Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
>> Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?
We introduced the security assurance guide as a separate deliverable initially to reduce friction in the adoption of both the spec and the security guide. We did not want a company to feel obligated to conform with both to achieve either one. However, having noted that, they were designed to be highly similar in spirit and format, and easily achieved together should a company choose (or a customer require it). That is, they are separate but highly complementary. The long-term objective is to create trust in open source by working toward a suite of highly complementary conformance specifications (e.g., license compliance, security, quality, export compliance, …) such that an organization can choose the ones that best fit its needs. For that reason we are trying to avoid creating a single monolithic specification.
Let us know if that does not completely address your concern.
Empowering Engineers & Customers to Prosper using Open Source
From: main@... <main@...>
On Behalf Of Christopher Wood
Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?