Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Mark Gisi

Hi Chris,

>> Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?

We introduced the security assurance guide as a separate deliverable initially to reduce friction to adoption of both the spec and the security guide. We did not want a company to feel obligated to conform with both to achieve either one. However, having noted that, they were designed to be highly similar in spirit and format, and easily achieved together should a company choose (or a customer require it). That is, they are separate but highly complementary. The long-term objective is to create trust in open source by working toward creating a suite of highly complementary conformance specifications (e.g., license compliance, security, quality, export compliance, …) such that an organization can choose the ones that best fit its needs. For that reason we are trying to avoid creating a single monolithic specification.

Let us know if that does not completely address your concern.

best,

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River

From: main@... <main@...> On Behalf Of Christopher Wood
Sent: Tuesday, November 2, 2021 3:43 PM
To: main@...
Cc: Gisi, Mark <Mark.Gisi@...>; Shane Coughlan <scoughlan@...>
Subject: Re: [openchain] OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Hello

Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?

Thanks

Chris


Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Mark Gisi

Hi Tak,

>> there is no specific way to declare conformance to this guide. And each duration will be managed separately.

One can declare conformance with the guide. According to section 3.4.2:

    3.4.2.1 A document affirming the Program meets all the requirements of this guide, within the past 18 months of obtaining conformance validation.

Although it is true they are separate, they are highly complementary. Once a company has gathered up evidence that demonstrates that each of the requirements (verification materials) has been met, including a document for verification artifact 3.4.2.1 above, one can claim conformance from the date of that document. At that point the company would be able to present evidence to any party (at their choice) to demonstrate conformance (e.g., a major customer). Although it is NOT a requirement to publish the evidence, they would be capable should they choose to do so.

>> if a program already OpenChain conformant is newly this guide conformant, it may be possible to renew this guide conformant in conjunction with the subsequent OpenChain conformant.

Yes, that is very achievable. Although they each require separate preparation and archiving of evidence (verification materials), they can be performed in parallel. Even if an organization achieved conformance with the spec 6 months prior to the security assurance guide, they can both be renewed in the future at the same time. There is no need to wait 18 months. An organization can choose to verify conformance annually (e.g., every January), which represents a best practice. The 18 month requirement was included as a minimum baseline to make sure an organization keeps their evidence (i.e., their policies, procedures and documents) current.

Please let us know if you would like additional clarification.

best,

Mark

Mark Gisi
Director, Open Source Program Office

Empowering Engineers & Customers to Prosper using Open Source

(510) 749-2016

Wind River


Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Christopher Wood

Hello

Is there some way to incorporate this guide into the basic OpenChain Specification as an added conformance item?

Thanks

Chris

On Nov 2, 2021, at 5:16 PM, Takashi Ninjouji <takashi.ninjouji@...> wrote:

Hello Mark and Shane,

I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something. My understanding is:

(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide, and each duration will be managed separately.

(2) In practice, if a program that is already OpenChain conformant newly becomes conformant with this guide, it may be possible to renew conformance with this guide in conjunction with the subsequent OpenChain conformance renewal.

Is all of the above OK?

Best Regards

Tak



On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:

Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.

Regards

Shane 

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:


Re: OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

Takashi Ninjouji

Hello Mark and Shane,

I'm translating §3.4 of the Security Assurance Reference Guide ("this guide") into Japanese, but I need to confirm something. My understanding is:

(1) This guide focuses on security assurance and can be operated independently of the OpenChain Specification. However, there is no specific way to declare conformance to this guide, and each duration will be managed separately.

(2) In practice, if a program that is already OpenChain conformant newly becomes conformant with this guide, it may be possible to renew conformance with this guide in conjunction with the subsequent OpenChain conformance renewal.

Is all of the above OK?

Best Regards

Tak



On Tue, Oct 26, 2021 at 1:07 PM Shane Coughlan <scoughlan@...> wrote:
As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:

Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.

