Re: New definition for section 4.1 Compliance Artifacts

Kate Stewart

On Thu, Mar 23, 2017 at 12:19 AM, Gisi, Mark <Mark.Gisi@...> wrote:



At the last OpenChain spec meeting it was decided to try and rewrite section 4.1 to include SPDX documents in the Compliance Artifacts definition. This is one of the most important definitions of the specification. The rewrite of section 4.1 is presented below. We are seeking your feedback.





4.1         Prepare the set of artifacts which represent the output of the of the FOSS review program for each Supplied Software release. This set is referred to as the Compliance Artifacts which may include (but not limited to) the following: source code, attribution notices, copyright notices, copy of licenses, modification notifications, written offers, SPDX documents and so forth.


Verification Artifact(s):

ð      4.1.1 A documented procedure exists describing a process that ensures the Compliance Artifacts are prepared and distributed with Supplied Software as required by the Identified Licenses.


ð      4.1.2 Copies of the Compliance Artifacts of the Supplied Software are archived and easily retrievable, and the archive is planned to exist for at least as long as the Supplied Software is offered or as required by the Identified Licenses (whichever is longer).



Ensure the complete collection of Compliance Artifacts accompany the Supplied Software as required by the Identified Licenses that govern the Supplied Software along with other reports created as part of the FOSS review process.


Thanks Mark.   Looks good to me!


Join to automatically receive all group messages.