Eclipse Foundation Archives - Software Heritage
https://www.softwareheritage.org/tag/eclipse-foundation/

Why software preservation may be an extreme sport
https://www.softwareheritage.org/2025/03/18/software-heritage-ambassador-florent-zara/
Tue, 18 Mar 2025 10:28:06 +0000

That's the take of Florent Zara, Eclipse Foundation open-source expert, who joins Software Heritage as an ambassador.

Extreme sports magazines likely wouldn’t feature software preservation, but perhaps they should. Florent Zara views Software Heritage co-founder Roberto Di Cosmo as a mountaineer. He first learned of Software Heritage during its infancy, at a presentation Di Cosmo gave. The vision of a universal source code archive struck him as a daring Himalayan ascent. As a result, he closely followed the project’s transformation: vision became project, project became infrastructure.

Our newest ambassador works full-time at the Eclipse Foundation, whose mission is to host and sustain Open Source projects by enabling healthy collaboration and nurturing communities. His mandate is to help large accounts manage open source and open as much code as possible, preferably on well-known public instances of GitLab and on GitHub, archived by Software Heritage. Beyond his professional role, he’s been a dedicated free software enthusiast since 1999.

In his free time, he geeks out as an administrator and board member at LinuxFr.org, a leading French-speaking, community-driven website for open source. His nearly two decades in open-source consulting have seen him advise on everything from software quality to governance, licensing, InnerSource, and change management for the likes of ENGIE (previously Gaz de France), Bouygues Telecom, Henix, and others.

Today, as Open Source Services Team Lead at the Eclipse Foundation, he’s helping members and projects better understand, manage, and master Open Source with a focus on the automotive industry, mobility sector, and research organizations. As an active contributor to the OSPO Alliance, serving as Vice-Chair, and the Good Governance Initiative, his efforts focus on building an open community. This community shares guidance, empowering organizations to manage the use, contribution, and publication of open-source software. 

As an ambassador, he aims to expand Software Heritage’s reach, inviting more to join the ascent.

If you’d like to learn more about our mission or connect with him, please don’t hesitate to use the links below. We’re also seeking passionate individuals and organizations to volunteer as ambassadors and help us expand the Software Heritage community. If you’d like to become an ambassador, please tell us a bit about yourself and your interest in the Software Heritage mission.

Joining forces for a secure open source software supply chain
https://www.softwareheritage.org/2024/10/01/software-heritage-joins-orcwg/
Tue, 01 Oct 2024 07:00:47 +0000

As the open-source landscape evolves, so do its regulatory challenges. Software Heritage joined the Eclipse Foundation's Open Regulatory Compliance Working Group (ORCWG) to address these challenges head-on.

The digital landscape is evolving, and with it, the responsibilities that come with creating, maintaining, and securing software. Landmark regulations like the European Cyber Resilience Act (CRA) are reshaping the way open-source software is used and governed. As these regulations set new standards, organizations must adapt to ensure compliance and security.

At Software Heritage, we believe that these changes present not only challenges but also opportunities to create a safer, more transparent open-source ecosystem. As the largest public archive of source code, supported by French research institute Inria and UNESCO, we’re a founding member of the Eclipse Foundation’s newly formed Open Regulatory Compliance Working Group (ORCWG). This group is dedicated to helping open-source projects navigate emerging regulatory requirements while ensuring that innovation and collaboration continue to thrive.

Why now: A new era of regulation

Over the past few years, regulations such as the Digital Services Act, Digital Markets Act, and the General Data Protection Regulation (GDPR) have introduced sweeping changes to the tech landscape.

The CRA, set to be in full force by the end of 2027, will also impact all software put on the market in Europe. It will require organizations to trace their software’s origins, manage vulnerabilities, and ensure that critical software components are properly documented. This highlights the need for strong tools and infrastructure to meet these requirements, which Software Heritage is equipped to provide.

Traceability and security with Software Heritage

Modern software development has often been compared to a Jenga tower. Each block is a component, and if one wobbles, the whole thing could crumble. Today, most software stacks are built on a foundation of external components, often open source. To ensure a secure system, it’s crucial to know exactly what those blocks are and where they came from.

Enter ‘Know Your Software’ (KYSW). Just as banks must identify their customers, developers need to understand their software’s components. To achieve complete traceability, every piece of software, from binary to source code, must be created, shared, validated, and tracked.

That’s where Software Heritage comes in. We’ve secured over 50 billion software artifacts through the Software Hash Identifier (SWHID) specification, guaranteeing long-term availability, ensuring integrity, and enabling traceability across the entire software ecosystem.

With new regulations come basic needs that become best practices: making source code publicly available, precisely identifying which versions are or are not affected by a given known vulnerability, tracing the origin of software components, finding a reference location in which to store qualified metadata, and more.

Contributing to the future of open-source security

Joining the ORCWG is just the next step in our mission to make software safer and more open. We’ve been actively engaged in discussions about securing the software supply chain for years, and the SWHID is part of the SPDX 2.2 specification and included in the 2021 report of the working group on Software Bill of Materials (SBOM) that NTIA launched in 2018.

ORCWG just launched but is already gearing up for a major challenge: building a blueprint for cybersecurity that aligns with CRA. ORCWG’s mission? To deliver a clear roadmap for open-source projects, helping them navigate the new security landscape.

Get involved

We’re in good company: key players from foundations and corporations are joining forces in this new working group, organized by the Eclipse Foundation. At launch time, members included Apache Software Foundation (ASF), Blender Foundation, Robert Bosch GmbH, CodeDay, The Document Foundation, FreeBSD Foundation, Matrix.org Foundation, NLnet Labs, Open Elements, OpenForum Europe, OpenInfra Foundation, Open Source Initiative (OSI), Open Source Robotics Foundation (OSRF), OWASP, Payara Services, The PHP Foundation, Python Software Foundation, Rust Foundation, SCANOSS and Siemens.

If you’d like to join us, there are plenty of ways to get involved from a mailing list to a Matrix chat, weekly office hours, webinars and repos. You can also apply to become a member.
