Speaking of board members, there's Kubota-san from Sony. Just picking on you randomly. We both have jet lag. We both live in Japan and we're both dying. Kubota-san is the person to ask about the new Sony Honda car. And he will politely not tell you anything about it, but I'm sure he knows something. And we also have Watanabe-san over here. This is the new head of the Japan Planning Subgroup, which is a polite way to say she's the boss of the entire community. And towards the front we've got Kim and Kim from LG Electronics. Soham, yes, is interesting because Soham has made tons of mascots for us for 2023. I noticed that the Korean community was constantly swamped with really cool mascots. And it turns out that all of them are by Soham, who actually just spends all day doodling. So I said to her, can you create global mascots for our project? And she just sent me a ton of them. I said, just penguins is boring. How about we have all of the kinds of animals from the cold places? And so we do. On every seat, you'll find the first iteration of one of our collected stickers. There's more by the projector. And we'll be doing all kinds of little mascot stuff and conference swag in the months to come. Thank you, Soham. That was very much appreciated. And on quite a tight time schedule, I was like, can I have 12 images now? All right. Our actual schedule today is a list of things which sounds intimidating and boring. But let's try to make sure that it's full of useful information. The first thing I'm going to do is give you an overview of where we are at with our standards and our community. Then we're going to start moving down the pyramid. OpenChain is way up at the top: high-level process standards. We're going to move down a bit into, briefly, software bill of materials. Then we're going to move down more practically into how you automate stuff. And we're quite lucky that Helio is going to be running the automation discussion. After that, we're having a very special talk.
A lot of people say we want to do automation around open source compliance, but we don't have enough money. We don't have enough time. What do we do? And then there are open source tools for open source compliance, but a lot of them are quite geeky. And a lot of our open source tools for doing this are hard to set up. Now, as it happens, LG Electronics, when Soham and the other members of the team aren't drawing... The LG Electronics team, when not drawing cartoons, is also building cutting-edge software. And they've built something called FOSSLight, which is an open source project. It does open source automation. It works on compliance and security. And it includes things like fancy dashboards with analytics that you'd normally see in proprietary products. This is going to be an interesting talk. Oh, Rudin, David Rudin, Microsoft, one of the board members who took us through ISO and is going to be hanging out with me this evening. Looking forward. So FOSSLight is an interesting tool to look at. It's going to be something that is the next generation of open source tooling for open source compliance. It's both free, powerful, and easy to use. Then we're going to move into the round table parts where we discuss things more openly, less presentation, more chatting. Okay, time is a little tight. So I'll start giving you some overviews of where we're at. As I mentioned, Volkswagen has just joined the board of the OpenChain project. So Cariad, that's the... I know I didn't ask your permission. I just stole images from your site. You're welcome. It's not as bad as what I did to Toyota. I took their moon buggy and put the OpenChain flag on it. As of today, officially, Cariad is part of the OpenChain board. They're a platinum member and they are represented by Helio, who, as I said, was previously the BMW board member for OpenChain. So we're very glad to welcome him back and we're looking forward to next steps together.
Now, when it comes to OpenChain as a project, our board is pretty big. We're at 25 companies on the board. And as you can see, it's a huge spread of types of corporation, from cloud leaders like Microsoft, through to consumer electronics like Sony, through to tiny car companies like Toyota. We have a huge diversity of voices at the table. And when we have a board meeting, that means we have a great insight into where the overall market is going. When you count how much these companies are worth, the collected total is over $5.9 trillion. And that's great to have on the board. Not bad. I wish that was actual cash that we could have, but we're touching a lot of verticals. And I made this slide just to give a snapshot. Okay, so this is a selected snapshot of a few companies that have decided to announce adopting our standards on our website. This is not the market adoption as a whole, but it shows the type of momentum we're seeing and the type of companies we're seeing involved in using the standards built by OpenChain. So this lot of companies, as I said, is a snapshot. And when it comes to the type of market adoption in total we're seeing, indicators are positive. PwC did a survey in Germany in 2021. 20% of companies with more than 2,000 employees were already using our standard for open source license compliance in that jurisdiction. When it comes to these verticals, that's over $7.5 trillion in market value, but there's a lot more. So I started going through some of our mailing lists. I say some; we have a lot of mailing lists and a lot of activities. And just by looking at our main mailing list, our automotive mailing list and our telco mailing list, these companies are all part of it. They're part of the meetings, discussions and so on. I'm putting Lockheed Martin center because, along with Helio from Cariad, the other co-chair of our spec is Chris Wood, a senior fellow at Lockheed Martin.
