Re: Interview Request: OpenChain Certification
Dave Marr
Hi Celina,
Thank you for your email and for sharing your research objective.
If you would kindly supply your email, interested people could contact you off list for possible interviews.
Once your paper is published it would be interesting to see, perhaps you might consider sharing it on the list at that point.
Best, Dave
From: main@... <main@...> on behalf of Celina Brils via lists.openchainproject.org <celinabrils=googlemail.com@...>
Sent: Wednesday, November 10, 2021 4:55:20 AM
To: main@... <main@...>
Subject: [openchain] Interview Request: OpenChain Certification
Hello,
my name is Celina Brils and I’m a graduate student at the Technical University Munich in Germany. I am currently writing my final thesis about OSS Compliance Certification, especially the OpenChain certification, at the chair of Prof. Dr. Henkel.
I already talked to some representatives of companies who did the OpenChain Certification (thanks again!) but still need participants for my study. Therefore, I would be extremely grateful if you would participate in an interview about that topic.
My research mainly focuses on the background, motives and processes related to the OpenChain certification. I am particularly interested in the experiences and insights of companies who already did the certification or are planning to do the certification in the future. With my study, I hope to raise awareness on the topic of open source compliance and the whole OpenSource Project.
If you would be open to participating, it would be perfect if you could give me 2-3 date proposals.
Please let me know if you have any further questions. Again, I would really appreciate your help here.
Thank you and best regards, Celina Brils
Interview Request: OpenChain Certification
celinabrils@...
Hello,
my name is Celina Brils and I’m a graduate student at the Technical University Munich in Germany. I am currently writing my final thesis about OSS Compliance Certification, especially the OpenChain certification, at the chair of Prof. Dr. Henkel.
I already talked to some representatives of companies who did the OpenChain Certification (thanks again!) but still need participants for my study. Therefore, I would be extremely grateful if you would participate in an interview about that topic.
My research mainly focuses on the background, motives and processes related to the OpenChain certification. I am particularly interested in the experiences and insights of companies who already did the certification or are planning to do the certification in the future. With my study, I hope to raise awareness on the topic of open source compliance and the whole OpenSource Project.
If you would be open to participating, it would be perfect if you could give me 2-3 date proposals.
Please let me know if you have any further questions. Again, I would really appreciate your help here.
Thank you and best regards,
Celina Brils
Re: IMPORTANT: Next Automation Case Study: Virtual Supply Chain Proof of Concept on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST
Dear Shane,
> We are going to focus our effort on the virtual supply chain
Thank you! I'm very much looking forward to this. It's been great to see the demonstrations of various software composition analysis tools during the recent case studies. Last month's presentation on Tern was very interesting to me, and I've been impressed at how comprehensive the program's output is.
As others here are most likely also interested in container scanning, I'd like to take the opportunity to share with this list the excellent white paper, 'Docker Containers for Legal Professionals', which was published last year by the Linux Foundation:
https://www.linuxfoundation.org/wp-content/uploads/Docker-Containers-for-Legal-Professionals-Whitepaper_042420.pdf
It's very well written and should be a nice guide with which to start using tools such as Tern for license compliance in containerised applications.
Best wishes,
Sebastian
Re: Regional Traction: 2,100 Eyes on Japanese FAQ
ouchi yoshiko
nico-san、Martin-san、
Thank you for pointing out the error in the FAQ. We have checked it and found that Yes/No was inconsistent as you pointed out. We are currently reviewing the next version, which will be published around the end of next month. We would like to issue the next version with the corrected points. I hope this FAQ will be useful for you. Best regards, yoshiko ohuchi
-----Original Message-----
From: main@... <main@...> On Behalf Of Martin Yagi
Sent: Tuesday, November 9, 2021 7:07 PM
To: main@...
Cc: OpenChain Japan <japan-wg@...>; japan-sg-faq@...
Subject: Re: [openchain] Regional Traction: 2,100 Eyes on Japanese FAQ

Dear all,
Thanks for this; it’s a great resource and, I think, some of the points should be incorporated into reference training material/course as it evolves. Along with the comment about slide 27 from nico that I agree with, I think there is a similar issue with slide 35: "In the product incorporating this OSS, do I need to worry about license_B?". Headline answer is "no" but for this point it is "yes".
Best regards,
Martin Yagi
Intellectual Property Manager
First Light Fusion Ltd.

