Open Source Summit Europe 2024

This session will introduce the SPDX Lite profile, its background, and what and how it solves with many JSON examples. The Lite profile of SPDX 3.0 is designed to make it quick and easy to start creating a Software Bill of Materials (SBOMs) when a company has limited capacity for introducing new items into its process. Over the past few years, the importance of SBOM has increased. As interest in SBOM from government agencies and industries grows, the SBOM specification extends significantly to meet these various needs. SPDX Lite is a lightweight and compact SBOM specification. The OpenChain Project Japan WG explores and promotes SBOM. The focus is on making the SBOM practical from security assurance and license compliance perspectives and on sharing and transferring SBOM across the global software supply chain in any industry. SPDX Lite is one of the achievements of collaboration between the OpenChain project and the SPDX project. Attendees in this session will learn the first steps to creating an SBOM using the Lite profile of SPDX 3.0 by several examples of SBOM documents that address regulations and requirements.

Product teams, R&D teams and OSPOs occasionally find themselves in an adversarial situation with IP Departments around open source and how it should be managed in an organization. This is usually due to misunderstandings about how open source provides value and how the risks associated with it can be contained. With open source increasingly necessary for organizations to compete effectively, it is important to ensure all departments understand its strategic importance, and how to manage it in the context of their KPIs and requirements. This talk will explain how to collaborate with IP Departments using the language of external risk containment and internal portfolio management, and help IP Department staff assess open source as part of a diversified IPR strategy.

In this presentation, we present how an analysis of companies and technical trends can lead to the formation of group-wide community and participation in open source alliance organizations. We analyzed companies and technological trends in the related technology area to clarify the situation around the company direction from top-level executives. As a result, we identified important foundations and open source projects in which companies in the related technology area were actively involved. These projects are also important for the Sony Group business. However, due to the diverse nature of Sony's business entities, the organization responsible for video production was unaware of the significance within Sony group, even though they were aware of the trends in OSS and the importance for their own business. In contrast, the organization in the electronics field lacked awareness of video production trends. We tailored the analysis results to each organization and communicated them accordingly. This explanation led to valuable insights for each tech executive, resulting in the formation of group-wide community and participation in a related alliance organization.

Three years have passed since the issuance of the U.S. Executive Order (EO #14028), the adoption of SBOM in Japan has gradually progressed. Japanese companies are learning the minimum elements of SBOM which was published by NTIA, and are converting to a development process that takes automated SBOM generation into account. In July 2023, the Ministry of Economy, Trade, and Industry (METI) published a guide on the introduction of SBOM for software management, then the second version is scheduled to be released this summer. In addition, in April 2024, Nikkei Computer, a prominent Japanese computer magazine, published a less than 20-page special feature on SBOM in its opening issue. In this session, Ayumi Watanabe, a Japanese SBOM evangelist and an advisor to METI's SBOM PoC project, will discuss the status of SBOM in Japan, including the content of METI's guidelines, and the maturity and challenges of SBOM implementation in Japanese companies.

As the complexity of software ecosystems continues to grow, the need for transparency and security in software components becomes increasingly critical. Software Bill of Materials (SBOMs) has emerged as a pivotal tool in understanding and managing software dependencies, vulnerabilities, and compliance. However, despite its growing adoption, several open questions remain regarding the creation, distribution, and practical use of SBOMs. This presentation aims to pose these questions and discuss the challenges faced by the industry.

Open source compliance management occupies an important position in enterprise open source management, but for operating systems, the scenarios that require compliance management are complex and numerous, and management is difficult, but it is still a task that we have to face.This topic focuses on enterprise open source compliance management, starting from the overall development process of the operating system, explains in detail a variety of development scenarios, analyzes the pain points and difficulties of compliance management in different scenarios, and gives some thoughts and suggestions on compliance management.

This session covers two major topics: Firstly, the significance of an open source management system in the context of IP management for heavily software-dependent companies. Managing open source dependencies is a key pain-point, since so much of modern software development depends on it. Yet only a small number of people truly understand open source beyond “just the code”. Although a company's heavily intellectual property (IP)-involved departments deal with IP management everyday, they are oblivious to open source software. This talk suggests ways to translate the ‘open source talk’ and make these departments your comrades in arms. Secondly, the speakers introduce the OpenChain Specification 2.1 (ISO/IEC 5230:2020) on open source license compliance, aka a framework and a blueprint for how to translate open source management into IP management. This session gives you the tools to turn the view of open source from a potential liability to a valuable asset. The speakers pull from their experience working in IP heavy weights such as Ericsson (more than 60.000 granted patents globally) to put the above into context and give example of Ericsson’s ongoing journey in this area.