OpenChain Specification Work Team - Second Monday Meeting - Mon, 2020-08-10 9:00am-10:00am #cal-reminder

main@lists.openchainproject.org Calendar <main@...>
 

Reminder: OpenChain Specification Work Team - Second Monday Meeting

When: Monday, 10 August 2020, 9:00am to 10:00am, (GMT-07:00) America/Los Angeles

Where: Zoom

Organizer: Shane Coughlan scoughlan@...

Description:

Join Zoom Meeting ( https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09 )
 
Meeting ID: 999 012 0120
Password: 123456


Shane on vacation

 

Greetings all!

It is a national holiday period and I will be largely away from my desk 10~14, 17~19. If you have an urgent request you can always reach me at +818040358083.

Shane


OpenChain in Sales and Procurement - Release Candidate Document

 

We are at two pages of text and about to go to LF creative to be turned into a pretty (around 4 page) leaflet.
https://1drv.ms/w/s!AsXJVqby5kpnj3yoNMe4Qm2yLd1E

Updates include making things shorter, making things clearer, and trying to include a wide variety of direct comments.

This is the last opportunity for comments before we publish.


OpenChain - The Big Picture (draft video)

 

I am preparing a new video series to help communicate the value of OpenChain and to explain how to conform. The first (draft) video is here and it is designed to be a two minute intro to what we are doing and why it is important to engage. Your feedback is most welcome:
https://www.youtube.com/watch?v=EZuEPMOgGwU

The script is here:

Hi, my name is Shane Coughlan and I am the general manager of the OpenChain Project.

This video will briefly explain the industry standard for open source compliance and how it builds trust across the business ecosystem.

The use of open source software provides tremendous advantages in accelerating innovation and time to market.

Open source software is third-party code provided under licenses that share similarities in granted rights and obligations.

These terms are important to consider when open source software is adopted, developed and deployed.

Our industry standard provides a simple, coherent definition of the key requirements of a quality open source compliance program.

It is designed to increase trust in internal or external supply chains by providing a single, clear framework for compliance activities.

Why?

Bespoke compliance requests introduce complexity and significantly increase the risk of errors without ensuring the desired outcome.

Our industry standard is the solution to this challenge. It is built from real world experience by hundreds of user companies.

Reducing or eliminating the need for bespoke approaches to open source compliance reduces both resource costs and the risk of missteps.

The industry standard is particularly relevant for procurement and sales activities. It enables simpler supplier selection, simpler contracts and quicker negotiations.

Organizations can self-certify or optionally get independent assessment or third-party certification in industries that need it.

Whatever choice you make in adopting this standard, it will help make your use of open source software more effective.



OpenChain Webinar #9 – OpenChain Self-Certification Questionnaire – Full Recording

 

This week we did something a little bit special with the webinar format. It was a live walk-through of the Conformance Questionnaire with example solutions to each question required for OpenChain conformance. This is the first run-through of what will become a formal OpenChain video guide later in the month. As such, it was interactive, and suggestions for improvement were taken on-board.

Of course, this run-through will be immediately useful to any organization considering or undergoing OpenChain conformance right now.
https://www.openchainproject.org/featured/2020/08/05/openchain-webinar-9-openchain-self-certification-questionnaire-full-recording


OpenChain Reference Tooling Work Group Meeting – July 27th – Morning and Afternoon – Full Recording

 

The OpenChain Reference Tooling Work Group meets bi-weekly to discuss open source tools for open source compliance. There are frequent demos and discussions around practical use. This is a good place to engage if you are considering open source tooling for your compliance activities.
This video is intended to give you an example of what our community gets up to in this area.
https://www.openchainproject.org/featured/2020/08/05/openchain-reference-tooling-work-group-meeting-july-27th-morning-and-afternoon-full-recording


OpenChain Fourth Monday Spec Call – July 2020 – Full Recording

 

We are discussing ideas and observations regarding OpenChain 2.0. This maps perfectly to our forthcoming ISO/IEC International Standard, currently under ballot as DIS 5230; voting finishes September 23rd.

Some of the comments raised will be addressed through reference material. Some of the comments will feed into discussions for further drafts of the standard.

https://www.openchainproject.org/featured/2020/08/04/openchain-fourth-monday-spec-call-july-2020-full-recording


Re: OpenChain 2.0 Self-Certification Questionnaire Update - Review before Thursday CoB Pacific

 

On Aug 5, 2020, at 7:56, Shane Coughlan <@shanecoughlan> wrote:

This is a big email. It is about taking the lessons learned on the Conformance Questionnaire Webinar held on the 3rd of August 2020 to improve our self-certification questionnaire. Lessons applicable to the questionnaire have been applied as discussed below.

