Open Compliance Summit 2022 has ended
In-person Event | December 7-8, 2022

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for the Open Compliance Summit to participate in the sessions. 

Open Compliance Summit is an exclusive event for Linux Foundation members and select invitees. Attendance is limited to ensure ease of networking and collaboration. The summit, like prior ones, will be held under the Chatham House Rule. Please consent to this rule before you request an invitation.

Please note: This schedule is automatically displayed in Japan Standard Time (UTC+9:00). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.
Wednesday, December 7
 

8:00am JST

Registration & Badge Pick-up
Wednesday December 7, 2022 8:00am - 5:30pm JST

9:30am JST

Keynote: Welcome + Opening Remarks - Shane Coughlan, The Linux Foundation
Speakers

Shane Coughlan

General Manager, OpenChain
Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include building the largest open source governance community in the world through the OpenChain Project, spearheading the licensing team that elevated Open Invention...


Wednesday December 7, 2022 9:30am - 9:35am JST
304

9:35am JST

Keynote: We Have Standards for License Compliance, Security and SBOM. Now What? - Shane Coughlan, The Linux Foundation
Speakers

Shane Coughlan

General Manager, OpenChain


Wednesday December 7, 2022 9:35am - 9:40am JST
304

9:40am JST

Keynote: State of the Union - Michael Dolan, The Linux Foundation
Speakers

Mike Dolan

Senior Vice President & General Manager of Projects, The Linux Foundation
Michael Dolan is SVP and GM of Projects at the Linux Foundation supporting open source projects and legal programs. He has set up and launched hundreds of open source and open standards projects covering technology segments including networking, virtualization, cloud, blockchain, Internet...



Wednesday December 7, 2022 9:40am - 9:55am JST
304

10:00am JST

Sponsored Keynote: Renewal Process of OpenChain Conformance Over Organizational Changes - Tadayuki Osaki, Fujitsu Limited
OpenChain is the International Standard for open source compliance and is growing in importance these days, when inter-company cooperation plays a crucial role, such as SBOM sharing in a supply chain. To confirm the compliant state of conformant organizations, the OpenChain specification requires organizations to renew their conformance every 18 months.

In this session, I would like to share some of the experiences we had in the renewal process, which differs from the process of newly obtaining conformance.

Speakers

Tadayuki Osaki

OSS compliance manager, Legal & Intellectual Property Unit, Fujitsu Limited
Tadayuki "Tom" Osaki is OSS compliance manager of Fujitsu's Legal and Intellectual Property Unit. His team serves internal OSS compliance governance and open-communities-related activities. He is currently a board member of the Linux Foundation OpenChain Project. Prior to working...


Wednesday December 7, 2022 10:00am - 10:10am JST
304

10:15am JST

Sponsored Keynote: OBEY: The Challenges of Open Source Compliance Training - Sarajane Whitfield, Google
A robust training program is essential to build and sustain a culture of compliance, but it comes with a number of challenges. This session will discuss four features that are critical to address when developing such a program.

Speakers

Sarajane Whitfield

Open Source Advisor, Google


Wednesday December 7, 2022 10:15am - 10:20am JST
304

10:25am JST

Keynote: Grabbing the Compliance Bull by the Horns: Why We Need to be Much More Proactive Towards Compliance Issues and Tooling and How - Armijn Hemel, Tjaldur Software Governance Solutions
Speakers

Armijn Hemel

General Manager, Tjaldur Software Governance Solutions
Armijn Hemel, MSc is the general manager/owner at Tjaldur Software Governance Solutions and an internationally recognized expert on GPL license enforcement and GPL license compliance.


Wednesday December 7, 2022 10:25am - 10:45am JST
304

10:50am JST

Open Source Compliance Takes a Village - David Hirsch, Dynatrace
There are numerous considerations that must be made when setting up and managing a comprehensive open source compliance and security program in an organization. We usually focus only on compliance when consuming, contributing or creating open source and tend to forget about who all of this is for. Throughout this session, David will share how Dynatrace has evolved this process over the last year, and will share the tools, process and teams that have made it possible.

Speakers

David Hirsch

OSPO Program Manager, Dynatrace
David works as Program manager at Dynatrace's Open Source Program Office. He is driving process, compliance and security efforts around Open source within the company, as well as contribution and the creation of new projects. He also supports projects in their early stages, helping...



