Open Source Summit Europe 2024

This talk will explain the process of going from a blank page to an ISO standard using OpenChain ISO/IEC 5230:2020 as a case study. It will explain how the OpenChain specification team came together, how they created the first iterations of what would become ISO/IEC 5230, and how they collaborated with Joint Development Foundation (JDF) to evolve from de-facto industry standard into formal international standard through the JTC-1 PAS Transposition Process. Attendees will learn how to frame, build and deploy their own specifications and standards, with a particular focus on the practical decisions required: should this be a specification, should it be an ISO standard and what do I need to do to make this happen?

"Next-Gen Testing and Compliance: Ensuring Integrity in a Complex World" delves into evolving testing and compliance frameworks to match the pace of digital innovation. This talk underscores the necessity for advanced methodologies to ensure standards maintain relevance and integrity amidst rapid technological advancements. We'll explore cutting-edge testing frameworks utilizing automation, AI, and machine learning, boosting the accuracy and efficiency of compliance checks. Highlighting adaptive testing environments, we emphasize simulating real-world scenarios for a nuanced approach to the software-hardware interplay in contemporary devices and systems. The session also tackles the challenge of keeping pace with compliance as technology outstrips regulation. We'll provide insights into anticipating future standards and preparing for compliance proactively. Through case studies of successful next-gen testing and compliance strategies, attendees will learn to navigate the complexities of maintaining specification integrity in our digital, interconnected era.

As policy makers are rushing towards standardizing open source security best practices, it is critical to make sure that the standards developed to organize open source software development and mainteance are themselves open source-compatible. Why is this important? What makes a standard open source-compatible? What can we learn from previous efforts such as OpenStand and what can we improve? We'll cover this and more in this talk.

SBOMs are a crucial tool for understanding the composition of software, which is particularly important in the context of managing security risks and licensing compliance. Recent regulatory efforts from, among others, the US and the EU, explicitly move towards requiring SBOM for each software delivery. SPDX (System Package Data Exchange) is a freely available ISO standard that provides a set of specifications for communicating SBOM information. It offers a common format for companies and organizations to share important data accurately and efficiently. This presentation will delve into the details of the newly released version of SPDX, providing a comprehensive understanding of their importance in the software industry.

With its global uptake, the RISC-V specifications and RISC-V International, as the standards-development body, are facing an unprecedented challenges: the international adoption of RISC-V as an alternative, open-standards ISA and its role in various digital sovereignty initiatives worldwide are putting a geopolitical spotlight on the the standards and specifications released by RISC-V International. Safeguarding the protected status as a standards-development body and ensuring ongoing, constructive collaboration between geographies in the setting of future standards, requires a focus on policies and processes in our standards-development process. This session compares the existing RISC-V specification development with the ISO processes, and provides an outlook to some of the process improvements underway that will lead to an even closer alignment: the ultimate goal being a path to publication of the publicly available RISC-V specifications as international standards. We will provide an overview of the role of the RISC-V Technical Steering Committee, into the quality-gates a proposed standard must pass, and the consensus-building processes within each specification group.