
Just a fun thought

Dave Marr
 

I wonder if they’re discussing OpenChain in Uzbekistan…!

 

http://news.uzreport.uz/news_8_e_155708.html

 

Dave


OpenChain Report: Work Team Call - 08-07-2017

Shane Martin Coughlan <coughlan@...>
 

Here are the minutes from our call. You can always find our agendas and minutes online here:
https://wiki.linuxfoundation.org/openchain/minutes

== Attendees ==

Kelly Williams
Jim Hutchison
Miriam Ballhausen
Kate Stewart
Mike Linksvayer
Hung Chang
Bill Weinberg
Dave Marr
Gary O'Neall
Joshua Kast
Akshu Thula
Jake McGowan
Nathan Kumagi
Catharina Maracke
Karen Copenhaver
Jilayne Lovejoy

(If I missed anyone please let me know)

== Project Update ==

Shane noted
• We continue to see significant momentum around membership, conformance and translations
• It was noted that Western Digital Corporation is our 10th and latest Platinum Member

== Specification ==

Mark was absent due to vacation. Shane provided an update on his behalf. The primary news around Specification was isolated to translations this time around.

One item discussed was translation consistency and spec language complexity. It was noted that if the language used in the spec could be simplified it would assist in the translation efforts.

== Conformance ==

Miriam opened by discussing the rotation length for volunteer conformance team contacts on the mailing list and how to do handover. It was agreed by common consensus that we would switch from a monthly rotation to a six-month schedule.

The possibility of automation in terms of conformance replies was discussed. It was decided by common consensus that no automation was needed at this juncture.

It was decided that Shane and Miriam would create a calendar item to manage the six-monthly rotation schedule. It was additionally decided that we would post the rotation schedule on the wiki or the website.

Miriam pointed out that organization is not explicitly defined as a legal entity in the current OpenChain material.

It was decided that for now we will define organization as legal entity, but companies with other structures can also self-certify by using Legal entity > StructureName. If they have any questions or need assistance they can contact the conformance work team volunteers.

== Curriculum ==

Alexios was absent due to vacation. Shane provided an update on his behalf. The key news is that Alexios has created a github repository to house the curriculum material. This includes the slides and also newer donations such as the checklists, flowcharts and (soon) the reference open source policy. Donations of further material are welcome.

== Other notes ==

We discussed the pilot partner program. It was noted that it must be understood as a practical program supported by and designed for companies. It was also noted that the program must never interfere with self-certification or be perceived as a barrier to conformance, and this is explicitly outlined in the partner program guide. Our goal is to build a supportive ecosystem around the OpenChain Project and the Specification we deploy.


--
Shane Coughlan
OpenChain Program Manager
e: coughlan@...
p: +81 (0) 80 4035 8083
w: www.openchainproject.org

Professional profile: http://www.linkedin.com/in/shanecoughlan

Get my free book on open source compliance here:
https://www.linuxfoundation.org/news-media/research/practical-gpl-compliance


Re: OpenChain for Managers

Shane Martin Coughlan <coughlan@...>
 

Thanks Sami! I adjusted the first sentence to: "The OpenChain Project builds trust by making open source license compliance simpler and more consistent across the supply chain."

Regards

Shane


On Aug 15, 2017, at 15:46, Sami Atabani <Sami.Atabani@...> wrote:

Hi Shane,

Very good and clear. I would add "across the supply chain" at the end of the first sentence.

Best regards,

Sami

-----Original Message-----
From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Shane Martin Coughlan
Sent: 15 August 2017 08:35
To: OpenChain <openchain@...>
Subject: [OpenChain] OpenChain for Managers

Dear All

I have been working on some language to describe OpenChain to managers (non-technical, non-legal people with little assumed knowledge of Open Source).

This is what I have:
https://docs.google.com/document/d/1a9szsE8KxifW2ria_nC83CA6B7--v48YStNDyl2x8FI/edit#heading=h.6vlx6s7t70s6

Rather than having many cooks around one pot (everyone trying to rephrase each sentence) I wanted to flag this item and provide an opportunity for people to chime in if they believe I have missed an important point.

Regards

Shane


_______________________________________________
OpenChain mailing list
OpenChain@...
https://lists.linuxfoundation.org/mailman/listinfo/openchain
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


Re: OpenChain for Managers

Sami Atabani
 

Hi Shane,

Very good and clear. I would add "across the supply chain" at the end of the first sentence.

Best regards,

Sami

-----Original Message-----
From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Shane Martin Coughlan
Sent: 15 August 2017 08:35
To: OpenChain <openchain@...>
Subject: [OpenChain] OpenChain for Managers

Dear All

I have been working on some language to describe OpenChain to managers (non-technical, non-legal people with little assumed knowledge of Open Source).

This is what I have:
https://docs.google.com/document/d/1a9szsE8KxifW2ria_nC83CA6B7--v48YStNDyl2x8FI/edit#heading=h.6vlx6s7t70s6

Rather than having many cooks around one pot (everyone trying to rephrase each sentence) I wanted to flag this item and provide an opportunity for people to chime in if they believe I have missed an important point.

Regards

Shane




OpenChain for Managers

Shane Martin Coughlan <coughlan@...>
 

Dear All

I have been working on some language to describe OpenChain to managers (non-technical, non-legal people with little assumed knowledge of Open Source).

This is what I have:
https://docs.google.com/document/d/1a9szsE8KxifW2ria_nC83CA6B7--v48YStNDyl2x8FI/edit#heading=h.6vlx6s7t70s6

Rather than having many cooks around one pot (everyone trying to rephrase each sentence) I wanted to flag this item and provide an opportunity for people to chime in if they believe I have missed an important point.

Regards

Shane



Re: Onboarding work team - CALL FOR MATERIALS

Shane Martin Coughlan <coughlan@...>
 

Hi Nathan

Beyond our current onboarding slides and handout (both of which are being distributed and translated with success via our website landing page) I believe one of our major holes is having a dedicated onboarding page on the website.

As a separate activity I have already initialized an “OpenChain for managers” webpage concept and have arranged for a graphic designer to create a five point infographic for that. I suggest this can be co-opted as the OpenBoarding landing page. Here is the current draft of the page content that will be used to create the webpage and five point infographic:
https://docs.google.com/document/d/1a9szsE8KxifW2ria_nC83CA6B7--v48YStNDyl2x8FI/edit
It is pending review in the next day or two from a marketing professional. My proposal is to offer the onboarding material here after the infographic on the final webpage.

What do you think? A reasonable start to build our larger onboarding from, or should we keep the two activities (onboarding, OpenChain for managers) separate? Your call as Onboarding Work Team lead.

Regards

Shane


On Aug 8, 2017, at 9:30, Nathan Kumagai <nathank@...> wrote:

If you needed one or two slides to convince an organization to pursue OpenChain conformance, what would you use?

As discussed in today's meeting, we are starting a work team to create focused, succinct content to promote awareness and acceptance of OpenChain. This is the marketing or "sell" deck to help our champions to promote adoption of OpenChain within their organizations and supply chain partners. Our work team will separately target legal, business and engineering audiences, including audiences with little open source awareness.

Our first drafts of onboarding materials can be found at:

The OpenChain Onboarding Document 1.0 Beta:
https://docs.google.com/document/d/1nJGAxzJggSvNtfUvWCWWKCXmR-rMTPOpj7cSYbhemGM/edit?usp=sharing

The OpenChain Onboarding Slides 1.0 Beta:
https://docs.google.com/presentation/d/1PiCkx17RaByYbF2BkEOXQWfkp1SlLrY_HPcJV0NKzRE/edit?usp=sharing

How to help:
• Please submit executive summaries, slide decks, testimonials, or anything that may be helpful in promoting OpenChain (also let us know that we would be free to use your materials; submissions to the curriculum team were made under CC-0 so we were free to reuse and edit)
• Join the work team in creating onboarding material
• Bring feedback about your own experiences promoting OpenChain: tell us what worked, and what type of hurdles or questions you faced

Any other feedback or suggestions are welcome of course. Thank you for your support!

