Dear all,

In my experience 3-6 months is nowhere near enough time for a new (large, FOSS-immature) acquisition to become compliant to the FOSS policies and practices of the new parent….even 6-12 months may not be achievable. I think it’s better to have the subsidiary distinct until its compliant.

These comments resonate with me as well.  As an attempt to capture the two related but distinct discussions on this point so far I’m seeing proposals to:

·         Build a pre-set, standard time duration for an entity’s OpenChain Certification.  An annual duration was proposed. Additional justification for setting a duration is because over time the person(s) in the FOSS Compliance Role might transition from that role, whether leaving the entity or changing job responsibilities within the entity.

·         Consider either a distinction for companies that have been purchased or provide a period (such as three to six months) for the certifying company to certify that the new “subsidiary” can be considered compliant.

On the second point, I’m attracted to the suggestion of making a distinction.  Perhaps any OpenChain Certification should extend to the entity and its subsidiaries at the time of certification (a snapshot in time), without automatic application to new subs, until the next annual(?) certification?

Dave

If the certification includes an identification of the person who is responsible (and I think that it should), I suggest that one requirement of certification is that they keep someone in that role during the period of certification.