Diving into Open Source supply chain; connecting and collaborating with communities

It has been about one month since I’ve joined the Open Source Initiative, and I’ve been busy learning about ClearlyDefined and how it fits into the Open Source supply chain compliance and security ecosystem. This is an exciting area that has a major impact not just in the tech sector, but on society as a whole, as Open Source has become pervasive.

A few weeks ago, I had the opportunity to attend FOSS Backstage in Berlin. This was a wonderful event run by Plain Schwarz, event organizers for and with Open Source communities, acting as non-code contributors to OSS projects of all kinds. I had the chance to meet several interesting people who deeply care about Open Source.

The organizers of this event have always been very supportive of the Open Source Initiative (OSI). In fact, their first edition five years ago celebrated OSI’s 20th Anniversary, and this year they celebrated with us again both OSI’s 25th Anniversary and FOSS Backstage’s 5th Anniversary.

One of the best ways to learn is to dive right in and teach others, so I was excited for the opportunity to speak at FOSS Backstage about this topic. While I’m still rather new to Open Source supply chain and technologies like SBOMs and Sigstore, I thought it would be interesting to bring my experience on Confidential Computing and see how they could all work together. My talk was very much inspired by the SLSA security framework, where the major threats are highlighted in each stage of the supply chain. Interestingly enough, currently SLSA does not cover much of the last mile of the supply chain, when the application/workload is actually deployed, and this is where Confidential Computing can play an important role. If you are interested in learning more, please check out the video recording of my session.

One of my favorite presentations at FOSS Backstage was from Clare Dillon, Executive Director of InnerSource Commons. Her talk entitled “Open Collaboration and our Lizard Brains” provided a pretty good overview of neuroscience and psychology to understand what triggers emotional responses that either drive people to compete or collaborate. It’s also interesting to note how InnerSource has emerged as a movement that helps organizations to embrace the principles of open collaboration. It serves as an entry point for organizations that are not ready to go all in on Open Source by eliminating the fears associated with developing and governing in the open. To learn more, please check out the video recording of her session.

After FOSS Backstage, I had the opportunity to attend the first ever ORT Community Day. The OSS Review Toolkit (ORT) is a Linux Foundation project that is currently being used by several organizations for managing Open Source supply chain compliance and security, and is one of the key projects that currently makes use of and promotes ClearlyDefined.

ORT Community Day was a wonderful experience and I really enjoyed getting to know the community behind this project. They really understand the principles of open collaboration. Building a healthy Open Source community is much more than just adopting an Open Source license for the project; it also means embracing open collaboration so that all members feel welcome to actively participate in and contribute to the project. This is what I hope to achieve at ClearlyDefined in partnership with ORT and other adjacent communities. If we really want to help organizations worldwide to secure the Open Source supply chain, we have to bring our lizard brains together to fully embrace open collaboration, one chain at a time!