-----Original Message-----
From: main@... <main@...> On Behalf Of Nicolas Toussaint via lists.openchainproject.org
Sent: 09 November 2021 08:57
To: main@...
Cc: OpenChain Japan <japan-wg@...>; japan-sg-faq@...
Subject: Re: [openchain] Regional Traction: 2,100 Eyes on Japanese FAQ

Hi,
That's a great contribution, many thanks to the Japan work group, and Shane for sharing!
I would like to share a remark on slide 27 that got my attention: the formulations of the top and blue-box questions are formulated in a contradictory way:
- Do I need to consider each license when I recognize OSS dependencies?
- [...] can I ignore the licenses of the OSS components [...]
So the answer NO applies to the second, but I guess YES should be applied to the first question?
nico
--
Nicolas Toussaint - Open Source Expert
OBS - Orange Business Services - Lyon, France
Tel: +33 608 763 559

On 09/11/2021 08:08, Shane Coughlan wrote:
> Some very cool news from the Japan work group.
IMPORTANT: Next Automation Case Study: Virtual Supply Chain Proof of Concept on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST
Heads up everyone.
We are going to focus our effort on the virtual supply chain demonstration in late November, so the prior section of the case study (multiple tool overview) is deferred. This is to ensure Max has plenty of time to prepare and because the virtual supply chain - by definition - will demonstrate various tools in play.
The event will take place on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST.
The event is in our global calendar:
We will hold it as usual in our Zoom room:
This is a prelude to our Facebook case study and our summary of the initial four month case study in early and mid December.
If you have any questions you can ask them in this thread :)
Re: Regional Traction: 2,100 Eyes on Japanese FAQ
Martin Yagi
Dear all,
Thanks for this; it’s a great resource and, I think, some of the points should be incorporated into reference training material/course as it evolves. Along with the comment about slide 27 from nico that I agree with, I think there is a similar issue with slide 35: "In the product incorporating this OSS, do I need to worry about license_B?". Headline answer is "no" but for this point it is "yes".
Best regards,
Martin Yagi
Intellectual Property Manager
-----Original Message-----
From: main@... <main@...> On Behalf Of Nicolas Toussaint via lists.openchainproject.org
Sent: 09 November 2021 08:57
To: main@...
Cc: OpenChain Japan <japan-wg@...>; japan-sg-faq@...
Subject: Re: [openchain] Regional Traction: 2,100 Eyes on Japanese FAQ

Hi,
That's a great contribution, many thanks to the Japan work group, and Shane for sharing!
I would like to share a remark on slide 27 that got my attention: the formulations of the top and blue-box questions are formulated in a contradictory way:
- Do I need to consider each license when I recognize OSS dependencies?
- [...] can I ignore the licenses of the OSS components [...]
So the answer NO applies to the second, but I guess YES should be applied to the first question?
nico
--
Nicolas Toussaint - Open Source Expert
OBS - Orange Business Services - Lyon, France
Tel: +33 608 763 559

On 09/11/2021 08:08, Shane Coughlan wrote:
> Some very cool news from the Japan work group.