Nathan Kumagai


Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Shane Martin Coughlan <coughlan@...>
 

Hi Martin

As a shorthand way of describing OpenChain I saw “this is like ISO 9001 for open source compliance in the supply chain.” I would envision us continuing our current path of pushing market adoption and maintaining de facto growth until we reach a certain tipping point, and then examining whether going down the ISO path makes sense.

Meanwhile, I concur with your note that we can learn from existing standards and existing processes. This will both help ensure we relearn lessons and it will help ensure that - when the day comes - we are able to easily align with de jure standard organizations. Your insight will be appreciated and invaluable in this regard.

Regards

Shane


On Aug 13, 2017, at 20:47, Martin Callinan <martin.callinan@...> wrote:

Hi Bill,

It is a fair point that ISO certifications are a slog to bring to market.

I do think there is a lot we can learn about how ISO 19770-1 has been structured and, regardless of ISO, could be leveraged in OpenChain. I have attached an early draft of the standard from when I was involved.

The overall process they lay out is similar in principle to OpenChain’s processes.

<image001.png>

From: William Weinberg [mailto:bill@...]
Sent: 11 August 2017 19:54
To: Martin Callinan <martin.callinan@...>
Cc: Kate Stewart <kstewart@...>; openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)



Hi Martin

It has been the tradition of the Linux Foundation to sponsor projects that implement existing paper standards and create new de facto ones. A de jure, paper path that you suggest suffers from cost, slowness and the honor of being a “leading” vs. a following standard, thus engendering multiple, usually variously forked implementations, each with its own “secret sauce”. Even ISO process-oriented (vs. technology) standards suffer from this same ill.

Is there a real value in slogging through a full ISO certification? Would an ISO process certification really carry extra cachet at this point in history?

Bill W.

On Aug 11, 2017, at 1:32 PM, Martin Callinan <martin.callinan@...> wrote:



Hi Kate,

The standard was produced so anybody could create a tag. I once considered it as a service offering. TagVault was started by Steve Klos, who was convener for the writing of ISO 19770-2, and they have positioned themselves as a certification authority, but that does not stop anybody creating tags without going through TagVault.

I was not meaning to suggest we go down the same route as SWIDs for Open Source but thought there may be some learnings we can take from the work they have done.

ISO always charges for standards but their standards have a lot of credibility and a lot of work goes into having a standard recognised.

In the UK there is an organisation called the British Standards Institute https://www.bsigroup.com/en-GB/our-services/certification/how-to-get-certified/ where they support groups creating standards which can then be moved up to ISO to evolve into an ISO ratified standard. I thought as OpenChain matures it may be logical to aim for ISO certification.

Kind Regards,

Martin

From: Kate Stewart [mailto:kstewart@...]
Sent: 11 August 2017 16:22
To: Martin Callinan <martin.callinan@...>
Cc: Foster, Jeremiah <JFoster@...>; mballhausen@...; stcroppe@...; john@...; openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)



Hi Martin,

On Wed, Aug 9, 2017 at 12:44 PM, Martin Callinan <martin.callinan@...> wrote:

It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1 Standard for Software Asset Management, which is a process standard:
https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2 Software ID Tagging Standard, which is an XML Tag definition to tag software that needs to be licensed: https://www.iso.org/standard/53670.html which in a way is similar to SPDX.

The challenge with using SWIDs is you have to pay for access to the specification.
https://www.iso.org/standard/65666.html SWIDs also don't have a good human readable equivalent, as you'll need to use a tool to read one.

Also, as I understand it (please correct me) in order to get an SWID tag assigned, you need to join an organization (tagvault) and pay a fee. Which isn't necessarily viable for open source upstream projects and hence supply chains with open source component dependencies.

