
OpenChain Tooling Work Group Meeting #39

 


OpenChain Today and Tomorrow – COSCUP Keynote

 


Today is event recording catch-up day

 

Each recording will be clearly identified by the email subject line.


OpenChain Bi-Weekly Webinar - 2021-08-03 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 

Today we are talking about 'Securing the Development & Supply Chain of Open Source Software (OSS)'

Join Zoom Meeting
https://zoom.us/j/4377592799

Meeting ID: 437 759 2799
One tap mobile
+13017158592,,4377592799# US (Washington DC)
+13126266799,,4377592799# US (Chicago)

Need to confirm your timezone?
OpenChain Bi-Weekly Webinar - 2021-08-03 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST


On our GitHub: "Formal statement format for project with no OSS BOM"

 

dineshr93: "Is there a formal statement to give to customers for projects which have no OSS components?
We cannot give confirmation that no OSS is being used, because we cannot ensure 100% accuracy since there are always limitations to the tools. So we need to come up with a statement which sets out the tools' limitations and also states that no OSS evidence has been found after performing the so-and-so scan.
I wanted to know whether there are any statements already in place in OpenChain. I searched here https://github.com/OpenChain-Project/Reference-Material but I did not find anything related to it."

https://github.com/OpenChain-Project/Reference-Material/issues/9

My initial reply:
We do not provide a single "source of truth" statement for such a matter. It is really up to the in-house procurement and legal teams.
Conceptually, it might be something like this:
"The supplier confirms that the provided software has been audited and confirms that it contains no components under open source licenses."


Re: [taiwan-wg] We have another Chinese translation assistance on our GitHub - any extra thoughts welcome!

Lucien C.H. Lin - 林誠夏
 

Dear Shane,

I believe that having the "OpenChain Project" translated as "OpenChain項目" instead of the "OpenChain專案" suggested by PeterDaveHello was done by me; it was originally submitted for the Traditional Chinese version, not cited from the Simplified Chinese version in any way. Actually, back in the old days the first draft of the Simplified Chinese version was made by me as well, based on the Traditional one for the 1.1 spec. However, taking "OpenChain專案" to replace the old translation seems to express it better nowadays. If PeterDaveHello would like to submit his suggestion in pptx or odp format to you or to the community, I would be very glad to have it proofread again to get us an updated revision.

All the best and wish you a productive outcome at the COSCUP 2021 tomorrow!

:)

20210730 UTC+8 18:15 Lucien

Shane Coughlan <scoughlan@...> wrote on Friday, 30 July 2021 at 5:46 PM:

PeterDaveHello: "I just found that Pre-Release version of Traditional Chinese Supplier Education Pack on https://www.openchainproject.org/supplier-education-pack, which is very useful, but some terms at page 2, 40, 48, 54, 77, 80 & 81 of openchain-curriculum-for-2-0-zh-Hant.pptx, seem to be the usage of Simplified Chinese, not Traditional Chinese, "專案" would be more suitable than "項目" here.

However, it's a Microsoft PowerPoint "pptx" file inside a zip file, doesn't seem to be easy to send a pull request for it with a reviewable diff comparison, how should I suggest or help the translation? Is there any data source that I can send a pull request to?"


My reply so far:

If you edit the PPTX file and submit it as a pull request, we can do community review and merge. It would be fantastic to have your contribution.


We have another Chinese translation assistance on our GitHub - any extra thoughts welcome!

 

PeterDaveHello: "I just found that Pre-Release version of Traditional Chinese Supplier Education Pack on https://www.openchainproject.org/supplier-education-pack, which is very useful, but some terms at page 2, 40, 48, 54, 77, 80 & 81 of openchain-curriculum-for-2-0-zh-Hant.pptx, seem to be the usage of Simplified Chinese, not Traditional Chinese, "專案" would be more suitable than "項目" here.

However, it's a Microsoft PowerPoint "pptx" file inside a zip file, doesn't seem to be easy to send a pull request for it with a reviewable diff comparison, how should I suggest or help the translation? Is there any data source that I can send a pull request to?"

https://github.com/OpenChain-Project/Reference-Material/issues/8

My reply so far:

If you edit the PPTX file and submit it as a pull request, we can do community review and merge. It would be fantastic to have your contribution.


Re: Open Hardware: Chinese chip designers hope to topple Arm's Cortex-A76 with XiangShan RISC-V design

 

I suspect it will all shake out to healthy competition :)
IIRC RISC-V provides cores, but a full SoC requires a lot of other IPR, and the mind even wanders to the possibility of future SoCs with hybrid Arm/R5 core arrays. The field is open. Some companies like Western Digital have been really visible in RISC-V, but what we can learn from the new push in China is really fascinating.