First Light Fusion Ltd.
Re: Regional Traction: 2,100 Eyes on Japanese FAQ
Hi,
That's a great contribution, many thanks to the Japan work group, and Shane for sharing!
I would like to share a remark on slide 27 that got my attention: the formulations of the top and blue-box questions are formulated in a contradictory way:
- Do I need to consider each license when I recognize OSS dependencies?
- [...] can I ignore the licenses of the OSS components [...]
So the answer NO applies to the second, but I guess YES should be applied to the first question?
nico
--
Nicolas Toussaint - Open Source Expert
OBS - Orange Business Services - Lyon, France
Tel: +33 608 763 559

On 09/11/2021 08:08, Shane Coughlan wrote:
> Some very cool news from the Japan work group.
Re: Regional Traction: 2,100 Eyes on Japanese FAQ
Some very cool news from the Japan work group.
The FAQ sub-group chaired by Ouchi San has released a version of their FAQ in English 👍 And since we last spoke a week ago the Japanese FAQ has been downloaded another 500 times. 🎉
The English version: https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/Misunderstandings_of_OSS_licenses_CC0.pptx
Japanese: https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/OSS%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E9%96%A2%E9%80%A3%E3%81%A7%E3%82%88%E3%81%8F%E3%81%82%E3%82%8B%E8%AA%A4%E8%A7%A3_CC0.pptx
On Nov 2, 2021, at 19:12, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...> wrote:
The OpenChain PlayBooks - Getting Started
We have started work on the OpenChain PlayBooks, full decision-making examples for companies adopting OpenChain. After discussion on the work team call, we want to get the first part of these playbooks out for December 16th, the Open Compliance Summit.
We have provisionally chosen the “medium company” playbook. The document editing link is below and you are encouraged to take a look and help expand our framework material.
For your reference, here is the complete introduction to the playbook document to explain context:

Introduction
The OpenChain PlayBooks are intended to help you understand the types of decisions made by managers in companies adopting OpenChain ISO/IEC 5230:2020. We cover examples of the decision-process in small, medium and large companies. Our examples are based on companies (a) in the technology industry, (b) in the middle of the supply chain and (c) shipping physical products containing software.
This may sound specific. However, the intention is to provide a thinking-tool for your company. Whether you are in the technology, finance, cloud, infrastructure or automotive industry (or any other), you will face similar challenges and solutions. The same applies whether you are in the middle of the supply chain or at its end, and whether you are shipping hardware or software.
Our chosen examples cover a lot of ground. There may be situations where you would like more examples for more specific industries. This is where the OpenChain community comes in. You can join our mailing lists, our webinars, our group calls and our regional work groups to discuss challenges with your peers and in your native language. You can get started here: https://www.openchainproject.org/community

