Swedish OSPO Network Workshop 9: OpenChain in Practice
There are three pillars of the open source ecosystem: technology, community and legal.
It is important to think beyond code -- beyond the pull requests and CI pipelines -- and into the broader questions of how we build, share, and sustain open source software together. The ninth Swedish OSPO Network workshop, hosted by WirelessCar in Gothenburg, was exactly that kind of event.
What is the Swedish OSPO Network?
Before I dive into the workshop itself, a bit of context. The Swedish OSPO Network is an informal network of Swedish organizations (companies, government agencies, and academic institutions) that are building or running Open Source Program Offices (OSPOs). The idea is simple and powerful: people who are figuring out how to use, develop, and contribute to open source in a structured way within their organizations come together, share what they have learned, and help each other navigate the challenges.
The network operates on shared ownership. Members take turns hosting workshops, and discussions follow the Chatham House Rule to encourage honest, open conversations. The presentations and materials are made publicly available whenever possible. It is open source in spirit, not just in subject matter.
What is OpenChain?
OpenChain is a Linux Foundation project initiated in 2016 to bring transparency and consistency to the open source software supply chain. It does this by maintaining two ISO standards:
- ISO/IEC 5230: the international standard for open source license compliance programs.
- ISO/IEC 18974: the industry standard for open source security assurance programs.
Together they provide a practical framework for organizations to establish clear policies, define roles, train their people, and build repeatable processes around open source compliance and security. Over a thousand companies globally use OpenChain resources, and adoption is growing: notably, 31% of large German companies already use or plan to adopt the standard.
The kick-off
The session was kicked off by walking us through the "what" and "why" behind the network -- reminding us of the vital role Open Source Program Offices play in modern organizational strategy.
A masterclass on integrating open source into the automotive software lifecycle
The approach of the organization rests on three pillars:
- Create -- building innovative solutions that drive the next generation of digital car services.
- Use -- leveraging the existing open source ecosystem for agility and security.
- Contribute -- returning value to the communities that support their progress.
What struck me was how the presenter's team has woven compliance, developer productivity, and community engagement into a single, coherent pipeline through their OSPO. It is not just about consuming open source; it is about being a genuine participant in the ecosystem.
Supply Chain: The Spaghetti Monster
Then we untangled the complex and hard-to-navigate path of supply chain security, the spaghetti monster. The speaker walked us through a clear, structured journey of how the OpenChain Project evolved to tame it:
- Study and Brainstorm: identifying the tangled complexities.
- The Guide: creating navigation pathways.
- The Specification: establishing foundational standards.
- The Standard: achieving ISO/IEC 18974:2023 certification.
The key takeaway? Using OpenChain is not just about ticking a compliance checkbox. It is about building trust and establishing clarity in processes that were previously opaque. That distinction matters.
Licensing First
One discussion that really stayed with me was around software licensing as a quality gate. The room reached a consensus that I think more of the industry needs to hear: software licenses must be the first check on code before we even look at security, functionality, or performance.
The reasoning is straightforward. Without proper licensing compliance, even the most brilliantly engineered software becomes a liability rather than an asset. Legal usage rights form the foundation upon which everything else is built.
Integrating OpenChain standards into the open source strategy early on is not just about compliance; it establishes trust throughout the supply chain. It was clearly encouraging to hear big organizations talk about it.
All OSPOs Look Different
A theme that ran through the entire day was that there is no one-size-fits-all OSPO. Every organization's open source journey is different. Some are just getting started with a handful of policies; others have mature, centralized functions with open source champions embedded across teams. The workshop featured a practical case study of an organization that transitioned from fragmented, reactive compliance to a centralized OSPO function -- complete with tiered training programs, SBOM requirements in SPDX format, and trust-based policies with clear escalation paths.
With regulations like the Cyber Resilience Act (CRA) demanding better visibility into dependencies and contribution capabilities, OpenChain provides a framework for implementing the legal requirements.
Looking Back
What I appreciated most about this workshop was the openness. People were genuinely sharing their struggles, their experiments, and their wins. Nobody pretended to have it all figured out. Thank you to WirelessCar for hosting and thank you everyone who shared their experiences and insights.
Looking forward to the next one!