Home

OpenChain

OpenChain is an initiative within the Linux Foundation that defines a standard for open source license compliance across the software supply chain. Its aim is to help organizations verify that the open source components they use, modify, redistribute, or ship comply with licensing obligations, while reducing the risk of license violations and promoting trust in software supply chains. OpenChain provides a specification and a conformance program that organizations can implement to demonstrate compliance.

The core element of OpenChain is the Minimum Conformance Requirements (MCRs). The MCRs specify the essential

OpenChain was launched by the Linux Foundation in 2016. Since then, it has been adopted by many

policies,
processes,
roles,
training,
and
documentation
needed
for
conformance.
The
specification
is
designed
to
be
lightweight
and
scalable
for
a
range
of
organizations,
from
small
teams
to
large
enterprises,
and
it
accommodates
different
development
models
and
supply
chain
relationships.
Compliance
artifacts
may
include
a
policy
document,
a
software
bill
of
materials
(SBOM)
or
inventory,
license
and
provenance
information,
and
training
records.
The
project
also
encourages
the
use
of
common
industry
practices
such
as
SPDX
license
identifiers.
organizations
across
various
sectors,
with
participating
companies
and
contributors
providing
guidance
to
evolve
the
conformance
program.
Governance
is
provided
through
a
steering
committee
and
working
groups
under
the
Linux
Foundation,
with
input
from
member
companies
and
open-source
communities.
OpenChain
aims
to
streamline
open
source
management,
reduce
risk,
and
promote
transparency
in
software
supply
chains.