REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-13 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

In 30 minutes we are talking OpenChain ISO 5230 and security extension documentation:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09


REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-06 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

In 30 minutes we are talking OpenChain ISO 5230 and security extension documentation:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09


Webinar #26 – Open Hardware at CERN, FOSSLight Overview and Automating Yocto with SPDX

This was a massive webinar covering just over an hour. Highly recommended to catch the latest in open hardware and in open source automation.
https://www.openchainproject.org/news/2021/07/07/webinar-26

Want to check out all 25 previous webinars? You can find them here:
https://www.openchainproject.org/webinars


Re: [partners] Samsung Electronics Announces OpenChain ISO 5230 Conformance

Gilles Gravier

Amazing news!

Best regards,

Gilles Gravier
Director, Senior Strategy Advisor - Global Open Source Practice
Wipro Limited
M: +41 79 472 8437
in/gillesgravier  @gravax


From: partners@... <partners@...> on behalf of Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...>
Sent: Thursday 8 July 2021 06:08
To: OpenChain Main <main@...>
Cc: OpenChain Japan <japan-wg@...>; OpenChain Korea <korea-wg@...>; OpenChain Taiwan <taiwan-wg@...>; OpenChain Partners <partners@...>
Subject: [partners] Samsung Electronics Announces OpenChain ISO 5230 Conformance


In one of our biggest announcements for 2021, Samsung Electronics announces adoption of OpenChain ISO 5230, the International Standard for open source compliance. They join a growing community of companies in the consumer electronics, automotive, cloud computing and telecommunications field in using this standard to manage supply chains. Learn more:
https://www.openchainproject.org/featured/2021/07/07/samsung-electronics-announces-openchain-iso-5230-conformance






Re: [partners] Samsung Electronics Announces OpenChain ISO 5230 Conformance

Andrew Katz

Spectacular news! Well done!

On 8 Jul 2021, at 05:08, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@lists.openchainproject.org> wrote:

In one of our biggest announcements for 2021, Samsung Electronics announces adoption of OpenChain ISO 5230, the International Standard for open source compliance. They join a growing community of companies in the consumer electronics, automotive, cloud computing and telecommunications field in using this standard to manage supply chains. Learn more:
https://www.openchainproject.org/featured/2021/07/07/samsung-electronics-announces-openchain-iso-5230-conformance


Andrew Katz
Partner
Moorcrofts LLP | Thames House, Mere Park, Marlow | SL7 1PB, Bucks, GB
Tel: 01628 470000
DDI: +44 (0) 1628 470003
Mob: +44 (0) 7970 835001
Email: Andrew.Katz@moorcrofts.com
https://moorcrofts.com/


Samsung Electronics Announces OpenChain ISO 5230 Conformance

In one of our biggest announcements for 2021, Samsung Electronics announces adoption of OpenChain ISO 5230, the International Standard for open source compliance. They join a growing community of companies in the consumer electronics, automotive, cloud computing and telecommunications field in using this standard to manage supply chains. Learn more:
https://www.openchainproject.org/featured/2021/07/07/samsung-electronics-announces-openchain-iso-5230-conformance


REMINDER: OpenChain Bi-Weekly Webinar - 2021-07-06 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

On today's webinar we are going to cover two major topics.

First up we have 'An Overview of FOSSLight' by Kyoungae Kim of LG Electronics. FOSSLight is a newly released open source tool for open source compliance management that has been used internally in LG Electronics for several years:
https://fosslight.org
https://n.news.naver.com/article/001/0012435207

We continue the tooling discussion with 'Automated Yocto compliance built on SPDX: meta-doubleopen to Fossology to OSS Review Toolkit' by Mikko Murto of HH Partners.

All welcome.

Join Zoom Meeting
https://zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Meeting ID: 999 012 0120
Passcode: 123456


OpenChain Bi-Weekly Webinar - 2021-07-06 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

On tomorrow’s webinar we are going to cover two major topics.