Regards

Shane 

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:


OpenChain Japan Work Group Meeting #21 – 2021-10-20

Full recording (Japanese) available here. Excellent on-boarding point for your Japanese team or suppliers:
https://www.openchainproject.org/news/2021/11/02/jp-wg-21


Regional Traction: 2,100 Eyes on Japanese FAQ

The OpenChain Project often highlights global news. However, it is important to remember that the majority of activity is truly distributed around the world, especially in our local China, Japan, Korea, Taiwan, India, Germany, UK and US work groups. Today we are taking a moment to shine a spotlight on a specific example in Japan.

The OpenChain Japan Work Group operates seven sub-groups, one of which is focused on providing answers to frequently asked questions, chaired by Ouchi San from Fujitsu. The FAQ document produced by the group has been downloaded over 2,100 times so far, demonstrating the extent of information dissemination in a specific geography.

If you have a Japanese office (or you represent a Japanese company), please be aware that the FAQ sub-group meets on the 8th of November at 15:00 JST. All welcome.

・Date and time: Monday, November 8, 15:00 to 17:30
・The Chatham House Rule applies.
 (Do not disclose who said what; information obtained may be used freely.)
・Online meeting (Zoom):
 The Zoom URL will be posted on the FAQ-SG Slack.
 (This is different from the Japan WG Slack.)

Please contact the following mailing list:
https://lists.openchainproject.org/g/japan-sg-faq/messages


FW: [education] Event: Web based training finalization #cal-invite

Balakrishna Mukundaraj

Web based training finalization

When:
Friday, November 5, 2021
3:00pm to 4:00pm
(UTC+05:30) Asia/Kolkata
Repeats: Weekly on Friday, 2 times

Where:
Zoom meeting

Organizer: Balakrishna

Description:
Hello,

Let's all join in and complete the short remaining tasks of the web based training.

As discussed in the previous meeting, the 1st training will be chapters 1-5, with a final review date of 30 November and a public release date of 16 December.
The 2nd training release will be chapters 6-8, with a final review date in the first week of February.

Join Zoom Meeting
https://zoom.us/j/4377592799

Meeting ID: 437 759 2799


Re: REMINDER OpenChain Bi-Weekly Webinar - 2021-11-02 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

Our meeting begins in about ten minutes.

Please note: this is a webinar for people completely new to the OpenChain Project. It features a walkthrough of the website and so on.


REMINDER OpenChain Bi-Weekly Webinar - 2021-11-02 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

Our regular webinar starts in just under two hours.

Today we are going to record a “newbies” guide to the OpenChain website and resources. This is intended to help support companies that are just learning about us in countries like China, Japan and Korea.

Join Zoom Meeting
https://zoom.us/j/4377592799

Meeting ID: 437 759 2799
One tap mobile
+13017158592,,4377592799# US (Washington DC)
+13126266799,,4377592799# US (Chicago)

Need to confirm your timezone?
OpenChain Bi-Weekly Webinar - 2021-11-02 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


Education Work Group Meeting 2021-10-29

We discussed the final steps necessary to turn this document into an online course. Balakrishna (our chair) has finalized details with the LF Training Team. They can release a version of the course for December 16th if we (a) close open comments on Chapters 1~5 and provide the final deliverable by end of November. Most of the work is done on Chapters 1~3, so our focus will be on filling out Chapters 4~5 in the short term, and then reverting to the early chapters for final review.
Join the Education Work Group at this mailing list:


Case Study: Open Source Compliance Automation and Interoperability #4 - How TERN (a container scanner) works both with the graphical tool and when used on its own.

The OpenChain automation case study about using open source tools for open source compliance runs between September and December 2021. It is the largest case study ever undertaken in this space. The outcome of attending will include better knowledge of options for automation around open source compliance, a better understanding of interoperability in the space, and an awareness of how to engage with the field in a turn-key manner.

Part #4 explores how TERN (a container scanner) works both with the graphical tool and when used on its own.
https://www.openchainproject.org/featured/2021/10/29/automation-case-study-4


CAICT Becomes OpenChain Partner, Launches Third Party Certification

One of the biggest announcements this year for the OpenChain Project: CAICT - a research institute under the Chinese Ministry of Industry and Information Technology - has become a partner and will offer third party certification support for OpenChain ISO/IEC 5230 in the Chinese market.