Wednesday December 7, 2022 10:50am - 11:10am JST
304
  End-User Sessions

11:10am JST

Coffee Break
Wednesday December 7, 2022 11:10am - 11:30am JST

11:30am JST

Policy as [Versioned] Code - Andres Vega, ControlPlane
Beyond just "don’t run everything as root". In this talk, Carmen and Andres will trace back the origins of how policies are often incepted, how they can get out of hand, be slow if not impossible to update and measure compliance against, and often lead us to the question of **is the policy helping or hindering**.

Speakers

Andres Vega

Vice President of Operations, ControlPlane
Andrés Vega is Vice President of Operations at ControlPlane, focused on securing modern applications from supply-chain and runtime attacks with a zero trust, continuous security approach. He is also an open source maintainer, contributor, and author.


Wednesday December 7, 2022 11:30am - 11:50am JST
304
  End-User Sessions

11:55am JST

OSS Lifecycle Management with SPDX - Keiya Nobuta, Fujitsu
Fujitsu supports SPDX evolution and the movement to an international standard that provides a common SBOM basis for software exploitation for companies throughout the supply chain. We have long provided multilateral support for SPDX, especially through activities in Yocto and SPDX-Lite. Since 2016, we have been participating as maintainers of meta-spdxscanner, enabling SPDX functionality for the Yocto Project. While the SBOM is static in terms of license compliance, lifecycle management including the dynamic element of vulnerability is important. In this session, we will introduce the mechanism of SPDX output and vulnerability detection using Yocto, and an example of lifecycle management of SBOM by using SW360.

Speakers
Keiya Nobuta

Software Engineer, Fujitsu
I am an embedded Linux developer. I joined Fujitsu Corporation in 2015. My major job is Linux kernel development for embedded systems.



Wednesday December 7, 2022 11:55am - 12:15pm JST
304
  Technical Sessions

12:20pm JST

How I Learned to Stop Worrying and Love the Bom - Simon Vestin & Manabu Niseki, LINE Corporation
SBOM, Software Bill of Materials, is a new concept in securing the software supply chain. With it, providing transparency for software consumers is possible, making vulnerable components hiding deep down in dependency hell visible. There is an abundance of tools for generating SBOMs, but the majority are based on static lock files. Lock files are not necessarily present on servers after software is deployed, making the generation of SBOMs incomplete without knowing exactly the source of all deployed software. The usage of lock files is also not mandatory in all programming languages, making lock-file-based SBOMs for certain software doomed. To tackle this issue, SBOM collection also needs to some extent be done at runtime. In this talk, the speakers will explain the difference between static and runtime SBOM collection. This is followed by an elaboration on how they utilize the SBOM concept to collect metadata across multiple ecosystems in an infrastructure with over 150,000 servers, using the two methods. The methods' pros/cons will also be discussed. Furthermore, a brief note on how generated SBOMs can aggregate with an open source vulnerability database adopting the OpenSSF OSV format will be included.

Speakers

Manabu Niseki

LINE Corporation
A Botconf, HITCON, OBTS and JSAC speaker. A V3 climber forever.

Simon Vestin

Security Engineer, LINE Corporation
Simon Vestin joined LINE in 2015 upon graduating from university in his home country. He is working mostly in the network security field and in later years as a developer focusing on security infrastructure. Currently involved in building a system to find vulnerabilities / misconfigurations...



Wednesday December 7, 2022 12:20pm - 12:40pm JST
304
  End-User Sessions

12:45pm JST

Something Interesting and Thought Provoking - Andrew Katz, Moorcrofts
Speakers

Andrew Katz

Managing Partner and CEO, Moorcrofts LLP and Orcro LLP
Andrew Katz is a lawyer who has advised on free and open source software, open hardware and other opens for over 25 years. Formerly a software developer, he qualified as a barrister, requalified as a solicitor and is now partner and head of technology law at Moorcrofts LLP, a boutique...


Wednesday December 7, 2022 12:45pm - 12:55pm JST
304

1:00pm JST

ORT: Automate Your Open Source Policy Using Open Source & Inner Source - Thomas Steenbergen, EPAM Systems
Setting up or maintaining a FOSS compliance process is not simple, as most organizations use a wide variety of programming languages, code build tools and delivery methods. Ideally, you want to automate most of the compliance work but, as most Open Source Program Offices (OSPO) have found out, there are often significant gaps between what is offered by most tools and what you would like to have. Given this, several OSPOs have been collaborating to build OSS Review Toolkit (ORT). In this session Thomas demonstrates how one can use ORT to safely use, integrate, modify and redistribute third party software including FOSS in your software project(s). He will show a FOSS review from start to finish, e.g. from scanning a repository for packages, licensing and vulnerabilities to fixing found issues and generating attribution documents, source bundles and SBOMs (CycloneDX/SPDX). By the end of this session you should be able to replicate an ORT-based compliance process within your organization, including automating your FOSS policy using Policy as Code, and save process/review time by using an InnerSource-based review process and re-using FOSS clearance artifacts from the community.

Speakers

Thomas Steenbergen

Head of Open Source Program Office, EPAM Systems
Thomas Steenbergen is the Head of Open Source Program Office at EPAM Systems (www.epam.com). He is a steering committee member and one of the co-founders/organizers of the European Chapter of the TODO group and co-founder of the OpenChain Automation Work Group - both industry working...



Wednesday December 7, 2022 1:00pm - 1:15pm JST
304
  Technical Sessions

1:15pm JST

Lunch
Wednesday December 7, 2022 1:15pm - 2:15pm JST

2:15pm JST

Export Control: Briefing and Open Discussion
Wednesday December 7, 2022 2:15pm - 2:55pm JST
304

3:00pm JST

Panel: Automation for Open Source Security
Wednesday December 7, 2022 3:00pm - 3:40pm JST
304

3:40pm JST

Coffee Break
Wednesday December 7, 2022 3:40pm - 4:00pm JST

4:00pm JST

Panel: The SBOM Panel of Japan - Masato Endo & Miyu Tanaka, Toyota Motor Corporation; Ayumi Watanabe, Hitachi Solutions, Ltd.; Yoshiyuki Ito, Renesas Electronics
In 2022, SBOM is becoming a larger trend in Japan as well, for proper license compliance and security management within organizations and supply chains. In fact, some electronics and automotive industries’ supply chains are sharing software component information by SBOM. Recently, the Japanese government has been actively promoting the use of SBOM and continues to update its collection of case studies of SBOM-related efforts by leading companies. Some PoCs on SBOM management within the supply chain are also underway. The panel will be joined by Japanese front-runners of SBOM, including members involved in the creation of SPDX Lite, members who support companies in implementing SBOM, and members contributing to the Japanese government project. This panel discussion will introduce the latest trends in Japan regarding the implementation of SBOM. Furthermore, we will discuss the challenges Japanese companies are facing in the global supply chain and their solutions.

Speakers

Masato Endo

Group Manager, Toyota Motor Corporation
Masato Endo is the Group Manager of Driver Monitoring Group, Value Chain Service and Technology Development, Technical Project Field of Advanced R&D and Engineering Company in TOYOTA. He focuses also on building the Open Source governance structure within Toyota and developing relationships...

Ayumi Watanabe

Senior OSS Specialist, Hitachi Solutions, Ltd.
Ayumi Watanabe is a Senior OSS Specialist of Hitachi Solutions, Ltd. She is also a core member of OpenChain Japan Sub Workgroup and known as an SBOM evangelist. Her strong point is a knowledge of many tools for SBOM generation and management, a wide range of experiences as an OSS management...

Miyu Tanaka

Member of Intellectual Property Division, Toyota Motor Corporation
She is engaged in process development and in-house education for using and contributing to the open source software at Toyota Motor Corporation. Recently, she is also focusing on the collaboration between Toyota and its related companies with respect to the open source software c...

Yoshiyuki Ito

Principal Expert, Renesas Electronics
Joined NEC in Apr. 1993, NEC Electronics in Jun. 2003 and RENESAS Electronics in Apr. 2010. Member of the Automotive Digital Products Marketing Division of RENESAS Electronics. He is the leader of the License Information Exchange Subgroup of the OpenChain Japan Workgroup.


Wednesday December 7, 2022 4:00pm - 4:40pm JST
304
  Technical Sessions

4:45pm JST

One Step a Day. Vision of Tooling Subgroup at OpenChain Korea WG - Wonjae Park, LG Electronics
Even in the same field, the proficiency of OSPOs at each company differs, and the know-how to achieve open source compliance is not widely shared. The members of the Tooling Subgroup at OpenChain Korea Working Group share information on open source and commercial tooling and have been able to build a more efficient open source compliance chain at each company. Also, through the activities of the group, collaborating projects between open source and commercial tools were created and an open source project initiated by member companies is about to kick off.

Speakers

Wonjae Park

Open Source Program Manager, LG Electronics
Wonjae Park is an Open Source Program Manager at LG Electronics and has been working on company-wide consulting and education on open source compliance and spreading open source culture. He is very interested in Open Source Compliance tooling, collaborating with industry leaders...



Wednesday December 7, 2022 4:45pm - 5:05pm JST
304
  End-User Sessions

5:10pm JST

Satisfying Safety Standards with the SPDX Build Profile - Brandon Lum, Google & Kate Stewart, The Linux Foundation
When a system has functionality incorporated that could have serious consequences in terms of a person’s well being or significant loss, the details matter. The level of transparency and traceability may need to be at different levels of details based on the seriousness of the consequences. For safety standards, such as Automotive (ISO 26262), Aviation (DO 178C), and many more, tracking details of configuration management at the build level is vital. How was a piece of software built? Who was it built by? What is the toolchain that was used to build it, and how were they configured? The SPDX Build Profile provides additional extensibility on top of the SPDX SBOM standard. In this talk we will share what the build profile is and how it can be used to capture build metadata and how safety and critical compliance benefits from it.

Speakers

Brandon Lum

Software Engineer, Google
Brandon loves designing and implementing computer systems (with a focus on Security, Operating Systems, and Distributed/Parallel Systems). Brandon is a Co-chair of the CNCF Security TAG, and as a part of Google's Open Source Security Team, he works on improving the security of the...

Kate Stewart

VP Dependable Embedded Systems, Linux Foundation
Kate Stewart is Vice President of Dependable Embedded Systems at the Linux Foundation. She works with the safety, security and license compliance communities to advance the adoption of best practices into embedded open source projects. Since joining The Linux Foundation, she has launched...



Wednesday December 7, 2022 5:10pm - 5:30pm JST
304
  Technical Sessions

5:30pm JST

Keynote: Closing Remarks - Shane Coughlan, The Linux Foundation
Speakers

Shane Coughlan

General Manager, OpenChain


Wednesday December 7, 2022 5:30pm - 5:35pm JST
304
 
Thursday, December 8
 

9:15am JST

9:30am JST

SPDX Mini-Summit
Over the last year, the SPDX community has been making progress to the underlying 3.0 core model, as well as various domain specific profiles of metadata information to be shared. Join us in this session to get an understanding of each of the new emerging profiles, as well as how they will interact. If time permits, we'll also go into the 2.2/2.3 --> 3.0 migration plans.

Miniconference Schedule
• Core Overview
• Build Profile Overview & Update
• Usage Profile Overview & Update
• Discussion of Overlaps between Build and Usage Profiles
• AI Profile Overview
• Dataset Profile Overview
• OpenDatology applying SPDX profiles
• Security Profile Update
• Licensing Profile Update
• Safety Profile Overview (3.1 target)
• Discussion of overlaps across profiles

Speakers

Yoshiyuki Ito

Principal Expert, Renesas Electronics

Brandon Lum

Software Engineer, Google

Kate Stewart

VP Dependable Embedded Systems, Linux Foundation

Gopi Krishnan Rajbahadur

Senior Researcher, Huawei
Gopi Krishnan Rajbahadur is a Senior Researcher at the Centre for Software Excellence at Huawei, Canada. He holds a PhD in computer science from Queen's University, Canada. He received his BE in Computer Science and Engineering from SKR Engineering College, Anna University, India...


Thursday December 8, 2022 9:30am - 11:00am JST
HALL | BUKATSUDO

11:00am JST

Coffee Break
Thursday December 8, 2022 11:00am - 11:30am JST
KITCHEN | BUKATSUDO

11:30am JST

OpenChain Mini-Summit
Thursday December 8, 2022 11:30am - 12:55pm JST
HALL | BUKATSUDO

12:55pm JST

Keynote: Closing Remarks - Shane Coughlan, The Linux Foundation
Speakers

Shane Coughlan

General Manager, OpenChain


Thursday December 8, 2022 12:55pm - 1:00pm JST
HALL | BUKATSUDO

1:00pm JST

Lunch
Thursday December 8, 2022 1:00pm - 2:00pm JST
KITCHEN | BUKATSUDO
 