OSSF ORBIT: Launchpad Special Interest Group

The Launchpad SIG is a group working within the Open Resources for Baselines, Interoperability and Tooling Working Group (WG).

ORBIT exists to develop and maintain interoperable resources for the identification and presentation of security-relevant data. It provides a home for collaborative activities, best practice definitions, documentation, testing, integration, and other artifacts supporting the mission. The Launchpad exists to connect maintainers of open source supply chain security tooling to their end users in a way that facilitates mutually beneficial alignment.

This SIG will partner closely with the Cyber Policy Working Group to identify and document specific compliance obligations that can drive tooling requirements for the upstream consumption of open source software. The Global Cyber Compliance Policy WG has ongoing guidance discussions on preparing for OSS consumption. While the motivation of this SIG is driven by CRA timelines, the goal is to accelerate tooling progress for the community.

Motivation

With the coming CRA regulation, many manufacturers of digital elements have spent the past year investing time and expertise in improving secure supply chain processes for their proprietary code. The motivation of this SIG is to use OpenSSF as a foundation for enterprises to share knowledge and tooling to uplift the community that consumes open source dependencies, by creating a collaboration space for those large enterprises to donate their learnings and engineering expertise. The goal is to help accelerate access to harmonized tools for all members of the community who want to follow good software security development practices using open source guidance and tools, regardless of size, time available for security, or security expertise. Additionally, the tools that open source projects have at their disposal to champion their secure software development practices should work seamlessly, without any additional effort from those open source developers, and be easily consumed by anyone who uses that open source as a dependency to demonstrate compliance. OpenSSF has been doing this work in the past and has created building blocks for it. The motivation of this SIG is to accelerate harmonizing and completing OSS consumption guidance and tooling in 2026, in alignment with CRA deadlines.

Objective

Align Manufacturer CRA Compliance Requirements: Identify and document specific CRA compliance obligations that apply to the consumption of open source software for manufacturers.

Partner to Drive ORBIT Tooling Improvements: Assess the Baseline Catalog and extend it to create a set of controls for CRA compliance for manufacturers. Evaluate existing tools as needed for CRA requirements not met by Baselines and implement improvements. Identify tooling gaps and create issues to address them, enabling developer community engagement.

Promote ORBIT Tooling Improvements: Drive awareness for achieving and demonstrating secure compliance within the context of software supply chain security. Partner with Global Policy WG to develop CRA Security Compliance Tooling Guidance.

Active Projects

As of February 23, this SIG has met twice to discuss the 2026 roadmap and is actively working on prioritizing objectives.

Get Involved

  • Star this repository
  • Introduce yourself on Slack #sig-orbit-launchpad
  • Join a SIG meeting

Meeting times

  • Every other Friday (March 6), 10:30 am MST; you can register for the community bi-weekly meetings with a calendar invite with this link.
  • Meeting Minutes

Governance

The CHARTER.md outlines the scope and governance of our group activities.

Co-Chairs

Intellectual Property

In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:

[TODO: Select below the applicable license(s), delete those that don't apply, and update the LICENSE file accordingly. For specification development refer to the specific instructions on the Community Specification Getting Started page.

Note that for source code, instead of Apache, you may choose to use the MIT License available at https://opensource.org/licenses/MIT. Otherwise, no other license than those listed here may be used without approval from the Governing Board.]

  1. Software source code
  2. Data
  3. Specifications
  4. All other Documentation

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Generated from ossf/project-template