First up we have 'An Overview of FOSSLight' by Kyoungae Kim of LG Electronics. FOSSLight is a newly released open source tool for open source compliance management that has been used internally in LG Electronics for several years:
https://fosslight.org
https://n.news.naver.com/article/001/0012435207

We continue the tooling discussion with 'Automated Yocto compliance built on SPDX: meta-doubleopen to Fossology to OSS Review Toolkit' by Mikko Murto of HH Partners.

All welcome.

Join Zoom Meeting
https://zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Meeting ID: 999 012 0120
Passcode: 123456


Re: Direct or indirect supplier?

Jan Thielscher

Probably just to prevent some misunderstanding or unnecessary fears:

The law Dirk referred to will be effective from 2023. Then it addresses companies with >3000 employees; from 2024 it will also address companies with >1000 employees.
The focus is on human rights, and it comprises direct as well as indirect suppliers, so this would not make much of a difference. But the requirements depend on several factors, one of them being the impact that the consuming company can have on the particular "violating supplier company".

The "violation" is not based on blacklisted countries! The "violation" has to happen systematically within the particular supplier (direct or indirect) organisation. (E.g. coding kiddies, 20 hrs a day in the dark and wet basement of the software provider, might qualify.)

I guess someone capable of contributing to open source, in general, does not qualify for such a sort of "abuse". ;-)

Kind regards
Jan Thielscher

T: +49 69 153 22 77 55
F: +49 69 153 22 77 51

Re: Direct or indirect supplier?

Christopher Wood

Dirk

That is a brilliant question. I would add to this the consideration that open source projects in general have many contributors. Would that make a company contributing to the code base “that may include individual contributors who reside in countries designated on the violators list” at risk? Remember that there is no requirement to vet contributions by nationality or residency? This is a question that really requires a legal opinion and perhaps a change to German law clarifying this.

Regards
Chris

Sent via carrier pigeon

Re: Direct or indirect supplier?

Dirk Riehle

On 01.07.21 13:35, Carlo Piana wrote:

> I guess a German Lawyer should reply.
> In general terms, as I have been pondering it on other accounts, I would suggest that making FOSS generally available does not qualify as a supplier relationship. One needs to have a development agreement or a support agreement for that. This could also include developing FOSS to be given at large.

It is also my guess that you need an explicit supply contract to establish the supplier relationship formally.

If you do it within a holding company (inner source) that formal relationship is established automatically, even if you don't put something down in writing. In open source, this is not the case AFAIK.

Morally, and the thrust of the law is a moral one, in-kind compensation or just the dependency still might create public backlash.

Cheers, Dirk



--
Confused about open source?
Get clarity through https://bayave.com/training
--
Website: https://dirkriehle.com - Twitter: @dirkriehle
Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550


Re: Direct or indirect supplier?

Carlo Piana

----- Original Message -----
From: "Dirk Riehle" <dirk@riehle.org>
To: "main@lists.openchainproject.org" <main@lists.openchainproject.org>
Sent: Thursday, 1 July, 2021 13:26:51
Subject: [openchain] Direct or indirect supplier?
Hi,

Germany has a new law about diligence in the supply chain, basically to watch
out that no supplier violates human rights.

We like to talk about open source projects being suppliers, but I'm not sure
that legally speaking this is true.

As a consequence, what is the relationship between a company contributing to
an open source project with the company using it? Is that a direct supplier
relationship? An indirect one? None at all?

Thanks, Dirk

Dirk,

I guess a German Lawyer should reply.

In general terms, as I have been pondering it on other accounts, I would suggest that making FOSS generally available does not qualify as a supplier relationship. One needs to have a development agreement or a support agreement for that. This could also include developing FOSS to be given at large.

Just my two eurocents.

Cheers

Carlo


Direct or indirect supplier?

Dirk Riehle

Hi,

Germany has a new law about diligence in the supply chain, basically to watch out that no supplier violates human rights.

We like to talk about open source projects being suppliers, but I'm not sure that legally speaking this is true.

As a consequence, what is the relationship between a company contributing to an open source project with the company using it? Is that a direct supplier relationship? An indirect one? None at all?

Thanks, Dirk

--
Confused about open source?
Get clarity through https://bayave.com/training
--
Website: https://dirkriehle.com - Twitter: @dirkriehle
Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550


OpenChain Korea Work Group Meeting #10 - Full Recording

You can find all the sections of the event carefully edited by Soim right here:
https://openchain-project.github.io/OpenChain-KWG/en/meeting/10th/


Re: Root of competence

Martin Yagi

Hi Steve,

That’s a great question, and thinking about it, I’d be in a similar position if I was looking for formal compliance.

I’d also add “designed/wrote the Company Open Source Policy and Procedures” as evidence for my own competence (I wrote the policy, so I decide what is ok!). I also have talked about Open Source Compliance at Intellectual Property conferences.

It would be good to know others’ thoughts on this bootstrapping. 😉

Best regards,

Martin Yagi
Intellectual Property Manager

From: main@... <main@...> On Behalf Of Steve Kilbane via lists.openchainproject.org
Sent: 29 June 2021 08:52
To: main@...
Subject: Re: [openchain] Root of competence

Thanks, Martin. In that context, your comments make sense.

I'm specifically looking for a starting point: assuming no-one in the org has any formal/external training yet, how does one show competence for the *first* trainer in the org, the one who would then be providing training to the others in the org?

It could be argued that working through the OpenChain curriculum and adapting it to the local org's needs is equivalent to receiving that training, but I don't want to start out with a flawed assumption. And while it would have been necessary in the past to say "my years of personal experience are sufficient" because there wasn't any alternative, I don't know that that's good enough now. Hence taking the temperature of the group.

steve

From: main@... <main@...> On Behalf Of Martin Yagi
Sent: 29 June 2021 08:25
To: main@...
Subject: Re: [openchain] Root of competence

Dear all,

I may have misunderstood the original question, my comment was around “training the trainers” and/or keeping the “experts” up to date. I don’t think there is much formal training available for that purpose and would certainly welcome any other thoughts in this area.

In terms of general training, I use some LinkedIn Learning modules (because as a company we currently have licenses) and some OpenChain reference materials. I supplement both of these with more targeted examples, use-cases, anecdotes, company specific terms & procedures, etc.

I would recommend using the above materials, to make something bite sized and utilising all modern methods of delivery (i.e. videos, quizzes) if available virtually. The OpenChain Reference Training sub-group is making great progress towards improved materials.

Best regards,

Martin Yagi
Intellectual Property Manager

From: main@... <main@...> On Behalf Of Steve Kilbane via lists.openchainproject.org
Sent: 29 June 2021 08:06
To: main@...
Subject: Re: [openchain] Root of competence

Thanks, Christopher,

> Several of the open source organizations, including OpenChain have published training curriculum or materials
> that would provide a peer-reviewed foundational knowledge which when combined with individual experience would
> provide evidence that you meet technical criteria.

As noted, I'd probably base our own training on the OpenChain materials. Can you be specific about the other materials you mention?

Thanks,

steve

From: main@... <main@...> On Behalf Of Christopher Wood
Sent: 24 June 2021 19:39
To: main@...
Subject: Re: [openchain] Root of competence

Steve

My observation based on 20+ years in this space is that training by a recognized organization using a designed curriculum is far better than just going to meetings and attending conferences. Most individuals would have some (or great) difficulty in sifting the wheat from the chaff (opinions and not necessarily facts) offered by the various presenters in this complex and evolving field. Several of the open source organizations, including OpenChain, have published training curricula or materials that would provide peer-reviewed foundational knowledge which, when combined with individual experience, would provide evidence that you meet technical criteria. Some of the Software Composition Analysis (SCA) vendors do offer "auditing" training on their tools where a certification that you have completed the training is provided (if you want to be the go-to person in your organization).

These are my thoughts and do not reflect the positions of anyone else.

Best Regards

Chris Wood PhD CISSP

On Thursday, June 24, 2021, 10:21:09 AM CDT, Martin Yagi <martin.yagi@...> wrote:

Dear Steve,

I count my ongoing “training” as attending webinars, industry events, etc.

Best regards,

Martin Yagi
Intellectual Property Manager

From: main@... <main@...> On Behalf Of Steve Kilbane via lists.openchainproject.org
Sent: 24 June 2021 16:18
To: main@...
Subject: [openchain] Root of competence

Hi all,

One of the key points in OpenChain is that program participants are trained in order to have sufficient competency for their role. In my org, I'd probably be one of the key trainers, and would likely be developing the courses (most likely based on the great work going on in the education team). But I haven't had training – just years to the grindstone in an organically-growing compliance team. How's this normally handled? Is it just recognised that someone is the local expert, or is it necessary/recommended that I'd get external training in order to be able to self-certify as competent before spreading the Word to the rest of the org? If the latter, recommendations gratefully accepted…

Thanks,

steve

First Light Fusion Ltd.
p: 01865 807 670
a: Unit 10, Oxford Industrial Park, Mead Road, Yarnton, Kidlington, Oxford, OX5 1QU

This email and any attachments are confidential.


Re: Root of competence

Steve Kilbane

Thanks, Martin. In that context, your comments make sense.

I'm specifically looking for a starting point: assuming no-one in the org has any formal/external training yet, how does one show competence for the *first* trainer in the org, the one who would then be providing training to the others in the org?

It could be argued that working through the OpenChain curriculum and adapting it to the local org's needs is equivalent to receiving that training, but I don't want to start out with a flawed assumption. And while it would have been necessary in the past to say "my years of personal experience are sufficient" because there wasn't any alternative, I don't know that that's good enough now. Hence taking the temperature of the group.

steve


Re: Root of competence

Martin Yagi

Dear all,

I may have misunderstood the original question, my comment was around “training the trainers” and/or keeping the “experts” up to date. I don’t think there is much formal training available for that purpose and would certainly welcome any other thoughts in this area.

In terms of general training, I use some LinkedIn Learning modules (because as a company we currently have licenses) and some OpenChain reference materials. I supplement both of these with more targeted examples, use-cases, anecdotes, company specific terms & procedures, etc.

I would recommend using the above materials, to make something bite sized and utilising all modern methods of delivery (i.e. videos, quizzes) if available virtually. The OpenChain Reference Training sub-group is making great progress towards improved materials.

Best regards,

Martin Yagi
Intellectual Property Manager


Re: Root of competence

Steve Kilbane
 

Thanks, Christopher,

> Several of the open source organizations, including OpenChain have published training curriculum or materials
> that would provide a peer-reviewed foundational knowledge which when combined with individual experience would
> provide evidence that you meet technical criteria.

As noted, I'd probably base our own training on the OpenChain materials. Can you be specific about the other materials you mention?

Thanks,

steve

 



OpenChain Fourth Monday Work Team Call - 2021-06-28 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

 

This will be a talk-through and vote on where OpenChain goes next.

All welcome. No registration.
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Want to confirm your timezone?
2021-06-21 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


SBOM Readiness Survey

Jennifer McGinnis <jmcginnis@...>
 

Hello OpenChain,

The Linux Foundation's SBOM Readiness Survey has just been announced on their blog and social media channels. This is a major, important new initiative for the Linux Foundation.

Please take a few moments to read more about it and complete it if possible:

Thank you!

--
Jenni McGinnis
Projects Coordinator | The Linux Foundation
Assisting with RISC-V International, OpenChain, TARS, & OpenFabrics Alliance