The OpenChain PlayBooks: https://docs.google.com/document/d/1GK0-d5vy_mN8gzAuS5XQ6vYM8_BePvO088WYV0eRF7M/edit?usp=sharing
REMINDER OpenChain Work Teams Call - 2021-11-09 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST
Our regular global work teams call starts in just under two hours.
Today we are going to focus on scheduling development of our playbooks and key translations of documentation to help our community.
Join Zoom Meeting
https://zoom.us/j/4377592799
Meeting ID: 437 759 2799
One tap mobile
+13017158592,,4377592799# US (Washington DC)
+13126266799,,4377592799# US (Chicago)
Need to confirm your timezone? 2021-11-09 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting: https://meetings.hubspot.com/scoughlan
Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Mark Gisi
Hi Tak,
>> "There is no registration procedure such as in §3.6.2 of OpenChain Specification."
That is correct - conformance is obtained once an organization has satisfied all the requirements (verification materials). This is achieved by guide requirement 3.4.2.1. I can make the case that – although registration is a helpful aid, it is not a requirement for spec conformance. That is – there are no verification materials that require registration. What spec conformance validation ensures is that evidence exists for each of the verification material requirements. That is achieved by 3.6.2.1.
>> §3.4 of this guide corresponds to §3.6 of the OpenChain specification; if so, this clause does not necessarily mean intending to publish evidence.
That is correct. There is no requirement to publish or make the evidence public. In fact, most will likely not choose that path. However, an organization is required to maintain digital evidence that all the requirements have been met. It is conceivable that if a supplier claims conformance, that their customer may request to see the evidence. Whether the evidence is provided to a customer is up to the negotiations between the two parties and likely subject to an NDA (assuming they agree).
Best, Mark
From: main@... <main@...>
On Behalf Of takashi1.ninjouji@...
Sent: Wednesday, November 3, 2021 3:02 PM
To: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Thanks a lot, Mark!
My understanding is getting better than before :)
>> there is no specific way to declare conformance to this guide.
I should correct my above comment, because what I intended is the following: "There is no registration procedure such as in §3.6.2 of OpenChain Specification."
> At this point, companies will be able to present their evidence of conformance to any
> party (e.g., key customers). It is not mandatory to make the evidence public, but it is
> possible if you choose to do so.
§3.4 of this guide corresponds to §3.6 of the OpenChain specification; if so, this clause does not necessarily mean intending to publish evidence.
In supply and consumption, no wonder there is more interest in SBOM.
I hope that the community and industry can build a consensus on the quality of SBOMs together. So, I guess it is important to discuss SBOM format, compliance workflows, and automation processes for this purpose.
BR, Tak
From: main@... <main@...> on behalf of Mark Gisi <mark.gisi@...>
Hi Tak,
>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.
One can declare conformance with the guide. According to section 3.4.2: 3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation. Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) have been met including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., major customer). Although it is NOT a requirement to publish the evidence – they would be capable should they choose to do so.
>> if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials) – they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January) – which represents a best practice. The 18 month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.
Please let us know if you would like additional clarification.
best, Mark
Mark Gisi Empowering Engineers & Customers to Prosper using Open Source (510) 749-2016
From: Takashi NINJOUJI <takashi.ninjouji@...>
Hello Mark and Shane,
I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.
(2) In practice, if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Best Regards Tak
On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
Re: [japan-wg] Regional Traction: 2,100 Eyes on Japanese FAQ
Hiro Fukuchi
Shane and all,
> The OpenChain Japan Work Group operates seven sub-groups, one of which is
Ouchi-san's group has also published the English version of the FAQ. You can read it here:
English: https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/Misunderstandings_of_OSS_licenses_CC0.pptx
Japanese: https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/Education_Material/FAQ/OSS%E3%83%A9%E3%82%A4%E3%82%BB%E3%83%B3%E3%82%B9%E9%96%A2%E9%80%A3%E3%81%A7%E3%82%88%E3%81%8F%E3%81%82%E3%82%8B%E8%AA%A4%E8%A7%A3_CC0.pptx
---
Hiro Fukuchi (Hiroyuki.Fukuchi@...)
Sony
Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
takashi1.ninjouji@...
Thanks a lot, Mark!
My understanding is getting better than before :)
>> there is no specific way to declare conformance to this guide.
I should correct my above comment, because what I intended is the following:
"There is no registration procedure such as in §3.6.2 of OpenChain Specification."
> At this point, companies will be able to present their evidence of conformance to any
> party (e.g., key customers). It is not mandatory to make the evidence public, but it is
> possible if you choose to do so.
§3.4 of this guide corresponds to §3.6 of the OpenChain specification; if so, this clause does not necessarily mean intending to publish evidence.
BR,
Tak
From: main@... <main@...> on behalf of Mark Gisi <mark.gisi@...>
Sent: November 3, 2021 15:32
To: Takashi NINJOUJI <takashi.ninjouji@...>; Shane Coughlan <scoughlan@...>
CC: main@... <main@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Hi Tak,
>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.
