RUFFIN, MICHEL (MICHEL) <michel.ruffin@...>
Dear all I have just discover OpenChain today
I look at your criteria for good practice, and I think (I will have to cross check in detail) but Alcatel-Lucent is compliant to G1 to G6 and even to RP1 and more.
But it appears to me that you are still missing several things (sorry if I am wrong I have not checked all discussion and results)
1) Handling outsourcing, divertissement and merge and acquisition (this could be called RP2)
2) Handling new/quite recent technologies: DRM, Bit torrent, Saas, IaaS, PaaS, Maven, …
3) Measuring the level of implementation of the FOSS governance process: I am currently working on this in a company of 60 000 people so it is not yet well done in ALU but I have ideas like having internal audits, having certificate of compliance for ALU products, blocking the general availability of new products if they are not compliant (we already do that partially) etc.
FYI the FOSS governance process of ALU is a set of 120 pages of information addressing all (20 page on how to package an ALU product with FOSS); We have a FOSS executive committee that meet all weeks during 1h30 since 2007 with lawyers, procurement technical people, we have 180 FOSS evaluators in the company (coach by the FOSS EC), which corresponds to your FOSS compliance officers, we have registered tutorials, we have a process to contribute to open source, …. We have plan to issue a compliance alert in the company in September to inform people on FOSS in which training will be mandatory even for high executives, We have launched a recognition program for FOSS evaluator with Human resource, and quality group to be sure that they are empowered.
I am not too sure, that I can participate to your meetings (too much things to do), but this need to be addressed.
Now I am curious to know if you have some plans to make this like a CCMi certification program and in what timeframe
To provide you a small contribution, I send you the FOSS clauses that we put in ALL our suppliers contracts (I would like to standardize that). It is a public document that has already been sent to the FTF Europe legal network and to the SPDX group. Note that clause 5 needs to be reworked, because it does not exactly means what we intend to do. The legal phrasing is asking too much compared to what we expect. We also plan to change this clauses to impose the SPDX format rather that “electronic form”. Our internal tools are SPDX compliant (not perhaps yet to SPDX 2 yet , but to SPDX 1.2)
Now I have another important comment to your group. The criteria that you define are Ok for Alcatel-lucent, we can already claim that we are compliant with the highest criteria and I can prove it. But for companies which are far from this level of compliance, it is freighting, I do not know how this can be solved, but you should think a little bit about that. Because an open source process in a company needs steps to be acceptable and you need to put resource in place to face the demands.
My two cents, like we say in US