Re: OpenChain

Armijn Hemel - Tjaldur Software Governance Solutions

On 20-07-15 14:50, Joseph Potvin wrote:

Therefore I offer the following two hypotheses:

1. Jeremiah actually supports the ISO 19600 approach, and he abhors
the OSADL approach;
2. Oliver led Siemens to the OSADL appraoch, and now regretting that
decision, supports the ISO 19600 approach
As one of the auditors involved in the OSADL audit I think you do not
understand the OSADL license audit approach, why it was developed, what
the experience of the auditors has been and what the next steps are.

So allow me to enlighten you.

When we developed the product audit (in 2012) there was no auditing
method for what we wanted to achieve. Of course there was already the
FSF certification program (see for more information)
but that is not what we wanted.

The product audit was scoped by *design* to keep it simple enough to
understand and explain, and easy to do within a short period of day (1
working day, with a bit of work before and after). Another reason to
scope it is that we can also compare results of audits, if needed.
Another important part of the design is to use open methods to make the
process repeatable for basically anyone who wants to.

The audit is performed on site, with one or two people of the
(development) team in the room during the audit and results are
discussed and explained in a continuous dialogue between and with the
auditors, as part of knowledge sharing.

At all audits we have done so far we find that it is actually good
enough as a test for compliance within a company/department/team and
discover processes that are wrong. Effectively we are using a scoped
*product* audit to uncover larger compliance *process* issues in a

From the experiences from the product audits that we have done a process
audit is being developed and the knowledge is widely shared with whoever
wants to hear about it (like OpenChain from before day one).

Regarding pricing: yes, having every product and firmware audited is
expensive. For the companies the goal has not been getting the
certificate, but finding out how well they are doing with respect to

Regarding your hypotheses:

* no one we have audited has regretted the decision. The audit is hard
to pass and we have uncovered real issues in companies and supply chains.
* I talk to Jeremiah every now and then at conferences and as far as I
know he *loves* the OSADL method

With the OSADL audit we proved that with an ultralightweight open method
(the algorithm behind the tooling that we use has been published at
plenty of conferences and I can explain the technical part of the audit
in under 1 minute) we can achieve a lot. It's open. There is no secret
sauce. It's simple. It's clean. And: it *exists* and *works*.

I hope this helps you put the OSADL license compliance audit in context.


Armijn Hemel, MSc
Tjaldur Software Governance Solutions

Join to automatically receive all group messages.