|
ISO/IEC DIS 18974 - Printable self-certification + One page overview
Dear all
There is a printable version of the DIS 18974 self-certification checklist here: https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Checklist/DIS-18974/en/DIS-18974-Self-Certification-Checklist-2.0-printout.pdf There is a new one page overview here (PDF): https://github.com/OpenChain-Project/Reference-Material/blob/master/Getting-Started/One-Page-Overview/DIS-18974/DIS-18974-one-pager-1.0.pdf PNG: https://github.com/OpenChain-Project/Reference-Material/blob/master/Getting-Started/One-Page-Overview/DIS-18974/DIS-18974-one-pager-1.0.png Feedback most welcome! Regards Shane — Shane Coughlan General Manager, OpenChain e: scoughlan@... p: +81 (0) 80 4035 8083 w: www.linuxfoundation.org Schedule a call: https://meetings.hubspot.com/scoughlan |
||||||||||||
|
|
||||||||||||
|
Re: [specification] Interesting new movement to include "security.txt" files in projects
Mike Linksvayer
Yes securitytext.org is for web sites/services, for example https://github.com/.well-known/security.txt SECURITY.* in a code repository typically alongside LICENSE -- though GitHub also looks in a couple other locations https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository -- I'm not aware of any commonplace or standard texts or structure but I may be ignorant. Anyway a few examples are https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md https://github.com/microsoft/repo-templates/blob/main/shared/SECURITY.md https://github.com/github/.github/blob/main/SECURITY.md Yes both .well-known in the website context and well known files in the codebase context arguably run risk of overpopulation, but it seems like making it easy to find out how to report security issues is quite important. Mike On Tue, Mar 21, 2023 at 4:18 AM Steve Kilbane <stephen.kilbane@...> wrote:
|
||||||||||||
|
|
||||||||||||
|
Re: [specification] Interesting new movement to include "security.txt" files in projects
My 2c's Honestly think that we are starting to overpopulate root project dirs. Not only LICENSE anymore, it goes for a number of files and this needs to have more control that what is today. Just for a few examples: CODE_OF_CONDUCT LICENSE README.(md,txt) contributing.md ... The list is already crowded and does not have a single common pattern. ( Note that i'm not even dealing with the fact that we have plenty of other files dev related, like linters, etc.. with their own config ) So, saying that, I'm really not against this new file as information is relevant, but we need to push as formal subfolder or similar idea to aggregate all this info. i.e, github put the things under .github, etc.. Having only README on top folder and something called as let's say as example, .project where we keep all this files, even more if some organization or company need to add specifics. Then my point is thumbs up for the idea, better start to think on how not to make project codes visually crowded. []'s On Tue, Mar 21, 2023 at 12:18 PM Steve Kilbane <stephen.kilbane@...> wrote:
|
||||||||||||
|
|
||||||||||||
|
Re: [specification] Interesting new movement to include "security.txt" files in projects
Is this JUST for web services? The location section focuses on a fixed URL rather than, say, a location within a source repo. But then, I've barely skimmed the document.
From:
specification@... <specification@...> on behalf of Shane Coughlan <scoughlan@...> [External] |
||||||||||||
|
|
||||||||||||
|
Interesting new movement to include "security.txt" files in projects
Jeff flagged this on our monthly call (2023-03-21)
https://securitytxt.org/ It is like LICENSE files but for security. What do you think? Have you heard about this? Useful in your workflow? |
||||||||||||
|
|
||||||||||||
|
Invitation: OpenChain Webinar #50 - An Overview of SPDX 3.0 @ Fri Mar 31, 2023 16:00 - 17:00 (JST) (main@lists.openchainproject.org)
|
||||||||||||
|
|
||||||||||||
|
Outcomes: OpenChain Monthly North America / Asia meeting - 2023-03-21
Our regular monthly meeting continued our work to edit the next generation of our license compliance and security assurance specifications. Our focus this time was on some open issues around the next generation of the Security Assurance Specification. The specific issues we covered:Add triage entry to specific situations where vulnerability not applicable: Outcome: improved language suggested, needs work to further tighten phrasing. Comments on the Known Vulnerability in the proposed Security Assurance Specification: Outcome: issue closed with adjustment to language in the specification. Current draft of next generation security specification here: Check out the details and the full recording and slides here: https://www.openchainproject.org/news/2023/03/21/openchain-monthly-meeting-north-america-asia-2023-03-21 |
||||||||||||
|
|
||||||||||||
|
Re: OpenChain @ OSPO Summit
Awesome! I think we have a lot of potential new users and - most important - community collaborators in China. I am really looking forward to what we will do together in the coming months.
toggle quoted message
Show quoted text
Regards Shane On Mar 21, 2023, at 16:06, Gaokun (King) via lists.openchainproject.org <king.gao=huawei.com@...> wrote: |
||||||||||||
|
|
||||||||||||
|
Re: OpenChain @ OSPO Summit
Gaokun (King)
Thank you for sharing this event, Shane.
I will be there as speaker like you.
Of course , I will introduce OpenChain Project in my presentation J
发件人: main@... [mailto:main@...]
代表
Shane Coughlan
|
||||||||||||
|
|
||||||||||||
|
OpenChain @ OSPO Summit
The OpenChain Project is delighted to be part of the OSPO Summit held in Beijing during March 2023. You can check out our speech from the event below.
https://www.openchainproject.org/news/2023/03/20/openchain-ospo-summit Learn more about the event: https://www.bagevent.com/event/8365674 
|
||||||||||||
|
|
||||||||||||
|
OpenChain Monthly North America / Asia call - editing the specifications - happening in five minutes - 2023-03-21 09:00 CST / 10:00 KST + JST
A reminder that our monthly North America / Asia call is taking place in a five minutes: 2023-03-21 at 09:00 CST / 10:00 KST+JST (01:00 UTC). That will be 18:00 Pacific on the 20th of March for our colleagues in North America. I look forward to seeing you at: https://zoom.us/j/4377592799 Slides attached. Check below for a quick recap of what we did on the last call and what we will do on this call.
Comments on the Known Vulnerability in the proposed Security Assurance Specification: We adjusted “obtain customer agreement”) as per this issue: Under the Competence category, add requirements: Some notes from Chris on the last meeting: In the meeting we discussed and approved the following changes: [Improvement] Add new term and refined term in Definitions Section 2.7 and 2.8 1. We discussed and approved the addition of the Term Mitigation as a new term in the definitions section for "remediation" and "mitigation" (Section 2.7 Remediate and 2.8 Mitigate). [Improvement] add the term "mitigate" to Section 3.1.5 as an available practice. 2. We discussed and approved the insertion of Mitigation as an additional practice into Section 3.1.5 that can be used if remediation is not possible or is determined to be unnecessary based on the use of the software deemed to be vulnerable. [Improvement] Include "mitigation" in Section 3.3.2 - Security Assurance 3. We discussed and approved the insertion of a new term mitigation into Section 3.3.2 as an available practice: For each identified Known Vulnerability assign a risk/impact score; Edited line 252 for clarity: For each detection and assigned score determine and document necessary remediation or mitigation steps suitable for the use-case of the software; Adjacent to this, we returned to a previously discussed improvement in the same section by deleting: “and get Customer Agreement at or above a previously determined level (i.e., all severity scores above 4.5 …);” And the moment of the concept to Line 254 in order to clarify that the owning organization is to clear the proposed resolution with the Customer only if that is a requirement from the customer. Added for clarity: obtain Customer Agreement that the proposed resolution is acceptable if necessary; at or above a previously determined level (i.e., all severity scores above 4.5 …)
|
||||||||||||
|
|
||||||||||||
|
COMING TOMORROW: OpenChain Monthly North America / Asia call - 2023-03-21 09:00 CST / 10:00 KST+JST (01:00 UTC)
Dear All
A reminder that our monthly North America / Asia call is taking place tomorrow, 2023-03-21, at 09:00 CST / 10:00 KST+JST (01:00 UTC). That will be 18:00 Pacific on the 20th of March for our colleagues in North America. Calendar invite attached. We are editing the next generation license compliance and security assurance specifications. On the North America / Europe call earlier this month we opened a new discussion on: Comments on the Known Vulnerability in the proposed Security Assurance Specification: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/19 We recapped / reviewed: Please add definitions for “remediate” and “mitigate”: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/22 Under the Competence category, add requirements#23: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/23 Add references to ISO/IEC Standards: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/24 We also opened this new issue: Add triage entry to specific situations where vulnerability not applicable: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/29 We have the following items pending for *this* call: = Security = We will return to… Add triage entry to specific situations where vulnerability not applicable: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/29 Comments on the Known Vulnerability in the proposed Security Assurance Specification: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/19 + Add program objectives https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/14 Clarify Stated Purpose (Github) and Scope (specification): https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/28 = Licensing = Consider adding definition of 'bill of materials’ https://github.com/OpenChain-Project/License-Compliance-Specification/issues/35 Move "Access" to be part of "Compliance Artifact Delivery” https://github.com/OpenChain-Project/License-Compliance-Specification/issues/53 I look forward to seeing you at: https://zoom.us/j/4377592799 Regards Shane |
||||||||||||
|
|
||||||||||||
|
Re: Introducing DIS 18974, The De Facto International Standard For Open Source Security Assurance
Christopher Wood
Shane
toggle quoted message
Show quoted text
Congratulations to the entire team who contributed to the development of the DIS 18974 Open Source Security Assurance specification. Best Chris On Mar 17, 2023, at 12:59 AM, Shane Coughlan <scoughlan@...> wrote: |
||||||||||||
|
|
||||||||||||
|
Introducing DIS 18974, The De Facto International Standard For Open Source Security Assurance
The OpenChain Security Assurance Specification 1.1 is now DIS 18974, OpenChain Security Assurance Specification. This de facto industry standard describes the key requirements of a quality open source security assurance program. It is currently in the JTC-1 PAS Transposition Process and is expected to graduate mid-2023 as an ISO/IEC standard. The ISO/IEC standard will be ISO/IEC 18974:2023, OpenChain Security Assurance Specification.
You can adopt DIS 18974, OpenChain Security Assurance Specification via self-certification (link below) or through one of the official Third-Party Certification Partners. Adoption of the OpenChain Security Assurance Specification 1.1 or DIS 18974, OpenChain Security Assurance Specification is also valid for ISO/IEC 18974:2023. https://www.openchainproject.org/featured/2023/03/16/introducing-dis-18974 |
||||||||||||
|
|
||||||||||||
|
CESI is the Latest OpenChain Partner and Third-Party Certifier
 China Electronics Standardization Institute (CESI) is the latest official partner of the OpenChain Project. From today, CESI is offering third-party certification around the standards produced by the OpenChain Project, with an initial focus on ISO/IEC 5230:2020, the International Standard for open source license compliance. “The OpenChain Project is delighted to deepen our collaboration with CESI,” says Shane Coughlan, OpenChain General Manager. “CESI has an exceptionally important role in helping the world’s most populous country engage with, leverage and innovate around open source. Their new status as an official partner of the OpenChain Project opens doors for more companies in China to begin using our standards, and to begin benefiting from increased efficiency in their supply chains.” “CESI is delighted to become an official partner of the OpenChain Project,” says Liyun Yang, Director of Cloud Computing Research Office. “We will offer third-party certification and assist in developing next generation versions of the OpenChain standards to help support Chinese companies, and the wider global supply chain.” About CESIFounded in July 1963, CESI is a nonprofit institution directly under the MII that is engaged in standardization, conformity assessment and measurement activities in the field of electronic information technologies. Authorized by government competent departments, CESI organizes the development of national and industry standards and participation in the international standardization activities in electronic information technologies. CESI provides product certification, quality system certification, experiments and tests, measurement and calibration as well as training for the public. The objective of CESI is to become a world-renowned, domestically authoritative institution for standardization and conformity assessment in the field of electronic information technologies. Learn MoreWant to share this news with others? It is on our website here: |
||||||||||||
|
|
||||||||||||
|
Looking for articles for IEEE Computer open source column
(Sorry for redundancy through crossposting.)
Hello everyone, I'm running out of good articles for IEEE Computer (for the open source expanded column). More information in this old call, now current again: https://dirkriehle.com/2022/05/23/call-for-article-proposals-for-open-source-expanded-column-in-ieee-computer-magazine/ Happy to answer any questions you may have. Probably your easiest way to a reputable outreach publication! Thanks, Dirk -- Confused about open source? Get clarity through https://bayave.com/training -- Website: https://dirkriehle.com - Twitter: @dirkriehle Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550 |
||||||||||||
|
|
||||||||||||
|
Re: OpenChain Newsletter #51
You are super welcome! Everyone, should we produce PDF versions in future as well? (And thank you Gerald ☺️) On Mar 15, 2023, at 21:01, Mattran, Mary <mary.mattran@...> wrote:
|
||||||||||||
|
|
||||||||||||
|
Re: OpenChain Newsletter #51
Perfect, thank you,Shane!
|
||||||||||||
|
|
||||||||||||
|
TÜV Nord Taiwan is the latest OpenChain Partner
TÜV Nord Taiwan is the latest official OpenChain Partner. TÜV NORD Taiwan was founded in 1988 and is one of the leading providers of quality, safety, information technology, and renewable energy solutions. The company has highly qualified employees and offers national and international customers the complete provide the one-stop service for local customers.
Learn more: https://www.openchainproject.org/featured/2023/03/15/tuv-nord-taiwan |
||||||||||||
|
|
||||||||||||
|
Re: OpenChain Newsletter #51
Of course!
toggle quoted message
Show quoted text
You will find it here: https://www.openchainproject.org/monthly-newsletter/2023/02/28/openchain-newsletter-51 Shane Coughlan OpenChain General Manager +818040358083 Book a meeting: https://meetings.hubspot.com/scoughlan On Mar 14, 2023, at 20:51, Mattran, Mary <mary.mattran@...> wrote:
|
||||||||||||
|
|
