
Re: Interview Request: OpenChain Certification

Dave Marr
 

Hi Celina,

 

Thank you for your email and for sharing your research objective. 

 

If you would kindly supply your email, interested people could contact you off list for possible interviews.

 

Once your paper is published it would be interesting to see; perhaps you might consider sharing it on the list at that point.

 

Best,

Dave


From: main@... <main@...> on behalf of Celina Brils via lists.openchainproject.org <celinabrils=googlemail.com@...>
Sent: Wednesday, November 10, 2021 4:55:20 AM
To: main@... <main@...>
Subject: [openchain] Interview Request: OpenChain Certification

 


Hello, 

 

my name is Celina Brils and I’m a graduate student at the Technical University Munich in Germany. I am currently writing my final thesis about OSS Compliance Certification, especially the OpenChain certification, at the chair of Prof. Dr. Henkel. 

 

I already talked to some representatives of companies who did the OpenChain Certification (thanks again!) but still need participants for my study. 

Therefore, I would be extremely grateful if you would participate in an interview about that topic. 

 

My research mainly focuses on the background, motives and processes related to the OpenChain certification. I am particularly interested in the experiences and insights of companies who already did the certification or are planning to do the certification in the future. 

With my study, I hope to raise awareness on the topic of open source compliance and the whole OpenSource Project.  

 

If you would be open to participate, it would be perfect if you could give me 2-3 date proposals.

 

Please let me know if you have any further questions. 

Again, I would really appreciate your help here. 

 

Thank you and best regards, 

Celina Brils 


Interview Request: OpenChain Certification

celinabrils@...
 

Hello, 

my name is Celina Brils and I’m a graduate student at the Technical University Munich in Germany. I am currently writing my final thesis about OSS Compliance Certification, especially the OpenChain certification, at the chair of Prof. Dr. Henkel. 

I already talked to some representatives of companies who did the OpenChain Certification (thanks again!) but still need participants for my study. 
Therefore, I would be extremely grateful if you would participate in an interview about that topic. 

My research mainly focuses on the background, motives and processes related to the OpenChain certification. I am particularly interested in the experiences and insights of companies who already did the certification or are planning to do the certification in the future. 
With my study, I hope to raise awareness on the topic of open source compliance and the whole OpenSource Project.  

If you would be open to participate, it would be perfect if you could give me 2-3 date proposals.

Please let me know if you have any further questions. 
Again, I would really appreciate your help here. 

Thank you and best regards, 
Celina Brils 


Re: IMPORTANT: Next Automation Case Study: Virtual Supply Chain Proof of Concept on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST

Sebastian Crane
 

Dear Shane,

> We are going to focus our effort on the virtual supply chain
> demonstration in late November, so the prior section of the case
> study (multiple tool overview) is deferred. This is to ensure Max
> has plenty of time to prepare and because the virtual supply chain -
> by definition - will demonstrate various tools in play.
>
> The event will take place on November 24th at 09:00 UTC / 10:00 CET
> / 17:00 CST / 18:00 KST + JST. The event is in our global calendar

Thank you! I'm very much looking forward to this. It's been great to
see the demonstrations of various software composition analysis tools
during the recent case studies.

Last month's presentation on Tern was very interesting to me, and I've
been impressed at how comprehensive the program's output is. As others
here are most likely also interested in container scanning, I'd like
to take the opportunity to share with this list the excellent white
paper, 'Docker Containers for Legal Professionals' which was published
last year by the Linux Foundation:

https://www.linuxfoundation.org/wp-content/uploads/Docker-Containers-for-Legal-Professionals-Whitepaper_042420.pdf

It's very well written and should be a nice guide with which to start
using tools such as Tern for license compliance in containerised
applications.

Best wishes,

Sebastian


Re: Regional Traction: 2,100 Eyes on Japanese FAQ

ouchi yoshiko
 

nico-san, Martin-san,

Thank you for pointing out the error in the FAQ.
We have checked it and found that Yes/No was inconsistent as you pointed out.
We are currently reviewing the next version, which will be published around the end of next month.
We would like to issue the next version with the corrected points.

I hope this FAQ will be useful for you.

