
Re: OpenChain Bi-Weekly Work Group Meeting Today 2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

Kate Stewart

Hi Shane,
Bit concerned about the slide mentioning the formats (SPDX, SWID, CycloneDX) - it's painting them as basically equivalent. However when it comes to representing licensing information only SPDX is rich enough to semantically capture this info properly. We're not highlighting this.

Since OpenChain is about licence compliance - not sure that if someone is not using SPDX it should be considered beyond bronze? Thoughts?

Kate

On Mon, Aug 23, 2021 at 3:47 AM Shane Coughlan <scoughlan@...> wrote:
We will be discussing a very important topic at the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC.

You can dial-in here:
https://zoom.us/j/4377592799

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230. Here is a slide-deck suggesting how this can be done:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Need to confirm your timezone?
2021-08-23 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST





Submit A Talk For Open Compliance Summit 2021 - December 16, 2021

Open Compliance Summit is an exclusive event for Linux Foundation members and select invitees. It will take place on December 16, 2021.

You can submit your talk proposals here:
https://events.linuxfoundation.org/open-compliance-summit/program/cfp/


Open Compliance Summit 2021 Registration Now Open - December 16, 2021

Make a note for December 16, 2021.

Open Compliance Summit is an exclusive event for Linux Foundation members and select invitees. Attendance is limited to ensure ease of networking and collaboration.
The summit (like prior) will be held under Chatham House Rule. Please consent to this rule before you request an invitation.
https://events.linuxfoundation.org/open-compliance-summit/register/

Linux Foundation Members
Linux Foundation Members are eligible to receive a 20% discount. Please email events@linuxfoundation.org to request the LF Member discount code.


OpenChain Bi-Weekly Work Group Meeting Today 2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

We will be discussing a very important topic at the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC.

You can dial-in here:
https://zoom.us/j/4377592799

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230. Here is a slide-deck suggesting how this can be done:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Need to confirm your timezone?
2021-08-23 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST


Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Dear all

During a recent OpenChain Japan Planning meeting we discussed the challenge of “next steps” in OpenChain ISO 5230 conformance. Our initial goal of adoption in the supply chain is well underway. Our basic concept of “raising all the boats” is working. But now it is time to talk in more detail about “raising the boats to where?”

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230.

Attached is a slide-deck exploring how this can be done. We will be discussing this in the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC. All welcome. No registration.
https://zoom.us/j/4377592799

You can add comments to this document online:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Regards

Shane


Coontec Adopts OpenChain ISO 5230

Coontec, a company focused on secure and effective embedded software, is the latest company to announce an OpenChain ISO 5230 conformant program.
https://www.openchainproject.org/news/2021/08/22/coontec-adopts-openchain-iso-5230


REMINDER: Download ISO/IEC 5230 for free from ISO (or buy it for 58 CHF)

You can get OpenChain ISO 5230 for free from the OpenChain website: www.openchainproject.org

However, some people want to download the ISO branded document. No problem! That’s free too if you go to the right place.

You can get a free copy of ISO/IEC 5230 from the Publicly Available Standards page:
https://standards.iso.org/ittf/PubliclyAvailableStandards/

Direct download link (you need to accept some terms):
https://standards.iso.org/ittf/PubliclyAvailableStandards/c081039_ISO_IEC_5230_2020(E).zip

You can also get the standard for 58 CHF through the normal ISO shop via our Main ISO page:
https://www.iso.org/standard/81039.html


QCT Announces OpenChain ISO 5230 Conformant Program

QCT, a global datacenter solution provider combining the efficiency of hyperscale hardware with infrastructure software, is the latest company to announce an OpenChain ISO 5230 conformant program. Learn more:
https://www.openchainproject.org/news/2021/08/19/qct-conformance

More about Quanta Cloud Technology (QCT)
Quanta Cloud Technology (QCT) is a global data center solution provider that combines the efficiency of hyperscale hardware with infrastructure software from a diversity of industry leaders to solve next-generation data center design and operational challenges. QCT serves cloud service providers, telecoms and enterprises running public, hybrid and private clouds.
Product lines include hyperconverged and software-defined data center solutions as well as servers, storage, switches and integrated racks with an ecosystem of hardware components and software partners. QCT designs, manufactures, integrates and services its offerings via its own global network. The parent of QCT is Quanta Computer, Inc., a Fortune Global 500 corporation.


