Re: video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Mishi Choudhary
 

Of course, Dave! This is exactly what we need.

I hope all of you on this list received our invite and will be able to
attend. If you can't join us in person, you can catch the live stream at
https://softwarefreedom.org/events/2016/conference/live.html.

_______________________________________________
OpenChain mailing list
OpenChain@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/openchain
--
Warm Regards
Mishi Choudhary, Esq.
Legal Director
Software Freedom Law Center
1995 Broadway Floor 17| New York, NY-10023
Direct: +1-212-461-1912| Main: +1-212-461-1901| Fax: +1-212-580-0898
www.softwarefreedom.org



President and Executive Director
SFLC.IN
K-9, Second Floor, Jangpura Extn.| New Delhi-110014
Main: +91-11-43587126 | Fax: +91-11-24323530
www.sflc.in



The information contained in this email message is intended only for use
of the individual or entity named above. If the reader of this message
is not the intended recipient, or the employee or agent responsible to
deliver it to the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this communication in error, please
immediately notify us by email, help@softwarefreedom.org, and destroy
the original message.


Re: video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Dave Marr
 

Mishi, thank you for the support and for inviting us to speak there. Will it be streamed? If so can you circulate a link?

Michael, looking forward to your participation as well. The spec was very much written to both scale down for small orgs, and scale up for large multinationals.

Dave



Re: video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Mishi Choudhary
 

From another lurker,

Thank you Jilayne for this great talk and to everyone who has been
working on this extremely important project. I am very much looking
forward to Dave and Eileen's presentation on OpenChain at SFLC's
conference next week.



What is the license of the OpenChain Conformance Specification 1.0?

Tomo Dote
 

I want to translate the specification into Japanese.
But I could not find the license of the specification.
Please tell me the license of that.

All I know about its license is that the FAQ page said "you can copy ...".

Thanks


Creating a general FAQ for OpenChain

Shane Martin Coughlan <shane@...>
 

Dear all

We currently have a great website with a link to a FAQ. However, our current FAQ is Specification-centric. Check it out here:
https://www.openchainproject.org/faq
Mark, Miriam and the rest of the team discussed the utility of creating a more general FAQ for our landing page that then leads to specific FAQs for Specification, Curriculum and Conformance. I have taken the liberty of creating a draft for how this general FAQ may look as well as populating the Specification and Curriculum FAQs on the wiki:

What is OpenChain?

The OpenChain Project is focused on identifying common best practices that should be applied across a supply chain for efficient and effective compliance with Open Source licenses.

What is OpenChain’s mission?

The OpenChain Project's mission is to establish requirements to achieve effective management of Free and Open Source Software (FOSS) for software supply chain participants.

How does OpenChain work?

There are three parts to the OpenChain Project:
* OpenChain Specification
* OpenChain Curriculum
* OpenChain Conformance

The Specification is the heart of OpenChain. It describes the processes required to achieve effective management of Free and Open Source Software in the supply chain. OpenChain Curriculum provides training material to help companies meet the Specification requirements. OpenChain Conformance helps companies check that they are adhering to the Specification requirements.

Where can I learn more about each aspect of OpenChain?

There are Frequently Asked Questions (FAQ) pages for Specification, Curriculum and Conformance:
* https://wiki.linuxfoundation.org/openchain/specification-questions-and-answers
* https://wiki.linuxfoundation.org/openchain/curriculum-questions-and-answers
* https://wiki.linuxfoundation.org/openchain/conformance-questions-and-answers

Input, adjustments and improvements welcome!

Regards

Shane


Re: video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Kelly Williams
 

Hi Michael,


That would be great!  You can find meeting details at https://wiki.linuxfoundation.org/openchain/start#meeting-details

 

The next meeting will be Monday, Nov. 7th.