Best regards,

yoshiko ohuchi

-----Original Message-----
From: main@... <main@...> On Behalf Of Martin Yagi
Sent: Tuesday, November 9, 2021 7:07 PM
To: main@...
Cc: OpenChain Japan <japan-wg@...>; japan-sg-faq@...
Subject: Re: [openchain] Regional Traction: 2,100 Eyes on Japanese FAQ

Dear all,

Thanks for this; it’s a great resource and, I think, some of the points should be incorporated into reference training material/course as it evolves.

Along with the comment about slide 27 from nico that I agree with, I think there is a similar issue with slide 35:

"In the product incorporating this OSS, do I need to worry about license_B?". Headline answer is "no" but for this point it is "yes".

Best regards,

Martin Yagi
Intellectual Property Manager


-----Original Message-----
From: main@... <main@...> On Behalf Of Nicolas Toussaint via lists.openchainproject.org
Sent: 09 November 2021 08:57
To: main@...
Cc: OpenChain Japan <japan-wg@...>; japan-sg-faq@...
Subject: Re: [openchain] Regional Traction: 2,100 Eyes on Japanese FAQ

Hi,

That's a great contribution, many thanks to the Japan work group, and Shane for sharing!

I would like to share a remark on slide 27 that got my attention:
The formulations of the top and blue-box questions are formulated in a contradictory way
- Do I need to consider each license when I recognize OSS dependencies?
- [...] can I ignore the licenses of the OSS components [...]

So the answer NO applies to the second, but I guess YES should be applied to the first question?

nico

--

Nicolas Toussaint - Open Source Expert
OBS - Orange Business Services - Lyon, France
Tel: +33 608 763 559

On 09/11/2021 08:08, Shane Coughlan wrote:
Some very cool news from the Japan work group.

The FAQ sub-group chaired by Ouchi San has released a version of their
FAQ in English 👍

And since we last spoke a week ago the Japanese FAQ has been
downloaded another 500 times. 🎉

The English version:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/Misunderstandings_of_OSS_licenses_CC0.pptx

Japanese:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/OSS%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E9%96%A2%E9%80%A3%E3%81%A7%E3%82%88%E3%81%8F%E3%81%82%E3%82%8B%E8%AA%A4%E8%A7%A3_CC0.pptx

On Nov 2, 2021, at 19:12, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...> wrote:

The OpenChain Project often highlights global news. However, it is important to remember that the majority of activity is truly distributed around the world, especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US work groups. Today we are taking a moment to shine a spotlight on a specific example in Japan.
The OpenChain Japan Work Group operates seven sub-groups, one of which is focused on providing answers to frequently asked questions, chaired by Ouchi San from Fujitsu. The FAQ document produced by the group has been downloaded over 2,100 times so far, demonstrating the extent of information dissemination in a specific geography.

If you have a Japanese office (or you represent a Japanese company), please be aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All welcome.

- Date and time: Monday, November 8, 15:00-17:30
- The Chatham House Rule applies.
  (Do not disclose who said what; information obtained may be used freely.)
- Online meeting (Zoom):
  The Zoom URL will be posted on the FAQ-SG Slack.
  (This is a different Slack from the Japan WG's.)

Please contact the following mailing list.
https://lists.openchainproject.org/g/japan-sg-faq/messages

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

First Light Fusion Ltd.
p: 01865 807 670
a: Unit 10, Oxford Industrial Park, Mead Road, Yarnton, Kidlington, Oxford, OX5 1QU



This email and any attachments are confidential. Find more legal information here: <http://firstlightfusion.com/confidentiality/>.



IMPORTANT: Next Automation Case Study: Virtual Supply Chain Proof of Concept on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST

 

Heads up everyone.

We are going to focus our effort on the virtual supply chain demonstration in late November, so the prior section of the case study (multiple tool overview) is deferred. This is to ensure Max has plenty of time to prepare and because the virtual supply chain - by definition - will demonstrate various tools in play.

The event will take place on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST. The event is in our global calendar:

We will hold it as usual in our Zoom room:

This is a prelude to our Facebook case study and our summary of the initial four month case study in early and mid December.

If you have any questions you can ask them in this thread :)


Re: Regional Traction: 2,100 Eyes on Japanese FAQ

Martin Yagi
 

Dear all,

Thanks for this; it’s a great resource and, I think, some of the points should be incorporated into reference training material/course as it evolves.

Along with the comment about slide 27 from nico that I agree with, I think there is a similar issue with slide 35:

"In the product incorporating this OSS, do I need to worry about license_B?". Headline answer is "no" but for this point it is "yes".

Best regards,

Martin Yagi
Intellectual Property Manager

-----Original Message-----
From: main@... <main@...> On Behalf Of Nicolas Toussaint via lists.openchainproject.org
Sent: 09 November 2021 08:57
To: main@...
Cc: OpenChain Japan <japan-wg@...>; japan-sg-faq@...
Subject: Re: [openchain] Regional Traction: 2,100 Eyes on Japanese FAQ

Hi,

That's a great contribution, many thanks to the Japan work group, and Shane for sharing!

I would like to share a remark on slide 27 that got my attention:
The formulations of the top and blue-box questions are formulated in a contradictory way
- Do I need to consider each license when I recognize OSS dependencies?
- [...] can I ignore the licenses of the OSS components [...]

So the answer NO applies to the second, but I guess YES should be applied to the first question?

nico

--

Nicolas Toussaint - Open Source Expert
OBS - Orange Business Services - Lyon, France
Tel: +33 608 763 559

On 09/11/2021 08:08, Shane Coughlan wrote:
Some very cool news from the Japan work group.

The FAQ sub-group chaired by Ouchi San has released a version of their
FAQ in English 👍

And since we last spoke a week ago the Japanese FAQ has been
downloaded another 500 times. 🎉

The English version:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/Misunderstandings_of_OSS_licenses_CC0.pptx

Japanese:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/OSS%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E9%96%A2%E9%80%A3%E3%81%A7%E3%82%88%E3%81%8F%E3%81%82%E3%82%8B%E8%AA%A4%E8%A7%A3_CC0.pptx

On Nov 2, 2021, at 19:12, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...> wrote:

The OpenChain Project often highlights global news. However, it is important to remember that the majority of activity is truly distributed around the world, especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US work groups. Today we are taking a moment to shine a spotlight on a specific example in Japan.
The OpenChain Japan Work Group operates seven sub-groups, one of which is focused on providing answers to frequently asked questions, chaired by Ouchi San from Fujitsu. The FAQ document produced by the group has been downloaded over 2,100 times so far, demonstrating the extent of information dissemination in a specific geography.

If you have a Japanese office (or you represent a Japanese company), please be aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All welcome.

- Date and time: Monday, November 8, 15:00-17:30
- The Chatham House Rule applies.
  (Do not disclose who said what; information obtained may be used freely.)
- Online meeting (Zoom):
  The Zoom URL will be posted on the FAQ-SG Slack.
  (This is a different Slack from the Japan WG's.)

Please contact the following mailing list.
https://lists.openchainproject.org/g/japan-sg-faq/messages




Re: Regional Traction: 2,100 Eyes on Japanese FAQ

Nicolas Toussaint
 

Hi,

That's a great contribution, many thanks to the Japan work group, and Shane for sharing!

I would like to share a remark on slide 27 that got my attention:
The formulations of the top and blue-box questions are formulated in a contradictory way
- Do I need to consider each license when I recognize OSS dependencies?
- [...] can I ignore the licenses of the OSS components [...]

So the answer NO applies to the second, but I guess YES should be applied to the first question?

nico

--

Nicolas Toussaint - Open Source Expert
OBS - Orange Business Services - Lyon, France
Tel: +33 608 763 559

On 09/11/2021 08:08, Shane Coughlan wrote:
Some very cool news from the Japan work group.

