Re: OpenChain 2.0 Self-Certification Questionnaire Update - Review before Thursday CoB Pacific
Great comments already coming in here:
https://github.com/OpenChain-Project/conformance-questionnaire/pull/47
On Aug 5, 2020, at 7:56, Shane Coughlan <scoughlan@linuxfoundation.org> wrote:
OpenChain 2.0 Self-Certification Questionnaire Update - Review before Thursday CoB Pacific
This is a big email. It is about taking the lessons learned on the Conformance Questionnaire Webinar held on the 3rd of August 2020 to improve our self-certification questionnaire. Lessons applicable to the questionnaire have been applied as discussed below.

The practical side of this update has happened on GitHub. It refers to this branch:

And this Pull Request for the Main branch:

However, you do not need to visit GitHub to review what I have been doing. Below you will find:
(1) The Updated Questions (and you can comment)
(2) The Updated Questions Alongside Strikethrough of the Old Questions
(3) A List of the Specific Commits on GitHub used

The update focuses on the following:
(a) Changing to active voice instead of passive voice
(b) Removing words or constructs not necessary for understanding
(c) Adjusting language to align more closely with the Specification
(d) Correcting terminology not used in the Spec but used in the Questionnaire
(e) Correcting typographical issues

Here is the Specification 2.0 for reference:

Below is the adjusted Self-Certification Questionnaire for review. Unless we have a blocking issue I would like to go live by Thursday CoB Pacific to ensure we can release the Self-Certification Walk-Through Video as soon as possible. Therefore, while all comments are welcome, requests for changes should be isolated to errors, if any.

Goal 1:
(a) Do you have a documented policy governing the Open Source license compliance of the Supplied Software?
(b) Do you have a documented procedure to communicate the existence of the Open Source policy to all Software Staff?
(c) Have you identified the roles and responsibilities that affect the performance and effectiveness of the Program?
(d) Have you identified and documented the competencies required for each role?
(e) Have you documented the assessed competence for each Program participant?
(f) Have you documented the awareness of your Program participants on the following topics?
    i. The Open Source policy and where to find it;
    ii. Relevant Open Source objectives;
    iii. Contributions expected to ensure the effectiveness of the Program;
    iv. The implications of failing to follow the Program requirements.
(g) Do you have a process for determining the scope of your Program?
(h) Do you have a written statement clearly defining the scope and limits of the Program?
(i) Do you have a documented procedure to review and document Open Source license obligations, restrictions and rights?

Goal 2: Relevant Tasks Defined and Supported
(a) Have you assigned individual(s) responsibility for receiving external Open Source compliance inquiries?
(b) Is the external Open Source compliance contact publicly identified (e.g. via an email address or the Linux Foundation Open Compliance Directory)?
(c) Do you have a documented procedure for receiving and responding to Open Source compliance inquiries?
(d) Have you documented the persons, group or function supporting the Program role(s) identified?
(e) Have the identified Program roles been properly staffed and adequately funded?
(f) Has legal expertise to address internal and external Open Source compliance been identified?
(g) Do you have a documented procedure assigning internal responsibilities for Open Source compliance?
(h) Do you have a documented procedure for handling review and remediation of non-compliant cases?

Goal 3: Open Source Content Review and Approval
(a) Do you have a documented procedure for identifying, tracking and archiving information about the Open Source components in a Supplied Software release?
(b) Do you have Open Source component records for Supplied Software which demonstrate the documented procedure was properly followed?
(c) Do you have a documented procedure that covers these common Open Source license use cases for Open Source components in the Supplied Software?
    i. Distribution in binary form;
    ii. Distribution in source form;
    iii. Containing modified Open Source;
    iv. Containing Open Source with attribution requirements;
    v. Integration with other Open Source that may trigger copyleft obligations;
    vi. Containing Open Source or other software under incompatible licenses for interaction with other components in the Supplied Software.

Goal 4: Compliance Artifact Creation and Delivery
(a) Do you have a documented procedure describing the process ensuring the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?
(b) Do you have a documented procedure for archiving copies of Compliance Artifacts for the Supplied Software?
(c) Are the Compliance Artifacts archived at least as long as the Supplied Software is offered and as required by the Identified Licenses?

Goal 5: Understand Open Source Community Engagement
(a) Do you have a policy for contribution to Open Source projects on behalf of the organization?
(b) Do you have a documented procedure governing Open Source contributions?
(c) Do you have a documented procedure for making all Software Staff aware of the Open Source contribution policy?

Goal 6: Adherence to the Specification Requirements
(a) Do you have documentation confirming that your Program meets all the requirements of this specification?
(b) Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?

Here are the changes line by line (the updated question first, then the old question that was struck through):

Goal 1:
(a) Updated: Do you have a documented policy governing the Open Source license compliance of the Supplied Software?
    Old: Do you have a documented policy that governs open source license compliance of the Supplied Software distribution (e.g., via training, internal wiki, or other practical communication method)?
(b) Updated: Do you have a documented procedure to communicate the existence of the Open Source policy to all Software Staff?
    Old: Do you have a documented procedure that communicates the existence of the open source policy to all Software Staff?
(c) Updated: Have you identified the roles and responsibilities that affect the performance and effectiveness of the Program?
    Old: Have you identified the roles and the corresponding responsibilities that affect the performance and effectiveness of the Program?
(d) Updated: Have you identified and documented the competencies required for each role?
    Old: Have you identified and documented the competencies required for each role?
(e) Updated: Have you documented the assessed competence for each Program participant?
    Old: Have you documented evidence of assessed competence for each Program participant?
(f) Updated: Have you documented the awareness of your Program participants on the following topics?
    i. The Open Source policy and where to find it;
    ii. Relevant Open Source objectives;
    iii. Contributions expected to ensure the effectiveness of the Program;
    iv. The implications of failing to follow the Program requirements.
    Old: Do you have evidence documenting the awareness of your personnel of the following topics?
    The open source policy and where to find it,
    The relevant open source objectives,
    The contributions expected to ensure the effectiveness of the Program,
    The implications of failing to follow the Program requirements,
(g) Updated: Do you have a process for determining the scope of your Program?
    Old: Do you have a process for determining the scope of your Program?
(h) Updated: Do you have a written statement clearly defining the scope and limits of the Program?
    Old: Do you have a written statement that clearly defines the scope and limits of the Program?
(i) Updated: Do you have a documented procedure to review and document Open Source license obligations, restrictions and rights?
    Old: Do you have a process for reviewing open source license obligations, restrictions and rights? Do you have a documented procedure to review and document the obligations, restrictions and rights?

Goal 2: Relevant Tasks Defined and Supported
(a) Updated: Have you assigned individual(s) responsibility for receiving external Open Source compliance inquiries?
    Old: Have you assigned individual(s) responsible for receiving external open source compliance inquiries ("Open Source Liaison")?
(b) Updated: Is the external Open Source compliance contact publicly identified (e.g. via an email address or the Linux Foundation Open Compliance Directory)?
    Old: Is the Open Source Liaison function publicly identified (e.g. via an email address and/or the Linux Foundation's Open Compliance Directory)?
(c) Updated: Do you have a documented procedure for receiving and responding to Open Source compliance inquiries?
    Old: Do you have a documented procedure that assigns responsibility for receiving and responding to open source compliance inquiries?
(d) Updated: Have you documented the persons, group or function supporting the Program role(s) identified?
    Old: Have you documented the persons, group or function supporting the Program role(s) identified?
(e) Updated: Have the identified Program roles been properly staffed and adequately funded?
    Old: Have the identified Program roles been properly staffed and has adequate funding provided?
(f) Updated: Has legal expertise to address internal and external Open Source compliance been identified?
    Old: Is legal expertise pertaining to internal and external open source compliance identified?
(g) Updated: Do you have a documented procedure assigning internal responsibilities for Open Source compliance?
    Old: Do you have a documented procedure assigning internal responsibilities for Open Source compliance.
(h) Updated: Do you have a documented procedure for handling review and remediation of non-compliant cases?
    Old: Do you have a documented procedure for handling review and remediation of non-compliant cases?

Goal 3: Open Source Content Review and Approval
(a) Updated: Do you have a documented procedure for identifying, tracking and archiving information about the Open Source components in a Supplied Software release?
    Old: Do you have a documented procedure for identifying, tracking and archiving information about the collection of open source components from which a Supplied Software release is comprised?
(b) Updated: Do you have Open Source component records for Supplied Software which demonstrate the documented procedure was properly followed?
    Old: Do you have open source component records for each Supplied Software release which demonstrates the documented procedure was properly followed?
(c) Updated: Do you have a documented procedure that covers these common Open Source license use cases for Open Source components in the Supplied Software?
    i. Distribution in binary form;
    ii. Distribution in source form;
    iii. Containing modified Open Source;
    iv. Containing Open Source with attribution requirements;
    v. Integration with other Open Source that may trigger copyleft obligations;
    vi. Containing Open Source or other software under incompatible licenses for interaction with other components in the Supplied Software.
    Old: Have you implemented a procedure that handles at least the following common open source license use cases for the open source components of each supplied Supplied Software release?
    distributed in binary form;
    distributed in source form;
    integrated with other open source such that it may trigger copyleft obligations;
    contains modified open source;
    contains open source or other software under an incompatible license interacting with other components within the Supplied Software;
    contains open source with attribution requirements.

Goal 4: Compliance Artifact Creation and Delivery
(a) Updated: Do you have a documented procedure describing the process ensuring the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?
    Old: Do you have a documented procedure that describes a process that ensures the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?
(b) Updated: Do you have a documented procedure for archiving copies of Compliance Artifacts for the Supplied Software?
    Old: Do you archive copies of the Compliance Artifacts of the Supplied Software?
(c) Updated: Are the Compliance Artifacts archived at least as long as the Supplied Software is offered and as required by the Identified Licenses?
    Old: Are the copies of the Compliance Artifacts archived for at least as long as the Supplied Software is offered or as required by the Identified Licenses (whichever is longer)?

Goal 5: Understand Open Source Community Engagement
(a) Updated: Do you have a policy for contribution to Open Source projects on behalf of the organization?
    Old: Do you have a policy that governs contributions to open source projects on behalf of the organization?
(b) Updated: Do you have a documented procedure governing Open Source contributions?
    Old: Do you have a documented procedure that governs Open Source contributions?
(c) Updated: Do you have a documented procedure for making all Software Staff aware of the Open Source contribution policy?
    Old: Do you have a documented procedure that makes all Software Staff aware of the existence of the Open Source contribution policy?

Goal 6: Adherence to the Specification Requirements
(a) Updated: Do you have documentation confirming that your Program meets all the requirements of this specification?
    Old: Do you have documentation confirming that your Program meets all the requirements of this specification?
(b) Updated: Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?
    Old: Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?

Here are the changes as per GitHub (commit message, then commit hash):
Updated Question 1(a) for clarity … d114034
Updated Question 1(b) for clarity 17c5bca
Updated Question 1(c) for clarity ec468ff
Updated Question 1(d) for clarity 4fa152d
Corrected 1(d), reverted because of double-check with spec 7a3f70e
Improved 1(e) for clarity 3f6b2ae
Improved 1(f) for clarity 8b51cf0
Updated 1(f)ii for clarity 0878235
Updated 1(f)iii for clarity 71b01ec
Updated 1(h) for clarity dff6cb9
Updated 1(i) to clarify conflation between "process" and "procedure" … 76033ba
Improved 2(a) for clarity 0200570
Fixed "open source" to Open Source throughout as this is a defined te… e501444
Improved Question 2(b) for clarity 6b12c98
Improved 2(c) for clarity and to bring it closer to the precise words… 91e6ad6
Improved 2(e) for clarity 061c387
Improved 2(f) for clarity and to bring the wording closer to the spec 71cf4f6
Further improvement to 2(f) for clarity b1eaa18
Improved 3(a) for clarity 800b25c
Improved 3(b) for clarity e3aa6c9
Improved 3(c) for clarity abde070
Updated 3.c.i to active voice for clarity b795769
Updated 3.c.ii to active voice for clarity 64b1bdd
Updated 3.c.iii to active voice for clarity, also reduced unn… ca882cb
Fixed 3(c) because it used the term "at least" these use cases but th… 1ae5a99
Updated 3.c.iv to active voice f253c0b
Updated 3.c.v to active voice and for clarity fa4b8ac
Updated 3.c.vi to active voice 62ceb8f
Re-ordered questions under 3(c).X to make a better read path … d2256e7
Changed 4.a to active voice 6fc0fb6
Improved 4.b to bring it closer to the actual wording of the Spec 0683ad0
Improved 4.d for clarity (using AND instead of OR as the effect of AN… 5f3fcbe
Tweaked for clarity 5fead24
Improved 5.a to bring it closer to the wording of the spec 0d60b84
Updated 5.b to active voice 3587ad4
Updated legacy error with numbering (4.d to 4.c as no 4.c existed prior) 3936cf9
Updated 5.c to active voice and for clarity 750cde1
Updated bullet list formatting to match the rest of the document 0715c0a
Corrected typo (. instead of ?) in 2.g 0f875a7
Wipro Limited is the latest OpenChain Partner
SAN FRANCISCO, August 4, 2020 – The OpenChain Project today announced Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO), a leading global information technology, consulting and business process services company, as the latest participant in the growing partner program. Wipro will provide an important bridge between companies seeking to adopt the OpenChain industry standard for compliance and the implementation of quality open source compliance programs.
Learn More: https://www.openchainproject.org/news/2020/08/04/wipro-limited-is-the-latest-openchain-partner
Thank you for an excellent webinar!
Great questions, comments and suggestions! I’ll be making sure we incorporate all we covered to make OpenChain adoption easier for all types of stakeholder.
Recording coming soon. Shane
OpenChain Bi-Weekly Webinar - Mon, 2020-08-03
#cal-notice
main@lists.openchainproject.org Calendar <noreply@...>
OpenChain Bi-Weekly Webinar - Mon, 2020-08-03 9:00am-10:00am, Please RSVP
#cal-reminder
main@lists.openchainproject.org Calendar <main@...>
Reminder: OpenChain Bi-Weekly Webinar
When: Monday, 3 August 2020, 9:00am to 10:00am, (GMT-07:00) America/Los Angeles
Where: https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09
An RSVP is requested.
Organizer: Shane Coughlan scoughlan@... 00818040358083
Description: This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations. You can learn more about this series here: https://www.openchainproject.org/webinars-interviews
Join Our Zoom Meeting (link above).
One Tap Telephone (no screensharing)
Find your local number: https://zoom.us/u/abeUqy3kYQ
After dialing the local number enter 9990120120#
OpenChain Automotive Work Group - Europe / Asia Virtual Workshop on the 19th of August @ 10:00 CEST / 17:00 Japan and Korea
The OpenChain Automotive Work Group will hold a Europe / Asia Virtual Workshop on the 19th of August @ 10:00 CEST / 17:00 Japan and Korea. This event will be chaired by Masato Endo from Toyota. It will be our final Automotive meeting before the release of the OpenChain ISO standard circa Late September / Early October. All welcome.
Join Zoom Meeting: https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09
Meeting ID: 999 012 0120
Passcode: 123456
One tap mobile:
+16699006833,,9990120120#,,,,,,0#,,123456# US (San Jose)
+12532158782,,9990120120#,,,,,,0#,,123456# US (Tacoma)
Find your local number: https://us02web.zoom.us/u/kMNHHXxlG
OpenChain Japan - Our Series of Articles Continue with SPDX Lite - Using SW360/SPDX Lite to make AGL release software easy to check
https://www.openchainproject.org/news/2020/07/27/%e3%82%88%e3%81%86%e3%81%93%e3%81%9dopenchain-japan-wg%e3%81%b8%ef%bc%81-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2 (This is worth a spin through Google translate if you are interested in seeing how this new part of the SPDX specification was created)
The OpenChain Interviews: Meet SZ Lin
Our latest OpenChain interview is now online. This time around we are speaking with SZ Lin, a key figure beyond OpenChain in Taiwan, and one of the most recent additions to the governing board of the project. Check out his story:
https://www.openchainproject.org/openchain-interview-14-en
You can also read all our past interviews here: https://www.openchainproject.org/webinars-interviews
Reminder: OpenChain Webinar #9 Today (Monday) at 9am Pacific - The OpenChain Conformance Questionnaire
This week we will be doing something a little bit special with the webinar format. It will be a live walk-through of the Conformance Questionnaire with example solutions to each question required for OpenChain conformance. This is the first run-through of what will become a formal OpenChain video guide later in the month. As such, it will be interactive, and your suggestions for improvement will be taken on-board. Meanwhile, this run-through will be immediately useful to any organization considering or undergoing OpenChain conformance right now. Join us at 9am Pacific.
This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations. You can learn more about this series here: https://www.openchainproject.org/webinars-interviews

Join Our Zoom Meeting
* https://zoom.us/j/9990120120
Password
* 123456
One Tap Telephone (no screensharing)
* +358 9 4245 1488,,9990120120# Finland
* +33 7 5678 4048,,9990120120# France
* +49 69 7104 9922,,9990120120# Germany
* +852 5808 6088,,9990120120# Hong Kong
* +39 069 480 6488,,9990120120# Italy
* +353 6 163 9031,,9990120120# Ireland
* +81 524 564 439,,9990120120# Japan
* +82 2 6105 4111,,9990120120# Korea
* +34 917 873 431,,9990120120# Spain
* +46 850 539 728,,9990120120# Sweden
* +41 43 210 71 08,,9990120120# Switzerland
* +44 330 088 5830,,9990120120# UK
* +16699006833,,9990120120# US (San Jose)
* +12532158782,,9990120120# US
Find your local number: https://zoom.us/u/abeUqy3kYQ
Not all countries have available numbers. After dialing the local number enter 9990120120#
Re: [spdx] Funding for Hosting On-Line SPDX Tools
Phil Odence <Phil.Odence@...>
Thanks, Steve. And, McCoy, thanks in advance for the contribution! Best, Phil
L. Philip Odence
General Manager, Black Duck Audit Business
Synopsys Software Integrity Group, Burlington, MA
M (781) 258-9502 | phil.odence@...
https://www.synopsys.com/audits
From: <main@...> on behalf of Steve Winslow <swinslow@...>
Sorry to hear that, McCoy... I've reached out to the CommunityBridge maintainers to ask them to look into this and figure out what's going on. Will let you know what I hear back.
Best, Steve
On Fri, Jul 31, 2020 at 11:02 AM Shane Coughlan <scoughlan@...> wrote:
--
Steve Winslow
Re: [spdx] Funding for Hosting On-Line SPDX Tools
J Lovejoy
I just donated using a Visa and it worked.
J.
Re: [spdx] Funding for Hosting On-Line SPDX Tools
Steve Winslow
Sorry to hear that, McCoy... I've reached out to the CommunityBridge maintainers to ask them to look into this and figure out what's going on. Will let you know what I hear back. Best, Steve
On Fri, Jul 31, 2020 at 11:02 AM Shane Coughlan <scoughlan@...> wrote:
Re: [spdx] Funding for Hosting On-Line SPDX Tools
Looping our SPDX friends into the thread so they can check this out. :O
On Jul 31, 2020, at 23:25, McCoy Smith <mccoy@...> wrote:
Re: [spdx] Funding for Hosting On-Line SPDX Tools
McCoy Smith
Not sure who to alert on this, but I’ve tried to donate, and I keep getting rejected. It won’t accept any credit card of mine. “Failed to Create Credit Card” is the error message I get (both for AmEx & Visa cards).
From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: Thursday, July 30, 2020 4:58 PM
To: OpenChain Main <main@...>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>
Subject: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools
For those with an interest in tooling and SPDX :)
OpenChain Sponsors COSCUP Again – Local Team Doing Awesome Talk As Well
The OpenChain Project is once again sponsoring the COSCUP conference in Taiwan, an event that provides a unique opportunity to connect with individuals at the heart of one of the most innovative locations for information technology. Even more importantly, our OpenChain Taiwan Work Group founders, SZ Lin and Lucien Lin, will be delivering a talk on the first day of the event, August 1st!
https://www.openchainproject.org/news/2020/07/30/openchain-sponsors-coscup-again-local-team-doing-awesome-talk-as-well
Bitsea is the Latest OpenChain Partner
Bitsea, a company helping customers to analyse, assess, and optimize Software Development processes, has joined the OpenChain Partner program. This marks another significant expansion of the OpenChain ecosystem into the German software industry, and provides another milestone in our preparation to support our growth as a formal International Standard in Q4.
https://www.openchainproject.org/featured/2020/07/30/bitsea-is-the-latest-openchain-partner
[spdx] Funding for Hosting On-Line SPDX Tools
For those with an interest in tooling and SPDX :)
OpenChain Specification Work Team - Fourth Monday Call - Mon, 2020-07-27 5:00pm-6:00pm
#cal-reminder
main@lists.openchainproject.org Calendar <main@...>
Reminder: OpenChain Specification Work Team - Fourth Monday Call
When: Monday, 27 July 2020, 5:00pm to 6:00pm, (GMT-07:00) America/Los Angeles
Where: Zoom
Organizer: Shane Coughlan scoughlan@...
Description: Join Zoom Meeting ( https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09 )
Meeting ID: 999 012 0120
Password: 123456