Guest post: Mark Gisi, Director of Intellectual Property and Open Source at Wind River
The SParts project (https://github.com/Wind-River/sparts) developed a Hyperledger Sawtooth based Software Parts Ledger to track the open source components from which today's manufactured products and devices are constructed. Knowing which open source components are used brings a number of important benefits, such as:
1) ensuring manufacturers are able to identify and secure the distribution (licensing) rights for all open source components;
2) understanding the impact of security vulnerabilities in open source components;
3) enabling identification of cryptography technologies (e.g., FIPS 140-2 certification, export licensing);
4) enabling accurate reporting on all open source parts, a requirement for obtaining functional safety certification for safety critical products (e.g., medical devices, aircraft, autonomous vehicles, elevators, …).
The Software Parts Ledger establishes trust between a manufacturer and its suppliers by tracking suppliers, their software parts, the open source components used and the corresponding compliance artifacts (e.g., source code, legal notices, Open Source BOM, SPDX data, cryptography data). This is particularly helpful for manufacturers who build products from software supplied by many different suppliers (and sub-suppliers). To achieve accountability, a mechanism is needed to maintain global state information about suppliers, their parts and their compliance artifacts for all participants across the supply chain. To establish trust among all participants, these records need to be i) transparent and ii) immutable, while iii) removing the dependence on third-party information brokers (middlemen). We obtain the required level of trust by utilizing the Hyperledger Sawtooth platform to construct a Software Parts Ledger.
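As an added illustration (not code from the SParts project), the following Python sketch stands in for the Sawtooth ledger and models what the paragraph asks for: each entry records a supplier's part, the open source components it is built from and the digests of its compliance artifacts; entries are hash-chained so verify() detects any altered record, and parts_using() answers the vulnerability-impact question from the list above. All supplier names, part names, component versions and artifact contents are constructed sample values.

```python
import copy, hashlib, json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64          # prev-hash of the first ledger entry
@dataclass
class PartRecord:           # one supplier's software part and its compliance data
    supplier: str
    part: str
    version: str
    components: tuple       # open source components the part is built from
    artifacts: dict         # artifact name -> sha256 of the artifact content (SPDX, notices, ...)
def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()
def entry_hash(record: PartRecord, prev_hash: str) -> str:
    # Chain each entry to its predecessor so no record can be altered or removed silently.
    payload = json.dumps(asdict(record), sort_keys=True).encode()
    return digest(prev_hash.encode() + payload)

class PartsLedger:
    def __init__(self):
        self.entries = []   # (record, prev_hash, entry_hash) in append order
    def append(self, record: PartRecord) -> str:
        prev = self.entries[-1][2] if self.entries else GENESIS
        h = entry_hash(record, prev)
        self.entries.append((record, prev, h))
        return h
    def verify(self) -> bool:
        # Recompute the whole chain; any edited record or broken link fails the check.
        prev = GENESIS
        for record, stored_prev, stored_hash in self.entries:
            if stored_prev != prev or entry_hash(record, prev) != stored_hash:
                return False
            prev = stored_hash
        return True
    def parts_using(self, component: str) -> list:
        # Which supplier parts contain a given component (e.g. one with a newly reported CVE)?
        return [(r.supplier, r.part, r.version) for r, _, _ in self.entries if component in r.components]

def build_demo_ledger() -> PartsLedger:
    ledger = PartsLedger()                         # constructed sample data below
    spdx = b"SPDXVersion: SPDX-2.1\nPackageName: zlib\n"
    ledger.append(PartRecord("Supplier-A", "bsp-image", "1.0", ("zlib-1.2.11", "openssl-1.1.0"),
                             {"spdx": digest(spdx)}))
    ledger.append(PartRecord("Supplier-B", "gateway-app", "2.3", ("zlib-1.2.11",),
                             {"notices": digest(b"constructed legal notice")}))
    return ledger
def tamper_detected(ledger: PartsLedger) -> bool:
    forged = copy.deepcopy(ledger)                 # a party swaps in a different SPDX file after the fact
    forged.entries[0][0].artifacts["spdx"] = digest(b"replaced SPDX file")
    return not forged.verify()
```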
A demo of the Software Parts Ledger will be given in Intel's booth at the Linux Foundation's Open Source Summit Europe on October 23rd, 24th and 25th. Come on by to see it in action!