The FAQ sub-group chaired by Ouchi San has released a version of their FAQ in English 👍

And since we last spoke a week ago the Japanese FAQ has been downloaded another 500 times. 🎉

The English version:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/Misunderstandings_of_OSS_licenses_CC0.pptx

Japanese:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/OSS%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E9%96%A2%E9%80%A3%E3%81%A7%E3%82%88%E3%81%8F%E3%81%82%E3%82%8B%E8%AA%A4%E8%A7%A3_CC0.pptx

On Nov 2, 2021, at 19:12, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...> wrote:

The OpenChain Project often highlights global news. However, it is important to remember that the majority of activity is truly distributed around the world, especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US work groups. Today we are taking a moment to shine a spotlight on a specific example in Japan.
The OpenChain Japan Work Group operates seven sub-groups, one of which is focused on providing answers to frequently asked questions, chaired by Ouchi San from Fujitsu. The FAQ document produced by the group has been downloaded over 2,100 times so far, demonstrating the extent of information dissemination in a specific geography.

If you have a Japanese office (or you represent a Japanese company), please be aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All welcome.

- Date and time: Monday, November 8, 15:00-17:30
- The Chatham House Rule applies.
  (Do not disclose who said what; information obtained may be used freely.)
- Online meeting (Zoom):
  The Zoom URL will be posted on the FAQ-SG Slack.
  (This is a different Slack from the Japan WG's.)

Please contact the following mailing list.
https://lists.openchainproject.org/g/japan-sg-faq/messages



Re: Regional Traction: 2,100 Eyes on Japanese FAQ

 

Some very cool news from the Japan work group.

The FAQ sub-group chaired by Ouchi San has released a version of their FAQ in English 👍

And since we last spoke a week ago the Japanese FAQ has been downloaded another 500 times. 🎉

The English version:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/Misunderstandings_of_OSS_licenses_CC0.pptx

Japanese:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/OSS%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E9%96%A2%E9%80%A3%E3%81%A7%E3%82%88%E3%81%8F%E3%81%82%E3%82%8B%E8%AA%A4%E8%A7%A3_CC0.pptx

On Nov 2, 2021, at 19:12, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...> wrote:

The OpenChain Project often highlights global news. However, it is important to remember that the majority of activity is truly distributed around the world, especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US work groups. Today we are taking a moment to shine a spotlight on a specific example in Japan.
The OpenChain Japan Work Group operates seven sub-groups, one of which is focused on providing answers to frequently asked questions, chaired by Ouchi San from Fujitsu. The FAQ document produced by the group has been downloaded over 2,100 times so far, demonstrating the extent of information dissemination in a specific geography.

If you have a Japanese office (or you represent a Japanese company), please be aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All welcome.

- Date and time: Monday, November 8, 15:00-17:30
- The Chatham House Rule applies.
  (Do not disclose who said what; information obtained may be used freely.)
- Online meeting (Zoom):
  The Zoom URL will be posted on the FAQ-SG Slack.
  (This is a different Slack from the Japan WG's.)

Please contact the following mailing list.
https://lists.openchainproject.org/g/japan-sg-faq/messages


The OpenChain PlayBooks - Getting Started

 

We have started work on the OpenChain PlayBooks, full decision-making examples for companies adopting OpenChain. After discussion on the work team call, we want to get the first part of these playbooks out for December 16th, the Open Compliance Summit.

We have provisionally chosen the “medium company” playbook. The document editing link is below and you are encouraged to take a look and help expand our framework material. For your reference, here is the complete introduction to the playbook document to explain context:

Introduction

The OpenChain PlayBooks are intended to help you understand the types of decisions made by managers in companies adopting OpenChain ISO/IEC 5230:2020. We cover examples of the decision-process in small, medium and large companies. Our examples are based on companies (a) in the technology industry, (b) in the middle of the supply chain and (c) shipping physical products containing software.

This may sound specific. However, the intention is to provide a thinking-tool for your company. Whether you are in the technology, finance, cloud, infrastructure or automotive industry (or any other), you will face similar challenges and solutions. The same applies whether you are in the middle of the supply chain or at its end, and whether you are shipping hardware or software. Our chosen examples cover a lot of ground.

There may be situations where you would like more examples for more specific industries. This is where the OpenChain community comes in. You can join our mailing lists, our webinars, our group calls and our regional work groups to discuss challenges with your peers and in your native language. You can get started here:
https://www.openchainproject.org/community


The OpenChain PlayBooks:
https://docs.google.com/document/d/1GK0-d5vy_mN8gzAuS5XQ6vYM8_BePvO088WYV0eRF7M/edit?usp=sharing


REMINDER OpenChain Work Teams Call - 2021-11-09 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 

Our regular global work teams call starts in just under two hours.