Thanks, Kate

<19770-1 UK Draft 20050508.pdf>


Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Martin Callinan
 

Hi Bill,

It is a fair point that ISO certifications are a slog to bring to market.

I do think there is a lot we can learn about how ISO 19770-1 has been structured and, regardless of ISO, could be leveraged in OpenChain. I have attached an early draft of the standard from when I was involved.

The overall process they lay out is similar in principle to OpenChain’s processes.


From: William Weinberg [mailto:bill@...]
Sent: 11 August 2017 19:54
To: Martin Callinan <martin.callinan@...>
Cc: Kate Stewart <kstewart@...>; openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

 

Hi Martin

It has been the tradition of the Linux Foundation to sponsor projects that implement existing paper standards and create new de facto ones. A de jure, paper path that you suggest suffers from cost, slowness and the honor of being a “leading” vs. a following standard, thus engendering multiple, usually variously forked implementations, each with its own “secret sauce”. Even ISO process-oriented (vs. technology) standards suffer from this same ill.

Is there a real value in slogging through a full ISO certification? Would an ISO process certification really carry extra cachet at this point in history?

Bill W.


On Aug 11, 2017, at 1:32 PM, Martin Callinan <martin.callinan@...> wrote:

 

Hi Kate,

The standard was produced so anybody could create a tag. I once considered it as a service offering. TagVault was started by Steve Klos, who was convener for the writing of ISO 19770-2, and they have positioned themselves as a certification authority, but that does not stop anybody creating tags without going through TagVault.

I was not meaning to suggest we go down the same route as SWIDs for Open Source but thought there may be some learnings we can take from the work they have done.

ISO always charges for standards but their standards have a lot of credibility and a lot of work goes into having a standard recognised.

In the UK there is an organisation called the British Standards Institute https://www.bsigroup.com/en-GB/our-services/certification/how-to-get-certified/ where they support groups creating standards which can then be moved up to ISO to evolve into an ISO ratified standard. I thought as OpenChain matures it may be logical to aim for ISO certification.

Kind Regards,

Martin


From: Kate Stewart [mailto:kstewart@...] 
Sent: 11 August 2017 16:22
To: Martin Callinan <martin.callinan@...>
Cc: Foster, Jeremiah <JFoster@...>; mballhausen@...; stcroppe@...; john@...; openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

 

Hi Martin,

On Wed, Aug 9, 2017 at 12:44 PM, Martin Callinan <martin.callinan@...> wrote:

It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1 Standard for Software Asset Management, which is a process standard:
https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2 Software ID Tagging Standard, which is an XML Tag definition to tag software that needs to be licensed: https://www.iso.org/standard/53670.html which in a way is similar to SPDX.

The challenge with using SWIDs is you have to pay for access to the specification.
https://www.iso.org/standard/65666.html SWIDs also don't have a good human readable equivalent, as you'll need to use a tool to read one.

Also, as I understand it (please correct me) in order to get an SWID tag assigned, you need to join an organization (tagvault) and pay a fee. Which isn't necessarily viable for open source upstream projects and hence supply chains with open source component dependencies.

Thanks, Kate




Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Kate Stewart
 

Hi Martin,

On Fri, Aug 11, 2017 at 12:32 PM, Martin Callinan <martin.callinan@...> wrote:

Hi Kate,

The standard was produced so anybody could create a tag. I once considered it as a service offering. TagVault was started by Steve Klos, who was convener for the writing of ISO 19770-2, and they have positioned themselves as a certification authority, but that does not stop anybody creating tags without going through TagVault.

Thanks for clarifying this Martin.

I was not meaning to suggest we go down the same route as SWIDs for Open Source but thought there may be some learnings we can take from the work they have done.

Completely agree.

