Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)
Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)
It is a fair point that ISO certifications are a slog to bring to market.
I do think there is a lot we can learn about how ISO 19770-1 has been structured and, regardless of ISO, it could be leveraged in OpenChain.
I have attached an early draft of the standard from when I was involved.
The overall process they lay out is similar in principle to OpenChain's processes.
From: William Weinberg [mailto:bill@...]
Sent: 11 August 2017 19:54
To: Martin Callinan <martin.callinan@...>
Cc: Kate Stewart <kstewart@...>; openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)
It has been the tradition of the Linux Foundation to sponsor projects that implement existing paper standards and create new de facto ones. A de jure, paper path that you suggest suffers from cost, slowness and the honor of being a "leading" vs. a following standard, thus engendering multiple, usually variously forked implementations, each with its own "secret sauce". Even ISO process-oriented (vs. technology) standards suffer from this same ill.
Is there a real value in slogging through a full ISO certification? Would an ISO process certification really carry extra cachet at this point in history?
The standard was produced so anybody could create a tag. I once considered it as a service offering. TagVault was started by Steve Klos, who was convener for the writing of ISO 19770-2, and has positioned itself as a certification authority, but that does not stop anybody creating tags without going through TagVault.
I was not meaning to suggest we go down the same route as SWIDs for Open Source but thought there may be some learnings we can take from the work they have done.
ISO always charges for standards but their standards have a lot of credibility and a lot of work goes into having a standard recognised.
It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of the ISO/IEC 19770-1 Standard for Software Asset Management, which is a process standard.
There is also ISO/IEC 19770-2, the Software ID Tagging Standard, which is an XML tag definition to tag software that needs to be licensed (https://www.iso.org/standard/53670.html) and which in a way is similar to SPDX.
The challenge with using SWIDs is you have to pay for access to the specification.
readable equivalent, as you'll need to use a tool to read one.
Also, as I understand it (please correct me), in order to get an SWID tag assigned, you need to join an organization (TagVault) and pay a fee, which isn't necessarily viable for open source upstream projects and hence supply chains with open source