Today we are going to focus on scheduling development of our playbooks and key translations of documentation to help our community.

Join Zoom Meeting
https://zoom.us/j/4377592799

Meeting ID: 437 759 2799
One tap mobile
+13017158592,,4377592799# US (Washington DC)
+13126266799,,4377592799# US (Chicago)

Need to confirm your timezone?
2021-11-09 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Mark Gisi
 

Hi Tak,

 

>>   "There is no registration procedure such as in §3.6.2 of OpenChain Specification."

 

That is correct - conformance is obtained once an organization has satisfied all the requirements (verification materials). This is achieved by guide requirement 3.4.2.1. I can make the case that – although registration is a helpful aid, it is not a requirement for spec conformance. That is – there are no verification materials that require registration. What spec conformance validation ensures is that evidence exists for each of the verification material requirements. That is achieved by 3.6.2.1.

 

>> §3.4 of this guide corresponds to §3.6 of the OpenChain specification; if so, this clause does not necessarily mean intending to publish evidence.

 

That is correct. There is no requirement to publish or make the evidence public. In fact, most will likely not choose that path. However, an organization is required to maintain digital evidence that all the requirements have been met. It is conceivable that if a supplier claims conformance, that their customer may request to see the evidence. Whether the evidence is provided to a customer is up to the negotiations between the two parties and likely subject to an NDA (assuming they agree).

 

Best,

Mark

 

 

 

From: main@... <main@...> On Behalf Of takashi1.ninjouji@...
Sent: Wednesday, November 3, 2021 3:02 PM
To: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

 


Thanks a lot, Mark!

 

My understanding is getting better than before :)

 

>> there is no specific way to declare conformance to this guide.

 

I should correct my above comment; what I intended is the following:

  "There is no registration procedure such as in §3.6.2 of OpenChain Specification."

 

 

> At this point, companies will be able to present their evidence of conformance to any 

> party (e.g., key customers). It is not mandatory to make the evidence public, but it is

> possible if you choose to do so.

 

 

§3.4 of this guide corresponds to §3.6 of the OpenChain specification; if so, this clause does not necessarily mean intending to publish evidence.

 

In supply and consumption, no wonder there is more interest in SBOM.

 

I hope that the community and industry can build a consensus on the quality of SBOMs together. So, I guess it is important to discuss SBOM format, compliance workflows, and automation processes for this purpose.

 

 

BR,

Tak

 


From: main@... <main@...> on behalf of Mark Gisi <mark.gisi@...>
Sent: November 3, 2021 15:32
To: Takashi NINJOUJI <takashi.ninjouji@...>; Shane Coughlan <scoughlan@...>
Cc: main@... <main@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

 

Hi Tak,

 

>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.

 

One can declare conformance with the guide. According to section 3.4.2:

- 3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation.

Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) have been met including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., major customer). Although it is NOT a requirement to publish the evidence – they would be capable should they choose to do so.

 

>> if a program that is already OpenChain conformant newly becomes conformant to this guide, it may be possible to renew conformance to this guide in conjunction with the subsequent OpenChain conformance.

 

Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials) – they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January) – which represents a best practice. The 18 month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.

 

Please let us know if you would like additional clarification.

 

best,

Mark

 

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River

 

From: Takashi NINJOUJI <takashi.ninjouji@...>
Sent: Tuesday, November 2, 2021 3:16 PM
To: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Cc: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

 


Hello Mark and Shane,

 

I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
My understandings are:

(1) 

This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.

 

(2) 

In practice, if a program that is already OpenChain conformant newly becomes conformant to this guide, it may be possible to renew conformance to this guide in conjunction with the subsequent OpenChain conformance.



 Are all of the above OK?

 

Best Regards

Tak

 

 

 

On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:

As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:

 

Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.