Thanks, Kate


Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

William Weinberg <bill@...>
 

Hi Martin

It has been the tradition of the Linux Foundation to sponsor projects that implement existing paper standards and create new de facto ones.   A de jure, paper path that you suggest suffers from cost, slowness and the honor of being a “leading” vs. a following standard, thus engendering multiple, usually variously forked implementations, each with its own “secret sauce”.  Even ISO process-oriented (vs. technology) standards suffer from this same ill.

Is there a real value in slogging through a full ISO certification?  Would an ISO process certification really carry extra cachet at this point in history?

Bill W.


On Aug 11, 2017, at 1:32 PM, Martin Callinan <martin.callinan@...> wrote:

Hi Kate,

The standard was produced so anybody could create a tag. I once considered it as a service offering. TagVault was started by Steve Klos, who was convener for the writing of ISO 19770-2, and they have positioned themselves as a certification authority, but that does not stop anybody creating tags without going through TagVault.

I was not meaning to suggest we go down the same route as SWIDs for Open Source but thought there may be some learnings we can take from the work they have done.

ISO always charges for standards but their standards have a lot of credibility and a lot of work goes into having a standard recognised.

In the UK there is an organisation called the British Standards Institute https://www.bsigroup.com/en-GB/our-services/certification/how-to-get-certified/ where they support groups creating standards which can then be moved up to ISO to evolve into an ISO ratified standard. I thought as OpenChain matures it may be logical to aim for ISO certification.

Kind Regards,

Martin

From: Kate Stewart [mailto:kstewart@...]
Sent: 11 August 2017 16:22
To: Martin Callinan <martin.callinan@...>
Cc: Foster, Jeremiah <JFoster@...>; mballhausen@...; stcroppe@...; john@...; openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Hi Martin,

On Wed, Aug 9, 2017 at 12:44 PM, Martin Callinan <martin.callinan@...> wrote:
It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1 Standard for Software Asset Management, which is a process standard:
https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2 Software ID Tagging Standard, which is an XML Tag definition to tag software that needs to be licensed: https://www.iso.org/standard/53670.html which in a way is similar to SPDX.

The challenge with using SWIDs is you have to pay for access to the specification.
https://www.iso.org/standard/65666.html SWIDs also don't have a good human readable equivalent, as you'll need to use a tool to read one.

Also, as I understand it (please correct me) in order to get an SWID tag assigned, you need to join an organization (tagvault) and pay a fee. Which isn't necessarily viable for open source upstream projects and hence supply chains with open source component dependencies.

Thanks, Kate



Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Martin Callinan
 

Hi Kate,

The standard was produced so anybody could create a tag. I once considered it as a service offering. TagVault was started by Steve Klos, who was convener for the writing of ISO 19770-2, and they have positioned themselves as a certification authority, but that does not stop anybody creating tags without going through TagVault.

I was not meaning to suggest we go down the same route as SWIDs for Open Source but thought there may be some learnings we can take from the work they have done.

ISO always charges for standards but their standards have a lot of credibility and a lot of work goes into having a standard recognised.

In the UK there is an organisation called the British Standards Institute https://www.bsigroup.com/en-GB/our-services/certification/how-to-get-certified/ where they support groups creating standards which can then be moved up to ISO to evolve into an ISO ratified standard. I thought as OpenChain matures it may be logical to aim for ISO certification.

Kind Regards,

Martin


From: Kate Stewart [mailto:kstewart@...]
Sent: 11 August 2017 16:22
To: Martin Callinan <martin.callinan@...>
Cc: Foster, Jeremiah <JFoster@...>; mballhausen@...; stcroppe@...; john@...; openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

 

Hi Martin,

On Wed, Aug 9, 2017 at 12:44 PM, Martin Callinan <martin.callinan@...> wrote:

It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1 Standard for Software Asset Management, which is a process standard:
https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2 Software ID Tagging Standard, which is an XML Tag definition to tag software that needs to be licensed: https://www.iso.org/standard/53670.html which in a way is similar to SPDX.

The challenge with using SWIDs is you have to pay for access to the specification.
https://www.iso.org/standard/65666.html SWIDs also don't have a good human readable equivalent, as you'll need to use a tool to read one.