 

Thanks,
Kelly

 

 



Re: video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Michael Weinberg <mweinberg@...>
 

As someone who talked to Jilayne a year ago and has been lurking on this list ever since, I just wanted to jump in and say thank you to everyone who has been doing so much work on this project.  I'm the entire legal department of a company doing a lot of work with OSS and I'm super excited to find ways for us to plug into this entire system.  So THANK YOU to everyone involved!  And, of course, now that I've outed myself I will try and find ways that I can actually contribute as well.

-michael





--
Michael Weinberg
IP & General Counsel
Shapeways, Inc.


Re: video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Dave Marr
 

That was fast.  Thanks Mike!  We’ll learn Wordpress soon…

 


 


Re: video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Michael Dolan <mdolan@...>
 

I just added it to the home page.

---
Mike Dolan
VP of Strategic Programs
The Linux Foundation
Office: +1.330.460.3250   Cell: +1.440.552.5322  Skype: michaelkdolan
mdolan@...
---





Re: video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Dave Marr
 

Terrific.  Can we link it to the www.openchainproject.org webpage?

Dave



video of Jilayne's keynote on OpenChain from LinuxCon, now available.

Kate Stewart
 

For those who weren't able to be there in person,  the video is now available...

https://www.youtube.com/watch?v=pW0yjdAWyns&index=4&list=PLbzoR-pLrL6ovByiWK-8ALCkZoCQAK-i_

Enjoy!

Kate

-- 
Kate Stewart
Sr. Director of Strategic Programs,  The Linux Foundation
Mobile: +1.512.657.3669
Email / Google Talk: kstewart@...


Conformance Check

Miriam Ballhausen <Miriam.Ballhausen@...>
 

Hi everyone,

 

Please find attached the revised Conformance Check document. As discussed during the F2F, I added a third level for the numbering. Gary suggested using lower case Roman numbers, which are now used. I am also in the process of uploading the PDF to the wiki. That should be done shortly.

 

Gary asked to work on the CSV file he created from now on. Changes could then easily be pushed to the server. I agree with Gary and think we should continue working on the CSV file (attached). However, we might have to transfer edits to a Word or PDF document that can then be uploaded.

 

Looking forward to our call on November 5.

 

Kind regards,

Miriam

 

 

Dr. Miriam Ballhausen
Legal Counsel

Phone: +49 30 200 566 205
Mobile: +49 173 38 567 56
miriam.ballhausen@...

Alte Jakobstraße 85/86,
10179 Berlin
Germany

Switchboard: +49 30 200 566 0 Fax: +49 30 200 566 1

www.lumesse.de

Lumesse

Lumesse GmbH,
Registered office: Hamborner Straße 51, 40472 Düsseldorf
Düsseldorf District Court, HRB 40857
Managing Directors: Dr. Carsten Busch, Michael Hunt.

 


Re: OpenChain meeting today

Mark Gisi
 

Hi Jonas,

I do believe this makes sense in principle, but it may lead to confusion around the
OpenChain mark if this becomes widespread and used for many different areas.

You make a very important point which is worth highlighting. The OpenChain mark is one of the greatest assets of the OpenChain project which needs to be managed carefully. We must take the meaning, role, scope of the mark into consideration when discussing extensions. "OpenChain Conformance", first and foremost, should convey that an organization maintains a thoughtful, disciplined and trusted license compliance program. Full stop. There was some discussion (although brief) that a given extension could potentially have its own specification or an *optional* section of the spec where an additional mark (or a mark belonging to a family of OpenChain marks) could be used to convey that additional area of trust. Regardless, this is a topic that deserves much more discussion. Thanks for calling it out.

- Mark

-----Original Message-----
From: Jonas Oberg [mailto:jonas@morus.se]
Sent: Tuesday, October 18, 2016 12:13 AM
To: Gisi, Mark
Cc: Jeremiah Foster; Williams, Kelly; openchain@lists.linuxfoundation.org
Subject: Re: [OpenChain] OpenChain meeting today

Hi Mark, others,

by way of introduction first: for those of you who do not know me, I'm the executive director for the FSFE, but for my participation on this list, I'm speaking for Morus AB, a small consulting firm in Sweden which helps companies in their understanding of FOSS.

Without committing to any one new extension, the idea is to set up a
framework where we could experiment (pilot) new types of program
requirements where one wants to establish trust around handling lots
of open source with respect to a given extension type (e.g., security,
export, …)

I do believe this makes sense in principle, but it may lead to confusion around the OpenChain mark if this becomes widespread and used for many different areas.

Especially security does seem like a useful area to experiment with this on though, and I'd be interested in this. Whether such an experiment then leads to an extension of OpenChain or a certification in itself is probably a later question, and both are certainly possible.


--
Jonas Öberg, Styrelseordförande
Morus konsult AB | jonas@morus.se
E-mail is the fastest way to my attention


Re: OpenChain meeting today

Shane Martin Coughlan <shane@...>
 

Oh dear. What a typo.

"As always, the real goal is to make sure that even the smallest stakeholder in Open Source can introduce or complex with the type of best practices that the largest and most experienced entities have access to, and in the process we gradually transform the global supply chain."

Should be

"As always, the real goal is to make sure that even the smallest stakeholder in Open Source can introduce or comply with the type of best practices that the largest and most experienced entities have access to, and in the process we gradually transform the global supply chain."

Regards

Shane

On 2016 Oct 19, at 13:49, Shane Martin Coughlan <shane@opendawn.com> wrote:

Hi Jeremiah

On 2016 Oct 19, at 7:39, Jeremiah Foster <jeremiah.foster@pelagicore.com> wrote:
> On Oct 18, 2016 11:17, "Marr, David" <dmarr@qti.qualcomm.com> wrote:
>> Those are all sensible points. As Mark indicated, as a group we’re far from saying that security ought to be brought into frame. Right now we’re just talking about whether a modular architecture to the specification might better allow for future extensibility. Can you join the next spec call? It will be at a time more compatible with Europe.
>
> I agree with the modular architecture approach for OpenChain and I'm sorry if I'm unnecessarily slowing progress, that is not my intention. My intention is to ensure we have a separation of concerns in the security and the compliance domain. I believe the important and worthy goal of compliance certification is impossible in security since the domain is so much larger, more complex and has well financed actors -- all things that would jeopardize the value and may even bring liability to any standard that claims compliance or conformance.

As Mark and Dave said, at this juncture the idea is to discuss whether a modular architecture approach for OpenChain makes sense, and what may be included in a series of experimental modules that may later graduate to extensions of OpenChain for areas beyond compliance. Contribution processes, Security processes, Export Compliance and ISO 26262 (functional safety) were all included as possible avenues in our discussion of experimental modules.

I believe it is important to stress that we are not talking about "trying to justify an additional field in the already verbose SPDX output that might hold a hash to a CVE database entry." As you correctly pointed out, security and compliance teams (and export or development teams) often operate separately inside organizations. However, I would equally stress that SPDX and OpenChain are two different things. OpenChain has had a wider scope from inception. More specifically, SPDX is a standard format for communicating the components, licenses and copyrights associated with software packages. Meanwhile, OpenChain’s mission is to establish requirements to achieve effective management of free/open source software (FOSS) for software supply chain participants.

In OpenChain we are always trying to describe the minimal process required to accomplish a goal around Open Source. In the first instance, we have created a specification describing the minimal process required for what is necessary for due diligence around compliance. Any extensions to OpenChain (or experimental modules that might take a later life of their own) would follow a similar pattern. When talking about security, the idea would not be to attempt to describe a Software Development Security Domain (ref: http://resources.infosecinstitute.com/cissp-2015-update-software-development-security/) but rather to talk about the type of minimal process required to address security vulnerabilities around Open Source Software (ref: https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html).

By the same thinking, any extensions to address Export Compliance focused on cryptography or ISO 26262 would not be intended to replace or compete with existing standards, but rather to describe the minimal set of processes we would expect to see around companies deploying Open Source software in these contexts. Anyone adhering to existing standards and best practices would essentially already surpass the minimal requirements laid out. As always, the real goal is to make sure that even the smallest stakeholder in Open Source can introduce or complex with the type of best practices that the largest and most experienced entities have access to, and in the process we gradually transform the global supply chain.

In conclusion, the question is really whether we explore processes beyond compliance. The consensus at our face-to-face was that such further development should not be part of the core specification, but may be worthwhile as extensions. This is not a firm decision that OpenChain should go beyond license compliance. We may come to consensus that OpenChain as a process specification should remain compliance-only and we would cease work on any extensions after a period of experimentation or - as Jonas referenced - such experimental modules may take on a life of their own as another process specification for minimal adherence to requirements for accomplishing other goals around Open Source.

I believe we are all on the same page:
(1) Let’s not confuse compliance with other things
(2) Let’s keep the OpenChain specification clear and focused
(3) But let’s keep an open mind regarding other ways we can make a difference around Open Source in the supply chain

Regards

Shane


Re: OpenChain meeting today

Shane Martin Coughlan <shane@...>
 

Hi Jeremiah

On 2016 Oct 19, at 7:39, Jeremiah Foster <jeremiah.foster@pelagicore.com> wrote:
> On Oct 18, 2016 11:17, "Marr, David" <dmarr@qti.qualcomm.com> wrote:
>> Those are all sensible points. As Mark indicated, as a group we’re far from saying that security ought to be brought into frame. Right now we’re just talking about whether a modular architecture to the specification might better allow for future extensibility. Can you join the next spec call? It will be at a time more compatible with Europe.
>
> I agree with the modular architecture approach for OpenChain and I'm sorry if I'm unnecessarily slowing progress, that is not my intention. My intention is to ensure we have a separation of concerns in the security and the compliance domain. I believe the important and worthy goal of compliance certification is impossible in security since the domain is so much larger, more complex and has well financed actors -- all things that would jeopardize the value and may even bring liability to any standard that claims compliance or conformance.

As Mark and Dave said, at this juncture the idea is to discuss whether a modular architecture approach for OpenChain makes sense, and what may be included in a series of experimental modules that may later graduate to extensions of OpenChain for areas beyond compliance. Contribution processes, Security processes, Export Compliance and ISO 26262 (functional safety) were all included as possible avenues in our discussion of experimental modules.

I believe it is important to stress that we are not talking about "trying to justify an additional field in the already verbose SPDX output that might hold a hash to a CVE database entry." As you correctly pointed out, security and compliance teams (and export or development teams) often operate separately inside organizations. However, I would equally stress that SPDX and OpenChain are two different things. OpenChain has had a wider scope from inception. More specifically, SPDX is a standard format for communicating the components, licenses and copyrights associated with software packages. Meanwhile, OpenChain’s mission is to establish requirements to achieve effective management of free/open source software (FOSS) for software supply chain participants.

In OpenChain we are always trying to describe the minimal process required to accomplish a goal around Open Source. In the first instance, we have created a specification describing the minimal process required for what is necessary for due diligence around compliance. Any extensions to OpenChain (or experimental modules that might take a later life of their own) would follow a similar pattern. When talking about security, the idea would not be to attempt to describe a Software Development Security Domain (ref: http://resources.infosecinstitute.com/cissp-2015-update-software-development-security/) but rather to talk about the type of minimal process required to address security vulnerabilities around Open Source Software (ref: https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html).

By the same thinking, any extensions to address Export Compliance focused on cryptography or ISO 26262 would not be intended to replace or compete with existing standards, but rather to describe the minimal set of processes we would expect to see around companies deploying Open Source software in these contexts. Anyone adhering to existing standards and best practices would essentially already surpass the minimal requirements laid out. As always, the real goal is to make sure that even the smallest stakeholder in Open Source can introduce or complex with the type of best practices that the largest and most experienced entities have access to, and in the process we gradually transform the global supply chain.

In conclusion, the question is really whether we explore processes beyond compliance. The consensus at our face-to-face was that such further development should not be part of the core specification, but may be worthwhile as extensions. This is not a firm decision that OpenChain should go beyond license compliance. We may come to consensus that OpenChain as a process specification should remain compliance-only and we would cease work on any extensions after a period of experimentation or - as Jonas referenced - such experimental modules may take on a life of their own as another process specification for minimal adherence to requirements for accomplishing other goals around Open Source.

I believe we are all on the same page:
(1) Let’s not confuse compliance with other things
(2) Let’s keep the OpenChain specification clear and focused
(3) But let’s keep an open mind regarding other ways we can make a difference around Open Source in the supply chain

Regards

Shane


Re: OpenChain meeting today

Jeremiah Foster <jeremiah.foster@...>
 

Hi,

On Oct 18, 2016 11:17, "Marr, David" <dmarr@...> wrote:
>
> Hi Jeremiah,
>
>  
>
> Those are all sensible points.  As Mark indicated, as a group we’re far from saying that security ought to be brought into frame.  Right now we’re just talking about whether a modular architecture to the specification might better allow for future extensibility.  Can you join the next spec call?  It will be at a time more compatible with Europe.

I'm now permanently in the US Penobscot Bay for sale Portland so far so good time zone so OpenChain times have been fine for me. I'm happy to join the next call.

I agree with the modular architecture approach for OpenChain and I'm sorry if I'm unnecessarily  slowing progress, that is not my intention. My intention is to ensure we have a separation of concerns in the security and the compliance domain. I believe the important and worthy goal of compliance certification is impossible in security since the domain is so much larger, more complex and has well financed actors -- all things that would jeopardize the value and may even bring liability to any standard that claims compliance or conformance.

I also hope my dear friend Jonas Öberg tolerates my vehemence. :-)

Regards,

Jeremiah

>  
>
> Dave


Re: OpenChain meeting today

Dave Marr
 

Hi Jeremiah,

 

Those are all sensible points.  As Mark indicated, as a group we’re far from saying that security ought to be brought into frame.  Right now we’re just talking about whether a modular architecture to the specification might better allow for future extensibility.  Can you join the next spec call?  It will be at a time more compatible with Europe.

 

Dave


Re: OpenChain meeting today

Jeremiah Foster <jeremiah.foster@...>
 



On Tue, Oct 18, 2016 at 12:13 AM, Jonas Oberg <jonas@...> wrote:
> Hi Mark, others,
>
> by way of introduction first: for those of you who do not know me,
> I'm the executive director for the FSFE, but for my participation
> on this list, I'm speaking for Morus AB, a small consulting firm
> in Sweden which helps companies in their understanding of FOSS.
>
>> Without committing to any one new extension, the idea is to set up
>> a framework where we could experiment (pilot) new types of program
>> requirements where one wants to establish trust around handling lots
>> of open source with respect to a given extension type (e.g., security,
>> export, …)
>
> I do believe this makes sense in principle, but it may lead to confusion
> around the OpenChain mark if this becomes widespread and used for many
> different areas.
>
> Especially security does seem like a useful area to experiment with this
> on though, and I'd be interested in this. Whether such an experiment then
> leads to an extension of OpenChain or a certification in itself is
> probably a later question, and both are certainly possible.

I agree this makes sense on principle, and many vendors will include this data, not least because it is of great interest now. But we're wandering into an area that has lots of standards, certifications, established practices, and tooling already. What is OpenChain planning to bring that those other organizations do not bring?

It seems that OpenChain is trying to justify an additional field in the already verbose SPDX output that might hold a hash to a CVE database entry or so. In the companies that I work with, they feel that there needs to be a much more stark separation of concerns since the largest security issue is connectivity where license compliance has a very limited role to play. A link to some CVE is useless in compliance and the security team never sees it.