And all of these companies in their own way are participating and contributing to what we do. And I'm very glad to see that. I mean, companies like Foxconn obviously are critical to the global supply chain. We've got companies which influence massive amounts of procurement, like Korea Telecom. As these entities engage with us and spread the message, we're seeing our standards go deeper and deeper in the market. Right now, the project has 12 official tooling vendors. And these are companies that provide commercial services for tooling. An official vendor means that they're part of our community. They've committed to contributing to our community. And that includes things like helping us with events, translations, promotion and so on, far beyond product. We have 11 official third-party certifiers. One of the most recent and significant is CESI, the China Electronics Standardization Institute, which makes the Chinese national standards around technology. And they, along with CAICT, both under the Ministry of Trade, are official certifiers for us in that market. Naturally, companies like Univeritas, TÜV Nord, TÜV Süd, PwC can certify people globally on these standards. Proviso: if you're new, you don't have to use a certifier to adopt OpenChain. Most people don't. Self-certification is what most people do, and it's what we encourage people to do in general. But in certain domains, you want to have third-party certification, and it's available. We've got 27 official service providers, consultancies and so on, and we have 22 official legal providers. So the project has been busy doing a lot of stuff with a lot of people. Key news, as you may know: last year we finished drafting, after a year-and-a-half process, a security standard. We originally came to market in 2016 with a license compliance standard. After a while, our community noted that many parties were using the compliance standard for security.
So we created a guide explaining how you can use parts of it for security, and that evolved into a sister security standard. That, as of recently, has entered the ISO process and is changing from a de facto into a formal industry standard. And it now has its draft international standard number from ISO. So ISO/IEC DIS 18974 is the draft international standard, sister standard to our license compliance standard, and is designed for security. It is going to complete its ballot process in late June, and according to our partners in submitting to ISO, the Joint Development Foundation, that means we can expect, all being well, everything to be ready and published by end of July. So we'll have this security standard switch from de facto into formal ISO standard on target for the middle of the year. This, of course, is wonderful, and that will give us a lot of traction in procurement, but people are already using the de facto standard. LG most recently announced their adoption of it. Previously, we've had BlackBerry and Interneuron announce adoption of this standard. I mean, that kind of adoption gives us nice validation that the approach works well. Going back in time a little bit, back to our original reason for being here, our license compliance standard, ISO 5230, that... oh, hey Ninjoji-san, another board member. That's Toshiba. And ISO 5230 is going quite well as well. We've had significant adoption. I mentioned earlier that some people announced via our website. At the moment, there are 98 companies listed on our website as conformant. These are the companies that explicitly came to us and said, hey, please add our logo to your website. As I mentioned, far more companies use the standard. These are just the people who came to us and said, hey, please add our logo. We're pretty happy to see that. It's nice to have it as an inspiration page to encourage people to see multiple sectors and company sizes in play.
Recently, we've had a raft of significant announcements. A couple of them, I think, are notable from the Chinese market. Notable not only because they're large companies, but also because several of them have been in partnership with things like our third-party certifiers. So Alibaba Cloud, one of the world's largest cloud companies, ByteDance, who you might know from TikTok, China Mobile, who provide services to one of the largest subscriber bases in the world, and Z1 at SAIC Motors, all announced conformance in the last couple of weeks. Z1 from SAIC Motors is roughly equivalent to Cariad at Volkswagen. SAIC is Shanghai Automotive. It's one of the world's largest motor companies. It's the second largest EV maker in the world, third largest hybrid maker in the world. It's the largest car company in China. So it was very nice to have all of these come on board. Over in Japan, my country of residence and adoption, Socionext, they do SoCs and stuff like that, and Cloudera, all announcing that they've adopted this standard. In some ways, that's not news. Everyone's used to people adopting our license compliance standard, but it's nice to put logos up and say, hey, look, momentum's still going. We've also had some cool stuff supporting it. I know this is a small step, but we're glad to have it. We finally have a Wikipedia page for our license compliance standard, and with that massive milestone, we can now turn our attention to building a Wikipedia page for the security standard. Okay, what else is happening? There's a ton of cool stuff happening elsewhere. The project has spent a lot of time improving itself to get ready for the future. We want to reach a lot more companies, and we have these new standards to talk about. So things like our one-page overviews, of course, are being updated. We've improved our community calendar so people can turn up on calls more easily. We've completely overhauled our reference library.