Re: Update on web-based training and Open Chain ref-Playbook

Balakrishna Mukundaraj

Hello All,

We have the education board update call in 15 mins.

Interested participants please join.

Kind regards / Best regards

Mukundaraj Balakrishna

Information co-ordination (RBEI/ECA5)
Robert Bosch GmbH | P.O. Box 10 60 50 | 70049 Stuttgart | GERMANY | www.bosch.com
Tel. +91 80 6657-5938 | Mobile +91-96207-91838 | Fax +91 80 6617-0711 | Balakrishna.Mukundraj@...

Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart, HRB 14000;
Chairman of the Supervisory Board: Franz Fehrenbach; Managing Directors: Dr. Volkmar Denner,
Prof. Dr. Stefan Asenkerschbaumer, Filiz Albrecht, Dr. Christian Fischer, Dr. Stefan Hartung,
Dr. Markus Heyn, Harald Kröger, Rolf Najork

-----Original Appointment-----
From: education@... Group <education@...>
Sent: Tuesday, October 26, 2021 10:38 AM
To: education@... Group
Subject: Update on web-based training and Open Chain ref-Playbook
When: Friday, October 29, 2021 11:00 AM-12:00 PM (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi.
Where: Zoom call

Hello all,

We would like to give you an update on the status of our pending web based training.

And with this call we would like to kick off the reference playbook mentioned during our previous calls.

Please join us:

https://zoom.us/j/4377592799


REMINDER: Automation Case Study: TERN and Containers today (27th) at 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

A reminder that we go live in one hour. The event will be recorded but attending the live session is recommended.

On Oct 27, 2021, at 12:21, Shane Coughlan <scoughlan@...> wrote:

OpenChain Automation Case Study: TERN and Containers today (27th) at 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST.

This is part of our on-going global case study regarding automation ease-of-use and effectiveness demonstrated via a new global GUI and deep-dives on specific tools used.

No registration required.


Automation Case Study: TERN and Containers today (27th) at 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

OpenChain Automation Case Study: TERN and Containers today (27th) at 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST.

This is part of our on-going global case study regarding automation ease-of-use and effectiveness demonstrated via a new global GUI and deep-dives on specific tools used.

No registration required.


Re: [education] Community call to action: website review

Great stuff! 👍

Thank you 😊

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan

On Oct 27, 2021, at 2:14, Trent Allgood <trentallgood@...> wrote:

Only positive feedback from me, I had a hard time finding the standard and some of the resources in the old website, now it's easy to find.

Great work!

Re: [education] Community call to action: website review

Trent Allgood

Only positive feedback from me, I had a hard time finding the standard and some of the resources in the old website, now it's easy to find.

Great work!

On Mon, Oct 25, 2021 at 10:25 PM Balakrishna Mukundraj via lists.openchainproject.org <balakrishna.mukundraj=in.bosch.com@...> wrote:

The update looks cool 😊


OpenChain Global Work Group Meeting 2021-10-25

We talk Security Assurance Reference Guide. Updated version coming soon? Looks like it. Learn more:
https://www.openchainproject.org/news/2021/10/25/global-wg-2021-10-25


Re: [education] Community call to action: website review

Balakrishna Mukundaraj

The update looks cool 😊

Kind regards / Best regards

Mukundaraj Balakrishna

Information co-ordination (RBEI/ECA5)
Robert Bosch GmbH

From: education@... <education@...> On Behalf Of Shane Coughlan via lists.openchainproject.org
Sent: Tuesday, October 26, 2021 9:35 AM
To: OpenChain Main <main@...>
Cc: OpenChain Education <education@...>
Subject: [education] Community call to action: website review

Hey everyone

The website has been updated to improve discoverability. However, is it easier for *you* to discover what you need? Feedback super welcome:

Regards

Shane

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:


OpenChain Security Assurance Reference Guide - Public Sharing - Feedback Requested

As discussed on our global work team calls, the security assurance reference guide has a dedicated page here:

Is the material - particularly that contained in the FAQ - enough to guide understanding and use? Feedback most welcome.

Regards

Shane 

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan