Re: OpenChain

Jim Hutchison

[hutch] To the extent that the application of OpenChain results in a collection of indications of how OpenChain is applied to a participant in a supply chain, these indications (artifacts of certification) could inform the downstream.  They/one might indicate that they determine licenses by controlling their in-take from up-stream.  They/one might indicate that they perform direct inspection, use tools, and/or benefit from third-party audits.  For some, a combination of these would perform best.  As we proceed into discussion of how OpenChain is applied to various sizes of supplier, it looks like we cannot simply conclude "yes" and "no", but there must also be information to share-forward.

I wholly agree with the benefit of these multiple approaches to training, as answers/analysis can have little quality when people do not understand the questions.  Hopefully we can quantify training in a way which builds appropriate downstream trust.


Jim Hutchison

Qualcomm Technologies, Inc.

At 05:30 AM 7/24/2015, RUFFIN, MICHEL (MICHEL) wrote:

[Oliver] yes I know to handle 3rd party software (no matter whether OSS of commercial of the shelf) in a correct manner affects the entire company including the Human Resource department because you need also job descriptions and of course the right trainings and a concept for which employees trainings are mandatory or optional, etc.
This brings me to another point these compliance processes is not caused by OSS. Every company which uses 3rd party software has to implement a license compliance process. There are only very view additional things to do in this process which are specific to OSS.
My intention with this statement is that to be fair in regard to OSS. I have often the impression that there is an “opinion” which sounds like “oh we have to do all this high effort license compliance stuff, because we use OSS” and this is simply not the truth. Every company which uses 3rd party software (or better to say software of which it holds not all rights) has to implement a license compliance process.
(Michel): the process to handle proprietary COTS is generally handled by procurement and supply chain, it is not so obvious with FOSS
So I would say step one is to raise awareness to R&D, to high exec, to legal and procurement, and to have the list of FOSS in your products available
In further steps you introduce tools like Blackduck or Palamida
In further steps you introduce tools such as code center Antelink, NextB, Nexus, …
[Oliver] I do not agree here. I would not require a supplier to license Blackduck and/or Palamida.
(Michel) as you said a lot of people still think it is open source so I can use it without consideration that the license must be respected.  It is true for ALU, for its suppliers, for its outsourcing development. The declarative approach (listing the FOSS used) is not enough, some people intoduce 100 lines of code from an open source) so we need to cross chaeck with tools. We do not impose that to suppliers, but in the future, ???? Note I cite 2 tools for scanning code, but there other competitors, nextB, Protocode, Antelink Openlogix (now owned by IBM)  and perhaps so I am not aware of.
[Oliver] yes i can imagine because simply the tooling you have mentioned above is not that cheap.
(michel) it is not really the tooling which is expensive but the experts trained to evaluate foss licenses, packaging the ALU products, using the tools, , and their training is expensive. The time for most people in the company to follow some basic trainings, … we have also a program with HR, Quality org, lawyers to empower the experts to do their job and to recognize them. All this is expensive.
Also a difficult aspect is decentralizing. Our process is decentralized we have 200 actives FOSS experts that can accept or reject FOSS according to license in all our organizations (We have trained around 350 people, this is the turnover aspect) and have the mission ot implement the process in their organization.  But I was the one that was doing the training (which is face to face and one week long), now we have decentralized this by having a trainer for each continent. Now I am thinking to decentralize some of the functions of our FOSS executive committee (because we meet every week but never go to the end of the agenda)
[Oliver] this  I do not really understand if you have e.g. one central DB were all the requested and approved components are listed with all their attributes, you can always control what’s going on.
(Michel) we have a central DB to gather IP issues with FOSS, but the people that fill this DB are decentralized, their trainers are also decentralized. Also decentralization allows awareness everywhere. I am convinced that only decentralized people and centralized information is a good solution for having a scalable governance process.
Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff
Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France
De : Fendt, Oliver [ mailto:oliver.fendt@...]
Envoyé : lundi 20 juillet 2015 11:46
À : RUFFIN, MICHEL (MICHEL); hutch@...
Cc : openchain@...
Objet : AW: OpenChain
Hi all,
I will not be able to participate in the todays call. So I try the email approach.
Regarding the “trademark” discussion my view is in line with Jeremiah as follows:
Our goal shall be to make all our lives easier when it comes to license compliance etc. in the supply chain. We shall provide blue prints, best practices, assessment catalogues etc to others (in such a quality that we can say “…if you use this and that, or if you have successfully passed the assessment from xyz than everything if fine….”). We need a wide use and adoption of all out output. A very good means to maximize the adoption of own work by others it to share it under the conditions of an OSS license. I do not want to enable another business segment of consultants, with the work of OpenChain, squeezing money out of companies. This money should be invested in the compliance activities or in increasing the quality of software but not in paying consultants. Just like Jeremiah said:
“The focus of Open Chain should be in adopting the best practices that exist in the community, not trying to set up some ISO regime that sues people over trademark. Seriously, Open Chain needs to consider policies much more inline with Debian's trademark policy, that will bring the process closer to FOSS practices and out of this maladaptive corporate sphere which really misses the point.”
@ Michel: it is very nice that you are now with OpenChain.
I have read your comments and I do not agree to your view of …” Mainly what I think is not ok is that the first level criteria are too strong, you need to have a smoother approach for companies which have not or have a weak governance process in place”
We struggle since years with companies which have no or a weak governance process ---and this causes a lot of effort time and cost a lot of money and nerves, because they are either not willing to provide the required information (bill of material, license texts, copyright holders, acknowledgements, source code and others) or they are simply not able to provide it. But they have to do it according to copyright law.  We really have to push to get out of this situation. I do not agree with a view of a smoother approach – shall we be fine with half of the required stuff or with old data?  In normal life nobody will approach you in a smooth way if you do not behave according to laws. Or did I misunderstand your comment?
Have a nice Day
Von: openchain-bounces@... [ mailto:openchain-bounces@...] Im Auftrag von RUFFIN, MICHEL (MICHEL)
Gesendet: Donnerstag, 16. Juli 2015 23:07
An: hutch@...
Cc: openchain@...
Betreff: [OpenChain] OpenChain
FYI, I am now authorized to contribute to OpenChain in the name of Alcatel-Lucent world wide (sorry it took a while to get all the authorizations). I will try to participate to a meeting soon, but can I have 10 minutes to say, what I think is not ok and what should be done forward
Mainly what I think is not ok is that the first level criteria are too strong, you need to have a smoother approach for companies which have not or have a weak governance process in place
Concerning additional criteria, I have a lot of ideas that we are setting in place in Alcatel-Lucent
My dis-confort with the actual criteria is that there is a mix between low level criteria and high level criteria. In term of steps to reach a good governance process.
A governance process should start low: identify people enroll the lawyers, making a basic governance process, ..
Then raising attention in the company, refining the model to address suppliers, customers, outsourcing, …
Measuring the implementation of the process, coping with divestiture, contribution to open sources, SaaS…
And in all the process the resources to sustain it must be made available so everything  cannot be done at once.
ALU has gone to all this stages and we are still evolving
Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff
Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France

Join to automatically receive all group messages.