Re: Flagged for OpenChain Conformance+Specification Work Team - Review Needed

J Lovejoy

Hi Mark,

Sounds good!

Thanks,
Jilayne

On Oct 5, 2018, at 12:21 PM, Gisi, Mark <Mark.Gisi@...> wrote:

Hi Jilayne,

I updated the text by replacing "requirement" with "option" and now reads:

Although currently an audit by a third party is not an option, a partner or customer may ask for evidence of the Verification Materials as a condition for doing business (e.g., under a Non-Disclosure agreement).

-----Original Message-----
From: J Lovejoy [mailto:opensource@...]
Sent: Friday, October 05, 2018 10:16 AM
To: Gisi, Mark
Cc: Shane Coughlan; Miriam Ballhausen; openchain@...; Openchain-specification@...; Openchain-conformance@...
Subject: Re: [OpenChain] Flagged for OpenChain Conformance+Specification Work Team - Review Needed

Hi all,

Just a small point on that FAQ answer, where it says, "Although currently an audit by a third party is not a requirement of the OpenChain specification, a partner or customer may ask for evidence of the Verification Materials as a condition for doing business (e.g., under a Non-Disclosure agreement). . . ."

I would remove the first part where it says, "Although currently an audit by a third party is not a requirement of the OpenChain specification," - this sort of implies that it may be a requirement in the future. I don't think that should ever be a requirement - there should always be the option to self-certify (conformance) or hire a third party - which I think is what the ISO example Shane provided explains.

Thanks,
Jilayne

On Oct 5, 2018, at 8:30 AM, Gisi, Mark <Mark.Gisi@...> wrote:

Hi Shane,

I wanted to suggest that conformance+specification work teams may want to look at this and consider how we adjust our material to reflect this wording.
The specification today makes a distinction between conformance (self-certification) and certification (third party audited certification). All the specification wording (including emails) intentionally makes reference to conformance (or conforming) because ONLY a self-certify process exists today. It has been discussed that once we have a third party audit program an organization could declare their program to be "certified" ( = conformance verified by third party). Until such a program is in place conformance is the only option and term to use. This is briefly discussed in the following spec FAQ.

- Mark

https://wiki.linuxfoundation.org/openchain/specification-questions-and-answers#is-a-third-party-audit-required-to-declare-an-open-source-compliance-program-to-be-openchain-conforming

Q: Is a third party audit required to declare an Open Source Compliance program to be OpenChain Conforming?

A: No. At least not yet. The OpenChain 1.2 specification is simply structured to provide a list of requirements where each requirement maintains a set of acceptance criteria (Verification Materials). Each requirement is a description of an important quality an Open Source Compliance program must satisfy. The Verification Materials for a requirement represent a list of tangible artifacts that must exist in order for one to determine the specific requirement has been met. Although artifacts must exist, one is not required to make them public. The key goal of the specification is to foster trust around Open Source compliance between two parties exchanging software. Although currently an audit by a third party is not a requirement of the OpenChain specification, a partner or customer may ask for evidence of the Verification Materials as a condition for doing business (e.g., under a Non-Disclosure agreement). That is, the obligation to provide evidence of the existence of the artifacts, and the willingness to do so, is determined by the relationship entered into by two parties. It has been discussed that a future version of the specification may provide more specific guidelines on how to obtain third party certification, but that is not available today.


-----Original Message-----
From: Shane Coughlan [mailto:coughlan@...]
Sent: Friday, October 05, 2018 1:22 AM
To: Miriam Ballhausen; Gisi, Mark
Cc: Openchain-conformance@...; Openchain-specification@...; openchain@...
Subject: Flagged for OpenChain Conformance+Specification Work Team - Review Needed

Hi Miriam, Mark, everyone on the conformance and specification work teams!

Some questions have popped up about whether it is possible to self-certify to an ISO standard (our target for formal standardization 2019/2020). The answer is yes, with ISO using the terminology of “certified” for third party certification and “conformance” for self-driven efforts.

"An option often overlooked is the fact that a business can be “ISO 9001:2015 compliant” and not have to go through the rigor of a certification audit. The same goes for ISO 14001, 27001, and 45001. This compliance option may meet your customers’ expectations for the implementation of a formal quality management system (QMS) based on the ISO standard. This option can be considered a type of “self-assessment.” With this option, you will still implement a complete QMS but, not take the final step of hiring a Registrar to conduct the certification audit, saving you time, money and the stress of “passing” a certification audit."
https://www.thecoresolution.com/iso-compliance-vs-certification

I wanted to suggest that conformance+specification work teams may want to look at this and consider how we adjust our material to reflect this wording.

Pages that might need review are:

Conformance:
https://www.openchainproject.org/conformance
https://www.openchainproject.org/conformance-faq

Spec:
https://www.openchainproject.org/spec
https://www.openchainproject.org/specification-faq

Both:
https://www.openchainproject.org/faq

Regards

Shane


--
Shane Coughlan
General Manager, OpenChain
e: coughlan@...
p: +81 (0) 80 4035 8083
w: www.openchainproject.org

Professional profile: http://www.linkedin.com/in/shanecoughlan

Get my free book on open source compliance here:
https://www.linuxfoundation.org/news-media/research/practical-gpl-compliance
