
Tooling Work Group Meeting #44 2022-02-02

 

Check out the first meeting of one of the most active groups in the world: tooling :) This is where you want to be to learn about how user companies are addressing automation around open source.
https://www.openchainproject.org/news/2022/02/04/tooling-wg-44


IMPORTANT - Recording Catch Up: OpenChain Bi-Weekly Call 2022-01-31

 

On this call we had a significant discussion around OpenChain ISO/IEC 5230 in the security domain.
https://www.openchainproject.org/featured/2022/02/04/bi-weekly-2022-01-31

See what we have previously published in this domain:
https://www.openchainproject.org/security-guide

See the document we are editing here:
https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide/2.0


Recording Catch Up: OpenChain Partner Call 2022-01-27

 

Our usual partner call. We will be holding these on the 4th Thursday of every month throughout 2022 to ensure everyone is in sync.
https://www.openchainproject.org/news/2022/02/04/openchain-partner-call-2022-01-27


Recording Catch Up: Japan Work Group Meeting #22 – Virtual Meeting #9 2022-01-21

 

This meeting was held in Japanese:
https://www.openchainproject.org/news/2022/02/04/japan-wg-22-2

(Good to share with your teams in the country :) )


Re: Invitation: OpenChain Telco Work Group Meeting @ Monthly from 17:00 to 18:00 on the first Thursday from Thu Feb 3 to Thu Mar 3 (JST) (main@lists.openchainproject.org)

 

Good morning! Being a global project we always have something at a crazy time. :)

The good news is that Jimmy will be running regular telco meetings, and each time there will be one morning Europe time and late afternoon Europe time, so it should always work for dial-in from either Asia or North America.



Re: OpenChain Self Certification

 

Thanks Gary. I will get the fix underway :)



Re: OpenChain Self Certification

Gary O'Neall
 

I added an issue in the questionnaire repo to track this: https://github.com/OpenChain-Project/conformance-questionnaire/issues/70

 

Gary

 



Re: OpenChain Self Certification

Gary O'Neall
 

Hi Jari,

 

Thanks for the additional information.  I don’t believe anyone is working on this issue.

 

The PDF is generated from the data in the conformance-questionnaire github repo.

 

All of the translations would need to be updated with the correct numbers.

 

If you or anyone on the list is comfortable with creating a pull request with the corrected numbers, I can review and merge it, which will automatically update the PDF.

 

Regards,
Gary

 

 

 



Re: OpenChain Self Certification

Jari Koivisto
 

Gary et al


So, in the Conformance in Questions (https://openchain-project.github.io/conformance-questionnaire/questionnaire.pdf), there is a Spec Ref column, and in that column the references point to OpenChain specification ver. 2.0. For 2.1, which is the current ISO standard, the numbering has changed.

Attached is an Excel sheet in which I put some examples of the 2.0 -> 2.1 numbering changes. As I mentioned, at the moment the questionnaire uses 2.0 numbering, not 2.1, and IMHO we should use the latest 2.1 specification version, which is the ISO 5230 standard.

BR,

   Jari

---
Jari Koivisto
E-mail: jari.p.koivisto@...
Mobile: +41 78 7479791
Skype: jari.p.koivisto
LinkedIn: http://www.linkedin.com/in/jarikoivisto





Re: OpenChain Self Certification

Gary O'Neall
 

Hi Jari,

 

Can you provide more specifics on where the inconsistency is? I just looked at the PDF in the link below; it has the following text in the header:

 

This document contains a series of questions to determine whether a company has an OpenChain Conformant program. If each of these questions can be answered with a "yes" then that company meets all the requirements of conformance to the OpenChain Specification version 2.1 (functionally identical to ISO/IEC DIS 5230:2020(e)). If any of the questions are answered with a "no" then the company can clearly identify where additional investment is needed to improve the compliance process.

 

It could be an issue in one of the translations if you are looking at a language other than English.

 

Thanks,

Gary

 



Re: Invitation: OpenChain Telco Work Group Meeting @ Monthly from 17:00 to 18:00 on the first Thursday from Thu Feb 3 to Thu Mar 3 (JST) (main@lists.openchainproject.org)

Christopher Wood
 

Good morning Shane
I am sorry that I missed the 2AM meeting. Guess I was sleeping while it snowed.
Regards
Chris



OpenChain Self Certification

Jari Koivisto
 

Hi All,

I just noticed that the printable version of the self-certification document (https://openchain-project.github.io/conformance-questionnaire/questionnaire.pdf) has Spec Refs to the OpenChain Spec 2.0 version and not the latest 2.1 (ISO 5230) version.

Is someone working on this already?

BR,

   Jari

---
Jari Koivisto
E-mail: jari.p.koivisto@...
Mobile: +41 78 7479791
Skype: jari.p.koivisto
LinkedIn: http://www.linkedin.com/in/jarikoivisto


Re: [telco] Tomorrows Telco Group meeting

 

Telco meeting underway right now:


On Feb 3, 2022, at 16:28, Gergely Csatari <gergely.csatari@...> wrote:



Hi,

 

Uh-oh, for some reason I do not see these meetings in the calendar [1]. Can you please advise how to get an invite?

 

Thanks,

Gergely

 

[1]: https://lists.openchainproject.org/g/telco/calendar

 

From: telco@... <telco@...> On Behalf Of Jimmy Ahlberg via lists.openchainproject.org
Sent: Wednesday, February 2, 2022 11:00 PM
To: telco@...
Subject: [telco] Tomorrows Telco Group meeting

 

Dear Telco group subscribers, welcome all to tomorrow's Telco Group meeting.

 

I would like to share with you a bit of the thinking that currently exists around the Telco Group as well as our tentative agenda for tomorrow.

 

In the meetings we ran last year we exchanged experiences and best practices around open source in the telco field; my sincere thanks to everyone who so freely shared their experiences and wisdom with the group. I for one learned a lot and have a lot more to learn still. Going forward we will have our meetings regularly on the first Thursday of each month, one meeting in the morning (for those of us based in Europe) and one in the afternoon, so that we ensure that everyone has a chance to participate regardless of time zone. We can change this cadence later and have ad hoc meetings as needed, but this way we have a standing appointment in the calendar. At least initially we will run the meetings with identical agendas, so no one should feel obliged to join both meetings, even if you are welcome to do so if you want to.

 

Last year we also discussed in our meetings and in emails some concrete things we could do in the telco sector to simplify open source management in our industry. The conclusion was that documenting and harmonizing best practices for SBoM management seems to be a low-hanging fruit we could reach for. There exist great tools already, such as SPDX, CycloneDX and the OpenChain specification itself; the idea is not to reinvent these wheels but rather to see what we can build on top of them that would be of use to our industry. The group and this list remain a place to exchange experiences and best practices; we should not lose track of that. At the same time, we are from the telco industry, where standardization, harmonization, and interoperability are part of our DNA, so I think this more actionable work is a natural expression of this.

 

With this in mind I would like to propose the following agenda for our meeting tomorrow.

 

  1. Welcome & “round the table” introduction of who is who.
  2. Agree on cornerstone principles for our work on “Telco Standard SBoM” going forward. (Below are my proposals; if you would like to add further suggestions, feel free to do so during the meeting or over email.)
    1. We do not aim to change the OpenChain specification or fork it.
    2. To implement the “Telco standard for SBoM” you need not be OpenChain conformant.
    3. The solution in its entirety needs to adhere to the US federal requirements.
  3. Is there a need for a formal Terms Of Reference style document?
  4. Work items: The suggestion is that we discuss some of the major points that were brought up during our brainstorming sessions.
    1. SBoM data format: Suggestions so far include that the “Telco standard for SBoM” should mandate SPDX in its latest version, SPDX in its ISO format, CycloneDX (no version suggested), or that we remain agnostic on the issue of data format.
    2. File format (What should we use for the machine readable SBoM, one format or many? What format should we use for the human readable version?) Do we want to support that these on a voluntary basis are transactable separately from the binary/source?
    3. Timing, when should the SBoM be delivered?
    4. Template contract clauses to reference our “Telco Standard for SBoM”/playbooks.
    5. Any other additions to the above?
  5. AoB.
  6. Close of the meeting.

 

Feel free to suggest alterations to this agenda if you think there are other things that are more urgent to discuss.

 

Looking forward to seeing you all virtually at any of the meetings tomorrow.

 

Best Regards Jimmy Ahlberg

 

 

Jimmy Ahlberg LL.M

Director Open Source Policy

 

Group Function Technology Standards & Industry Initiatives

 

Phone: +46107198055

Mobile: +46725838055

jimmy.ahlberg@...

 

Ericsson

Lindholmspiren 11

417 56, Göteborg

Sweden

ericsson.com

 

 


 


Invitation: OpenChain Telco Work Group Meeting @ Monthly from 17:00 to 18:00 on the first Thursday from Thu Feb 3 to Thu Mar 3 (JST) (main@lists.openchainproject.org)

 

You have been invited to the following event.

OpenChain Telco Work Group Meeting

When
Monthly from 17:00 to 18:00 on the first Thursday from Thu Feb 3 to Thu Mar 3 Japan Standard Time
Where
https://zoom.us/j/4377592799
Calendar
main@...
Who
scoughlan@... - creator
OpenChain Main
OpenChain Telco Work Group
~==========================~
You have been invited to a Zoom meeting:

https://zoom.us/j/4377592799

Meeting ID: 4377592799

One tap mobile:
+13017158592,,4377592799# US (Washington DC)
+13126266799,,4377592799# US (Chicago)
+13462487799,,4377592799# US (Houston)
+16465588656,,4377592799# US (New York)
+16699006833,,4377592799# US (San Jose)
+12532158782,,4377592799# US (Tacoma)
+18773690926,,4377592799# US
+18558801246,,4377592799# US
+14388097799,,4377592799# Canada
+15873281099,,4377592799# Canada
+16473744685,,4377592799# Canada
+16475580588,,4377592799# Canada
+17789072071,,4377592799# Canada
+12042727920,,4377592799# Canada
+18557038985,,4377592799# Canada

Dial by your location:
+1 3017158592 US (Washington DC)
+1 3126266799 US (Chicago)
+1 3462487799 US (Houston)
+1 6465588656 US (New York)
+1 6699006833 US (San Jose)
+1 2532158782 US (Tacoma)
+1 8773690926 US
+1 8558801246 US
+1 4388097799 Canada
+1 5873281099 Canada
+1 6473744685 Canada
+1 6475580588 Canada
+1 7789072071 Canada
+1 2042727920 Canada
+1 8557038985 Canada
Find your local number: https://zoom.us/zoomconference
~==========================~

Invitation from Google Calendar


Re: Meaning of Open Source license in 2.1.1

Mark Gisi
 

Jan’s description is consistent with my interpretation. If there is general confusion over the meaning of “Open Source compliance inquiry” – I would recommend someone file an issue here:

    https://github.com/OpenChain-Project/Specification/issues

 

We can consider using alternative wording or adding a question/answer in the spec FAQ.

 

- Mark

 

Mark Gisi
Director, Open Source Program Office

Empowering Customers to Prosper using Open Source

(510) 749-2016

Wind River

 

 


Re: Meaning of Open Source license in 2.1.1

Jan Thielscher
 

Hi Gergely,

my understanding is that it addresses the handling of the inbound questions concerning the open source parts of the Supplied Software.

Assume you are using some GPLv2 licensed code and offer to hand over the sources attached with that license. You will need an interface with the external world to receive and reliably process the request.

The same applies to questions - and here you do well to make sure the process is well known across the organisation - arising from potential notifications of infringements through the Supplied Software. Assume someone wants to contact you because he thinks the Supplied Software is non-compliant with his view of how the components should be treated/handled/documented… Having a sound procedure in place allowing you to record, understand and securely process this inquiry will help to protect the company from potential damage.

I hope this answers your question? 

Mit freundlichem Gruß / kind regards
Jan Thielscher
 
T: +49 69 153 22 77 55
F: +49 69 153 22 77 51



Meaning of Open Source license in 2.1.1

Gergely Csatari
 

Hi,

 

I’m trying to interpret the requirements of 2.1.1 and I have problems finding out the meaning of “Open Source compliance inquiry”. It is not defined in the document. Can someone please clarify its meaning?

 

Thanks,

Gergely


Frequent Misunderstandings of OSS licenses V7.1

ouchi yoshiko
 

Hello.
The other day, JAPAN WG FAQ-SG published "Common misunderstandings related to OSS license V7", and we received a request to add a link to each QA slide from the index.
Therefore, we have published a new version with links as V7.1.

We hope you find it useful.
https://github.com/OpenChain-Project/OpenChain-JWG/tree/master/Education_Material/FAQ

Regards,
Yoshiko Ouchi


OpenChain Security Assurance Reference Specification - DRAFT 2.0

 

As discussed on our last call, some changes reflecting our conceptual approach (up for discussion):
https://github.com/OpenChain-Project/SecurityAssuranceGuide/blob/main/Guide/2.0/OpenChainSecurityAssuranceGuide.2.0-DRAFT.docx

From the introduction:

The OpenChain Project is working towards a supply chain where open source is delivered with trusted and consistent compliance information. We maintain OpenChain ISO/IEC 5230:2020, the International Standard for open source license compliance. Adjacent to this the project maintains a large international community, extensive reference materials, and working groups addressing various domain issues. We support discussions around security, export control, M&A and other topics.

OpenChain ISO/IEC 5230:2020 is a process management specification that identifies inbound, internal and outbound inflection points where a process, policy or training should exist. The identification and tracking of software used and deployed is an inherent part of getting this right, and this also allows our standard to be useful for security or export control.

We noticed that OpenChain ISO/IEC 5230:2020 was being used quite often in deployment discussions and we wanted to support our broader community around these use-cases. The reference specification you are now reading is focused on the security domain. It is intended to identify and describe the key requirements of a quality Security Assurance Program in the context of using Open Source Software. This early iteration of the document focuses on a narrow subset of primary concern: checking Open Source Software against publicly known security vulnerabilities like CVEs, GitHub/GitLab vulnerability reports, and so on.

This document focuses on the “what” and “why” aspects of a quality Security Assurance Program rather than delving into “how” and “when.” This is a conscious decision to ensure flexibility for companies of any size and in any market to use this reference specification. This approach, along with the types of processes identified, is built on more than half a decade of practical global feedback around the creation and management of such programs. The end result is that a company can frame a program that precisely fits their supply chain requirements, scoped to a single product or a complete legal entity, and take this solution to market quickly and effectively.

The scope of this reference specification may expand over time based on community feedback.

This introduction describes the reference specification’s purpose. Section 2 defines key terms used throughout this document. Section 3 defines the requirements that a Program must satisfy to achieve a core level of Security Assurance. Each requirement consists of one or more verification materials (i.e., records) that must be produced to satisfy the requirement. Verification materials are not required to be made public, though an organization may choose to provide them to others, potentially under a Non-Disclosure Agreement (NDA).

This reference specification is licensed under Creative Commons Attribution License 4.0 (CC-BY-4.0). Because it takes the form of a Reference Specification, and is therefore intended to fit into the mental model applied to specification creation, it is not designed to be modified outside of the formal editing track. You can take part in editing this document via the OpenChain Project bi-weekly calls. You can learn about joining these calls and our other activities here:

https://www.openchainproject.org/community


Happy New Year!

 

As we enter the year of the Tiger I want to wish everyone fortune and happiness. 
新年好, 恭喜发财 and 새해 복 많이 받으세요!