 

Regards

 

Shane 

 

Shane Coughlan

OpenChain General Manager

+818040358083

Book a meeting:


Re: [japan-wg] Regional Traction: 2,100 Eyes on Japanese FAQ

Hiro Fukuchi
 

Shane and all,

> The OpenChain Japan Work Group operates seven sub-groups, one of which is
> focused on providing answers to frequently asked questions, chaired by Ouchi San
> from Fujitsu. The FAQ document produced by the group has been downloaded over
> 2,100 times so far, demonstrating the extent of information dissemination in a
> specific geography.

Ouchi-san's group has also published the English version of the FAQ.
You can read it here:
English:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/Misunderstandings_of_OSS_licenses_CC0.pptx

Japanese:
https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/OSS%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E9%96%A2%E9%80%A3%E3%81%A7%E3%82%88%E3%81%8F%E3%81%82%E3%82%8B%E8%AA%A4%E8%A7%A3_CC0.pptx

---
Hiro Fukuchi (Hiroyuki.Fukuchi@...)
Sony

-----Original Message-----
From: japan-wg@...
<japan-wg@...> On Behalf Of Shane Coughlan
Sent: Tuesday, November 2, 2021 7:12 PM
To: OpenChain Main <main@...>
Cc: OpenChain Japan <japan-wg@...>;
japan-sg-faq@...
Subject: [japan-wg] Regional Traction: 2,100 Eyes on Japanese FAQ

The OpenChain Project often highlights global news. However, it is important to
remember that the majority of activity is truly distributed around the world,
especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US
work groups. Today we are taking a moment to shine a spotlight on a specific
example in Japan.
The OpenChain Japan Work Group operates seven sub-groups, one of which is
focused on providing answers to frequently asked questions, chaired by Ouchi San
from Fujitsu. The FAQ document produced by the group has been downloaded over
2,100 times so far, demonstrating the extent of information dissemination in a
specific geography.

If you have a Japanese office (or you represent a Japanese company), please be
aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All
welcome.

- Date and time: Monday, November 8, 15:00-17:30
- The Chatham House Rule applies.
  (Do not disclose who said what; information obtained may be used freely.)
- Online meeting (Zoom):
  The Zoom URL will be posted on the FAQ-SG Slack.
  (This is a different Slack from the Japan WG's.)

Please contact the following mailing list.

https://lists.openchainproject.org/g/japan-sg-faq/messages



Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

takashi1.ninjouji@...
 

Thanks a lot, Mark!

My understanding is getting better than before :)

>> there is no specific way to declare conformance to this guide.

I should correct my above comment, because what I intended was the following:
  "There is no registration procedure such as in §3.6.2 of the OpenChain Specification."


> At this point, companies will be able to present their evidence of conformance to any 
> party (e.g., key customers). It is not mandatory to make the evidence public, but it is
>  possible if you choose to do so.


§3.4 of this guide corresponds to §3.6 of the OpenChain Specification; if so, this clause does not necessarily imply an intention to publish evidence.

In supply and consumption, it is no wonder there is more interest in SBOMs.

I hope that the community and industry can build a consensus on the quality of SBOMs together. So, I guess it is important to discuss SBOM formats, compliance workflows, and automation processes for this purpose.


BR,
Tak


From: main@... <main@...> on behalf of Mark Gisi <mark.gisi@...>
Sent: November 3, 2021 15:32
To: Takashi NINJOUJI <takashi.ninjouji@...>; Shane Coughlan <scoughlan@...>
Cc: main@... <main@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
 

Hi Tak,

 

>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.

 

One can declare conformance with the guide. According to section 3.4.2:

• 3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation.

Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) has been met, including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., a major customer). Although it is NOT a requirement to publish the evidence – they would be capable should they choose to do so.

 

>> if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.

 

Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials) – they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January) – which represents a best practice. The 18 month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.

 

Please let us know if you would like additional clarification.

 

best,

Mark

 

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River

 

From: Takashi NINJOUJI <takashi.ninjouji@...>
Sent: Tuesday, November 2, 2021 3:16 PM
To: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Cc: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

 

[Please note: This e-mail is from an EXTERNAL e-mail address]

Hello Mark and Shane,

 

I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
My understandings are:

(1) 

This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.

 

(2) 

In practice, if a program that is already OpenChain conformant newly becomes conformant with this guide, it may be possible to renew conformance with this guide in conjunction with the subsequent OpenChain conformance.