One can declare conformance with the guide. According to section 3.4.2: 3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation. Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) have been met including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., major customer). Although it is NOT a requirement to publish the evidence – they would be capable should they choose to do so.
>> if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials) – they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January) – which represents a best practice. The 18 month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.
Please let us know if you would like additional clarification.
best, Mark
Mark Gisi Empowering Engineers & Customers to Prosper using Open Source (510) 749-2016
From: Takashi NINJOUJI <takashi.ninjouji@...>
Sent: Tuesday, November 2, 2021 3:16 PM
To: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Cc: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Hello Mark and Shane,
I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.
(2) In practice, if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Best Regards Tak
On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Mark Gisi
Hi Chris,
>> Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?
We introduced the security assurance guide as a separate deliverable initially to reduce friction to adoption of both the spec and security guide. We did not want to have a company feel obligated to conform with both to achieve either one. However, having noted that, they were designed to be highly similar in spirit and format, and easily achieved together should a company choose (or a customer requires it). That is, they are separate but highly complementary. The long term objective is to create trust in open source by working toward creating a suite of highly complementary conformance specifications (e.g., license compliance, security, quality, export compliance, …) such that an organization can choose the ones that best fit their needs. For that reason we are trying to avoid creating a single monolithic specification.
Let us know if that does not completely address your concern.
best,
Mark Gisi Empowering Engineers & Customers to Prosper using Open Source (510) 749-2016
From: main@... <main@...>
On Behalf Of Christopher Wood
Sent: Tuesday, November 2, 2021 3:43 PM
To: main@...
Cc: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Hello
Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?
Thanks
Chris
Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Mark Gisi
Hi Tak,
>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.
One can declare conformance with the guide. According to section 3.4.2: 3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation. Although it is true they are separate, they are highly complementary. Once a company can gather up evidence that demonstrates that each of the requirements (verification materials) have been met including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., major customer). Although it is NOT a requirement to publish the evidence – they would be capable should they choose to do so.
>> if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Yes, that is very achievable. Although they each require a separate preparation and archiving of evidence (verification materials) – they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January) – which represents a best practice. The 18 month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.
Please let us know if you would like additional clarification.
best, Mark
Mark Gisi Empowering Engineers & Customers to Prosper using Open Source (510) 749-2016
From: Takashi NINJOUJI <takashi.ninjouji@...>
Sent: Tuesday, November 2, 2021 3:16 PM
To: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Cc: main@...
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Hello Mark and Shane,
I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.
(2) In practice, if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Best Regards Tak
On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Christopher Wood
Hello
Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?
Thanks
Chris
On Nov 2, 2021, at 5:16 PM, Takashi Ninjouji <takashi.ninjouji@...> wrote:
Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested
Takashi Ninjouji
Hello Mark and Shane,
I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something:
My understandings are:
(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide. And each duration will be managed separately.
(2) In practice, if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.
Are all of the above OK?
Best Regards
Tak
On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
OpenChain Japan Work Group Meeting #21 – 2021-10-20
Full recording (Japanese) available here. Excellent on-boarding point for your Japanese team or suppliers:
https://www.openchainproject.org/news/2021/11/02/jp-wg-21
Regional Traction: 2,100 Eyes on Japanese FAQ
The OpenChain Project often highlights global news. However, it is important to remember that the majority of activity is truly distributed around the world, especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US work groups. Today we are taking a moment to shine a spotlight on a specific example in Japan.
The OpenChain Japan Work Group operates seven sub-groups, one of which is focused on providing answers to frequently asked questions, chaired by Ouchi San from Fujitsu. The FAQ document produced by the group has been downloaded over 2,100 times so far, demonstrating the extent of information dissemination in a specific geography. If you have a Japanese office (or you represent a Japanese company), please be aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All welcome.
- Date and time: Monday, November 8, 15:00 to 17:30
- The Chatham House Rule applies (who said what must not be disclosed; information obtained may be used freely).
- Online meeting (Zoom): the Zoom URL will be posted on the FAQ-SG Slack (this is different from the Japan WG Slack).
Please contact the following mailing list:
- https://lists.openchainproject.org/g/japan-sg-faq/messages
FW: [education] Event: Web based training finalization
#cal-invite
Balakrishna Mukundaraj
Web based training finalization When: Where: Organizer: Balakrishna Description: