Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Home Messages Hashtags Subgroups Calendar

#4266

Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Mark Gisi #4266 Hi Chris, >> Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item? We introduced the security assurance guide as a separate deliverable initially to reduce friction to adoption of both the spec and security guide. We did not want to have a company feel obligated to conform with both to achieve either one. However, having noted that, they were designed to be highly similar in spirit and format, and easily achieved together should a company choose (or a customer requires it). That is, they are separate but highly complementary. The long term objective is to create trust in open source by working toward creating a suite of highly complementary conformance specifications (e.g., license compliance, security, quality, export compliance, …) such that an organization can choose the ones that best fit their needs. For that reason we are trying to avoid creating a single monolithic specification. Let us know if that does not completely address your concern. best, Mark Gisi Director, Open Source Program Office Empowering Engineers & Customers to Prosper using Open Source (510) 749-2016 From: main@... <main@...> On Behalf Of Christopher Wood Sent: Tuesday, November 2, 2021 3:43 PM To: main@... Cc: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...> Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested [Please note: This e-mail is from an EXTERNAL e-mail address] Hello Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item? Thanks Chris toggle quoted messageShow quoted text On Nov 2, 2021, at 5:16 PM, Takashi Ninjouji <takashi.ninjouji@...> wrote: Hello Mark and Shane, I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something: My understandings are: (1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately. (2) In practice, if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant. Are all of the above OK? Best Regards Tak On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote: As discussed on our global work team calls, the security assurance reference guide has a dedicated page here: https://www.openchainproject.org/security-guide Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome. Regards Shane Shane Coughlan OpenChain General Manager +818040358083 Book a meeting: https://meetings.hubspot.com/scoughlan
More All Messages By This Member

View All 7 Messages In Topic

#4266

Join main@lists.openchainproject.org to automatically receive all group messages.

Home Hashtags Subgroups Calendar Terms