We've got over a thousand reference documents in this library nowadays, so we have to do a lot of juggling to improve it and make it easier to navigate. We've continued to build new documents and update old documents, for instance, changing GPL flowcharts from Word documents into more dynamic scripting languages, so it's very easy to create, adjust, and translate them. We've continued our webinar series incredibly. After starting as the pandemic hit in April 2020, we're already at 51 webinars, most recently on ClearlyDefined, a project which helps people understand what's a software package, what's there, what's the information about it I need to know. The project was originally released by Microsoft and is now housed at the Open Source Initiative. And we've had just tons of events, everything from talking to lawyers through to having our partners speak about us in different places. CAICT took the stage to explain OpenChain at the China Automotive Cybersecurity Conference recently, which was rather nice. We're publishing in different areas. This is, again, China. I thought this was rather fun because it's the first time we've, as far as I know, appeared in a Chinese journal. And OpenChain has been included in an article about how software supply chain security can and should happen. That type of stuff is useful because it embeds us deep into the industry. Finally, we've been going out there and double-checking what's the market like today. Our industry survey technically closed at the end of April, but I put up a QR code there in case you want to just sneak in another submission before I actually put the results onto a slide deck. Our industry survey is a bit unique because our industry survey is entirely focused on what's the reality of the market today. We're not interested in promoting any norms or opinions. We're just asking, corporate-wise, you know, do you have people allocated in this direction? Why? Do you have a policy, pro or negative? Why?
Very simple, and it's anonymous, and we've had some good feedback from the market in the past. Okay. We're nearly there. Don't worry. We're nearly there. It's just been a lot going on. It's been busy. At the same time as having existing standards in the market and sharing them with companies, as an open source project, we're constantly editing the future. And we're working on the next generation of the licensing and security specifications, right? So these documents are living documents being edited right now. Everyone is welcome to be part of that. We edit our standards on GitHub. We have calls every two weeks where we discuss things live. We have a mailing list where other contributions can be placed. But every issue and every iteration just happens right there on GitHub, so everyone can see how these standards are built and can take part in it. You are very welcome to be part of helping us build the next generation of these standards. Now, you might know that I mentioned we're ISO standards, right? So it's obvious we're not going to iterate our standards every week or every year or every two years. We're quite slow when it comes to actually publishing new versions of the standards, but we do write and we do collect issues and we do address them all the time to make sure that when we do hit the trigger, when we do release an update, it's extremely practical and timely for the market. And one aspect of something that's been asked about a lot is companies have said, okay, I can see you've got standards. I can see you have some reference material, et cetera, et cetera. But in practice, how do I include this? What ways do people include these standards in procurement discussions? Now, as an open source project in an open source organization like the Linux Foundation, for obvious reasons, we have to be distant from the specifics of any commercial decision of any company. We're not touching that.
What we are doing is we've got a legal workgroup and they're working on model provisions, model language for procurement. And their idea is to make some notes to explain options that people could have when they consider how they approach procurement when they want to talk about these standards. What type of provisions, what type of language might they use for inspiration? So that is underway, and that's something that your legal teams might like to know about, because if they're not familiar with open source or OpenChain, this provides some grounding for them. And we're not starting from zero. We're actually looking at something that comes from the far, far past, 15 years ago, which is depressing because I was part of making it originally. There's something called the risk grid, which was designed a long time ago to show how, when using open source in the commercial arena, different sides, for instance supplier or customers, could brainstorm who takes responsibility for what. And that was a whole series of examples. And it's been there in market for 15 years. I think it's on version 12 now. It's under CC0 public domain. And we're looking at that as a way to explain, okay, that type of discussion between sales and procurement, those examples were useful to market. How do we take that as inspiration for what we do around our standard? Okey-dokey. We're going to move down the pyramid now and turn to SBOMs in 2023. This is going to be, I think, a relatively easy one to do because we actually did the webinar on it already. So we did SPDX3 recently. And fundamentally, when it comes to something like SBOMs and OpenChain, the answer is very, very, very, very, very simple. We've always supported SBOMs. We've always required SBOMs. You can't use our standards without having an SBOM, period. But we're not prescriptive about it. We inherently match the guidance provided by NTIA and CISA.