The practical side of this update has happened on GitHub. It refers to this branch:
https://github.com/OpenChain-Project/conformance-questionnaire/tree/improving-questions-for-clarity
And this Pull Request for the Main branch:
https://github.com/OpenChain-Project/conformance-questionnaire/pull/47

However, you do not need to visit GitHub to review what I have been doing. Below you will find:
(1) The Updated Questions (and you can comment)
(2) The Updated Questions Alongside Strikethrough of the Old Questions
(3) A List of the Specific Commits on GitHub used

The update focuses on the following:
(a) Changing to active voice instead of passive voice
(b) Removing words or constructs not necessary for understanding
(c) Adjusting language to align more closely with the Specification
(d) Correcting terminology not used in the Spec but used in the Questionnaire
(e) Correcting typographical issues

Here is the Specification 2.0 for reference:
https://wiki.linuxfoundation.org/_media/openchain/openchainspec-2.0.pdf

Below is the adjusted Self-Certification Questionnaire for review.
Unless we have a blocking issue I would like to go live by Thursday CoB Pacific to ensure we can release the Self-Certification Walk-Through Video as soon as possible. Therefore, while all comments are welcome, requests for changes should be isolated to errors, if any.

Goal 1:

Do you have a documented policy governing the Open Source license compliance of the Supplied Software?

Do you have a documented procedure to communicate the existence of the Open Source policy to all Software Staff?

Have you identified the roles and responsibilities that affect the performance and effectiveness of the Program?

Have you identified and documented the competencies required for each role?

Have you documented the assessed competence for each Program participant?

Have you documented the awareness of your Program participants on the following topics?
The Open Source policy and where to find it;
Relevant Open Source objectives;
Contributions expected to ensure the effectiveness of the Program;
The implications of failing to follow the Program requirements.

Do you have a process for determining the scope of your Program?

Do you have a written statement clearly defining the scope and limits of the Program?

Do you have a documented procedure to review and document Open Source license obligations, restrictions and rights?

Goal 2: Relevant Tasks Defined and Supported

Have you assigned individual(s) responsibility for receiving external Open Source compliance inquiries?

Is the external Open Source compliance contact publicly identified (e.g. via an email address or the Linux Foundation Open Compliance Directory)?

Do you have a documented procedure for receiving and responding to Open Source compliance inquiries?

Have you documented the persons, group or function supporting the Program role(s) identified?

Have the identified Program roles been properly staffed and adequately funded?

Has legal expertise to address internal and external Open Source compliance been identified?

Do you have a documented procedure assigning internal responsibilities for Open Source compliance?

Do you have a documented procedure for handling review and remediation of non-compliant cases?

Goal 3: Open Source Content Review and Approval

Do you have a documented procedure for identifying, tracking and archiving information about the Open Source components in a Supplied Software release?

Do you have Open Source component records for Supplied Software which demonstrates the documented procedure was properly followed?

Do you have a documented procedure that covers these common Open Source license use cases for Open Source components in the Supplied Software?
Distribution in binary form;
Distribution in source form;
Containing modified Open Source;
Containing Open Source with attribution requirements;
Integration with other Open Source that may trigger copyleft obligations;
Containing Open Source or other software under incompatible licenses for interaction with other components in the Supplied Software.

Goal 4: Compliance Artifact Creation and Delivery

Do you have a documented procedure describing the process ensuring the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?

Do you have a documented procedure for archiving copies of Compliance Artifacts for the Supplied Software?

Are the Compliance Artifacts archived at least as long as the Supplied Software is offered and as required by the Identified Licenses?

Goal 5: Understand Open Source Community Engagement

Do you have a policy for contribution to Open Source projects on behalf of the organization?

Do you have a documented procedure governing Open Source contributions?

Do you have a documented procedure for making all Software Staff aware of the Open Source contribution policy?

Goal 6: Adherence to the Specification Requirements

Do you have documentation confirming that your Program meets all the requirements of this specification?

Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?

Here are the changes line by line

Goal 1:

Do you have a documented policy governing the Open Source license compliance of the Supplied Software?
Do you have a documented policy that governs open source license compliance of the Supplied Software distribution (e.g., via training, internal wiki, or other practical communication method)?

Do you have a documented procedure to communicate the existence of the Open Source policy to all Software Staff?
Do you have a documented procedure that communicates the existence of the open source policy to all Software Staff?

Have you identified the roles and responsibilities that affect the performance and effectiveness of the Program?
Have you identified the roles and the corresponding responsibilities that affect the performance and effectiveness of the Program?

Have you identified and documented the competencies required for each role?
Have you identified and documented the competencies required for each role?

Have you documented the assessed competence for each Program participant?
Have you documented evidence of assessed competence for each Program participant?

Have you documented the awareness of your Program participants on the following topics?
The Open Source policy and where to find it;
Relevant Open Source objectives;
Contributions expected to ensure the effectiveness of the Program;
The implications of failing to follow the Program requirements.
Do you have evidence documenting the awareness of your personnel of the following topics?
The open source policy and where to find it,
The relevant open source objectives,
The contributions expected to ensure the effectiveness of the Program,
The implications of failing to follow the Program requirements,

Do you have a process for determining the scope of your Program?
Do you have a process for determining the scope of your Program?

Do you have a written statement clearly defining the scope and limits of the Program?
Do you have a written statement that clearly defines the scope and limits of the Program?

Do you have a documented procedure to review and document Open Source license obligations, restrictions and rights?
Do you have a process for reviewing open source license obligations, restrictions and rights?
Do you have a documented procedure to review and document the obligations, restrictions and rights?

Goal 2: Relevant Tasks Defined and Supported

Have you assigned individual(s) responsibility for receiving external Open Source compliance inquiries?
Have you assigned individual(s) responsible for receiving external open source compliance inquiries ("Open Source Liaison")?

Is the external Open Source compliance contact publicly identified (e.g. via an email address or the Linux Foundation Open Compliance Directory)?
Is the Open Source Liaison function publicly identified (e.g. via an email address and/or the Linux Foundation's Open Compliance Directory)?

Do you have a documented procedure for receiving and responding to Open Source compliance inquiries?
Do you have a documented procedure that assigns responsibility for receiving and responding to open source compliance inquiries?

Have you documented the persons, group or function supporting the Program role(s) identified?
Have you documented the persons, group or function supporting the Program role(s) identified?

Have the identified Program roles been properly staffed and adequately funded?
Have the identified Program roles been properly staffed and has adequate funding provided?

Has legal expertise to address internal and external Open Source compliance been identified?
Is legal expertise pertaining to internal and external open source compliance identified?

Do you have a documented procedure assigning internal responsibilities for Open Source compliance?
Do you have a documented procedure assigning internal responsibilities for Open Source compliance.

Do you have a documented procedure for handling review and remediation of non-compliant cases?
Do you have a documented procedure for handling review and remediation of non-compliant cases?

Goal 3: Open Source Content Review and Approval

Do you have a documented procedure for identifying, tracking and archiving information about the Open Source components in a Supplied Software release?
Do you have a documented procedure for identifying, tracking and archiving information about the collection of open source components from which a Supplied Software release is comprised?

Do you have Open Source component records for Supplied Software which demonstrates the documented procedure was properly followed?
Do you have open source component records for each Supplied Software release which demonstrates the documented procedure was properly followed?

Do you have a documented procedure that covers these common Open Source license use cases for Open Source components in the Supplied Software?
Distribution in binary form;
Distribution in source form;
Containing modified Open Source;
Containing Open Source with attribution requirements;
Integration with other Open Source that may trigger copyleft obligations;
Containing Open Source or other software under incompatible licenses for interaction with other components in the Supplied Software.
Have you implemented a procedure that handles at least the following common open source license use cases for the open source components of each supplied Supplied Software release?
distributed in binary form;
distributed in source form;
integrated with other open source such that it may trigger copyleft obligations;
contains modified open source;
contains open source or other software under an incompatible license interacting with other components within the Supplied Software;
contains open source with attribution requirements.

Goal 4: Compliance Artifact Creation and Delivery

Do you have a documented procedure describing the process ensuring the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?
Do you have a documented procedure that describes a process that ensures the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?

Do you have a documented procedure for archiving copies of Compliance Artifacts for the Supplied Software?
Do you archive copies of the Compliance Artifacts of the Supplied Software?

Are the Compliance Artifacts archived at least as long as the Supplied Software is offered and as required by the Identified Licenses?
Are the copies of the Compliance Artifacts archived for at least as long as the Supplied Software is offered or as required by the Identified Licenses (whichever is longer)?

Goal 5: Understand Open Source Community Engagement

Do you have a policy for contribution to Open Source projects on behalf of the organization?
Do you have a policy that governs contributions to open source projects on behalf of the organization?

Do you have a documented procedure governing Open Source contributions?
Do you have a documented procedure that governs Open Source contributions?

Do you have a documented procedure for making all Software Staff aware of the Open Source contribution policy?
Do you have a documented procedure that makes all Software Staff aware of the existence of the Open Source contribution policy?

Goal 6: Adherence to the Specification Requirements

Do you have documentation confirming that your Program meets all the requirements of this specification?
Do you have documentation confirming that your Program meets all the requirements of this specification?

Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?
Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?

Here are the changes as per GitHub

Updated Question 1(a) for clarity …
d114034

Updated Question 1(b) for clarity
17c5bca

Updated Question 1(c) for clarity
ec468ff

Updated Question 1(d) for clarity
4fa152d

Corrected 1(d), reverted because of double-check with spec
7a3f70e

Improved 1(e) for clarity
3f6b2ae

Improved 1(f) for clarity
8b51cf0

Updated 1(f)ii for clarity
0878235

Updated 1(f)iii for clarity
71b01ec

Updated 1(h) for clarity
dff6cb9

Updated 1(i) to clarify conflation between "process" and "procedure" … …
76033ba

Improved 2(a) for clarity
0200570

Fixed "open source" to Open Source throughout as this is a defined te… …
e501444

Improved Question 2(b) for clarity
6b12c98

Improved 2(c) for clarity and to bring it closer to the precise words… …
91e6ad6

Improved 2(e) for clarity
061c387

Improved 2(f) for clarity and to bring the wording closer to the spec
71cf4f6

Further improvement to 2(f) for clarity
b1eaa18

Improved 3(a) for clarity
800b25c

Improved 3(b) for clarity
e3aa6c9

Improved 3(c) for clarity
abde070

Updated 3.c.i to active voice for clarity
b795769

Updated 3.c.ii to active voice for clarity
64b1bdd

Updated 3.c.iii to active voice for clarity, also reduced unn… …
ca882cb

Fixed 3(c) because it used the term "at least" these use cases but th… …
1ae5a99

Updated 3.c.iv to active voice
f253c0b

Updated 3.c.v to active voice and for clarity
fa4b8ac

Updated 3.c.vi to active voice
62ceb8f

Re-ordered questions under 3(c).X to make a better read path …
d2256e7

Changed 4.a to active voice
6fc0fb6

Improved 4.b to bring it closer to the actual wording of the Spec
0683ad0

Improved 4.d for clarity (using AND instead of OR as the effect of AN… …
5f3fcbe

Tweaked for clarity
5fead24

Improved 5.a to bring it closer to the wording of the spec
0d60b84

Updated 5.b to active voice
3587ad4

Updated legacy error with numbering (4.d to 4.c as no 4.c existed prior)
3936cf9

Updated 5.c to active voice and for clarity
750cde1

Updated bullet list formatting to match the rest of the document
0715c0a

Corrected typo (. instead of ?) in 2.g
0f875a7


Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?
Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?

Here are the changes as per GitHub

Updated Question 1(a) for clarity … (d114034)
Updated Question 1(b) for clarity (17c5bca)
Updated Question 1(c) for clarity (ec468ff)
Updated Question 1(d) for clarity (4fa152d)
Corrected 1(d), reverted because of double-check with spec (7a3f70e)
Improved 1(e) for clarity (3f6b2ae)
Improved 1(f) for clarity (8b51cf0)
Updated 1(f)ii for clarity (0878235)
Updated 1(f)iii for clarity (71b01ec)
Updated 1(h) for clarity (dff6cb9)
Updated 1(i) to clarify conflation between "process" and "procedure" … (76033ba)
Improved 2(a) for clarity (0200570)
Fixed "open source" to Open Source throughout as this is a defined te… (e501444)
Improved Question 2(b) for clarity (6b12c98)
Improved 2(c) for clarity and to bring it closer to the precise words… (91e6ad6)
Improved 2(e) for clarity (061c387)
Improved 2(f) for clarity and to bring the wording closer to the spec (71cf4f6)
Further improvement to 2(f) for clarity (b1eaa18)
Improved 3(a) for clarity (800b25c)
Improved 3(b) for clarity (e3aa6c9)
Improved 3(c) for clarity (abde070)
Updated 3.c.i to active voice for clarity (b795769)
Updated 3.c.ii to active voice for clarity (64b1bdd)
Updated 3.c.iii to active voice for clarity, also reduced unn… (ca882cb)
Fixed 3(c) because it used the term "at least" these use cases but th… (1ae5a99)
Updated 3.c.iv to active voice (f253c0b)
Updated 3.c.v to active voice and for clarity (fa4b8ac)
Updated 3.c.vi to active voice (62ceb8f)
Re-ordered questions under 3(c).X to make a better read path … (d2256e7)
Changed 4.a to active voice (6fc0fb6)
Improved 4.b to bring it closer to the actual wording of the Spec (0683ad0)
Improved 4.d for clarity (using AND instead of OR as the effect of AN… (5f3fcbe)
Tweaked for clarity (5fead24)
Improved 5.a to bring it closer to the wording of the spec (0d60b84)
Updated 5.b to active voice (3587ad4)
Updated legacy error with numbering (4.d to 4.c as no 4.c existed prior) (3936cf9)
Updated 5.c to active voice and for clarity (750cde1)
Updated bullet list formatting to match the rest of the document (0715c0a)
Corrected typo (. instead of ?) in 2.g (0f875a7)


Wipro Limited is the latest OpenChain Partner

 

SAN FRANCISCO, August 4, 2020 – The OpenChain Project today announced Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO), a leading global information technology, consulting and business process services company, as the latest participant in the growing partner program. Wipro will provide an important bridge between companies seeking to adopt the OpenChain industry standard for compliance and the implementation of quality open source compliance programs.

Learn More:
https://www.openchainproject.org/news/2020/08/04/wipro-limited-is-the-latest-openchain-partner


Thank you for an excellent webinar!

 

Great questions, comments and suggestions! I’ll be making sure we incorporate all we covered to make OpenChain adoption easier for all types of stakeholder.

Recording coming soon.

Shane


OpenChain Bi-Weekly Webinar - Mon, 2020-08-03 #cal-notice

main@lists.openchainproject.org Calendar <noreply@...>
 

OpenChain Bi-Weekly Webinar

When:
Monday, 3 August 2020
9:00am to 10:00am
(GMT-07:00) America/Los Angeles

Where:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Organizer:
scoughlan@... 00818040358083

Description:
This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations. You can learn more about this series here: https://www.openchainproject.org/webinars-interviews

Join Our Zoom Meeting

Password

  • 123456

One Tap Telephone (no screensharing)

  • +358 9 4245 1488,,9990120120# Finland
  • +33 7 5678 4048,,9990120120# France
  • +49 69 7104 9922,,9990120120# Germany
  • +852 5808 6088,,9990120120# Hong Kong
  • +39 069 480 6488,,9990120120# Italy
  • +353 6 163 9031,,9990120120# Ireland
  • +81 524 564 439,,9990120120# Japan
  • +82 2 6105 4111,,9990120120# Korea
  • +34 917 873 431,,9990120120# Spain
  • +46 850 539 728,,9990120120# Sweden
  • +41 43 210 71 08,,9990120120# Switzerland
  • +44 330 088 5830,,9990120120# UK
  • +16699006833,,9990120120# US (San Jose)
  • +12532158782,,9990120120# US

Find your local number: https://zoom.us/u/abeUqy3kYQ
Not all countries have available numbers.

After dialing the local number enter 9990120120#


OpenChain Bi-Weekly Webinar - Mon, 2020-08-03 9:00am-10:00am, Please RSVP #cal-reminder

main@lists.openchainproject.org Calendar <main@...>
 

Reminder: OpenChain Bi-Weekly Webinar

When: Monday, 3 August 2020, 9:00am to 10:00am, (GMT-07:00) America/Los Angeles

Where:https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

An RSVP is requested. Click here to RSVP

Organizer: Shane Coughlan scoughlan@... 00818040358083

Description: This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations. You can learn more about this series here: https://www.openchainproject.org/webinars-interviews

Join Our Zoom Meeting

Password

  • 123456


Find your local number: https://zoom.us/u/abeUqy3kYQ
Not all countries have available numbers.

After dialing the local number enter 9990120120#


OpenChain Automotive Work Group - Europe / Asia Virtual Workshop on the 19th of August @ 10:00 CEST / 17:00 Japan and Korea

 

The OpenChain Automotive Work Group will hold a Europe / Asia Virtual Workshop on the 19th of August @ 10:00 CEST / 17:00 Japan and Korea. This event will be chaired by Masato Endo from Toyota. It will be our final Automotive meeting before the release of the OpenChain ISO standard circa late September / early October. All welcome.

Join Zoom Meeting

https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Meeting ID: 999 012 0120

Passcode: 123456

One tap mobile

+16699006833,,9990120120#,,,,,,0#,,123456# US (San Jose)

+12532158782,,9990120120#,,,,,,0#,,123456# US (Tacoma)

Find your local number: https://us02web.zoom.us/u/kMNHHXxlG


OpenChain Japan - Our Series of Articles Continues with SPDX Lite - Using SW360/SPDX Lite to make AGL release software easy to verify

 

https://www.openchainproject.org/news/2020/07/27/%e3%82%88%e3%81%86%e3%81%93%e3%81%9dopenchain-japan-wg%e3%81%b8%ef%bc%81-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2
(This is worth a spin through Google translate if you are interested in seeing how this new part of the SPDX specification was created)


The OpenChain Interviews: Meet SZ Lin

 

Our latest OpenChain interview is now online. This time around we are speaking with SZ Lin, a key figure behind OpenChain in Taiwan, and one of the most recent additions to the governing board of the project. Check out his story:
https://www.openchainproject.org/openchain-interview-14-en
You can also read all our past interviews here:
https://www.openchainproject.org/webinars-interviews


Reminder: OpenChain Webinar #9 Today (Monday) at 9am Pacific - The OpenChain Conformance Questionnaire

 

This week we will be doing something a little bit special with the webinar format. It will be a live walk-through of the Conformance Questionnaire with example solutions to each question required for OpenChain conformance. This is the first run-through of what will become a formal OpenChain video guide later in the month. As such, it will be interactive, and your suggestions for improvement will be taken on board. Meanwhile, this run-through will be immediately useful to any organization considering or undergoing OpenChain conformance right now. Join us at 9am Pacific.

This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations. You can learn more about this series here:
https://www.openchainproject.org/webinars-interviews

Join Our Zoom Meeting

* https://zoom.us/j/9990120120

Password

* 123456


Find your local number: https://zoom.us/u/abeUqy3kYQ
Not all countries have available numbers.

After dialing the local number enter 9990120120#


Re: [spdx] Funding for Hosting On-Line SPDX Tools

Phil Odence <Phil.Odence@...>
 

Thank, Steve. And, McCoy, thanks in advance for the contribution!

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  


From: <main@...> on behalf of Steve Winslow <swinslow@...>
Reply-To: "main@..." <main@...>
Date: Friday, July 31, 2020 at 11:22 AM
To: "main@..." <main@...>
Cc: OpenChain Tooling <oss-based-compliance-tooling@groups.io>, "spdx@..." <spdx@...>
Subject: Re: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

 

Sorry to hear that, McCoy... I've reached out to the CommunityBridge maintainers to ask them to look into this and figure out what's going on. Will let you know what I hear back.

 

Best,

Steve

 

On Fri, Jul 31, 2020 at 11:02 AM Shane Coughlan <scoughlan@...> wrote:

Looping our SPDX friends into the thread so they can check this out.

 

:O



On Jul 31, 2020, at 23:25, McCoy Smith <mccoy@...> wrote:

Not sure who to alert on this, but I’ve tried to donate, and I keep getting rejected.  It won’t accept any credit card of mine. “Failed to Create Credit Card” is the error message I get (both for AmEx & Visa cards).

 

From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: Thursday, July 30, 2020 4:58 PM
To: OpenChain Main <main@...>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>
Subject: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

 

For those with an interest in tooling and SPDX :)

 

Begin forwarded message:

 

From: "Phil Odence" <phil.odence@...>

Subject: [spdx] Funding for Hosting On-Line SPDX Tools

Date: July 29, 2020 3:18:03 JST

To: "spdx@..." <spdx@...>

Reply-To: spdx@...

 

The SPDX Work Group needs your help to host on-line tools.

 

As you may know, SPDX runs on a shoestring with support from the Linux Foundation but no corporate contributions. There are benefits to the independence of this arrangement, but it means we rely on individual contributions to cover modest expenses we do take on. One of those regular expenses is for cloud services to host our wonderful set of on-line tools.

 

We spend $1200/year on hosting. We’d like to line up enough funding to backfill for this year and to build a balance of “money in the bank” to ensure continuity next year. So the goal is $2400 total. As of this writing we are approaching halfway there.

 

Please make a contribution of any size through the Linux Foundation CommunityBridge at:

 

BIG THANKS in advance!

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...


--

Steve Winslow
Director of Strategic Programs
The Linux Foundation


Re: [spdx] Funding for Hosting On-Line SPDX Tools

J Lovejoy
 

I just donated using a Visa and it worked.

J.