Also, as I understand it (please correct me) in order to get an SWID tag assigned, you need to join an organization (tagvault) and pay a fee. Which isn't necessarily viable for open source upstream projects and hence supply chains with open source component dependencies.

Thanks, Kate



Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Kate Stewart
 

Hi Martin,

On Wed, Aug 9, 2017 at 12:44 PM, Martin Callinan <martin.callinan@sourcecodecontrol.co> wrote:
It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1 Standard for Software Asset Management, which is a process standard:
https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2 Software ID Tagging Standard, which is an XML Tag definition to tag software that needs to be licensed: https://www.iso.org/standard/53670.html which in a way is similar to SPDX.

The challenge with using SWIDs is you have to pay for access to the specification.
https://www.iso.org/standard/65666.html SWIDs also don't have a good human readable equivalent, as you'll need to use a tool to read one.

Also, as I understand it (please correct me) in order to get an SWID tag assigned, you need to join an organization (tagvault) and pay a fee. Which isn't necessarily viable for open source upstream projects and hence supply chains with open source component dependencies.

Thanks, Kate
 


Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Matija Šuklje
 

On Thursday, 10 August 2017 at 18:26:25 CEST, Shane Martin Coughlan wrote:
Self-certified OpenChain conformance for the next 24 months. Partner network built out at the same time to help support organizations with this process. Around the 24 month mark we explore having a secondary badge: audited conformance. This is where a third party verifies conformance.

Sounds like a plan to me :)


cheers,
Matija
--
gsm: tel:+386-41-849-552
www: http://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...


Re: Onboarding work team - CALL FOR MATERIALS

Matija Šuklje
 

On Thursday, 10 August 2017 at 18:21:10 CEST, Shane Martin Coughlan wrote:
I think we have the foundation in place and we are going in the right direction.
[…]
Make sense?

I think we are heading in the right direction as well and what you described makes a lot of sense.

Now we only need to make sure we effectively communicate that to those who are
not part of our choir.


cheers,
Matija


More translations: this time our onboarding handout and slides into Portuguese

Shane Martin Coughlan <coughlan@...>
 

OpenChain releases Portuguese introduction handout and slides thanks to Bill and Gianna at Open Source Sense: https://www.openchainproject.org/news/2017/08/11/openchain-expands-portuguese-translations

Another step forward thanks to our vibrant community of contributors!

Regards

Shane



Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Shane Martin Coughlan <coughlan@...>
 

Hi Martin

On Aug 9, 2017, at 12:44, Martin Callinan <martin.callinan@...> wrote:

It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit call Investors in Software that formed to drive standards in managing software (at the time proprietary) which led to the publication of ISO/IEC 19770-1 Standard for Software Asset Management which is a process standard
https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2 Software ID Tagging Standard which is an XML Tag definition to tag software that needs to be licensed. https://www.iso.org/standard/53670.html which in a way is similar to SPDX

When I worked at Microsoft we created a maturity assessment (see attached) which rated different processes with a maturity rating rather than a binary yes/no.

I still have a connection with the working group for ISO SAM/ITAM standards (WG 21) and have tried to get open source software on their radar.

In the UK and Europe SAM is broadly adopted. There are full-time employees and in some cases teams solely dedicated to SAM/ITAM. The principles as regards processes for SAM are similar to what is required to manage SAM.

If you think there is mileage in a liaison with WG21 I could pursue it.
I think it’s too early for us. However, it is useful to know we can pick your brain when the time comes!

Regards

Shane


Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Shane Martin Coughlan <coughlan@...>
 

Hi Steve

On Aug 9, 2017, at 4:32, Steve Cropper <stcroppe@...> wrote:
A very interesting thread but I think we need to walk before we run on this.
Agreed. We are purposefully pursuing self-certification with limited “proof” for OpenChain Conformance to have a minimal barrier to entry. We want to make it as easy as possible for organizations to confirm they have the processes for open source compliance in the supply chain in place.