 Are all of the above OK?

 

Best Regards

Tak

 

 

 

On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:

As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:

 

Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.

 

Regards

 

Shane 

 

Shane Coughlan

OpenChain General Manager

+818040358083

Book a meeting:


Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Mark Gisi
 

Hi Chris,

 

>> Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?

 

We introduced the security assurance guide as a separate deliverable initially to reduce friction to adoption of both the spec and security guide. We did not want to have a company feel obligated to conform with both to achieve either one. However, having noted that, they were designed to be highly similar in spirit and format, and easily achieved together should a company choose (or a customer requires it). That is, they are separate but highly complementary. The long term objective is to create trust in open source by working toward creating a suite of highly complementary conformance specifications (e.g., license compliance, security, quality, export compliance, …) such that an organization can choose the ones that best fit their needs. For that reason we are trying to avoid creating a single monolithic specification.

 

Let us know if that does not completely address your concern.

 

best,

 

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River

 

From: main@... <main@...> On Behalf Of Christopher Wood
Sent: Tuesday, November 2, 2021 3:43 PM
To: main@...
Cc: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

 

[Please note: This e-mail is from an EXTERNAL e-mail address]

Hello

Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?

Thanks 

Chris



Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Mark Gisi
 

Hi Tak,

 

>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.

 

One can declare conformance with the guide. According to section 3.4.2:

• 3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation.

Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) has been met, including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., a major customer). Although it is NOT a requirement to publish the evidence – they would be capable should they choose to do so.

 

>> if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.

 

Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials) – they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January) – which represents a best practice. The 18 month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.

 

Please let us know if you would like additional clarification.

 

best,

Mark

 

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River

 



Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Christopher Wood
 

Hello
Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?
Thanks 
Chris



Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Takashi Ninjouji
 

Hello Mark and Shane,

I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
My understandings are:

(1) 
This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.

(2) 
In practice, if a program that is already OpenChain conformant newly becomes conformant with this guide, it may be possible to renew conformance with this guide in conjunction with the subsequent OpenChain conformance.


 Are all of the above OK?

Best Regards
Tak



OpenChain Japan Work Group Meeting #21 – 2021-10-20

 

Full recording (Japanese) available here. Excellent on-boarding point for your Japanese team or suppliers:
https://www.openchainproject.org/news/2021/11/02/jp-wg-21


Regional Traction: 2,100 Eyes on Japanese FAQ

 

The OpenChain Project often highlights global news. However, it is important to remember that the majority of activity is truly distributed around the world, especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US work groups. Today we are taking a moment to shine a spotlight on a specific example in Japan.
The OpenChain Japan Work Group operates seven sub-groups, one of which is focused on providing answers to frequently asked questions, chaired by Ouchi San from Fujitsu. The FAQ document produced by the group has been downloaded over 2,100 times so far, demonstrating the extent of information dissemination in a specific geography.

If you have a Japanese office (or you represent a Japanese company), please be aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All welcome.

・Date and time: November 8 (Mon.), 15:00 to 17:30
・The Chatham House Rule applies.
(Who said what must not be disclosed; the information obtained may be used freely.)
・Online meeting (Zoom):
 The Zoom URL will be posted on the FAQ-SG Slack.
 (This is different from the Japan WG Slack.)

Please contact the following mailing list.
https://lists.openchainproject.org/g/japan-sg-faq/messages


FW: [education] Event: Web based training finalization #cal-invite

Balakrishna Mukundaraj
 

Web based training finalization

When:
Friday, November 5, 2021
3:00pm to 4:00pm
(UTC+05:30) Asia/Kolkata
Repeats: Weekly on Friday, 2 times

Where:
Zoom meeting

Organizer: Balakrishna


Description:
Hello,

Let's all join in and complete the short remaining tasks of the web-based training.

As discussed in the previous meeting, the 1st training will be chapters 1-5, with a training final review date of 30 November and a public release date by 16th of December.
The 2nd training release will be chapters 6-8, with a final review date in the first week of February.

Join Zoom Meeting
https://zoom.us/j/4377592799

Meeting ID: 437 759 2799
