Jeremiah Foster

On Tue, Oct 18, 2016
Hi Mark, others,

by way of introduction first: for those of you who do not know me,
I'm the executive director for the FSFE, but for my participation
on this list, I'm speaking for Morus AB, a small consulting firm
in Sweden which helps companies in their understanding of FOSS.

> Without committing to any one new extension, the idea is to set up
> a framework where we could experiment (pilot) new types of program
> requirements where one wants to establish trust around handling lots
> of open source with respect to a given extension type (e.g., security,
> export, …)

I do believe this makes sense in principle, but it may lead to confusion
around the OpenChain mark if this becomes widespread and used for many
different areas.

Especially security does seem like a useful area to experiment with this
on though, and I'd be interested in this. Whether such an experiment then
leads to an extension of OpenChain or a certification in itself is
probably a later question, and both are certainly possible.

I agree this makes sense on principle, and many vendors will include this data, not least because it is of great interest now. But we're wandering into an area that has lots of standards, certifications, established practices, and tooling already. What is OpenChain planning to bring that those other organizations do not bring?

It seems that OpenChain is trying to justify an additional field in the already verbose SPDX output that might hold a hash to a CVE database entry or so. In the companies that I work with, they feel that there needs to be a much more stark separation of concerns since the largest security issue is connectivity where license compliance has a very limited role to play. A link to some CVE is useless in compliance and the security team never sees it.

Security discussion in OpenChain feels like feature creep and is as bad as license proliferation that many of us have railed against for years. If vendors want to sell it, by all means, but it poses some risks to OpenChain if compliance is going to try to enter the security domain.
