Even if a large company has already established policies and processes for Open Source Compliance, the size and complexity of the software supply chain make it difficult to escape compliance risk entirely, no matter how complete those processes are. Ultimately, the level of compliance has to rise across every company in the software supply chain. To achieve this, companies that already understand Open Source Compliance well should share their assets and guide others so that they can participate easily.
Sharing a company’s Open Source Compliance assets with competitors does not hurt its sales. Conversely, learning a competitor’s Open Source Compliance policy does not translate into higher corporate profits. If companies share Open Source Compliance best practices with each other, each of them can reach a significant level of compliance with little cost and few resources.
Some Korean companies shared this view, and in January 2019 the first OpenChain KWG (Korea Work Group) meeting was held, attended by open source practitioners from LG Electronics, SK Telecom, Kakao, Hyundai Motors, and Samsung Electronics.
11th Meeting
Online Meeting, September 2021
Schedule: 2021-09-30 (Thu) 2:00-4:00 PM
How to join: Zoom (please refer to the e-mail for the access address)
1. OpenChain Update (Shane Coughlan / Linux Foundation)
OpenChain is expected to be approved as an ISO standard soon.
Accordingly, educational materials will be created, and translations into multiple languages will be needed.
An OpenChain T-shirt will be made.
2. Introduction of LG Electronics’ Open Source Compliance Management System, OSC System (Soim Kim / LG Electronics)
Main features
Project: perform the OSC process by creating a project for each piece of software you distribute
When the list of included OSS is uploaded, the reviewer reviews it and the system shows which parts require disclosure (the details for each license are shown so that the user can check the scope of source code disclosure)
Finally, the OSS Notice is issued, and the notice file and the source code to be disclosed are distributed via http://opensource.lge.com
3rd Party Project: manage the OSS list for each piece of 3rd party software
OSS / License details: the obligations arising from each OSS component and license, and any restrictions, can be checked (license nicknames are managed and mapped, so the same license is recognized even when it is written differently)
Vulnerability: check security vulnerabilities for each OSS component
BAT (Binary Analysis Tool): when a binary is uploaded, the OSS it contains is detected and displayed
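The license nickname mapping and disclosure-scope check described above, as an added Python illustration (this is not LGE's OSC System code; the nickname table and the simplified disclosure policy are constructed assumptions):

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed nickname table (an assumption, not LGE's data): after canonical_key()
# many spellings of one license collapse to a single SPDX identifier.
NICKNAMES: Dict[str, str] = {
    "gpl2": "GPL-2.0-only", "gpl20": "GPL-2.0-only", "gnugpl2": "GPL-2.0-only",
    "gnugpl20": "GPL-2.0-only", "gpl20only": "GPL-2.0-only",
    "gpl20+": "GPL-2.0-or-later", "gpl20orlater": "GPL-2.0-or-later",
    "lgpl21": "LGPL-2.1-only", "lgpl21only": "LGPL-2.1-only", "gnulgpl21": "LGPL-2.1-only",
    "mit": "MIT", "expat": "MIT",
    "apache2": "Apache-2.0", "apache20": "Apache-2.0", "asl20": "Apache-2.0",
    "bsd3clause": "BSD-3-Clause", "newbsd": "BSD-3-Clause", "modifiedbsd": "BSD-3-Clause",
}

# Simplified disclosure policy per SPDX id (an assumption for illustration, not legal advice):
# None means notice-only; otherwise the scope of source code that must be disclosed.
DISCLOSURE: Dict[str, Optional[str]] = {
    "GPL-2.0-only": "component and combined work",
    "GPL-2.0-or-later": "component and combined work",
    "LGPL-2.1-only": "component (including modifications)",
    "Apache-2.0": None, "MIT": None, "BSD-3-Clause": None,
}

def canonical_key(raw: str) -> str:
    """Lower-case, drop filler words and version markers, keep only [a-z0-9+]."""
    key = raw.lower().replace("licence", "license")
    key = re.sub(r"\b(the|license|version)\b", " ", key)
    key = re.sub(r"v(?=\d)", "", key)          # "gplv2", "GPL v2" -> "gpl2"
    return re.sub(r"[^a-z0-9+]", "", key)

def normalize_license(raw: str) -> Optional[str]:
    """Map a free-form license string to its SPDX id, or None if no nickname matches."""
    return NICKNAMES.get(canonical_key(raw))

def review_oss_list(components: List[Tuple[str, str]]) -> List[dict]:
    """For each (component, declared license) return the SPDX id and disclosure scope;
    unknown licenses are flagged for the reviewer instead of being silently ignored."""
    rows = []
    for name, declared in components:
        spdx = normalize_license(declared)
        scope = DISCLOSURE.get(spdx, "MANUAL REVIEW") if spdx else "MANUAL REVIEW"
        rows.append({"component": name, "declared": declared, "spdx": spdx, "disclose": scope})
    return rows

if __name__ == "__main__":
    # Constructed sample OSS list, as a user might upload it.
    for row in review_oss_list([("busybox", "GNU GPL v2"), ("openssl", "Apache License 2.0"),
                                ("glib", "LGPLv2.1"), ("mylib", "Proprietary")]):
        print(row)
```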
3. Book introduction: a book that tells readers how to contribute to FOSS projects, regardless of skill level or area of expertise.
What Free and Open Source can do for you
Benefits to your skill set, your career, and your personal network
Prepare to contribute
Make a checklist of the kinds of contributions you can make
Contribution process
Realize that you want to contribute → Find a project → Find a task → Set up the environment → Work on your contribution → Submit the contribution → Get feedback and iterate on the code → Contribution is accepted → (Repeat)
Find a project
Set your goals
Collect your requirements: skills, interests, time slots, goals
Search for candidate projects
Check whether the software you use every day is FOSS
Search for your area of interest + "open source"
Things to check before making your final choice
How easy is it to contribute? Are the guides well documented?
Take a look at the issue tracker and ask a question
Start small and keep a long-term perspective
How to make use of this book
Use it as an open source contribution guide
Run an open source contribution workshop
Use it as a yardstick for how friendly your company’s open source projects are to new contributors
4. Case Study: Open source release practices (GitHub, CLA, etc.)
Scope: What falls within the scope of open source compliance and security vulnerability checks?
Do you perform open source compliance activities for fonts? (Example: Open Font)
Does the company distribute mobile apps (Android, iOS) to in-house employees? If so, do you perform open source compliance activities for them as well?
How do you classify the targets of open source security vulnerability checks? Do you include not only the software to be distributed, but also the software used for infrastructure and servers?
Attendees
Hyundai Mobis
Hyundai Motors
Kakao
ktds
LINE Plus
LG Electronics
NCSOFT
Samsung Electronics
SK telecom
Video
Introductions and Update
Hyundai’s Open Source Governance System
Trends in Software Component Analysis (SCA)
Kakao’s Olive System
Minutes
1. OpenChain Update (Shane Coughlan, Linux Foundation)
OpenChain 2.1 ISO/IEC International Standard
Scheduled to be published on 12/14 (Mon)
Promotion to Japanese and Korean companies is scheduled for the same day
2. Hyundai Motors open source governance system (Songha Paik, Hyundai Motors)
Background
In 2015, joined the Open Invention Network (OIN), a patent cross-licensing organization for open source
OIN was actively promoted in industry consortiums in which Toyota, BMW, and Honda participate.
In 2016, after joining OIN following Toyota, donated 10 million dollars and was approved as a Gold Member
In 2017, received professional training on open source software licenses and recognized the importance of compliance
New TFT formed in 2018
Industry characteristics
More than 100 million lines of software are included in an automobile (more heavily weighted than other software)
More than 3,000 parts are delivered by supply chain companies; of these, about 300 are supplied directly by first-tier suppliers
How to manage so many suppliers is an issue
Currently established compliance plan
An open source management TFT has been set up under the IP organization
It is responsible for legal response, distributing license policies to third-party partners, open source verification, and license notices
Direction
Step 1) Establish simple standards, with countermeasures for three cases:
Only the open source code is disclosed and a notice is given
The modified and added parts are also disclosed
All of the combined user code is disclosed and a notice is given
Step 2) Signed a business agreement with NIPA
NIPA asks companies to request verification, and Hyundai Motor Company receives the verification reports from those companies.
Step 3) Utilize the OpenChain project
By utilizing the OpenChain project, we are trying to raise open source compliance awareness among companies.
Issue: Open source and patents
Open source can also be protected by patents, and application and registration procedures are required
It is not enough to comply with the license terms; it is also necessary to check whether third-party patent rights pose a problem and whether there is any impact on the company’s own patent use.
Hyundai Motor Company cross-licenses related technologies through OIN and its Linux System Definition
Q&A
How many first- and second-tier companies are requesting training/verification from NIPA?
Since the program started this year, about 20 companies have requested verification so far. Open source verification is currently in progress for new models rather than for models already released.
What is the patent verification method?
There is no tool that matches source code against patents. One must understand the technology and search for keywords in a patent tool to check whether a patent is infringed.
Were there any patent litigation issues related to open source?
There have been no litigation cases, but disputes and issues are known to exist.
The TF started at the Namyang Research Institute and will be expanded to the entire company.
Are there any special processes in contracts?
Drawings and specifications to be observed are provided when requesting technology development; at that time, standard specifications related to open source are provided together to ensure compliance. There is a plan to create open source related provisions when contracting with companies. In this
Others: The reason the former did not join OIN
I reviewed OIN membership twice but eventually did not sign up. It is not clear to what extent patents should be shared when determining the scope of OIN cross-licensing. Companies with many patents may lose their licenses due to OIN, so it was judged that there is a risk.
3. Trends in Software Component Analysis (SCA)
Automated process to discover and manage security and license compliance
SCA related research
Gartner report research results
The most important concerns when using OSS were the long-term viability of open source projects (#1), open source security issues (#2), and vulnerabilities (#3).
SCA tool selection criteria
Vulnerability database: provides a vulnerability database based on the NVD
Developer support: IDE and repository integration, and whether open source can be evaluated and recommended before code is added
Open source license compliance: whether license policies can be set and licenses tracked
Shorter response time: whether vulnerabilities can be detected and prioritized quickly
Report generation
Forrester Wave research results
In 2017, SCA was just beginning; by 2019, established companies had settled into leadership positions and new services had appeared.
According to the G2 software evaluation agency, GitLab is ranked 1st and WhiteSource 2nd.
SCA vs SAST: SCA is a tool that manages open source vulnerabilities and licenses, while SAST is a tool that detects flaws in proprietary code and finds vulnerabilities before the code goes into production.
Introduction of representative SCA tools
FOSSA
Started as a license compliance management tool; the project began with 4 people in 2018
Added open source vulnerability management in 2020
It is said to have a rich database
Snyk
In contrast to FOSSA, Snyk started as an open source vulnerability management tool and has recently added license compliance management.
WhiteSource
WhiteSource has provided SCA tools since its inception and has grown into a leader among related companies.
Integrates with Azure, GitLab, etc.
SCA companies commonly run a community channel such as a blog to provide a variety of information.
Q&A
When did the term SCA come about?
The term has been in use for a long time, but the name SCA seems to have appeared in earnest in research results from 2017.
Can GitHub be considered SCA?
It can identify open source, but it does not appear to qualify as SCA because it does not provide license identification or metadata.
Can you provide a list of SCA blogs?
It will be shared. Many SCA companies have blogs, and you can read many high-quality articles there.
4. Olive release (Hwang Min-ho (Robin), Kakao)
- Olive URL: https://olive.kakao.com
- Based on Kakao login; GitHub integration required
- Currently only a beta version has been released; the official release will follow with expanded functionality.
- Some modules will be released as open source
5. Case Study
Mailing list members only
6. OpenChain KWG Update (Haksung Jang, SK telecom)
KWG T-shirt
Designed and produced in-house (thanks to Soim!)
Provided to all applicants (supported by the Linux Foundation)
Contributors: Jongho Hong (LG Electronics), Yunhwan Jung (Samsung Electronics), Hanjoo Kim (Hyundai MNSOFT), Dongmin Kim (NCSoft), Heedoo Jin (LG Electronics)
Some things are still missing, so please give us plenty of feedback to make the translation as natural as possible! (GitHub issue or PR)
Received a citation from the Minister of Science, Technology, Information and Communication (for merit in the development of the open SW industry): Haksung Jang, SK telecom - https://www.oss.kr/festival/award
How should the OpenChain KWG meeting be held in the future?
Is it better to keep the current format, or is there a better way?
Japan has many sub-group meetings, and it would be good to develop a sub-group or study group here, but that will only be possible after the corona pandemic ends.
If you have any opinions on how KWG should proceed, please feel free to tell us!
1. Open source requirements demanded by global automakers
2. Sharing litigation cases
- GitHub Copilot
- Google v. Oracle
- Getty Images v. Stability AI
Lightning Talk 2
- 2024 Open Source Settlement that Developers Should Know
- Expansion of Open Source User Rights and the Importance of Providing LGPL-2.1 Installation Information as Seen in the AVM Litigation
- ISO/IEC 18974 Corporate Introduction and Certification Strategy
Speakers: Seo-yeon Lee (LINE Plus), Haksung Jang (SK Telecom)