On Jul 30, 2021, at 18:02, Gilles Gravier via lists.openchainproject.org <gilles.gravier=wipro.com@lists.openchainproject.org> wrote:

Super interesting as RISC-V is open hardware, if I understand correctly... Having a strong implementation of it could indeed topple ARM...

Best regards,
Gilles Gravier
Director, Senior Strategy Advisor - Global Open Source Practice
Wipro Limited
M: +41 79 472 8437
in/gillesgravier @gravax

From: main@lists.openchainproject.org <main@lists.openchainproject.org> on behalf of Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@lists.openchainproject.org>
Sent: Friday 30 July 2021 10:59
To: OpenChain Main <main@lists.openchainproject.org>
Subject: [openchain] Open Hardware: Chinese chip designers hope to topple Arm's Cortex-A76 with XiangShan RISC-V design



This has flown under the Western Media radar but may be significant in terms of open hardware licensing. Worth watching to keep track of execution.

“The Institute of Computing Technology at the Chinese Academy of Sciences (ICT CAS) has showcased progress on a fully open-source processor, designed around the RISC-V architecture, which it hopes will offer competition for Arm parts at the performance end of the market. Developed from the opening of a GitHub repository to booting Debian Linux in a matter of months, with work currently progressing on a higher-performance second iteration, XiangShan, or "Fragrant Hills", comes with bold promises […]”
https://www.theregister.com/2021/07/06/xiangshan_risc_v/






Re: Open Hardware: Chinese chip designers hope to topple Arm's Cortex-A76 with XiangShan RISC-V design

Gilles Gravier
 

Super interesting as RISC-V is open hardware, if I understand correctly... Having a strong implementation of it could indeed topple ARM...

Best regards,

Gilles Gravier
Director, Senior Strategy Advisor - Global Open Source Practice
Wipro Limited
M: +41 79 472 8437
in/gillesgravier  @gravax


From: main@... <main@...> on behalf of Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...>
Sent: Friday 30 July 2021 10:59
To: OpenChain Main <main@...>
Subject: [openchain] Open Hardware: Chinese chip designers hope to topple Arm's Cortex-A76 with XiangShan RISC-V design
 


This has flown under the Western Media radar but may be significant in terms of open hardware licensing. Worth watching to keep track of execution.

“The Institute of Computing Technology at the Chinese Academy of Sciences (ICT CAS) has showcased progress on a fully open-source processor, designed around the RISC-V architecture, which it hopes will offer competition for Arm parts at the performance end of the market. Developed from the opening of a GitHub repository to booting Debian Linux in a matter of months, with work currently progressing on a higher-performance second iteration, XiangShan, or "Fragrant Hills", comes with bold promises […]”
https://www.theregister.com/2021/07/06/xiangshan_risc_v/






Open Hardware: Chinese chip designers hope to topple Arm's Cortex-A76 with XiangShan RISC-V design

 

This has flown under the Western Media radar but may be significant in terms of open hardware licensing. Worth watching to keep track of execution.

“The Institute of Computing Technology at the Chinese Academy of Sciences (ICT CAS) has showcased progress on a fully open-source processor, designed around the RISC-V architecture, which it hopes will offer competition for Arm parts at the performance end of the market. Developed from the opening of a GitHub repository to booting Debian Linux in a matter of months, with work currently progressing on a higher-performance second iteration, XiangShan, or "Fragrant Hills", comes with bold promises […]”
https://www.theregister.com/2021/07/06/xiangshan_risc_v/


US National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems

 

From the White House:
"Protection of our Nation’s critical infrastructure is a responsibility of the government at the Federal, State, local, Tribal, and territorial levels and of the owners and operators of that infrastructure. The cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation. The degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.”

This memorandum contains the following sections (Sections 2 and 4 appear most relevant to parties in this field):
Section 1. Policy.
Sec. 2. Industrial Control Systems Cybersecurity Initiative.
Sec. 3. Furthering the Industrial Control Systems Cybersecurity Initiative.
Sec. 4. Critical Infrastructure Cybersecurity Performance Goals.
Sec. 5. General Provisions.

https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/


Japanese Government (METI): Collection of Use Case Examples Compiled Regarding Management Methods for Utilizing Open Source Software and Ensuring Its Security

 

"The Ministry of Economy, Trade and Industry (METI) publishes a "Collection of Use Case Examples Regarding Management Methods for Utilizing OSS and Ensuring Its Security." The collection summarizes the points to note when utilizing open source software (OSS), and for each point, provides information including use case examples of companies that are conducting instructive initiatives.”

This information is all in English:
https://www.meti.go.jp/english/press/2021/0421_003.html


OpenChain Global Work Group Meeting 2021-07-26 - Full Recording

 

You can find the full recording of our most recent meeting here:
https://www.youtube.com/watch?v=okRa07dfokE&t=2s

As mentioned in my last email, focus was solely on the security guidance document for OpenChain ISO 5230.


IMPORTANT: OpenChain Security Assurance Reference Guide (ISO 5230 Security Assurance Reference Guide)

 

The security guidance guide for OpenChain ISO 5230 is nearly ready. This is the last call for comments.

This document will provide all that is necessary to apply OpenChain ISO 5230 to address security matters related to open source. It does not alter or adjust the standard itself. It is a “mapping” guide.

Here is the document in a format that allows you to add comments:
https://1drv.ms/w/s!AsXJVqby5kpnkSaMT5WBZwJBONuB

Here is the most recent call where we discussed specifics:
https://www.youtube.com/watch?v=okRa07dfokE

You have until the 10th of August to provide feedback, with the process ending during our regular Global Work Team call on that day. The document will be released on the 11th of August.

Regards

Shane


Shane Coughlan
General Manager, OpenChain
e: scoughlan@linuxfoundation.org
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org

Schedule a call:
https://meetings.hubspot.com/scoughlan


Re: [specification] [openchain] OpenChain Global Work Team Call - 2021-07-26 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

 

Awesome! Thanks Mark!

Everyone, we start in 30 minutes.

Don’t forget: we have a new dial in link here:

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan

On Jul 26, 2021, at 22:24, Mark Gisi <mark.gisi@...> wrote:



The current draft of the Security Assurance Reference Guide can be found here:

 

    https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide

 

best,

 

Mark Gisi
Director, Open Source Program Office

Empowering Customers to Prosper using Open Source

(510) 749-2016



 

From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: Monday, July 26, 2021 2:44 AM
To: OpenChain Main <main@...>
Cc: OpenChain Germany <germany-wg@...>; OpenChain India <india-wg@...>; OpenChain UK <uk-wg@...>; OpenChain Partners <partners@...>; OpenChain Automotive <openchain-automotive-work-group@groups.io>
Subject: [openchain] OpenChain Global Work Team Call - 2021-07-26 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

 


We focus on the security extension again, and prepare to throw it open to general editing.

All welcome. No registration.

https://zoom.us/j/4377592799

Want to confirm your timezone?
2021-06-21 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


Re: OpenChain Global Work Team Call - 2021-07-26 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

Mark Gisi
 

The current draft of the Security Assurance Reference Guide can be found here:

 

    https://github.com/OpenChain-Project/SecurityAssuranceGuide/tree/main/Guide

 

best,

 

Mark Gisi
Director, Open Source Program Office

Empowering Customers to Prosper using Open Source

(510) 749-2016

Wind River



 

From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: Monday, July 26, 2021 2:44 AM
To: OpenChain Main <main@...>
Cc: OpenChain Germany <germany-wg@...>; OpenChain India <india-wg@...>; OpenChain UK <uk-wg@...>; OpenChain Partners <partners@...>; OpenChain Automotive <openchain-automotive-work-group@groups.io>
Subject: [openchain] OpenChain Global Work Team Call - 2021-07-26 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

 


We focus on the security extension again, and prepare to throw it open to general editing.

All welcome. No registration.

https://zoom.us/j/4377592799

Want to confirm your timezone?
2021-06-21 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


OpenChain Global Work Team Call - 2021-07-26 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

 

We focus on the security extension again, and prepare to throw it open to general editing.

All welcome. No registration.
https://zoom.us/j/4377592799

Want to confirm your timezone?
2021-06-21 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


Software Bill of Materials Readiness Survey

 

Your assistance is requested (in Chinese, English, German, Japanese and Korean) to help us assess the current situation in the industry with respect to Software Bill of Materials. Your five minutes will provide invaluable data.
https://www.linuxfoundation.org/press-release/linux-foundation-research-announces-software-bill-of-materials-sbom-readiness-survey/

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


Japanese holiday

 

FYI, in case you are wondering why I and other members of our Japanese contingent may be slow on mail, it's a national holiday on Thursday and Friday 🙂

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


Re: Vote on our OpenChain ISO 5230 conformance logo - change or no change?

Chandana Rao
 

I prefer the existing one !

 

From: main@... <main@...> On Behalf Of Radha Sarma via lists.openchainproject.org
Sent: Thursday, July 22, 2021 6:04 AM
To: main@...
Subject: Re: [openchain] Vote on our OpenChain ISO 5230 conformance logo - change or no change?

 


+1 Mary's comment.

On 22-07-2021 02:13, Jari Koivisto wrote:

+1 Mary's comment. 

--
Ms. Radha Sarma
COO
Luit Infotech Private Limited
Bangalore

Phone: +91 80 4206 1217
Cell: +91 9620411633
Skype: radha_sarma1

"Save Paper, Save Trees, Save Earth - Use LuitBiz DMS"

