22.11.2024
Claire Cheng
Open Source
As a member of the OpenChain community, Bitsea maintains partnerships worldwide. Today we would like to share insights on open source compliance in Taiwan, provided by Claire Cheng. Cheng has worked for the Open Culture Foundation (OCF) in Taiwan for a long time, advising companies on open source processes and training customers on the particular requirements of using open source.
This article reflects on my three years of work promoting OpenChain at the Open Culture Foundation (OCF), where I focused on understanding and advocating for the project. Despite our efforts, adoption in Taiwan remains limited, with companies often having inconsistent approaches to open-source licensing and lacking strong incentives to adopt ISO 5230 and ISO 18974 without external pressures. I want to document our progress and the challenges we faced to help inform future efforts in OpenChain advocacy.
Two Key ISO Standards Addressing Open Source Management Problems in the OpenChain Project
The Linux Foundation’s 2023 survey found that over 90% of organizations use open-source software, as building everything from scratch is impractical. Just as food traceability builds trust by making information transparent, the software supply chain needs a system that helps vendors manage code and ensure quality.
Without this, it’s hard to verify code origins, versions, or compliance with licensing, weakening manufacturers’ ability to address security and legal issues.
OpenChain, initiated by the Linux Foundation, addresses these challenges by ensuring reliable, consistent management of open-source components across the supply chain. Supported by a global community, it has developed two ISO standards—ISO 5230, which aids compliance with open-source licenses (with 121 certified companies), and ISO 18974, launched in December 2023, to secure open-source software, already adopted by companies like LG, BlackBerry, and Honda.
Why Do You Need OpenChain?
Today’s specialized supply chains rely on collaboration across multiple suppliers to create competitive products. Each company contributes only a portion, making it essential to track components and ensure compliance.
Imagine facing a major security vulnerability: if I can’t quickly verify with my team whether we’re affected, hackers may exploit the issue, risking customer trust. Or, if a customer finds a licensing violation in a component, I’d need to confirm it with the upstream supplier, risking reputation and potential legal issues.
OpenChain provides a traceability system for tracking components and ensuring licensing compliance, enabling manufacturers to respond swiftly to security or compliance issues and protect customer trust.
OpenChain in Taiwan: Currently Only Early Adopters Are Considering Adoption
In 2020, OCF began promoting open source compliance, and by 2022 successfully guided KKCompany to become the first, and currently the only, company in Taiwan to obtain ISO 5230 certification through third-party assistance and approval.
Open source compliance is still in the “early adopter” stage in Taiwan. Although a small group within some companies recognizes the importance of managing the open-source components used internally, they have not yet convinced corporate decision-makers to prioritize open-source compliance.
Companies Haven’t Found Compelling Incentives to Adopt
As a country heavily dependent on international trade, Taiwan will inevitably follow global trends as managing open-source components becomes increasingly important worldwide and open-source compliance requirements emerge from supply chains. However, no major international manufacturer has yet mandated that all its suppliers obtain open-source compliance certification.
Additionally, the Taiwanese government has not listed open-source compliance as a key priority for manufacturers. Even if a company recognizes that early adoption of OpenChain could improve output quality, it may not act immediately. OpenChain can reduce risks related to litigation, security, and reputation. However, the immediate benefits are not always clear, especially when compared to other business priorities.
After all, companies don’t face questions about open-source licensing violations or security crises every day. The resources spent on implementing open-source compliance may not yield immediate results. In contrast, investing those same resources into new business opportunities offers a clearer, more tangible path to increased profits, which is easier for decision-makers to envision.
Awareness Gap in Open Source Compliance Among Stakeholders
If a company prioritizes introducing open source compliance, it is typically because someone closely involved with open source management—often from the programming or legal department—recognizes its importance. However, this doesn’t necessarily mean that the entire company views OpenChain as essential.
Some people within the company may not even realize their products contain open-source components. They might assume that open source simply means free software that can be used without restrictions. Even developers who work with code daily may not see the need for meticulous management of component origins or ensuring compliance with licensing obligations.
Lack of Professional Expertise in Open Source Management
At present, Taiwan has few professionals offering services related to open source compliance, such as open source licensing or building a Software Bill of Materials (SBOM). This scarcity is partly because open source compliance is still in its “early adopter” stage in Taiwan. When demand is low, it’s challenging to foster a thriving ecosystem of service providers.
To encourage more companies to adopt open-source compliance, the Linux Foundation allows businesses to self-certify for ISO 5230 and ISO 18974. Additionally, through community collaboration, guidelines for obtaining these certifications are made freely available on its website, allowing companies willing to do their own research to avoid common pitfalls.
From the perspective of promoting open-source compliance, these free resources and self-certification options lower the entry barriers for businesses. Companies can handle the basics without spending significant amounts on consultants or auditing firms. However, this also means that professional service providers need to find more specialized niches for their offerings.
Currently, Taiwanese companies do not face significant external pressure from supply chains or the government to provide compliance documentation. Therefore, even those interested in adopting open-source compliance can start by following the OpenChain community’s materials and implementing the process by themselves. There is no rush to perfect it immediately.
Thus, the focus should not be on offering packaged ISO-adoption consulting, but rather on providing consulting or customized services that help companies resolve the specific issues they encounter during self-implementation.
Sharing Knowledge and Experiences to Prepare for Taiwan’s OpenChain Wave
I previously worked at OCF, a non-profit organization dedicated to fostering a thriving open-source ecosystem. OCF’s mission is twofold: first, to help companies avoid reinventing the wheel by utilizing open-source code, and second, to encourage them to contribute back to the community in compliance with open-source licensing obligations.
With this goal in mind, OCF continues to promote OpenChain. Although we have not yet been able to work through supply chains, and advocating for open-source compliance within the government remains a challenging task, we persist in organizing events and outreach efforts.
These initiatives aim to raise awareness of open source compliance among Taiwanese companies, with the ultimate goal of making it a corporate priority.
The Taiwan OpenChain Working Group, of which OCF is a member, consists of dedicated volunteers. We host at least one gathering each year, which is free and open to anyone interested. These events not only provide a platform for exchanging ideas but also serve as a space to share new insights into OpenChain. The working group invites domestic and international experts to share practical experiences and the latest updates on ISO 5230 and ISO 18974, encouraging Taiwanese companies to engage in discussions on open source compliance.
From time to time, OCF conducts sharing sessions, writes introductory articles and research reports, and shares information about open-source compliance with the public.
Currently, only a few Taiwanese companies recognize that managing open source components and ensuring compliance is a necessary part of their infrastructure. However, I firmly believe that continued information sharing and communication are crucial foundations for raising awareness of open source compliance among Taiwanese businesses.
When will Taiwanese companies experience an urgent and large-scale need to implement open source compliance? It may happen when key stakeholders begin to intervene. For instance, if a major international manufacturer requires its suppliers to obtain ISO 5230 or ISO 18974 certification, Taiwanese suppliers in those supply chains will feel pressured to comply. Alternatively, if a well-known Taiwanese manufacturer becomes an early adopter of OpenChain’s ISO certifications, it could lead the way for other small and medium-sized enterprises to follow suit.
Writer: Claire Cheng
Originally published in Mandarin here.
License: CC BY 4.0