Bureau Veritas Becomes The First OpenChain Certifier In The Greater China Region

Bureau Veritas, a leading Testing, Inspection and Certification provider for the consumer and electrical/electronic products industry, is pleased to announce a partnership with the OpenChain Project to become the fifth official OpenChain ISO 5230 third party certifier, and is now able to assess and certify open source program conformance to the OpenChain ISO/IEC 5230 standard.

Learn more:
https://www.openchainproject.org/news/2021/08/17/bureau-veritas-certifier


OpenChain China Work Group Meeting #6 - formal announcement of Huawei Platinum Membership / Board Seat @ OpenChain


OpenChain Global Work Team Call 2021-08-10 - full recording

This was the last major edit session of our now-published security reference guide. Recording here:
https://www.openchainproject.org/news/2021/08/11/global-work-team-2021-08-10


OpenChain Interview #15: Community and Execution in building an ISO standard

The OpenChain Interview Series continues with a deep-dive into the strategic background of creation and release of IEC/ISO 5230, the International Standard for open source license compliance. We are very lucky to welcome Max Sills, ex-Google and currently Square, to share part of his multi-year journey in building one of the largest governance communities in the world.
https://www.openchainproject.org/openchain-interview-15

Check out all our previous interviews here:
https://www.openchainproject.org/interviews


Huawei Joins The Governing Board Of The OpenChain Project


Huawei, a global leader in technology and open source, has joined the board of the OpenChain Project. Alongside 20 other global companies such as Qualcomm, Google, Siemens and Toyota, Huawei will work to align the supply chain behind OpenChain ISO 5230, the International Standard for quality open source compliance.

“Huawei is delighted to join the OpenChain Project. Huawei adheres to open collaboration and innovation, has long been committed to establishing a compliance management system that aligns with industry best practices, and incorporates compliance management into end-to-end business activities and processes,” said Wang Yousheng, Director of Open Source & Developer Dept, Huawei. “Huawei will be an active member in the OpenChain Project, and hopes, through constantly enhancing mutual understanding, cooperation and trust with global developer and open source communities, to build a more secure and trustworthy open source software chain together.”

“China is the center of innovation across many types of technology, including open source,” says Shane Coughlan, OpenChain General Manager. “Huawei’s leadership in this space has helped build bridges across the world. Their decision to join the governing board of the OpenChain Project is further evidence of this, and will be pivotal in taking OpenChain ISO 5230 to the next level. This will benefit every company using open source, a shared undertaking we approach with both excitement and respect.”

Huawei, one of the global leaders in information technology and open source, has joined the Governing Board of the OpenChain Project. Together with 20 other global companies including Qualcomm, Google, Siemens and Toyota, Huawei will work to align the open source software supply chain in support of the “OpenChain ISO 5230” International Standard, created for high-quality open source software compliance.

“Huawei is delighted to join the OpenChain Project. Huawei adheres to open collaboration and innovation, and has long been committed to establishing a compliance management system that meets industry best practices and to implementing compliance management end-to-end in its business activities and processes,” said Wang Yousheng, Director of Huawei’s Open Source & Developer Department. “Huawei will actively participate in the OpenChain Project, and hopes to work with global developers and open source communities to continuously enhance mutual understanding, trust and cooperation, and to jointly build a more secure and trustworthy open source software supply chain.”

“China is now a center of innovation for many kinds of technology, including open source,” said Shane Coughlan, General Manager of OpenChain. “Huawei’s leadership in the open source field has helped build bridges across the world in this area. Their decision to join the Governing Board of the OpenChain Project further proves this, and will play an important role in raising the OpenChain ISO 5230 standard to a higher level. This will benefit every company that uses open source, a shared undertaking that we approach with both excitement and respect.”

About Huawei

Founded in 1987, Huawei is a leading global provider of information and communications technology (ICT) infrastructure and smart devices. We have approximately 197,000 employees and we operate in over 170 countries and regions, serving more than three billion people around the world.
Huawei’s mission is to bring digital to every person, home and organization for a fully connected, intelligent world. To this end, we will: drive ubiquitous connectivity and promote equal access to networks to lay the foundation for the intelligent world; provide the ultimate computing power to deliver ubiquitous cloud and intelligence; build powerful digital platforms to help all industries and organizations become more agile, efficient, and dynamic; redefine user experience with AI, offering consumers more personalized and intelligent experiences across all scenarios, including home, travel, office, entertainment, and fitness & health.