We inherently match the minimum requirements for an SBOM that the White House discussed in their executive order. We're saying you need to have an SBOM in play that allows the companies to share the information. We've always had that stance. We've always been agnostic about what SBOM people use. So whether it's SPDX or CycloneDX or SWID, I'm naming those three because that's what the NTIA discussion was focused on. Or something else. Quite frankly, the OpenChain project doesn't care as long as you have a functional SBOM for your supply chain. Just like everything else, what we want is a result. So fundamentally, then, we're positioned well on the SBOM discussion. And the only thing that's been notable for me as I look at the supply chain has been that SPDX, CycloneDX and SWID started out as the three things in the NTIA discussion. I'm both slightly concerned and slightly amused to note that now people are remixing everything. So I noticed that Toyota recently have SPDX Lite plus T, so some additions there. Siemens now has the Siemens SBOM, which is built on CycloneDX. This is a natural thing. Whenever there's more than one standard, people look at it and think, oh, there's several standards. What can we do? Let's make a new standard. And that's a normal process. And honestly, it's not going to be an issue for the market over time. People will shake out ideas and options. Eventually something optimal will come to the fore. But I mentioned I was slightly concerned. And the concern is really that while the market is experimenting with SBOMs and while people are shaking out options in the procurement cycle, we're probably going to have to make sure that we have solid communication and support for small to medium companies. It's going to be very confusing for these companies to deal with, even for instance, the changeover from SPDX2 to SPDX3, let alone trying to understand, oh, people are remixing SPDX. People have CycloneDX plus remixing that.
What on earth am I meant to do? Correct guidance from our perspective as the OpenChain Project is you do whatever your specific supply chain needs. That's fine. But we do want to make sure that we support people. And this is where I hope that we can spend some time in our project, around our education resources, to make sure that small, medium companies or large companies with limited time to spend can get the guidance they need. I actually had a question. Sorry to single you out here, Gary. I just had a question because you were probably at the SPDX meeting this morning. And I noticed that in SPDX right now, there's lots of new profiles with SPDX3. And some of the profiles, like AI profiles, might seem quite alien to a lot of the supply chain because they're not there yet. When it comes to the basics of SPDX3, is there a simple migration path from 2 to 3? Or do people have to relearn everything? Right. Very cool. Okay. I think that'll be the first question we get. What's the easiest way to do the simplest migration and come to the various profiles later? Actually, that's really good guidance, because one of the main problems we've had with OpenChain is that every time we provide detailed information about a topic, a lot of people gravitate towards the detailed information and assume it's general. And they're like, oh, wow, that's heavy. It's like, no, no, that's specific. So people can just start really light, just stick with their problem domain. Don't worry about the rest until they need to go there. That's a good message. We'll be passing that out to our teams. But anyway, fundamentally, we're supporting this stuff. We've long had great collaboration with the SPDX project. And we're ready essentially to guide all those companies who don't use SBOMs or don't know what they are into that fold. As soon as they adopt our standards, they have to use some form of SBOM.
Now, we're going to take a break for coffee for 10 minutes, and then we're going to bring Helio up to talk about automation. Then we're going to have FOSSLight as a very practical example of highly advanced automation from the Korean market. But before we do that, I'm going to do something obvious and go into the AI domain. This is going to... you've got to tell, you've got to tell Justin about this. So obviously because Xamarin and so on at LF are hyperactive about ChatGPT, I thought, OK, so OpenChain has to do something here. So I actually got ChatGPT to help us with case studies. And it generated 8 case studies in a few minutes. Are they all great? Actually, they're not bad. I'll give an honest assessment. They are solid mediocre, which is a damn good start. That's good. That's good. That means that we have a basis. And one of the things that's held back aspects of our community is that people are quite keen on improving material, but the slog to go from a blank page to a document is a heck of a slog when you're a volunteer with 20 minutes in an evening. And ChatGPT, interestingly, might have provided us a way to get around that and produce more material. It only knows up to 2021, right? So it can't talk about our security standard, which came out in 2022, but it can talk about our license compliance standard. And the quality was just fine. It's not a lot of factual errors, but no, it was surprisingly good. Anyway, they're just out on our website now. They're on GitHub. And with a few tweaks, I actually think that we'll have several viable case studies. My favorite is probably when I told it, interestingly, it's somehow managed with the security standard. I told it to talk about adopting our security standard, our license compliance standard, and SPDX. And it spat out a case study that wasn't crazy. So that's there, and that's cool. And with that, let's break for the coffee and have 10 minutes.