Re: Invitation: OpenChain Telco Work Group Meeting @ Monthly from 17:00 to 18:00 on the first Thursday from Thu Feb 3 to Thu Mar 3 (JST) (main@lists.openchainproject.org)
Christopher Wood
Good morning Shane,
I am sorry that I missed the 2AM meeting. Guess I was sleeping while it snowed.
Regards,
Chris
On Feb 3, 2022, at 1:30 AM, Shane Coughlan <scoughlan@...> wrote:
OpenChain Self Certification
Jari Koivisto
Hi All,
I just noticed that the printable version of the self-certification document (https://openchain-project.github.io/conformance-questionnaire/questionnaire.pdf) has Spec Refs to the OpenChain Spec 2.0 version and not the latest 2.1 (ISO 5230) version. Is someone working on this already?
BR, Jari
---
Jari Koivisto
E-mail: jari.p.koivisto@...
Mobile: +41 78 7479791
Skype: jari.p.koivisto
LinkedIn: http://www.linkedin.com/in/jarikoivisto
Re: [telco] Tomorrows Telco Group meeting
On Feb 3, 2022, at 16:28, Gergely Csatari <gergely.csatari@...> wrote:
Invitation: OpenChain Telco Work Group Meeting @ Monthly from 17:00 to 18:00 on the first Thursday from Thu Feb 3 to Thu Mar 3 (JST) (main@lists.openchainproject.org)
Re: Meaning of Open Source license in 2.1.1
Mark Gisi
Jan’s description is consistent with my interpretation. If there is general confusion over the meaning of “Open Source compliance inquiry” – I would recommend someone file an issue here: https://github.com/OpenChain-Project/Specification/issues
We can consider using alternative wording or adding a question/answer in the spec FAQ.
- Mark
Mark Gisi
Empowering Customers to Prosper using Open Source
(510) 749-2016
From: main@... <main@...> On Behalf Of Jan Thielscher
Re: Meaning of Open Source license in 2.1.1
Jan Thielscher
Hi Gergely,
my understanding is that it addresses the handling of the inbound questions concerning the open source parts of the Supplied Software.
Assume you are using some GPLv2 licensed code and offer to hand over the sources attached with that license. You will need an interface with the external world to receive and reliably process the request.
The same applies to questions - and here you would do well to make sure the process is well known across the organisation - by potential notifications of infringements through the Supplied Software. Assume someone wants to contact you because he thinks the Supplied Software is non-compliant with his view of how the components should be treated/handled/documented… Having a sound procedure in place allowing you to record, understand and securely process this inquiry will help to protect the company from potential damage.
I hope this answers your question?
Mit freundlichem Gruß / kind regards
Jan Thielscher
T: +49 69 153 22 77 55
F: +49 69 153 22 77 51
Meaning of Open Source license in 2.1.1
Gergely Csatari
Hi,
I’m trying to interpret the requirements of 2.1.1 and I have problems finding out the meaning of “Open Source compliance inquiry”. It is not defined in the document. Can someone please clarify its meaning?
Thanks, Gergely
Frequent Misunderstandings of OSS licenses V7.1
ouchi yoshiko
Hello.
The other day, JAPAN WG FAQ-SG published "Common misunderstandings related to OSS license V7", and we received a request to add a link to each QA slide from the index. Therefore, we have published a new version with links as V7.1. We hope you find it useful.
https://github.com/OpenChain-Project/OpenChain-JWG/tree/master/Education_Material/FAQ
Regards,
Yoshiko Ouchi
OpenChain Security Assurance Reference Specification - DRAFT 2.0
As discussed on our last call, some changes reflecting our conceptual approach (up for discussion):
https://github.com/OpenChain-Project/SecurityAssuranceGuide/blob/main/Guide/2.0/OpenChainSecurityAssuranceGuide.2.0-DRAFT.docx

From the introduction:

The OpenChain Project is working towards a supply chain where open source is delivered with trusted and consistent compliance information. We maintain OpenChain ISO/IEC 5230:2020, the International Standard for open source license compliance. Adjacent to this the project maintains a large international community, extensive reference materials, and working groups addressing various domain issues. We support discussions around security, export control, M&A and other topics.

OpenChain ISO/IEC 5230:2020 is a process management specification that identifies inbound, internal and outbound inflection points where a process, policy or training should exist. The identification and tracking of software used and deployed is an inherent part of getting this right, and this also allows our standard to be useful for security or export control. We noticed that OpenChain ISO/IEC 5230:2020 was being used quite often in deployment discussions and we wanted to support our broader community around these use-cases.

The reference specification you are now reading is focused on the security domain. It is intended to identify and describe the key requirements of a quality Security Assurance Program in the context of using Open Source Software. This early iteration of the document focuses on a narrow subset of primary concern: checking Open Source Software against publicly known security vulnerabilities like CVEs, GitHub/GitLab vulnerability reports, and so on. This document focuses on the “what” and “why” aspects of a quality Security Assurance Program rather than delving into the “how” and “when.” This is a conscious decision to ensure flexibility for companies of any size and in any market to use this reference specification.

This approach, along with the types of processes identified, is built on more than half a decade of practical global feedback around the creation and management of such programs. The end result is that a company can frame a program that precisely fits their supply chain requirements, scoped to a single product or a complete legal entity, and take this solution to market quickly and effectively. The scope of this reference specification may expand over time based on community feedback.

This introduction describes the reference specification’s purpose. Section 2 defines key terms used throughout this document. Section 3 defines the requirements that a Program must satisfy to achieve a core level of Security Assurance. Each requirement consists of one or more verification materials (i.e., records) that must be produced to satisfy the requirement. Verification materials are not required to be made public, though an organization may choose to provide them to others, potentially under a Non-Disclosure Agreement (NDA).

This reference specification is licensed under the Creative Commons Attribution License 4.0 (CC-BY-4.0). Because it takes the form of a Reference Specification, and is therefore intended to fit into the mental model applied to specification creation, it is not designed to be modified outside of the formal editing track. You can take part in editing this document via the OpenChain Project bi-weekly calls. You can learn about joining these calls and our other activities here: https://www.openchainproject.org/community
Happy New Year!
As we enter the year of the Tiger I want to wish everyone fortune and happiness.
Happy New Year and may you prosper (新年好, 恭喜发财), and Happy New Year (새해 복 많이 받으세요)!
Our biweekly meeting takes place in around one hour
Reminder:
On Jan 31, 2022, at 17:30, Shane Coughlan <scoughlan@...> wrote:
Our biweekly meeting takes place in around one hour. Agenda:
Forthcoming summits
Security + the specification
What you (as users) want to see from the partner ecosystem
Dial in: https://zoom.us/j/4377592799
OpenChain Bi-Weekly Meeting - 14:00 UTC 2022-01-31 (today) - 06:00 PST / 14:00 BST / 15:00 CET / 19:00 IST / 22:00 CST / 23:00 KST+JST
Our regular bi-weekly meeting takes place today. We will be talking about:
Forthcoming summits
Security + the specification
What you (as users) want to see from the partner ecosystem
Dial in: https://zoom.us/j/4377592799
Check your time: 14:00 UTC 2022-01-31 (today) - 06:00 PST / 14:00 BST / 15:00 CET / 19:00 IST / 22:00 CST / 23:00 KST+JST
Re: “A Bug in Early Creative Commons Licenses Has Enabled a New Breed of Superpredator”
McCoy Smith
The “immediate termination on breach” clause of GPLv2 was, in part, being used in the McHardy litigations (just settled for good) in Germany. Some more detailed analysis here: https://jolts.world/index.php/jolts/article/view/128/246 It’s also why the cooperation commitment for GPLv2 was done: https://opensource.com/article/18/11/gpl-cooperation-commitment
There’s another debate to be had about the notice requirements of various licenses (which is the peg on which this particular CC litigant hangs their hat), and how compliance for that is done, and to what extent that’s all that valuable. I tend to think at some point License Zero type licenses (not the current ones, but different flavors of future ones, which could include copyleft) will look more attractive.
From: main@... <main@...> On Behalf Of Steve Kilbane
Sent: Friday, January 28, 2022 1:56 AM
To: main@...
Subject: Re: [openchain] “A Bug in Early Creative Commons Licenses Has Enabled a New Breed of Superpredator”
Re: “A Bug in Early Creative Commons Licenses Has Enabled a New Breed of Superpredator”
If I'm understanding this correctly, the key aspect here is that a breach leads to termination of rights without opportunity of remedy. Isn't that relatively common in open source licenses, not just the Creative Commons ones?
I acknowledge that, as Cory describes, it's easy to create large quantities of media (e.g. stock photos) that is directly owned by a copyleft troll, as bait. But doesn't the problem also apply to open source software? While it's harder to software packages that will be so easily picked up by sufficient users to make the effort worthwhile, I can think of a couple of attacks here:
The attacker could fork a popular package under a permissive license, make minor changes, and re-release with a subtle renaming under a compatible license w/o remedy period.
More perniciously, the attacker could contribute changes to the original package which made use of media under the CC licenses or other licenses with a similar problem.
steve
From: main@... <main@...> On Behalf Of Shane Coughlan
Very little open source *code* is under Creative Commons licenses. However, a lot of open source *documentation* is under Creative Commons licenses. Therefore, we should keep an eye on this matter.
“Copyleft trolls, robosigning, and Pixsy”
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
External: The EU Open Source Policy Summit
An OFE production on the 4th of February:
https://summit.openforumeurope.org/
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting: https://meetings.hubspot.com/scoughlan
Diversion: our virtual Christmas party
For those who missed it, we were hanging out on a virtual island (thank you Korea Community) and sharing stories about trains.
Re: [germany-wg] [openchain] FAQ: Common Misunderstandings about OSS Licensing (English and Japanese
This is incredible! Thank you all and I am really looking forward to next steps here. Naturally we will want to share the results far and wide.
On Jan 26, 2022, at 21:31, Astrid Spura <office@...> wrote:
Re: [germany-wg] [openchain] FAQ: Common Misunderstandings about OSS Licensing (English and Japanese
Astrid Spura <office@...>
Thank you very much for offering help! Reviewing translation would be great. I will get in touch in time.
Best regards,
Astrid

On 25.01.22 at 19:53, Jan Thielscher wrote:
> 😊 ... so count me in as well...

--
Astrid Spura, Compliance & Communication
Astrid.Spura@...
Open Source Automation Development Lab (OSADL) eG
Im Neuenheimer Feld 583, 69120 Heidelberg
Phone: 06221 98504-0, Fax: 06221 98504-80
office@... http://www.osadl.org
https://youtu.be/18RgBp9X6ss
Registered office: Heidelberg
Cooperative register no. 700048 at the district court of Mannheim
Chairman of the Supervisory Board: Axel Berghoff
Directors: Andreas Orzelski, Rainer Thieringer
Tax no. 32080/02883, VAT ID DE249975743
Re: [germany-wg] [openchain] FAQ: Common Misunderstandings about OSS Licensing (English and Japanese
Jan Thielscher
😊 ... so count me in as well...
From: main@... <main@...> on behalf of Stefanie Pors via lists.openchainproject.org <stefanie.pors=intel.com@...>
Re: [germany-wg] [openchain] FAQ: Common Misunderstandings about OSS Licensing (English and Japanese
Hi Stefan, Astrid,
Happy to provide a pair of German reviewing eyes as well. (Stefan, the "ping" on the *old* group worked 😉)
Greetings
Steffi
Stefanie Pors
GAT EMEA – Intel Legal Department
-----Original Message-----
From: germany-wg@... <germany-wg@...> On Behalf Of Stefan Thanheiser
Sent: Tuesday, 25 January 2022 18:38
To: main@...; germany-wg@...
Subject: Re: [germany-wg] [openchain] FAQ: Common Misunderstandings about OSS Licensing (English and Japanese

Hi Astrid,
please count me in for the translation into German (if you need more helping hands/brains). I also could offer https://github.com/OCSpecGermanTranslation as collaboration space. Are there more volunteers (maybe from the 'old' specification translation group 😉 )?
Regards, Stefan

Stefan Thanheiser
Atruvia AG --- Service Area Quality, IT Security & Procurement, Tribe Procurement, Chapter Software Asset & License Management ---
Phone +49 721 4004-1860
Mobile +49 170 3304133
E-mail stefan.thanheiser@...
Atruvia AG | www.atruvia.de
AG Frankfurt a. M. HRB 102381 | Registered office: Frankfurt a. M. | VAT ID DE 143582320
Board of Management: Martin Beyer (Spokesman), Ulrich Coenen (Spokesman), Daniela Bücker, Birgit Frohnhoff, Jörg Staff, Ralf Teufel
Chairman of the Supervisory Board: Jürgen Brinkmann

-----Original Message-----
From: main@... <main@...> On Behalf Of Astrid Spura
Sent: Tuesday, 25 January 2022 16:38
To: main@...
Cc: OpenChain Japan <japan-wg@...>
Subject: Re: [openchain] FAQ: Common Misunderstandings about OSS Licensing (English and Japanese

Dear Shane, dear all,
> The OpenChain Japan work group has released a new revision of its FAQ regarding frequent misunderstandings around open source licenses. This FAQ is available in English and Japanese, and assistance in translating it into other languages is very welcome.
We would be happy to help with translation into German language. If there is already work in progress, please get in touch, so that we can share the workload.
> It is important to note that this document is based on real world experiences distilled into very practical knowledge. We are fortunate to have had many companies contribute to it, and it holds great potential to assist the supply chain.
Yes, well done. We appreciate the work. The issues mentioned are comparable with our experiences.
> You can get over on GitHub
> https://github.com/OpenChain-Project/OpenChain-JWG/tree/master/Education_Material/FAQ
Thanks. We will let you know as soon as the German version will be ready.
Best regards, Astrid
--
Astrid Spura, Compliance & Communication
Astrid.Spura@...
Open Source Automation Development Lab (OSADL) eG
Im Neuenheimer Feld 583, D-69120 Heidelberg, Germany
Phone: +49(6221)98504-0, Fax: +49(6221)98504-80
office@... http://www.osadl.org
https://youtu.be/z0MiLwP_n40
Location of the company: Heidelberg, Germany
Cooperative register #700048 at the district court of Mannheim
Chairman of the Supervisory Board: Axel Berghoff
Directors: Andreas Orzelski, Rainer Thieringer
Tax number 32080/02883, VAT Id-No DE249975743

Intel Germany GmbH & Co. KG
Registered Address: Lilienthalstraße 15 D-85579 Neubiberg Germany
Tel +49 89 89 89 97-0
www.intel.com
Registered Office: Neubiberg
Commercial Register: Amtsgericht München HRA 94167
Limited Partner (Kommanditist): Lantiq Intermediate Holdco S.à r.l
General Partner (Komplementär): Intel Germany Holding GmbH
Registered Office: Neubiberg
Commercial Register: Amtsgericht München HRB 180523
Managing Directors (Geschäftsführung): Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva