Re: OpenChain

Joseph Potvin

It appears that someone in this conversation has been tagged as advocating "some ISO regime that sues people over trademark". Let me correct that.

I have in the past, on this list, advocated our cooperation with the community around ISO 19600 Compliance management systems -- Guidelines. So let me attempt to reduce the confusion created by the parody of the so-called "ISO regime".

Let's consider two approaches:

OSADL License Compliance Audit (OSADL LCA)
Last year Siemens became "the first company authorized to label the audited product with the registered OSADL LCA hallmark, indicating to the purchasers of the product a high level of legal compliance when passing on the Open Source software contained in the product."

ISO 19600:2014 Compliance management systems -- Guidelines
"two important decisions have been made that determine the content and format of ISO/CD 18386 [ISO 19600]:
a) It will be a guidance document and not a specification (requirements standard);
b) It will describe a compliance management system.
The first decision implies that ISO/CD 18386 [ISO 19600] is not intended for certification, but provides organizations with ‘good practice’ that they can fully or partly implement."

On the page about the OSADL License Compliance Audit, we find a chart of fees for certification, and if I read that correctly (Oliver, please correct me if I'm wrong, as that article is about your team's audit) the OSADL certification is product-based. For any organization with many products, that seems a rather pricey treadmill to be on!

On the other hand, the ISO 19600 approach is a ‘good practice’ that organizations can fully or partly implement. Furthermore, the suggestion by David Marr (tweaked by me) that "Use of the OpenChain logo is limited to company level designations intended for use in relation to organizations, not products... The OpenChain logo ... must be clearly associated with the organization, not the product" seems to align with the ISO 19600 approach at the organization, rather than the product-by-product level.

Therefore I offer the following two hypotheses:

1. Jeremiah actually supports the ISO 19600 approach, and he abhors the OSADL approach;
2. Oliver led Siemens to the OSADL approach, and now regretting that decision, supports the ISO 19600 approach.

So, I think we all like the ISO 19600 approach, but I trust I'll be corrected if I'm confused!

As to the matter of how difficult or easy it should be to use a trademark of a compliance certification process, that's orthogonal to the choice in overall approach discussed above. But I think we're all aware that license proliferation has made compliance a headache. Any inter-organizational license compliance management system will therefore be very challenging. But it seems to me the organization-based ISO approach is a lot more practical and sustainable than the product-based OSADL approach.

FWIW, in my own free/libre/open work of the past decade and a half, for the above reasons I've generally tended towards "unified" licenses for whole applications, and "permissive" licenses for generic components and reference implementations. But I might be using an "elastic" license for the first time in a project I currently coordinate.
  • Permissive licenses (MIT, Apache) carry no restrictions on re-licensing when blending source code for distribution.
  • Elastic licenses (Eclipse) require that the original source code and its direct derivatives remain under the original licenses, whereas any code that is added can be under any license(s).
  • Unified licenses (GPL, AGPL) require consistent licensing of software at the program level when blending code for distribution.
Source: This spectrum is described on pg 89 in my 2011 article here:

Earlier Thread Summary:

[Jeremiah] "So companies going through certification can't use the logo or trademark? That seems a bit restrictive, especially during launch of the overall certification process when you really want to build brand awareness. Perhaps you have the Open Chain logo and you have a "Certified" logo for completing the ISO certification process. ... What sort of sanctions do you propose might happen should one claim their "product" as "certified"? You'd have to have some kind of meaningful leverage."

[Joseph] "Of course it's a bit restrictive. Isn't that the point of a certification process and certification mark? The sanctions, if necessary, would be most directly handled under normal trademark law."

[Jeremiah] "No. It should be about certifying a process that should be widely adopted with the fewest restrictions possible. ... I think this is completely the wrong approach. The whole point of Free Software is real freedom from this sort of legalistic nonsense. The focus of Open Chain should be in adopting the best practices that exist in the community, not trying to set up some ISO regime that sues people over trademark. Seriously"

[Joseph] Please see the OSI's Trademark Usage Guidelines ... You might also find the OSI-vs-OSHWA tussle about logos interesting


Joseph Potvin
Operations Manager | Gestionnaire des opérations
The Opman Company | La compagnie Opman
Mobile: 819-593-5983

On Mon, Jul 20, 2015 at 5:46 AM, Fendt, Oliver <oliver.fendt@...> wrote:

Hi all,


I will not be able to participate in today's call. So I will try the email approach.


Regarding the “trademark” discussion my view is in line with Jeremiah as follows:

Our goal shall be to make all our lives easier when it comes to license compliance etc. in the supply chain. We shall provide blueprints, best practices, assessment catalogues etc. to others (in such a quality that we can say “…if you use this and that, or if you have successfully passed the assessment from xyz then everything is fine….”). We need a wide use and adoption of all our output. A very good means to maximize the adoption of own work by others is to share it under the conditions of an OSS license. I do not want to enable another business segment of consultants, with the work of OpenChain, squeezing money out of companies. This money should be invested in the compliance activities or in increasing the quality of software but not in paying consultants. Just like Jeremiah said:

“The focus of Open Chain should be in adopting the best practices that exist in the community, not trying to set up some ISO regime that sues people over trademark. Seriously, Open Chain needs to consider policies much more inline with Debian's trademark policy, that will bring the process closer to FOSS practices and out of this maladaptive corporate sphere which really misses the point.”



@ Michel: it is very nice that you are now with OpenChain.

I have read your comments and I do not agree with your view of "… Mainly what I think is not ok is that the first level criteria are too strong, you need to have a smoother approach for companies which have not or have a weak governance process in place".

We have struggled for years with companies which have no or a weak governance process, and this causes a lot of effort and time and costs a lot of money and nerves, because they are either not willing to provide the required information (bill of material, license texts, copyright holders, acknowledgements, source code and others) or they are simply not able to provide it. But they have to do it according to copyright law. We really have to push to get out of this situation. I do not agree with a view of a smoother approach – shall we be fine with half of the required stuff or with old data? In normal life nobody will approach you in a smooth way if you do not behave according to laws. Or did I misunderstand your comment?



Have a nice Day




From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of RUFFIN, MICHEL (MICHEL)
Sent: Thursday, 16 July 2015 23:07
To: hutch@...
Cc: openchain@...
Subject: [OpenChain] OpenChain


FYI, I am now authorized to contribute to OpenChain in the name of Alcatel-Lucent worldwide (sorry it took a while to get all the authorizations). I will try to participate in a meeting soon, but can I have 10 minutes to say what I think is not ok and what should be done forward?


Mainly what I think is not ok is that the first level criteria are too strong, you need to have a smoother approach for companies which have not or have a weak governance process in place


Concerning additional criteria, I have a lot of ideas that we are setting in place in Alcatel-Lucent


My discomfort with the actual criteria is that there is a mix between low level criteria and high level criteria, in terms of steps to reach a good governance process.


A governance process should start low: identify people, enroll the lawyers, make a basic governance process, ...

Then raising attention in the company, refining the model to address suppliers, customers, outsourcing, …

Measuring the implementation of the process, coping with divestiture, contribution to open sources, SaaS…


And in all the process the resources to sustain it must be made available, so everything cannot be done at once.


ALU has gone through all these stages and we are still evolving.



Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff

Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France


OpenChain mailing list
