Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Thanks for the great feedback Kate and Mark (on this list) and loads of other people (on our call).

In broad strokes:
(1) we decided to make it *very* clear this was not about variants of OpenChain ISO 5230 but rather about where companies can go next after adoption
(2) we decided to pull back from “quality grading” by the project and instead provide case studies and examples to help inspire companies

Check out the latest (and dramatically overhauled) edit here:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

On Aug 23, 2021, at 23:06, Mark Gisi <mark.gisi@...> wrote:

One of the core guiding principles for the OpenChain Specification is to focus on the what and why of compliance (and avoid the how and when). This is highlighted in the introduction of the spec. That is, avoid being prescriptive.

It was always understood that the OpenChain Project would foster the creation of various materials around best practices to educate on how other companies achieve conformance. That is - to describe the prescriptive ways of others. This has not been done with any formal structure yet within the project. The proposed levels approach is the first attempt to do this, which I commend. What I disagree with is mixing the specification too tightly with prescriptive ways, because it undermines a core principle and purpose of the specification.

I suggest we create a complementary best practice program/guide that encourages companies to consider various prescriptive levels. That is, have Best Practice Levels (bronze, silver, gold, …) but DON’T confuse it with the spec (which is: about what and why, practice neutral, non-prescriptive, …). For instance, have a program with its own logo (for example - see attached).

best,

Mark Gisi
Director, Open Source Program Office
Empowering Customers to Prosper using Open Source
(510) 749-2016

-----Original Message-----
From: specification@... <specification@...> On Behalf Of Shane Coughlan
Sent: Monday, August 23, 2021 1:43 AM
To: OpenChain Main <main@...>
Cc: OpenChain Japan <japan-wg@...>; OpenChain Korea <korea-wg@...>; OpenChain Germany <germany-wg@...>; OpenChain India <india-wg@...>; OpenChain UK <uk-wg@...>; OpenChain Partners <partners@...>; OpenChain Automotive <openchain-automotive-work-group@groups.io>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>; OpenChain Specification <specification@...>
Subject: [specification] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Dear all

During a recent OpenChain Japan Planning meeting we discussed the challenge of “next steps” in OpenChain ISO 5230 conformance. Our initial goal of adoption in the supply chain is well underway. Our basic concept of “raising all the boats” is working. But now it is time to talk in more detail about “raising the boats to where?”

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230.

Attached is a slide-deck exploring how this can be done. We will be discussing this in the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC. All welcome. No registration.
https://zoom.us/j/4377592799

You can add comments to this document online:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Regards

Shane
