Building a Trusted Open Source Software Supply Chain With OpenChain


There are many examples of collaboration all around us that stretch far beyond the type of collaboration in open source projects. As preparation for her keynote at LinuxCon Europe, Jilayne Lovejoy, Principal Open Source Counsel at ARM, watched a TED talk by Rodney Mullen and was inspired by how he talked about collaboration within the skateboarding community where he compared it to hackers within the open source community.

Lovejoy says, “You’d think the people in this room had an invented the whole concept of collaboration, but you can actually find examples of collaboration all around us, like in the way skateboarding evolved from freestyle to street skating by adapting to a new environment.” She talks about how the values underpinning collaboration are inherently compelling and goes on to talk about how “it’s about being motivated by the respect from your peers, the satisfaction of creating something others can use, and being part of a community that you helped build and you can see other people contributing that and taking it to the next level.”

However, within her own profession, lawyers don’t tend to work in a collaborative atmosphere. Even between people who work in open source, there are other things, like training materials and internal company policies, that we don’t always think to develop collaboratively with other people outside of our teams. 


Lovejoy asks, “How can we take the advantage of collaboration and apply it to making software moving through the supply chain, have less friction, and build trust. What if we had a collaborative group to solve this, to help define what the processes look like? Enter OpenChain. OpenChain is a new Linux Foundation collaborative project with a vision of a software supply chain where free and open source software is delivered with trust and consistent compliance information.”

There are three key areas within the OpenChain project:

  • Specification: Organized into 6 goals, the specification is the description of effective FOSS with requirements and rationale for why it’s important. The first version of the specification was released at LinuxCon Europe.
  • Curriculum: The initial set of training materials are available now, and they have begun working on a teacher’s guide to go along with these materials.
  • Conformance: This will contain a way to self-certify that you’ve met the requirements of the specification.

Lovejoy wants you or someone from your company to participate! 

“OpenChain is run like the other collaborative projects. Anyone can join. Anyone can participate. All the work is done in the open. Some of the things we’ll be working on and need help with includes working on the specification. We’ve got the first version out, but of course, we’re always going to make improvements and there’ll be other versions. Also, the curriculum slides I mentioned, we have the first version out, we’ll be working on those, … the teacher’s guide to go with those, the conformance questions, website issues and so forth and so on. My question to all of you is this. If someone from your company isn’t already following or contributing to OpenChain, who’s it going to be? When you go back to your office after spending time in this lovely city, who are you going to go have a chat with to get involved with OpenChain to make doing software business easier for all of us so we can focus on the more fun, challenging, and differentiating aspects of all of our jobs?”

Watch the entire talk to learn more about how you can contribute to OpenChain.

LinuxCon Europe videos