First you have to consider the adoption curve of both Open Chain and SPDX. If you want adoption then you can't throw new levels of complexity at the intended practitioners. Software Asset Management is still a nascent art and seems to have more focus in the IT world than in a typical manufacturing organization. Even then SAM is still not standard across most companies.
While automation and tooling are very helpful, they also create limitations and restrictions upon how something should be done. […] In many cases I think the fact that they implement and document a process and follow it (a la ISO 9001) is probably a step in the right direction. How they do it and with what tools should be independent of OpenChain purview.
Precisely.

As far as proving compliance goes, I think this is required for assurance purposes. However, not many companies, that I know of, will allow you to examine their processes and 'books' without appropriate paperwork (legal documentation - NDAs etc.) in place. So you now approach the realms of auditing, which is a requirement of any standardisation activity and needs a formal definition and process to go with it.
Indeed.

[…]
You could apply this type of certification as a way of asserting levels of confidence in the OpenChain compliance claim.
1. Self Certified with no evidence -> 'Novice' not to be trusted fully but obviously heading in the right direction.
2. Self Certified with evidence (what evidence should this be and how trustworthy will it be?) -> 'Provisional' higher level of trust but still likely to be non-conforming
3. Audited and Approved -> 'Fully Licensed' and have been independently reviewed by an OpenChain approved auditor for compliance.
Whatever the decision here, we should try not to build a wall too high for the intended users to climb thereby defeating the objective of OpenChain :-).
Absolutely.

I would envision something like this:

Self-certified OpenChain conformance for the next 24 months. Partner network built out at the same time to help support organizations with this process. Around the 24 month mark we explore having a secondary badge: audited conformance. This is where a third party verifies conformance.

Is this a value add? Too early to tell. It may be, or we may want to leave the entire question of audits and verification between customers/suppliers. Let’s discuss in more detail after we pass the much earlier hurdle of continuing to build general adoption.

Regards

Shane


Re: Onboarding work team - CALL FOR MATERIALS

Shane Martin Coughlan <coughlan@...>
 

Hi Jeremiah

On Aug 8, 2017, at 9:36, Foster, Jeremiah <JFoster@...> wrote:

On Tue, 2017-08-08 at 16:22 +0200, Matija Šuklje wrote:
Hi Shane,

I fully agree that holding a central repo of compliance artifacts is a no-go, and also in general I feel we are on the same page here.
Why? Is it the leaking of confidential information that is the concern?
What if that info was "abstracted" away? After all, many companies have
to publish these artifacts in accordance with some FOSS licenses when
they distribute a product.
It introduces another layer of friction because additional permissions for document preparation and release are needed. This friction is unnecessary because the only people who care if the artifacts exist will be customers. Therefore the organization can simply confirm the artifacts exist and provide them - if requested - to customers with the knowledge that existing confidentiality agreements are in place.

When we grow to hundreds and thousands of compliant companies, the burden will shift from person-to-person trust to trust in OpenChain proper.

Still, I agree that making the specs and the conditions in it grow organically together with the community of companies it caters. But perhaps it will soon be time to start marketing OpenChain with a longer-term view in mind.

I hope this clarifies my position. If not, please do tell me to rephrase. I’m not entirely happy that what I wrote above reflects what I see in my mind.
Isn't the purpose of OpenChain to allow this kind of many-to-many trust network to develop?
Yes, but through creating a social norm rather than engineering it. It is important to remember that OpenChain Specification is a standard like ISO 9001. As long as entities conform and state their conformance to such a standard we are usually “done” and everyone is happy. By way of real-world example, just think of the last time CompanyX asked CompanyY for details of ISO 9001 conformance. It is a very rare occurrence. Good to have that ability, but not something you would expect to see happen day to day.

Regards

Shane


Re: Onboarding work team - CALL FOR MATERIALS

Shane Martin Coughlan <coughlan@...>
 

Hi Matija

On Aug 8, 2017, at 9:22, Matija Šuklje <matija@...> wrote:
The main point I wanted to make with my previous e-mail was that we should think how we “market” trust in OpenChain better to a wider audience.
To give some context to my thinking:
The issue is that as long as there are only dozens of compliant companies who (already) talk to each other, we are all in agreement because we already know what that means and we’ve (more or less) trusted each other already from before.
When we grow to hundreds and thousands of compliant companies, the burden will shift from person-to-person trust to trust in OpenChain proper.
Still, I agree that making the specs and the conditions in it grow organically together with the community of companies it caters. But perhaps it will soon be time to start marketing OpenChain with a longer-term view in mind.
I think we have the foundation in place and we are going in the right direction.

Early phase is all about self-conformance and ease of adoption.

Meanwhile, we will build out a partner network to support adoption.

One “ask” of the partner network members is likely to be audits, allowing for potential future “spot checks” to randomly ensure conformance.

In the longer term there may be a self-conformance and an audited conformance status, allowing differentiation for conformance with and without third party oversight.

Make sense?

Regards

Shane


Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Martin Callinan
 

It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late '90s. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1, the Standard for Software Asset Management, which is a process standard:
https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2, the Software ID Tagging Standard, which is an XML tag definition to tag software that needs to be licensed: https://www.iso.org/standard/53670.html which in a way is similar to SPDX.

When I worked at Microsoft we created a maturity assessment (see attached) which rated different processes with a maturity rating rather than a binary yes/no.

I still have a connection with the working group for ISO SAM/ITAM standards (WG 21) and have tried to get open source software on their radar.

In the UK and Europe SAM is broadly adopted. There are full-time employees and in some cases teams solely dedicated to SAM/ITAM. The principles as regards processes for SAM are similar to what is required to manage SAM.

If you think there is mileage in a liaison with WG21 I could pursue it.

Kind Regards,

Martin


From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Foster, Jeremiah
Sent: 09 August 2017 16:28
To: mballhausen@...; stcroppe@...; john@...
Cc: openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

On Wed, 2017-08-09 at 08:33 -0400, John Scott wrote:
There are a number of projects the US government is working on. Essentially these projects are about creating artifacts to approve a system to operate (Authority to Operate - ATO). I’m involved in most of these.
The most useful one right now is Project Boise, which aims to update the federal government’s software security compliance process that requires an agency to obtain an ATO and comply with additional requirements prior to adoption of new commercial software.

http://www.executivegov.com/2017/07/18f-launches-interagency-project-to-accelerate-govt-adoption-of-commercial-tech/


there is also rumor that the upcoming NIST RMF rev 5 will have a lot of detail about forcing vendors to provide their software supply chain. 


IMO automation via artifacts is the only way to go IF you want real security versus just compliance.

Exactly. And not just security, but also regulatory compliance. Let's look at the recent VW case; software was written to get around regulations. Regulatory bodies could not inspect the software and could not find the reason for the regulatory discrepancy. After a year of work, they received information from the software designers themselves on how they defeated the inspection regime. This points to the necessity of understanding what every line of code does in your system for regulatory reasons. We already know we need this for security. But customers will need this, at least to certain degree, for the autonomous vehicles they ride in. Insurers will need it for the vehicles they insure. The list of stakeholders in complex autonomous systems running artificial intelligence algorithms in the functional safety domain is long. What are the tools that those stakeholders can use today?

Perhaps OpenChain is not the "solution" here, and I apologize if I'm off-topic, but OpenChain holds the keys to nascent and established best practices around introspection of complex software systems. We have code scanning tools and a way to package their results. We have a way to determine a one to one correspondence between license and software component. We have a way to determine the contents of git repos by examining SHA sums. I think that there may be a way to build upon OpenChain to provide some degree of assurance that the contents of a given system are consistent with its attestations and claims to functionality, certification, etc. Yes, this may not be in the OpenChain mission, but where then is the best forum for this discussion?

Regards,

Jeremiah

<snip>

