Linux Foundation’s JDF pushes for better open source compliance
The Linux Foundation’s Joint Development Foundation (JDF) has won formal approval to submit open source software (OSS) specifications for recognition as international standards, a landmark move for OSS governance. An open source compliance specification will be the first to be submitted.
The move comes as the Linux Foundation continues its push to improve the transparency, security and credibility of OSS across the business community, amid concerns about a lack of standardisation, sub-par maintenance of many widely used OSS components, and the security risk that follows from both.
The new approval covers submissions to ISO/IEC JTC 1, the joint technical committee of ISO and IEC that sets information technology standards.
First Submission: OpenChain
This week the JDF made its submission — for OpenChain, a specification that identifies the key requirements of an open source compliance programme, designed to build trust between companies in the supply chain.
(OpenChain participants need to be able to supply the compliance artefacts that travel with the code: source code, build scripts, copies of licences, attribution notices, modification notices, SPDX (Software Package Data Exchange) licence data and so on. The project charter’s vision is “a software supply chain where free/open source software is delivered with trusted and consistent compliance information”.)
“Open source is now a mainstream means of building infrastructure and providing a platform for innovation,” said Seth Newberry, executive director at the Joint Development Foundation.
He added: “While open source development models focus on lowering the barriers to innovate and change, there comes a time when industries decide the next step is to agree on one approach to an issue and work together on that solution.” (The JDF has more than 250 companies participating.)
Of the world’s top 10 most-used open source packages, seven are hosted on individual developer accounts rather than under an organisation, the Linux Foundation’s Core Infrastructure Initiative warned earlier this year, noting that this could pose a security risk to code at the heart of the global economy. Hundreds of thousands of open source software packages are in production applications throughout the supply chain; many are only sporadically updated or maintained.