter, too – I didn't manage to catch your name.


From: main@... <main@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Wednesday, 24 May 2023 at 07:42
To: OpenChain Main <main@...>
Subject: Re: [openchain] Coming Soon: OpenChain Mini-Summit at Open Source Summit Europe – 2023-09-18


Steve, your notes are *amazing.* Thank you so much. With your permission, I am going to add them to our blog post containing the slides:;!!A3Ni8CS0y2Y!7zaDSKm9LZSzzRsnv6o22oavPRpHSFwxfILT8ad_NdOwH3Jh8BD1c9ZTdOuwxEiX_HZMYCI1wnAh345uUNNIab5UdjKQibc$

About the final point:
>  cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn't catch)

It was FOSSology and sw360.



> On May 23, 2023, at 18:45, Steve Kilbane <stephen.kilbane@...> wrote:
> Hi Mary,
>  Here are my notes from the OpenChain mini-summary (or, at least, the sections where I can read my own handwriting…) – I'd particularly welcome comments / corrections from the presenters.

>     • Expecting the Security Spec to graduate from ISO/IEC at end of July.
>     • Shane has produced 8 case studies using ChatGPT.
>     • Helio on "State of Tooling in Open Source Automation" (Helio can probably share his slides, if they're not already on the LF platform)
>         • Tools, Trends, Insights.
>         • Previous trend was license compliance.
>         • Current trend is security.
>         • Few can consume SBOMs.
>         • Lots of gaps for license compliance automation.
>         • We need open data, avoiding control of that data by one entity.
>         • Binary analysis will displace source-only scans.
>             • I think this point here is that, current binary scans aren't sufficient, but as we move up SLSA levels, we'll have more attestations from the build, and those will be sufficient.
>         • Poor data quality, especially vulnerability databases.
>         • PURLs prevent vendor lock-in to a given DB.
>             • We need unique identifiers for software.
>         • We need to share the data of package review and curation, but need to overcome concerns from legal departments.
>         • Should we share scanner output first? (ahead of curations?)
>         • We should try to fix upstream (to have better compliance info / metadata)
>         • Helio wants data to be standardised; I was unclear whether Helio was saying data should be centralised or de-centralised (sorry, Helio). I wasn't clear whether the call was for a federated network of standard servers.
>         • Licensing isn't the same as security. Lots in common, but different use-cases, with different audiences, so have different docs to explain your systems and tools.
>         • License compatibility: Multiple tools / matrices in use, but they're all legally subjective and dependent on jurisdiction.
>         • Snippet matching
>             • V. expensive in terms of time (and, therefore, money)
>             • Weirdly, Helio argued that Synopsys has given up on Snippet matching, as they've all but abandoned Protex. Hub has snippet-matching – we use it all the time at ADI.
>             • Suggests that ChatGPT et al. will make snippet matching more relevant and useless, at the same time, because it'll generate new boilerplate from everyone's code.
>             • Note to self: Look into MatchCode, which Helio mentioned.
>         • SBOMs
>             • Not good, don't have all the data.
>             • Often can't read them anyway.
>             • Tools do not integrate them well.
>             • SBOMs need to be validated – but even a valid SBOM can contain junk data, if the data is wrong in the first place.
>         • Collaboration opportunities
>             • "Live inventory of FOSS tools and their capabilities" – which sounds like the capability map / tooling landscape the OpenChain Automation WG was working on last year.
>     • FossLight presentation from LG (
>         • Scans with ScanOSS and ScanCode.
>         • Bunch of package managers supported.
>         • Has a built-in workflow – SBOM management?
>         • Has a Jenkins CI for the prechecker.
>         • Mails vulnerability notices to the dev team.
>         • Has a Supply Chain Management section, for third-party code.
>         • Unclear how many of the features being mentioned are part of the OSS product, and how many are still internal-only for LG.
>         • I didn't spot where the clearing/curation decision feeds back into a later scan.
>         • Sounds like developers can only upload single packages at a time to be scanned; bulk upload is an internal-only package at the moment.
>     • Shane mentioned a cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn't catch). The OSPO budgeted three hours to do the job. They spent a week on it, then gave up and bought Black Duck. So we have a way to go on making tooling easier to set up.
>  From: main@... <main@...> on behalf of Shane Coughlan <scoughlan@...>
> Date: Monday, 22 May 2023 at 20:25
> To: OpenChain Main <main@...>
> Subject: Re: [openchain] Coming Soon: OpenChain Mini-Summit at Open Source Summit Europe – 2023-09-18
> [External]
> Hi Mary!
> I am afraid that because the event was fully integrated into Open Source Summit North America, it was officially being delivered via their stream, and that was live-only.
> There was an OpenChain zoom dial in, but honestly the capture was really only on the speakers, and really only mediocre. I did not have access to or control over room audio, and it was a big room. I can publish that Zoom recording but it will be low quality. Meanwhile, the slides are all here:
> I would like to work out a way to make our future summits fully recorded and released, even when they are co-located in the official tracks of major events, and therefore audio/visual is not necessarily in my hands.
> Regards
> Shane
> > On May 19, 2023, at 21:33, Mattran, Mary <mary.mattran@...> wrote:
> >
> > Hi Shane, 
> >
> > The (virtual) OS Summit for North America was awesome.  I attended many sessions and took copious notes that I will share with my team.  The likelihood of being able attend in person is very slim.  For the NA summit, I looked for a recording for the Open Chain mini-summit but there isn't one.  Do you know if this will be remedied?
> >
> > Mary
> >

Join { to automatically receive all group messages.