Re: Certification Services
Hi Mary
Adding the relevant text from the specification below for everyone (minus rationale expansion). Full specification here:
Each process identified by OpenChain has verification materials that must be output. This allows the company (and their customers) to check to ensure a software package has been correctly passed through the process at any time during production or later.
This means a company can implement the processes and self-certify or get independent assessment or third-party certification, and thereafter there is a permanent sanity check (or as long as required by licenses and law).
A review, audit or remediation procedure can ask for the verification artifacts. Indeed, the second to final section of OpenChain addresses this specifically with the verification artifact for the verification artifacts:
“3.6.1 In order for a program to be deemed OpenChain conformant, the organization shall [have] A document affirming the program [...] satisfies all the requirements of this [specification].”
Thus any customer/supplier question flow could look like this:
Are you OpenChain Conformant?
Can you provide the verification artifact for section 3.6.1?
And maybe:
As part of our final review, can you provide the verification artifacts for sections X, Y and Z?
Each industry sector will decide what level of fidelity is necessary to proceed. We expect variance to be relatively wide by sector, but less so inside each sector.
(e.g. I would be surprised if a defense company didn’t say “give me all the artifacts” but I would be less surprised if a consumer electronics company focused on specific artifacts to satisfy their assessment, up to and including being satisfied if supplierX simply provided the 3.6.1 + 3.6.2 (confirmation of being current)).
== specification text ==
3.3.1 Bill of materials
A process shall exist for creating and managing a bill of materials that includes each open source component (and its identified licenses) from which the supplied software is comprised.
Verification material(s):
3.3.1.1 A documented procedure for identifying, tracking, reviewing, approving, and archiving information about the collection of open source components from which the supplied software is comprised.
3.3.1.2 Open source component records for the supplied software that demonstrates the documented procedure was properly followed.
3.4.1 Compliance artifacts
A process shall exist for creating the set of compliance artifacts for the supplied software.
Verification material(s):
3.4.1.1 A documented procedure that describes the process under which the compliance artifacts are prepared and distributed with the supplied software as required by the identified licenses.
3.4.1.2 A documented procedure for archiving copies of the compliance artifacts of the supplied software - where the archive is planned to exist for a reasonable period of time since the last offer of the supplied software; or as required by the identified licenses (whichever is longer). Records exist that demonstrate the procedure has been properly followed.
On Mar 3, 2021, at 21:54, Mattran, Mary <mary.mattran@...> wrote:
OpenChain has built into it that people are aware of the policy and their role in the open source arena, and evidence needs to be provided that the process is followed (3.3.1.2, 3.4.1.2) so they can't just build the thing, then get certified. They need to show that it is being followed, too.