Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested


Mark Gisi
 

Hi Chris,

 

>> Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?

 

We introduced the security assurance guide as a separate deliverable initially to reduce friction to adoption of both the spec and security guide. We did not want to have a company feel obligated to conform with both to achieve either one. However, having noted that, they were designed to be highly similar in spirit and format, and easily achieved together should a company choose (or a customer requires it). That is, they are separate but highly complementary. The long term objective is to create trust in open source by working toward creating a suite of highly complementary conformance specifications (e.g., license compliance, security, quality, export compliance, …) such that an organization can choose the ones that best fit their needs. For that reason we are trying to avoid creating a single monolithic specification.

 

Let us know if that does not completely address your concern.

 

best,

 

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River

 

From: main@... <main@...> On Behalf Of Christopher Wood
Sent: Tuesday, November 2, 2021 3:43 PM
To: main@...
Cc: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

 

Hello

Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?

Thanks 

Chris
On Nov 2, 2021, at 5:16 PM, Takashi Ninjouji <takashi.ninjouji@...> wrote:
Hello Mark and Shane,

 

I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
My understandings are:

(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide, and each duration will be managed separately.

(2) In practice, if a program that is already OpenChain conformant becomes newly conformant to this guide, it may be possible to renew conformance to this guide in conjunction with the subsequent OpenChain conformance renewal.


Are all of the above OK?

 

Best Regards

Tak


On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:

As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:

 

Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.

 

Regards

 

Shane 

 

Shane Coughlan

OpenChain General Manager

+818040358083

Book a meeting:
