Erlang/OTP Announces an OpenChain ISO/IEC 5230 Conformant Program

The Erlang Ecosystem Foundation has set goals for 2025 of raising the community infrastructure, processes and tooling profile to accommodate the latest industry standards for supply chain and cybersecurity. The Erlang/OTP team is thrilled to announce that the Erlang/OTP project is now conformant to OpenChain ISO/IEC 5230, the international standard for open source license compliance.

For the majority of users, this simply states that we follow best practices and comply with licenses in an adequate manner, respecting licenses and copyrights.

The team would like to extend their thanks to EEF staff and community, the OpenChain community, and Ericsson's Open Source Program Office for their support in getting to this point.

13 Likes

In case it helps anyone else: Both ISO/IEC 5230:2020 and ISO/IEC 18974:2023 are available for free off the OpenChain site, in a mildly obfuscated way, or for ~£200 a pop if you go for the first search hit!

ISO/IEC 18974 is more security focussed (in the sense of CVE management as best I can tell from a quick skim); whereas ISO/IEC 5230 is more about license management.

Excerpt from ISO/IEC 5230 introductory text:

This document defines the key requirements of a quality open source license compliance program. The objective is to provide a benchmark that builds trust between organizations exchanging software solutions comprised of open source software. Specification conformance provides assurance that a program has been designed to produce the required compliance artifacts (i.e., legal notices, source code and so forth) for each software solution.

Excerpt from ISO/IEC 18974 introductory text:

This specification is intended to identify and describe the key requirements of a quality security assurance program in the context of using open source Software. It focuses on a narrow subset of primary concern: checking open source Software against publicly known security vulnerabilities like CVEs, GitHub/GitLab vulnerability reports, and so on.

3 Likes

What does this mean for me as a contributor? The passage in contributing.md merely says that all contributions must be under the Apache 2.0 license, or a compatible one under certain circumstances. What, if anything, should I do differently now?

Also, what does this mean for me as a user?

2 Likes

Nothing for you to do differently :slight_smile: If you want to contribute, simply place your contributions under Apache 2.0

That Erlang/OTP complies with the OpenChain ISO standard means that our team has some infrastructure, processes, support, and tooling to comply with licenses, monitor them, and know how to do open source in a sustainable way, what the repercussions are of having non-compatible licenses, etc.

The best example is that we are going to start releasing a source SBOM in each release (including patches, AFAIK, starting with OTP-28, including release candidates to catch early bugs). As a user, you can use this license information to build your Xxx SBOM (where Xxx could be Source/Build/Runtime/etc.) for when the Cyber Resilience Act (CRA) comes into effect, or DORA, or any other compliance rule/mandate.

Before we created this source SBOM, did you notice that Erlang/OTP has more than 10 licenses (including exceptions) spread out in the code base? Is your company against any of these licenses? Who knows, if no one writes all of them up! The best we had was system/COPYRIGHT, which was a good effort, but a good manual effort. Now that effort has been automated, and you as a user can see that. The fact that we have internal processes does not impact your work, but it is important to us (Erlang/OTP) because it helps us to work and know what to do.

Before we announced this, we were already mostly doing all of the points from the OpenChain License ISO, but we were not fulfilling all of them.

5 Likes
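The source SBOM described in the reply above is what lets a downstream user answer the "is my company against any of these licenses?" question mechanically instead of by reading system/COPYRIGHT. The following is an added example, not Erlang/OTP tooling or code from this thread: it reads a constructed, cut-down SPDX 2.3 JSON document (the announcement does not name the SBOM format, so SPDX is an assumption, as are the package names and the allowlist) and reports every package whose license expression the policy cannot satisfy. It evaluates SPDX expressions rather than string-matching them: `OR` means any one alternative suffices, `AND` means every part must be allowed, and `license WITH exception` is a distinct identifier, which matters because the post notes that OTP's licenses include exceptions. `NOASSERTION`, `NONE` and unparseable expressions are reported, never quietly passed.

```python
"""Check licenses in an SPDX 2.x JSON source SBOM against an allowlist. Added example, not
Erlang/OTP tooling: the SBOM is a constructed SPDX 2.3 fragment; names and policy are assumptions."""
import json
import re

# Constructed sample (assumption: SPDX 2.3 JSON with per-package licenseConcluded/licenseDeclared).
# Cases: plainly allowed, allowed only via an OR alternative, exception pair outside policy, unasserted.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-source-sbom",
    "packages": [
        {"name": "example-core", "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0"},
        {"name": "example-vendored-lib", "licenseDeclared": "NOASSERTION",
         "licenseConcluded": "BSD-3-Clause OR LGPL-2.1-or-later"},
        {"name": "example-fonts", "licenseDeclared": "GPL-2.0-only WITH Font-exception-2.0",
         "licenseConcluded": "GPL-2.0-only WITH Font-exception-2.0"},
        {"name": "example-unknown", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
})
# Hypothetical policy: licenses usable without legal review. "license WITH exception" is its own id.
DEFAULT_ALLOWLIST = frozenset({"Apache-2.0", "BSD-3-Clause", "MIT"})
_NO_LICENSE = ("NOASSERTION", "NONE")
_KEYWORDS = ("AND", "OR", "WITH", "(", ")")
# Keywords first so the identifier pattern cannot swallow them; \b keeps e.g. "ANDROID-1.0" whole.
_TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+\-]+")


def parse_expression(expr):
    """Recursive-descent parse of an SPDX license expression into a tuple tree.
    expr := term ("OR" term)*; term := factor ("AND" factor)*; factor := "(" expr ")"
    | ID ["WITH" ID]. Leaves are ("LIC", "<id>") or ("LIC", "<id> WITH <exception>")."""
    toks, pos = _TOKEN_RE.findall(expr), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1] if pos[0] <= len(toks) else None

    def parse_or():  # OR binds loosest, so it is the outermost level
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("OR", node, parse_and())
        return node

    def parse_and():
        node = parse_factor()
        while peek() == "AND":
            take()
            node = ("AND", node, parse_factor())
        return node

    def parse_factor():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return node
        if tok is None or tok in _KEYWORDS:
            raise ValueError("unexpected token %r in %r" % (tok, expr))
        if peek() == "WITH":  # keep "license WITH exception" as a single leaf
            take()
            exc = take()
            if exc is None or exc in _KEYWORDS:
                raise ValueError("WITH without an exception in %r" % expr)
            return ("LIC", "%s WITH %s" % (tok, exc))
        return ("LIC", tok)

    tree = parse_or()
    if peek() is not None:
        raise ValueError("trailing token %r in %r" % (peek(), expr))
    return tree


def permitted(node, allowlist):
    """True if some choice among the OR alternatives satisfies the allowlist."""
    if node[0] == "LIC":
        return node[1] in allowlist
    left, right = permitted(node[1], allowlist), permitted(node[2], allowlist)
    return (left or right) if node[0] == "OR" else (left and right)


def check_sbom(sbom_json, allowlist=DEFAULT_ALLOWLIST):
    """Return (package, expression, reason) for every package that needs review.
    licenseConcluded (the SBOM producer's view) wins; licenseDeclared is used only
    when nothing was concluded. Unasserted or unparseable licenses are reported."""
    findings = []
    for pkg in json.loads(sbom_json).get("packages", []):
        expr = pkg.get("licenseConcluded", "NOASSERTION")
        if expr in _NO_LICENSE:
            expr = pkg.get("licenseDeclared", "NOASSERTION")
        if expr in _NO_LICENSE:
            findings.append((pkg["name"], expr, "no license asserted; needs manual review"))
            continue
        try:
            tree = parse_expression(expr)
        except ValueError as err:
            findings.append((pkg["name"], expr, "unparseable expression: %s" % err))
            continue
        if not permitted(tree, allowlist):
            findings.append((pkg["name"], expr, "no permitted alternative under policy"))
    return findings
```

`check_sbom(SAMPLE_SBOM)` returns two findings for the sample: `example-fonts`, because the GPL-with-font-exception pair is not allowlisted as a whole, and `example-unknown`, because nothing is asserted; `example-vendored-lib` passes on the strength of its `BSD-3-Clause` alternative. Two caveats: `licenseConcluded` is the SBOM producer's conclusion while `licenseDeclared` is what the upstream component states, so a policy that trusts the two differently should encode that explicitly; and an allowlist check is a screen that routes packages to legal review, not a substitute for it.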

Ok, thanks for clarifying :smiley:

2 Likes