About Huawei

Founded in 1987, Huawei is a leading global provider of ICT (information and communications) infrastructure and smart devices. Huawei currently has approximately 197,000 employees, operates in more than 170 countries and regions, and serves more than 3 billion people worldwide.
Huawei is committed to bringing the digital world to every person, home and organization and to building a fully connected, intelligent world: making ubiquitous connectivity an equal right for everyone and the premise and foundation of the intelligent world; providing the world with the strongest computing power so that cloud is everywhere and intelligence reaches everything; enabling all industries and organizations to become agile, efficient and dynamic through powerful digital platforms; and redefining experience through AI so that consumers enjoy the ultimate personalized and intelligent experience across all scenarios, including home, travel, office, entertainment, and sports and health.


OpenChain Webinar Today 2021-08-16 @ 14:00 UTC - Heads up on a very cool part of our forthcoming webinar. Carlo Piana and Alberto Pianon will open the door on a new frontier for OpenChain. Welcome to practical application in projects.

Heads up on a very cool part of our webinar today. Carlo Piana and Alberto Pianon will open the door on a new frontier for OpenChain. Welcome to practical application in projects.
'OpenChain beyond companies: How OpenHarmony and openEuler have applied OpenChain ISO 5230 for process management'

And as mentioned earlier:

Helpful Engineering will discuss open innovation in the pandemic response with a focus on governance. Their case study will include a case study of an open source license violation (unpacking the situation, not naming names). 

Join the call:
https://zoom.us/j/4377592799

Need to confirm your timezone?
2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST


OpenChain Webinar Today 2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

OpenChain Webinar Today:

We have a bit of a treat today. Helpful Engineering will discuss open innovation in the pandemic response with a focus on governance. Their case study will include a case study of an open source license violation (unpacking the situation, not naming names).

Learn more about this organization:
https://helpfulengineering.org/

Join the call:
https://zoom.us/j/4377592799

Need to confirm your timezone?
2021-08-16 @ 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST


OpenChain ISO 5230 – Security Assurance Reference Guide Now Available

The OpenChain Project has a mission to establish trust in the Open Source from which Software Solutions are built. The International Standard OpenChain ISO 5230 addresses this matter from the perspective of open source license compliance. Many of the same processes are equally applicable to open source security, and for this reason we are providing guidance regarding how they can be applied.

The OpenChain Security Assurance Reference Guide 1.0 has a similar format to OpenChain ISO 5230. It can be regarded as a map enabling a user to transpose the proven processes of ISO 5230 to the security domain. This first iteration of the reference guide focuses on the core process of identifying and addressing “known vulnerabilities.” Over time we will evolve the guide to refine its effectiveness.

The OpenChain Security Assurance Reference Guide should be understood as a method to complement rather than compete with security specific standards. It is quite possible that an organization compliant with another given standard will automatically meet all the processes outlined in the OpenChain Security Assurance Reference Guide. This is by design.

As the OpenChain Project adds additional reference guides over time (e.g., quality, export compliance, malware and functional safety) the value of OpenChain ISO 5230 will grow. This work – as with all activity inside the OpenChain Project – will be undertaken by the community of user companies for the benefit of the community.

Get The Reference Guide
https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide/1.0

Send Feedback To The Specification Team
https://lists.openchainproject.org/g/specification


Re: FINAL REMINDER: OpenChain Security Guidance Document - Last Call

Mark Gisi

Hi Nicole,

Thanks for the feedback. We briefly discussed your concern during the Specification working group meeting yesterday.

I know we'd like to focus on the open source part,
The Specification working group's mission is:
Establishing trust in the Open Source from which Software Solutions are built

but as realistically there are software components shipped down the supply chain that exist of both open source and added self-developed code, shouldn't we at least add somewhere that people need to be aware of the existing application specific security standards?
It is true the focus is on the open source part of the hybrid solutions you referred to. Most software solutions of at least moderate complexity will typically include some % of open source. In many cases (IoT devices, SaaS) it could be between 70 and 90%. We initially focus on the core process of identifying "known vulnerabilities" in the open source part because it typically represents a large % and that is where much of the data about vulnerabilities exists. That is where most companies start from and invest most of their effort in. Being able to detect vulnerabilities in the self-developed code (i.e., the non-open source part) is a more complex problem with much less public data and hence a lower return on investment.

Because our focus is about establishing trust in open source, the initial focus should contribute to that. We anticipate we will broaden the scope over time based on community feedback (such as yours).

