Date   

Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

 

All, context slides at link:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Jari, I think it’s a good idea, but I also fear it might add a little too much complexity at this time. How about we see how the slides are understood in Asia etc., seeing if any confusion exists, before action?

On Aug 25, 2021, at 17:35, Jari Koivisto <jari.p.koivisto@iki.fi> wrote:

Hi All,

I think that this new slide 10 is better now. It might add unnecessary complexity, but maybe each of the 4 arrows could have a small loop arrow on top depicting the nature of iterative work involved at each state, e.g. a company may try several types of automation to create the artefacts.

Jari


External Article: Happy birthday, Linux: From a bedroom project to billions of devices in 30 years

 

In a break from our usual governance-related discussions, Linux has hit a big milestone and Greg KH has a few words to share in an interview on the topic. Those who know Greg will know that he is one of the most effective communicators and bridge-builders across multiple domains in the open ecosystem. This short article is a nice starting point for people seeking context:
https://www.theregister.com/2021/08/25/linux_kernel_30_years_old/


Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Christopher Wood
 

Hello all
This is a great discussion.  I do like Jacob's suggestion with some simple notation that indicates that the "levels" or whatever you call them are cumulative going from the base (Level 1 up through Level 4).  I also believe that formal adoption of each level's requirements will become necessary for any "vendor or supplier" due to market demands and agree with Shane that they should probably not be dictated by the OpenChain Project.  To show that the additive features of the Chart 10 could be added to an inverted stack of the levels. (Level 1 is foundational to the concept and building on Level 1 gives you advanced capabilities as a 4th column.



On Wednesday, August 25, 2021, 10:52:57 AM CDT, Jacob Wilson via lists.openchainproject.org <jacob.wilson=synopsys.com@...> wrote:


I agree with Steve’s sentiment of wandering tokens, in my opinion levels of assurance with progressive technology independent criteria are required.

Borrowing from other ISO standards, I propose these "levels" outline a 1) goal 2) business case 3) metric. Goal criteria should increment as assurance or level of trust is achieved, while the case and metric move as the technology and supplier landscape change around the business.

 

In the below table I outline one view of this concept:

  • Let’s say for example SBoM incorporates distributed ledger technology as discussed in other conversation threads. First the organization would build the business case around adapting SBoM technology to include blockchain, then they would establish a viable metric to measure this business justification. Ultimately the goal would remain intact because it was forward thinking and progressive in level of assurance.
  • Now let’s say that an organization is considering the move from internal assessment of OpenChain ISO 5230 to an external 3rd party assessment. They may revise their business case from “Prevent uncertainty through alignment with OpenChain ISO 5230” to “Prevent bias and uncertainty through independent confirmation of OpenChain ISO 5230 compliance”. The Metric remains intact to facilitate the audit process and the goal of dedicating assurance resources remains intact as well.

 

These are a couple of ways we can move along the field while keeping the goal posts intact. Of course I’m always open to feedback, and I realize this doesn’t prevent an organization from collecting artifacts of conformance (silver) before establishing a management framework (bronze). But we can see the crawl, walk, run analogy in the progression in levels of assurance (goals).. Perhaps platinum level is hiring Toni Kroos for 3rd party assessment.

 

 

 

Jacob Wilson

Senior Security Consultant
M: 773-372-8868 | jacob.wilson@...

Synopsys Software Integrity Group (SIG)

http://www.synopsys.com/software

 

From: main@... <main@...> On Behalf Of Jari Koivisto
Sent: Wednesday, August 25, 2021 4:36 AM
To: OpenChain Main <main@...>
Subject: Re: [openchain] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

 

Hi All,

 

I think that this new slide 10 is better now. It might add unnecessary complexity, but maybe each of the 4 arrows could have a small loop arrow on top depicting the nature of iterative work involved at each state, e.g. a company may try several types of automation to create the artefacts. 

 

   Jari

 


---
Jari Koivisto
E-mail: jari.p.koivisto@...
Mobile: +41 78 7479791
Skype: jari.p.koivisto
LinkedIn: http://www.linkedin.com/in/jarikoivisto

 

 

On Wed, 25 Aug 2021 at 07:16, Shane Coughlan <scoughlan@...> wrote:

Thanks Steve. Slide 10 has been refined to place emphasis on the actions being non-normative evolution on the part of a single example company:

 

Regarding SPDX or other SBOM badges, I am sure we will see movement in this direction in the coming weeks.

 

Shane



On Aug 24, 2021, at 16:35, Steve Kilbane <stephen.kilbane@...> wrote:

Hi Shane,

As a comment on the revised slides, slide 10 doesn't work for me, since it shows a cycle, but you wouldn't go from your intended end-point (audit done) back to "just" OpenChain compliance without SBOM or automation.

As noted on the call, these aren't linear journeys, and an organisation could collect these plot tokens by wandering the map in whichever order they choose. They may add external audit first, then automation, then use that automation to produce their SBOMs.

I did like the idea of identifying them as best practices rather than "levels", because they can be adopted in any order. I did wonder whether it made sense to have a receiver award the SBOM badge to the supplier, but that might be problematic with respect to confidential business arrangements.

It would be nice if there were an SBOM badge that could be awarded to open source projects that are producing suitable output - uses SPDX Ids, includes an SBOM - but that's probably more down to the SPDX project than the OpenChain project.

steve


Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Jacob Wilson
 

I agree with Steve’s sentiment of wandering tokens, in my opinion levels of assurance with progressive technology independent criteria are required.

Borrowing from other ISO standards, I propose these "levels" outline a 1) goal 2) business case 3) metric. Goal criteria should increment as assurance or level of trust is achieved, while the case and metric move as the technology and supplier landscape change around the business.

 

In the below table I outline one view of this concept:

  • Let’s say for example SBoM incorporates distributed ledger technology as discussed in other conversation threads. First the organization would build the business case around adapting SBoM technology to include blockchain, then they would establish a viable metric to measure this business justification. Ultimately the goal would remain intact because it was forward thinking and progressive in level of assurance.
  • Now let’s say that an organization is considering the move from internal assessment of OpenChain ISO 5230 to an external 3rd party assessment. They may revise their business case from “Prevent uncertainty through alignment with OpenChain ISO 5230” to “Prevent bias and uncertainty through independent confirmation of OpenChain ISO 5230 compliance”. The Metric remains intact to facilitate the audit process and the goal of dedicating assurance resources remains intact as well.

 

These are a couple of ways we can move along the field while keeping the goal posts intact. Of course I’m always open to feedback, and I realize this doesn’t prevent an organization from collecting artifacts of conformance (silver) before establishing a management framework (bronze). But we can see the crawl, walk, run analogy in the progression in levels of assurance (goals).. Perhaps platinum level is hiring Toni Kroos for 3rd party assessment.

 

 

 

Jacob Wilson

Senior Security Consultant
M: 773-372-8868 | jacob.wilson@...

Synopsys Software Integrity Group (SIG)

http://www.synopsys.com/software

 

From: main@... <main@...> On Behalf Of Jari Koivisto
Sent: Wednesday, August 25, 2021 4:36 AM
To: OpenChain Main <main@...>
Subject: Re: [openchain] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

 

Hi All,

 

I think that this new slide 10 is better now. It might add unnecessary complexity, but maybe each of the 4 arrows could have a small loop arrow on top depicting the nature of iterative work involved at each state, e.g. a company may try several types of automation to create the artefacts. 

 

   Jari

 


---
Jari Koivisto
E-mail: jari.p.koivisto@...
Mobile: +41 78 7479791
Skype: jari.p.koivisto
LinkedIn: http://www.linkedin.com/in/jarikoivisto

 

 

On Wed, 25 Aug 2021 at 07:16, Shane Coughlan <scoughlan@...> wrote:

Thanks Steve. Slide 10 has been refined to place emphasis on the actions being non-normative evolution on the part of a single example company:

 

Regarding SPDX or other SBOM badges, I am sure we will see movement in this direction in the coming weeks.

 

Shane



On Aug 24, 2021, at 16:35, Steve Kilbane <stephen.kilbane@...> wrote:

Hi Shane,

As a comment on the revised slides, slide 10 doesn't work for me, since it shows a cycle, but you wouldn't go from your intended end-point (audit done) back to "just" OpenChain compliance without SBOM or automation.

As noted on the call, these aren't linear journeys, and an organisation could collect these plot tokens by wandering the map in whichever order they choose. They may add external audit first, then automation, then use that automation to produce their SBOMs.

I did like the idea of identifying them as best practices rather than "levels", because they can be adopted in any order. I did wonder whether it made sense to have a receiver award the SBOM badge to the supplier, but that might be problematic with respect to confidential business arrangements.

It would be nice if there were an SBOM badge that could be awarded to open source projects that are producing suitable output - uses SPDX Ids, includes an SBOM - but that's probably more down to the SPDX project than the OpenChain project.

steve


Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Jari Koivisto
 

Hi All,

I think that this new slide 10 is better now. It might add unnecessary complexity, but maybe each of the 4 arrows could have a small loop arrow on top depicting the nature of iterative work involved at each state, e.g. a company may try several types of automation to create the artefacts. 

   Jari


---
Jari Koivisto
E-mail: jari.p.koivisto@...
Mobile: +41 78 7479791
Skype: jari.p.koivisto
LinkedIn: http://www.linkedin.com/in/jarikoivisto



On Wed, 25 Aug 2021 at 07:16, Shane Coughlan <scoughlan@...> wrote:
Thanks Steve. Slide 10 has been refined to place emphasis on the actions being non-normative evolution on the part of a single example company:

Regarding SPDX or other SBOM badges, I am sure we will see movement in this direction in the coming weeks.

Shane

On Aug 24, 2021, at 16:35, Steve Kilbane <stephen.kilbane@...> wrote:

Hi Shane,

As a comment on the revised slides, slide 10 doesn't work for me, since it shows a cycle, but you wouldn't go from your intended end-point (audit done) back to "just" OpenChain compliance without SBOM or automation.

As noted on the call, these aren't linear journeys, and an organisation could collect these plot tokens by wandering the map in whichever order they choose. They may add external audit first, then automation, then use that automation to produce their SBOMs.

I did like the idea of identifying them as best practices rather than "levels", because they can be adopted in any order. I did wonder whether it made sense to have a receiver award the SBOM badge to the supplier, but that might be problematic with respect to confidential business arrangements.

It would be nice if there were an SBOM badge that could be awarded to open source projects that are producing suitable output - uses SPDX Ids, includes an SBOM - but that's probably more down to the SPDX project than the OpenChain project.

steve


Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

 

Thanks Steve. Slide 10 has been refined to place emphasis on the actions being non-normative evolution on the part of a single example company:

Regarding SPDX or other SBOM badges, I am sure we will see movement in this direction in the coming weeks.

Shane

On Aug 24, 2021, at 16:35, Steve Kilbane <stephen.kilbane@...> wrote:

Hi Shane,

As a comment on the revised slides, slide 10 doesn't work for me, since it shows a cycle, but you wouldn't go from your intended end-point (audit done) back to "just" OpenChain compliance without SBOM or automation.

As noted on the call, these aren't linear journeys, and an organisation could collect these plot tokens by wandering the map in whichever order they choose. They may add external audit first, then automation, then use that automation to produce their SBOMs.

I did like the idea of identifying them as best practices rather than "levels", because they can be adopted in any order. I did wonder whether it made sense to have a receiver award the SBOM badge to the supplier, but that might be problematic with respect to confidential business arrangements.

It would be nice if there were an SBOM badge that could be awarded to open source projects that are producing suitable output - uses SPDX Ids, includes an SBOM - but that's probably more down to the SPDX project than the OpenChain project.

steve


Re: [india-wg] [openchain] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

 

Thanks Matija. Glad it reads well to you!

Regards

Shane

On Aug 24, 2021, at 20:02, Matija Šuklje <matija@suklje.name> wrote:

Die 24. 08. 21 et hora 09:00 Shane Coughlan scripsit:
In broad strokes:
(1) we decided to make it *very* clear this was not about variants of
OpenChain ISO 5230 but rather about where companies can go next after
adoption
(2) we decided to pull back from “quality grading” by the project
and instead providing case studies and examples to help inspire companies
This sounds like a sane approach to me.

Check out the latest (and dramatically overhauled) edit here:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc
After opening the slide deck today, I was wondering what the complaints were
against :)

The slides look OK to me at the time of this writing.


cheers,
Matija


Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Matija Šuklje
 

Die 24. 08. 21 et hora 09:00 Shane Coughlan scripsit:
In broad strokes:
(1) we decided to make it *very* clear this was not about variants of
OpenChain ISO 5230 but rather about where companies can go next after
adoption
(2) we decided to pull back from “quality grading” by the project
and instead providing case studies and examples to help inspire companies
This sounds like a sane approach to me.

Check out the latest (and dramatically overhauled) edit here:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc
After opening the slide deck today, I was wondering what the complaints were
against :)

The slides look OK to me at the time of this writing.


cheers,
Matija
--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: matija.suklje@gabbler.org
sip: matija_suklje@ippi.fr


Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Steve Kilbane
 

Hi Shane,

As a comment on the revised slides, slide 10 doesn't work for me, since it shows a cycle, but you wouldn't go from your intended end-point (audit done) back to "just" OpenChain compliance without SBOM or automation.

As noted on the call, these aren't linear journeys, and an organisation could collect these plot tokens by wandering the map in whichever order they choose. They may add external audit first, then automation, then use that automation to produce their SBOMs.

I did like the idea of identifying them as best practices rather than "levels", because they can be adopted in any order. I did wonder whether it made sense to have a receiver award the SBOM badge to the supplier, but that might be problematic with respect to confidential business arrangements.

It would be nice if there were an SBOM badge that could be awarded to open source projects that are producing suitable output - uses SPDX Ids, includes an SBOM - but that's probably more down to the SPDX project than the OpenChain project.

steve

-----Original Message-----
From: main@lists.openchainproject.org <main@lists.openchainproject.org> On Behalf Of Shane Coughlan
Sent: 24 August 2021 08:00
To: OpenChain Main <main@lists.openchainproject.org>
Cc: OpenChain Specification <specification@lists.openchainproject.org>; OpenChain Japan <japan-wg@lists.openchainproject.org>; OpenChain Korea <korea-wg@lists.openchainproject.org>; OpenChain Germany <germany-wg@lists.openchainproject.org>; OpenChain UK <uk-wg@lists.openchainproject.org>; OpenChain Partners <partners@lists.openchainproject.org>; OpenChain Automotive <openchain-automotive-work-group@groups.io>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>; OpenChain India <india-wg@lists.openchainproject.org>
Subject: Re: [openchain] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

[External]

Thanks for the great feedback Kate and Mark (on this list) and loads of other people (on our call).

In broad strokes:
(1) we decided to make it *very* clear this was not about variants of OpenChain ISO 5230 but rather about where companies can go next after adoption
(2) we decided to pull back from “quality grading” by the project and instead providing case studies and examples to help inspire companies

Check out the latest (and dramatically overhauled) edit here:
https://urldefense.com/v3/__https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc__;!!A3Ni8CS0y2Y!rSyuQmZ37tkXPfAEMCXKiRLUbYiVBKpseV5yI3tiH0QCwRW-ScqwcILPLBoN9cDiU-x-$

On Aug 23, 2021, at 23:06, Mark Gisi <mark.gisi@windriver.com> wrote:

One of the core guiding principles for the OpenChain Specification is to focus on the what and why of compliance (and avoid the how and when). This is highlighted in the introduction of the spec. That is avoid being prescriptive.

It was always understood that the OpenChain Project would foster the creation of various materials around best practices to educate how other companies achieve conformance. That is - to describe the prescriptive ways of others. This has not been done with any formal structure yet within the project. The proposed levels approach is the first attempt to do this which I commend. What I disagree with is mixing the specification to tightly with prescriptive ways because it undermines a core principle and purpose of the specification.

I suggest we create a complimentary best practice program/guide that encourages companies to consider various prescriptive levels. That is, have Best Practice Levels (bronze, silver, gold, …) but DON’T confuse it with the spec (which is: about what and why, practice neutral, non-prescriptive, …). For instance, have a program with its own logo (for example - see attached)

best,

Mark Gisi
Director, Open Source Program Office
Empowering Customers to Prosper using Open Source
(510) 749-2016





-----Original Message-----
From: specification@lists.openchainproject.org <specification@lists.openchainproject.org> On Behalf Of Shane Coughlan
Sent: Monday, August 23, 2021 1:43 AM
To: OpenChain Main <main@lists.openchainproject.org>
Cc: OpenChain Japan <japan-wg@lists.openchainproject.org>; OpenChain Korea <korea-wg@lists.openchainproject.org>; OpenChain Germany <germany-wg@lists.openchainproject.org>; OpenChain India <india-wg@lists.openchainproject.org>; OpenChain UK <uk-wg@lists.openchainproject.org>; OpenChain Partners <partners@lists.openchainproject.org>; OpenChain Automotive <openchain-automotive-work-group@groups.io>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>; OpenChain Specification <specification@lists.openchainproject.org>
Subject: [specification] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

[Please note: This e-mail is from an EXTERNAL e-mail address]

Dear all

During a recent OpenChain Japan Planning meeting we discussed the challenge of “next steps” in OpenChain ISO 5230 conformance. Our initial goal of adoption in the supply chain is well underway. Our basic concept of “raising all the boats” is working. But now it is time to talk in more detail about “raising the boats to where?”

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230.

Attached is a slide-deck exploring how this can be done. We will be discussing this in the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC. All welcome. No registration.
https://urldefense.com/v3/__https://zoom.us/j/4377592799__;!!A3Ni8CS0y2Y!rSyuQmZ37tkXPfAEMCXKiRLUbYiVBKpseV5yI3tiH0QCwRW-ScqwcILPLBoN9QooyMCh$

You can add comments to this document online:
https://urldefense.com/v3/__https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc__;!!A3Ni8CS0y2Y!rSyuQmZ37tkXPfAEMCXKiRLUbYiVBKpseV5yI3tiH0QCwRW-ScqwcILPLBoN9cDiU-x-$

Regards

Shane












<ocbp-logo.jpg>


Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

 

Thanks for the great feedback Kate and Mark (on this list) and loads of other people (on our call).

In broad strokes:
(1) we decided to make it *very* clear this was not about variants of OpenChain ISO 5230 but rather about where companies can go next after adoption
(2) we decided to pull back from “quality grading” by the project and instead providing case studies and examples to help inspire companies

Check out the latest (and dramatically overhauled) edit here:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

On Aug 23, 2021, at 23:06, Mark Gisi <mark.gisi@windriver.com> wrote:

One of the core guiding principles for the OpenChain Specification is to focus on the what and why of compliance (and avoid the how and when). This is highlighted in the introduction of the spec. That is avoid being prescriptive.

It was always understood that the OpenChain Project would foster the creation of various materials around best practices to educate how other companies achieve conformance. That is - to describe the prescriptive ways of others. This has not been done with any formal structure yet within the project. The proposed levels approach is the first attempt to do this which I commend. What I disagree with is mixing the specification to tightly with prescriptive ways because it undermines a core principle and purpose of the specification.

I suggest we create a complimentary best practice program/guide that encourages companies to consider various prescriptive levels. That is, have Best Practice Levels (bronze, silver, gold, …) but DON’T confuse it with the spec (which is: about what and why, practice neutral, non-prescriptive, …). For instance, have a program with its own logo (for example - see attached)

best,

Mark Gisi
Director, Open Source Program Office
Empowering Customers to Prosper using Open Source
(510) 749-2016





-----Original Message-----
From: specification@lists.openchainproject.org <specification@lists.openchainproject.org> On Behalf Of Shane Coughlan
Sent: Monday, August 23, 2021 1:43 AM
To: OpenChain Main <main@lists.openchainproject.org>
Cc: OpenChain Japan <japan-wg@lists.openchainproject.org>; OpenChain Korea <korea-wg@lists.openchainproject.org>; OpenChain Germany <germany-wg@lists.openchainproject.org>; OpenChain India <india-wg@lists.openchainproject.org>; OpenChain UK <uk-wg@lists.openchainproject.org>; OpenChain Partners <partners@lists.openchainproject.org>; OpenChain Automotive <openchain-automotive-work-group@groups.io>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>; OpenChain Specification <specification@lists.openchainproject.org>
Subject: [specification] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

[Please note: This e-mail is from an EXTERNAL e-mail address]

Dear all

During a recent OpenChain Japan Planning meeting we discussed the challenge of “next steps” in OpenChain ISO 5230 conformance. Our initial goal of adoption in the supply chain is well underway. Our basic concept of “raising all the boats” is working. But now it is time to talk in more detail about “raising the boats to where?”

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230.

Attached is a slide-deck exploring how this can be done. We will be discussing this in the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC. All welcome. No registration.
https://zoom.us/j/4377592799

You can add comments to this document online:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Regards

Shane












<ocbp-logo.jpg>


Re: [specification] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Mark Gisi
 

One of the core guiding principles for the OpenChain Specification is to focus on the what and why of compliance (and avoid the how and when). This is highlighted in the introduction of the spec. That is avoid being prescriptive.

It was always understood that the OpenChain Project would foster the creation of various materials around best practices to educate how other companies achieve conformance. That is - to describe the prescriptive ways of others. This has not been done with any formal structure yet within the project. The proposed levels approach is the first attempt to do this which I commend. What I disagree with is mixing the specification to tightly with prescriptive ways because it undermines a core principle and purpose of the specification.

I suggest we create a complimentary best practice program/guide that encourages companies to consider various prescriptive levels. That is, have Best Practice Levels (bronze, silver, gold, …) but DON’T confuse it with the spec (which is: about what and why, practice neutral, non-prescriptive, …). For instance, have a program with its own logo (for example - see attached)

best,

Mark Gisi
Director, Open Source Program Office
Empowering Customers to Prosper using Open Source
(510) 749-2016

-----Original Message-----
From: specification@lists.openchainproject.org <specification@lists.openchainproject.org> On Behalf Of Shane Coughlan
Sent: Monday, August 23, 2021 1:43 AM
To: OpenChain Main <main@lists.openchainproject.org>
Cc: OpenChain Japan <japan-wg@lists.openchainproject.org>; OpenChain Korea <korea-wg@lists.openchainproject.org>; OpenChain Germany <germany-wg@lists.openchainproject.org>; OpenChain India <india-wg@lists.openchainproject.org>; OpenChain UK <uk-wg@lists.openchainproject.org>; OpenChain Partners <partners@lists.openchainproject.org>; OpenChain Automotive <openchain-automotive-work-group@groups.io>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>; OpenChain Specification <specification@lists.openchainproject.org>
Subject: [specification] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

[Please note: This e-mail is from an EXTERNAL e-mail address]

Dear all

During a recent OpenChain Japan Planning meeting we discussed the challenge of “next steps” in OpenChain ISO 5230 conformance. Our initial goal of adoption in the supply chain is well underway. Our basic concept of “raising all the boats” is working. But now it is time to talk in more detail about “raising the boats to where?”

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230.

Attached is a slide-deck exploring how this can be done. We will be discussing this in the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC. All welcome. No registration.
https://zoom.us/j/4377592799

You can add comments to this document online:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Regards

Shane


Re: OpenChain Bi-Weekly Work Group Meeting Today 2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

Kate Stewart
 

Hi Shane,
    Bit concerned about the slide mentioning the formats (SPDX, SWID, CycloneDX) - it's painting them as basically equivalent.   However when it comes to representing licensing information only SPDX is rich enough to semantically capture this info properly.   We're not highlighting this.  

    Since OpenChain is about licence compliance - not sure that if someone is not using SPDX it should be considered beyond bronze?    Thoughts?

Kate

On Mon, Aug 23, 2021 at 3:47 AM Shane Coughlan <scoughlan@...> wrote:
We will be discussing a very important topic at the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC.

You can dial-in here:
https://zoom.us/j/4377592799

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230. Here is a slide-deck suggesting how this can be done:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Need to confirm your timezone?
2021-08-23 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST





Submit A Talk For Open Compliance Summit 2021 - December 16, 2021

 

Open Compliance Summit is an exclusive event for Linux Foundation members and select invitees. It will take place on December 16, 2021.

You can submit your talk proposals here:
https://events.linuxfoundation.org/open-compliance-summit/program/cfp/


Open Compliance Summit 2021 Registration Now Open - December 16, 2021

 

Make a note for December 16, 2021.

Open Compliance Summit is an exclusive event for Linux Foundation members and select invitees. Attendance is limited to ensure ease of networking and collaboration.
The summit (like prior) will be held under Chatham House Rule. Please consent to this rule before you request an invitation.
https://events.linuxfoundation.org/open-compliance-summit/register/

Linux Foundation Members
Linux Foundation Members are eligible to receive a 20% discount. Please email events@linuxfoundation.org to request the LF Member discount code.


OpenChain Bi-Weekly Work Group Meeting Today 2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

 

We will be discussing a very important topic at the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC.

You can dial-in here:
https://zoom.us/j/4377592799

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230. Here is a slide-deck suggesting how this can be done:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Need to confirm your timezone?
2021-08-23 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST


Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

 

Dear all

During a recent OpenChain Japan Planning meeting we discussed the challenge of “next steps” in OpenChain ISO 5230 conformance. Our initial goal of adoption in the supply chain is well underway. Our basic concept of “raising all the boats” is working. But now it is time to talk in more detail about “raising the boats to where?”

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230.

Attached is a slide-deck exploring how this can be done. We will be discussing this in the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC. All welcome. No registration.
https://zoom.us/j/4377592799

You can add comments to this document online:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Regards

Shane


Coontec Adopts OpenChain ISO 5230

 

Coontec, a company focused on secure and effective embedded software, is the latest company to announce an OpenChain ISO 5230 conformant program.
https://www.openchainproject.org/news/2021/08/22/coontec-adopts-openchain-iso-5230


REMINDER: Download ISO/IEC 5230 for free from ISO (or buy it for 58 CHF)

 

You can get OpenChain ISO 5230 for free from the OpenChain website: www.openchainproject.org

However, some people want to download the ISO branded document. No problem! That’s free too if you go to the right place.

You can get a free copy of ISO/IEC 5230 from the Publicly Available Standards page:
https://standards.iso.org/ittf/PubliclyAvailableStandards/

Direct download link (you need to accept some terms):
https://standards.iso.org/ittf/PubliclyAvailableStandards/c081039_ISO_IEC_5230_2020(E).zip

You can also get the standard for 58 CHF through the normal ISO shop via our Main ISO page:
https://www.iso.org/standard/81039.html


QCT Announces OpenChain ISO 5230 Conformant Program

 

QCT, a global datacenter solution provider combining the efficiency of hyperscale hardware with infrastructure software, is the latest company to announce an OpenChain ISO 5230 conformant program. Learn more:
https://www.openchainproject.org/news/2021/08/19/qct-conformance

More about Quanta Cloud Technology (QCT)
Quanta Cloud Technology (QCT) is a global data center solution provider that combines the efficiency of hyperscale hardware with infrastructure software from a diversity of industry leaders to solve next-generation data center design and operational challenges. QCT serves cloud service providers, telecoms and enterprises running public, hybrid and private clouds.
Product lines include hyperconverged and software-defined data center solutions as well as servers, storage, switches and integrated racks with an ecosystem of hardware components and software partners. QCT designs, manufactures, integrates and services its offerings via its own global network. The parent of QCT is Quanta Computer, Inc., a Fortune Global 500 corporation.


Bureau Veritas Becomes The First OpenChain Certifier In The Great China Region

 

Bureau Veritas, a leading Testing, Inspection and Certification provider for the consumer and electrical/electronic products industry is pleased to announce a partnership with the OpenChain to become the fifth official OpenChain ISO 5230 third party certifier and is now able to assess and certify the open source program conformance to the OpenChain ISO/ IEC 5230 standard.

Learn more:
https://www.openchainproject.org/news/2021/08/17/bureau-veritas-certifier

141 - 160 of 4312