Security discussion in OpenChain feels like feature creep and is as bad as license proliferation that many of us have railed against for years. If vendors want to sell it, by all means, but it poses some risks to OpenChain if compliance is going to try to enter the security domain.

Regards,

Jeremiah
 


Re: OpenChain meeting today

Jonas Oberg <jonas@...>
 

Hi Mark, others,

by way of introduction first: for those of you who do not know me,
I'm the executive director for the FSFE, but for my participation
on this list, I'm speaking for Morus AB, a small consulting firm
in Sweden which helps companies in their understanding of FOSS.

> Without committing to any one new extension, the idea is to set up
> a framework where we could experiment (pilot) new types of program
> requirements where one wants to establish trust around handling lots
> of open source with respect to a given extension type (e.g., security,
> export, …)

I do believe this makes sense in principle, but it may lead to confusion
around the OpenChain mark if this becomes widespread and used for many
different areas.

Especially security does seem like a useful area to experiment with this
on though, and I'd be interested in this. Whether such an experiment then
leads to an extension of OpenChain or a certification in itself is
probably a later question, and both are certainly possible.


--
Jonas Öberg, Styrelseordförande
Morus konsult AB | jonas@morus.se
E-mail is the fastest way to my attention


Re: OpenChain meeting today

Mark Gisi
 

Hi Jeremiah,

 

>> I have some questions about the "extensions" of OpenChain

 

This is a new consideration that needs to be discussed. Without committing to any one new extension, the idea is to set up a framework where we could experiment (pilot) new types of program requirements where one wants to establish trust around handling lots of open source with respect to a given extension type (e.g., security, export, …). For example, when delivering a solution a recipient may want some level of assurance that the distributor has a sufficient process for managing security vulnerabilities for the open source included in that solution. That is, an OpenChain Security added-on option. It is an option in that not everyone using the spec needs to conform with that section of the spec. Only those that decide they want to certify their process to be trusted with respect to how they handle security vulnerabilities.

 

>> "? I ask because security is a software development domain, not a compliance or standards domain.

 

It will depend on how we define security. The current thinking is that a security option would focus on defining a standard set of requirements for a program that manages (tracks) security vulnerabilities in the open source software.

 

>> Is there more information on how and why OpenChain would incorporate the security topic?

 

Not yet. It is wide open and just a potential consideration. Your questions are very much in line with the discussion we need to have to determine if this approach makes sense or not.

 

Best,

- Mark

 

 

From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Jeremiah Foster
Sent: Monday, October 17, 2016 1:16 PM
To: Williams, Kelly
Cc: openchain@...
Subject: Re: [OpenChain] OpenChain meeting today

 

Hi,

 

I can't make the meeting today due to prior commitments for GENIVI. I have some questions about the "extensions" of OpenChain though -- is there more information on extending OpenChain to "security"? I ask because security is a software development domain, not a compliance or standards domain. Not least because security has to be holistic in the product and is a negative goal. 

 

Is there more information on how and why OpenChain would incorporate the security topic?

 

Thank you,

 

Jeremiah

 

On Mon, Oct 17, 2016 at 11:36 AM, Williams, Kelly <kellyw@...> wrote:

Hi Everyone,

 

Reminder the Spec and Curriculum meeting is today at 5pm PST.  Please find attached the slides. 

 

Join the call: https://www.uberconference.com/katestewart

Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed

 

If you need to use a local phone number, please consult:

https://www.uberconference.com/international

for the specific country numbers.

 

1. Dial the local number based on your location.

2. Enter 512 910 4433, then #.

 

Thanks,

Kelly

 


_______________________________________________
OpenChain mailing list
OpenChain@...
https://lists.linuxfoundation.org/mailman/listinfo/openchain



 

--

Jeremiah C. Foster

GENIVI COMMUNITY MANAGER

 

Pelagicore AB

Ekelundsgatan 4, 6tr, SE-411 18
Gothenburg, Sweden

M: +1.860.772.9242