62443 anyway, why bother with the OpenChain security addendum at all...
OpenChain will likely complement as opposed to compete with many other standards. It is quite possible that an organization compliant with another given standard will automatically be compliant with the OpenChain security addendum. That is ok - a supplier can claim compliance with both standards (something many suppliers like to do). Because the lion's share of the software of many suppliers is comprised of open source, OEMs/manufacturers have become very interested in the health and well-being of the open source part. The key is for a manufacturer to obtain assurance that their suppliers are handling open source correctly (with respect to license compliance and security assurance). As OpenChain adds additional assurances over time (e.g., quality, export compliance, malware and functional safety), the more valuable the OpenChain compliance suite becomes. That is - OpenChain will be able to provide a one stop shop for open source assurance (trust), which is a powerful value proposition.

I'd love to discuss this in today's call, but unfortunately I'm already off to another appointment...
We look forward to your future participation. These are the kinds of concerns we need to be discussing.

best,
Mark

Mark Gisi
Director, Open Source Program Office
Empowering Customers to Prosper using Open Source
(510) 749-2016





-----Original Message-----
From: main@lists.openchainproject.org <main@lists.openchainproject.org> On Behalf Of Nicole Pappler
Sent: Monday, August 9, 2021 10:57 PM
To: OpenChain Specification <specification@lists.openchainproject.org>; main@lists.openchainproject.org
Subject: Re: [openchain] FINAL REMINDER: OpenChain Security Guidance Document - Last Call

Hi all,

I went through the security addendum, and what I'm now really wondering is, shouldn't we address the existence of the other existing security standards? Like IEC 62443 or ISO 21434? I know we'd like to focus on the open source part, but as realistically there are software components shipped down the supply chain that exist of both open source and added self-developed code, shouldn't we at least add somewhere that people need to be aware of the existing application specific security standards? That they need to evaluate if they are applicable to their scope? Not sure if we should make it a hard requirement, but I'm afraid that completely ignoring existing standards would weaken the OpenChain statement here - as people might say, I have to adhere to IEC/ISO 62443 anyway, why bother with the OpenChain security addendum at all...

I'd love to discuss this in today's call, but unfortunately I'm already off to another appointment...

Cheers,

Nicole


Am 10.08.21 um 07:40 schrieb Shane Coughlan:
We begin in 20 minutes :)

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00
UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:
https://zoom.us/j/4377592799

The finished document will be released this week. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.




--
——————————————————————————————————————
Nicole Pappler
email: nicole.pappler@PAPPSTARpromotion.de
mobile: +49 15156078183

PAPPSTARpromotion GmbH
Nürnberger Str. 2
91717 Wassertrüdingen
Germany

Sitz der Gesellschaft: Wassertrüdingen Registergericht: Amtsgericht Ansbach, HRB 7127
Geschäftsführer: Prof. Dr. Andreas Bärwald http://www.PAPPSTARpromotion.de


Re: FINAL REMINDER: OpenChain Security Guidance Document - Last Call

Nicole Pappler

Hi all,

I went through the security addendum, and what I'm now really wondering is, shouldn't we address the existence of the other existing security standards? Like IEC 62443 or ISO 21434? I know we'd like to focus on the open source part, but as realistically there are software components shipped down the supply chain that exist of both open source and added self-developed code, shouldn't we at least add somewhere that people need to be aware of the existing application specific security standards? That they need to evaluate if they are applicable to their scope? Not sure if we should make it a hard requirement, but I'm afraid that completely ignoring existing standards would weaken the OpenChain statement here - as people might say, I have to adhere to IEC/ISO 62443 anyway, why bother with the OpenChain security addendum at all...

I'd love to discuss this in today's call, but unfortunately I'm already off to another appointment...

Cheers,

Nicole


Am 10.08.21 um 07:40 schrieb Shane Coughlan:

We begin in 20 minutes :)

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:
https://zoom.us/j/4377592799

The finished document will be released this week. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.



--
——————————————————————————————————————
Nicole Pappler
email: nicole.pappler@PAPPSTARpromotion.de
mobile: +49 15156078183

PAPPSTARpromotion GmbH
Nürnberger Str. 2
91717 Wassertrüdingen
Germany

Sitz der Gesellschaft: Wassertrüdingen Registergericht: Amtsgericht Ansbach, HRB 7127
Geschäftsführer: Prof. Dr. Andreas Bärwald
http://www.PAPPSTARpromotion.de


FINAL REMINDER: OpenChain Security Guidance Document - Last Call

We begin in 20 minutes :)

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:
https://zoom.us/j/4377592799

The finished document will be released this week. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.


REMINDER: OpenChain Security Guidance Document - Last Call - OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-08-10 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

We are finalizing this document:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

In this Zoom room:
https://zoom.us/j/4377592799

The finished document will be released tomorrow. It will provide context to all users of OpenChain ISO 5230 on application in the context of security.