Re: EXTERNAL: Re: [openchain] OpenChain Specification Chair Election Period Now Open

Wood, Chris <chris.wood@...>
 

 

Hello OpenChain team

Allow me to introduce myself to those who do not know me. I am Dr. Chris Wood and I have been working for the past 30 years in the software assurance arena and 20 years specifically with open-source licensing. For my company I was a member of the original team who created a licensing scanner that enabled our business to conduct deep software scanning across all software languages for both open-source and commercial software. For 17 years I personally ran the team that performed the software analysis and then reviewed the proposed compliance actions with Legal Counsel to either approve or reject them. During development we created an automated tool to produce software bills of materials (SBOMs), which include component names, a copy of every license and notice, and author attributions where requested. These SBOMs were provided to the customer (internal and external).

I have been actively participating in the OpenChain project since approximately 2017 and have contributed substantial review and substance to both the license governance and the software security guide specifications.

 

Thank you for considering me as a candidate; it would be my honor to serve the team in any capacity where needed.

Dr. Chris Wood, CISSP

--------------------------------------------------------------------------------------------------------------------------------------------------------

On Wed, Nov 16, 2022 at 10:04 AM Shane Coughlan <scoughlan@...> wrote:

Steve, Helio, Jacob and Chris, I would like to invite you to share a brief bio of yourself in this thread to help our potential voters to understand who you are. Given our wide community, not everyone makes our calls, and may not know you from your active contributions there and on GitHub, etc.

> On Nov 16, 2022, at 9:59, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...> wrote:
>
> OpenChain Specification Chair Election Period Now Open
>
> The OpenChain Project is running an election for co-chairs of the Specification Work Group. The election period is from today (2022-11-16) until 2022-11-22 Close of Business UTC.
> Here are our current nominees:
>     • Steve Kilbane, Analog Devices
>     • Helio Chissini de Castro, CARIAD
>     • Jacob Wilson, Gemini
>     • Chris Wood, Lockheed Martin
> Everyone is invited to vote for their preferred chairs. Here is how:
>     • You have two votes.
>     • One is licensing focused (Steve or Helio) and one is security focused (Jacob or Chris).
>     • You can vote by (a) signing up to our Specification mailing list (because this mailing list is our single source of truth for specification work) and (b) sending an email to operations@... with the subject “Specification Chair Elections” and the following content:
> My name is NAME and my votes are as follows:
> NAME for licensing
> NAME for security
> Regards
> YOUR NAME
> Some notes:
>     • The email address ending your vote must be subscribed to the specification mailing list.
>     • Any vote not provided in this format will be invalid.
>     • You can vote for yourself.
>     • You can only submit your votes once.
> More Details
> How we are running this election is split into two lengthy descriptions below. We are striving to do two things:
>     • Create an open election process
>     • Address the potential we have to have multiple domain experts sharing work
> Because this is our first major election for Specification Chair, the process may have some rough edges. If there are any critical issues, we will address them.
> How We Are Running The Elections
> The OpenChain Governing Board is formally considering who should be appointed by the board for the position(s) of OpenChain Specification Chairperson, and invites the broader OpenChain community to provide their perspective.
> In this process, the broader OpenChain community will have nominees proposed and voted on to provide a recommendation. That recommendation will be passed to the OpenChain Governing Board for review, approval and ratification at their next meeting.
> The specific process on behalf of the community is to undertake a voting process after a period of nomination. The community will vote in the following manner:
> Votes for chairpeople will be sent by email to operations@... (received by the OpenChain General Manager and Project Manager).
> Each member of our specification@ can cast *one* vote. All members of main@ are entitled to join specification@. The requirement to join the specification list is to maintain that list as the “single source of truth” for our specification-editing and other core specification work.
> The votes will be tallied by the General Manager and prepared for the OpenChain Governing Board to review.
> The tally will be reported to the OpenChain governing board. Their feedback and final decision will be provided to the community-at-large after their next formal governing board meeting.
> For the 2022 OpenChain Specification Work Group elections the following notes are provided:
> (1) we are operationally splitting the specification work group into two work groups: licensing and security, reflecting our two specifications in-market.
> (2) for *this* specific election, we will split the election into two threads: one license biased (two nominees) and one security biased (two nominees). The result will be two chairs to fill the co-chair positions after approval by the OpenChain Governing Board.
> (3) this means everyone on specification@ should vote for:
> (i) their preferred choice for license work group chair;
> (ii) their preferred choice for security work group chair.
> (4) these votes may be cast between the 16th and 22nd of November 2022.
> (5) the OpenChain Governing Board will receive the tally of votes expressing community feedback, and will review it formally at their next meeting on the 8th of December 2022.
> (6) it is expected that at this juncture the community will receive a response from the OpenChain Governing Board regarding their decision(s) around specification chairperson(s) circa 9th December 2022, and our new specification chairs will begin their term of office prior to 2023.
> This process may be adjusted at any time by the governing board, and feedback to improve the process is always welcome, with the optic of ensuring that we continually refine the process as time progresses.
> For This Specific Election
> For the nomination period, we happen to have two people well versed in license compliance (Steve and Helio) and two people with a security background (Jacob and Chris). This suggests that our co-chair election – for *this* specific election – should break into two threads: one license biased (two nominees) and one security biased (two nominees). The result will be two chairs to fill the co-chair positions after approval by the OpenChain Governing Board.
> However, for clarity, the intent is not to split the development of our licensing and security specifications into two different paths. The intent is that both chairs will work on both specifications by helping to collect community feedback and so on, with this feedback being provided to the Steering Committee for formal review and ratification if and when we decide to produce new versions of our standards.


REMINDER: We are encouraging our community to self-certify to the OpenChain Security Assurance Specification

 

Oh my gosh. It happened again. Fixed (again), this time properly. 😅

==

Security Assurance Specification Ready For Use

- The OpenChain Security Assurance Specification 1.1 is available today as a de facto industry standard.
- We support adoption via a self-certification checklist and questionnaire.
- We are preparing for submission to ISO/IEC via JTC-1 Publicly Available Specification (PAS) Transposition Process.
- We expect this to become an ISO/IEC Standard circa mid-2023.
- Self-certification now will automatically conform to the ISO/IEC Standard.
- It also helps provide very useful feedback for our community.

Check Conformance In Two Minutes

You can use our new security assurance self-certification checklist:

https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Checklist/Security-Assurance-1.1/en/Security-Assurance-1-1-Checklist-Version-2.md

Or you can use our new security assurance self-certification questionnaire:

https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Questionnaire/Security-Assurance-1.1/en/Security-Assurance-1-1-Questionnaire-Version-1.md

Are you already conformant? Let Shane know at scoughlan@...


REMINDER: We are encouraging our community to self-certify to the OpenChain Security Assurance Specification

 

Issue with links in previous mail. Fixed below. Apologies. Copy/paste error.



REMINDER: We are encouraging our community to self-certify to the OpenChain Security Assurance Specification



Re: OpenChain Specification Chair Election Period Now Open

Helio Chissini de Castro
 

Hello everyone

So, a little introduction, and since Shane already linked the LinkedIn profile, let's make it more synthetic (or not).

I'm now Software Technologies Lead and Process at Cariad SE, and I work on several topics in the compliance area.

In the last 4 years at my previous company I started working on compliance topics in parallel with my project at that time, and this grew on me to the point that it became my current job at Cariad.

I've been playing with open source for longer than I can remember (25+ years), and have "survived" all the evolutions in my so-called career, from research-lab usage, to university, to governments' first adoptions, to the initial industry onboarding (tech), to the current state, which leads to the next and final step.

I honestly believe we will reach the point where "Open Source is dead!"

Why? Because we have reached overall dominance: no company can any longer bear to develop or use closed software that is on the verge of becoming irrelevant, a dead-in-the-water project, or dangerously exposed to security issues it can't control.

Be it costs, security, or long-term survival, whatever the reason, no company, big or small, will question open source; they will embrace it as the norm, and then open source will no longer be the exception, but the rule.

And there we go: since this is the norm, compliance and security have become more relevant, even the most important part after development itself.

That leads to the reason why I am here: to improve what we have and provide better solutions for such important work.

Thanks (and sorry for the "small" bio)




Re: [specification] [openchain] OpenChain Specification Chair Election Period Now Open

Steve Kilbane
 

Sure.

 

I’ve been at Analog Devices Inc (ADI) in Edinburgh, Scotland for over 20 years; before that I worked for another company that handled industrial automation engineering, and which got shuffled around a number of the larger players in that field.

 

For most of my time at Analog Devices, I’ve worked in the Development Tools group in the Automotive business unit, first as a compiler developer, later as the team manager, wrangling the releases of our development tools which contain multiple proprietary and open-source development tools, and getting increasingly dragged into the license-compliance world. I’ve been closely involved in license compliance within ADI for over ten years, now.

 

We kicked off our OSPO at the start of the year, with me leading, and we’re still working our way through getting everything up and running. I’ve been tracking OpenChain since the 2018 Open Source Summit in Edinburgh, and following the UK WG and the Automotive and Telco SIGs. I’ve been looking forward to the Export Control SIG kicking off for a while now.

 

More informally: yes, it’s Scotland, so there are occasional kilts, and I’ve been studying and teaching historical swordsmanship for two decades. I *do* have a bag of swords in the office, but only because it’s a convenient place to keep them, near the class venue. That’s definitely the reason. Yep.

 

steve

 

From: specification@... <specification@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Wednesday, 16 November 2022 at 09:04
To: OpenChain Main <main@...>
Cc: OpenChain Specification <specification@...>, Kilbane, Stephen <Stephen.Kilbane@...>, Wood, Chris <chris.wood@...>, Helio Chissini de Castro <heliocastro@...>, Jacob Wilson <jacobdjwilson@...>
Subject: Re: [specification] [openchain] OpenChain Specification Chair Election Period Now Open


Re: OpenChain Specification Chair Election Period Now Open

 

Steve, Helio, Jacob and Chris, I would like to invite you to share a brief bio of yourself in this thread to help our potential voters to understand who you are. Given our wide community, not everyone makes our calls, and may not know you from your active contributions there and on GitHub, etc.



OpenChain Specification Chair Election Period Now Open

 

The OpenChain Project is running an election for co-chairs of the Specification Work Group. The election period is from today (2022-11-16) until 2022-11-22 Close of Business UTC.

Here are our current nominees:

Everyone is invited to vote for their preferred chairs. Here is how:

  1. You have two votes.
  2. One is licensing focused (Steve or Helio) and one is security focused (Jacob or Chris).
  3. You can vote by (a) signing up to our Specification mailing list (because this mailing list is our single source of truth for specification work) and (b) sending an email to operations@... with the subject “Specification Chair Elections” and the following content:

My name is NAME and my votes are as follows:
NAME for licensing
NAME for security
Regards
YOUR NAME

Some notes:

  1. The email address sending your vote must be subscribed to the specification mailing list.
  2. Any vote not provided in this format will be invalid.
  3. You can vote for yourself.
  4. You can only submit your votes once.

More Details

How we are running this election is split into two lengthy descriptions below. We are striving to do two things:

  1. Create an open election process
  2. Address the potential we have to have multiple domain experts sharing work

Because this is our first major election for Specification Chair, the process may have some rough edges. If there are any critical issues, we will address them.

How We Are Running The Elections

The OpenChain Governing Board is formally considering who should be appointed by the board for the position(s) of OpenChain Specification Chairperson, and invites the broader OpenChain community to provide their perspective.

In this process, the broader OpenChain community will have nominees proposed and voted on to provide a recommendation. That recommendation will be passed to the OpenChain Governing Board for review, approval and ratification at their next meeting.

The specific process on behalf of the community is to undertake a voting process after a period of nomination. The community will vote in the following manner:

Votes for chairpeople will be sent by email to operations@...(received by the OpenChain General Manager and Project Manager).

Each member of our specification@ can cast *one* vote. All members of main@ are entitled to join specification@. The requirement to join the specification list is to maintain that list as the “single source of truth” for our specification-editing and other core specification work.

The votes will be tallied by the General Manager and prepared for the OpenChain Governing Board to review.

The tally will be reported to the OpenChain governing board. Their feedback and final decision will be provided to the community-at-large after their next formal governing board meeting.

For the 2022 OpenChain Specification Work Group elections the following notes are provided:
(1) we are operationally splitting the specification work group into two work groups: licensing and security, reflecting our two specifications in-market.
(2) for *this* specific election, we will split the election into two threads: one license biased (two nominees) and one security biased (two nominees). The result will be two chairs to fill the co-chair positions after approval by the OpenChain Governing Board.
(3) this means everyone on specification@ should vote for:
(i) their preferred choice for license work group chair;
(ii) their preferred choice for security work group chair.
(4) these votes may be cast between the 16th and 22nd of November 2022.
(5) the OpenChain Governing Board will receive the tally of votes expressing community feedback, and will review it formally at their next meeting on the 8th of December 2022.
(6) it is expected that at this juncture the community will receive a response from the OpenChain Governing Board regarding their decision(s) around specification chairperson(s) circa 9th December 2022, and our new specification chairs will begin their term of office prior to 2023.

This process may be adjusted at any time by the governing board, and feedback to improve the process is always welcome, with the optic of ensuring that we continually refine the process as time progresses.

For This Specific Election

For the nomination period, we happen to have two people well versed in license compliance (Steve and Helio) and two people with a security background (Jacob and Chris). This suggests that our co-chair election – for *this* specific election – should break into two threads: one license biased (two nominees) and one security biased (two nominees). The result will be two chairs to fill the co-chair positions after approval by the OpenChain Governing Board.

However, for clarity, the intent is not to split the development of our licensing and security specifications into two different paths. The intent is that both chairs will work on both specifications by helping to collect community feedback and so on, with this feedback being provided to the Steering Committee for formal review and ratification if and when we decide to produce new versions of our standards.


OpenChain Monthly Meeting 2022-11-15 (Asia and USA) – Full Recording

 

During the most recent OpenChain Monthly Meeting 2022-11-15 (Asia and USA) we live-edited two suggestions for future versions of our license compliance and security assurance standards. In addition, we covered all the latest news in our space, and discussed how we can continually improve our collaboration with other projects doing related work. See the full recording and review the slide deck at this link:
https://www.openchainproject.org/news/2022/11/15/monthly-meeting-2022-11-15

The live-edited suggestion related to the licensing standard:
https://github.com/OpenChain-Project/License-Compliance-Specification/issues/59

The live-edited suggestion related to the security standard:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/9


Re: Topic for discussion: how do we link different Bill of Materials?

Jacob Wilson
 

This is a great point, and one which I believe has been evolving over time. SAST, DAST, IAST, and RASP outputs similarly all show code analysis at different stages of the software build and distribution process. I would say for storage a Software Artifact Repository is the industry standard for code scanning and will most likely continue for SBOM results, but the combination of results will vary based on organizational policies, procedures, regulators, and other market factors. 

If I put my computer forensics hat on, traceability and non-tampered evidence collection are paramount. Having the same piece of information at multiple stages of the software build and distribution process is informative in itself. Combination of the results may harm the overall goal. From a pragmatic perspective this is a significant data storage and analysis challenge.

Tying things together, I believe the SBOM consideration material you have made is great and brings light to an important issue. I also believe it fits together remarkably well with the 'SCA tooling evaluation metrics' project mentioned in yesterday's monthly call. Perhaps these stakeholders can work together?

On Tue, Nov 15, 2022 at 6:47 AM Shane Coughlan <scoughlan@...> wrote:
Kobota San has raised an interesting topic for discussion. Attached see slides with an overview.

Summary: there are various different types of SBOM involved in preparing various types of product. For example, Build SBOM, Binary SBOM, Source SBOM.

What is the best way to combine these for final records?

Thoughts and suggestions?


Re: Reminder: Export Control Work Group - First Meeting 22nd of November 2022

 

Dear all

Please accept my sincere apologies. I initially shared an incorrect calendar invitation for this meeting.

The meeting takes place at the time and date of the attached calendar invitation.

Regards

Shane

On Nov 15, 2022, at 12:06, Shane Coughlan <scoughlan@...> wrote:

A reminder that the first meeting of the Export Control Work Group will take place on the 22nd of November. Calendar invite attached.

Meeting agenda:

(1) Introductions
(2) Overview of why export control matters from the perspective of open source and compliance
(3) Open discussion about how our community can contribute to the field

Zoom meeting:
https://zoom.us/j/93456802267

You can join our Export Control mailing list here:
https://lists.openchainproject.org/g/export-control-wg



Topic for discussion: how do we link different Bill of Materials?

 

Kobota San has raised an interesting topic for discussion. Attached see slides with an overview.

Summary: there are various different types of SBOM involved in preparing various types of product. For example, Build SBOM, Binary SBOM, Source SBOM.

What is the best way to combine these for final records?

Thoughts and suggestions?


New OpenChain Public Policy Work Group

 

The OpenChain Project has a mission to build trust in the supply chain and a focus on issues related to open source licensing, security and related topics. We maintain an ISO/IEC process standard for open source license compliance, a de facto process standard for Security Assurance, and we have a huge library of reference and training material.

To ensure that people working in the sphere of public policy can access our community knowledge (and to ensure our community can access their knowledge), we are starting a Public Policy Work Group. We will meet every few months via Zoom to discuss developments in overarching open source policy around the world.

Everyone is invited to be part of this and to contribute their experience. Our goal is to keep everyone informed of key developments, provide a space to discuss best practices, and – ultimately – to help further our mission to make a trusted open source supply chain that spans the world.

Join the Public Policy Work Group mailing list to get started:
https://lists.openchainproject.org/g/public-policy-wg

(or just send a subscription email to public-policy-wg+subscribe@...)

We will announce our first event in the coming weeks. It is provisionally scheduled for early December.

Share a link to this announcement:
https://www.openchainproject.org/news/2022/11/15/public-policy-work-group


Reminder: Export Control Work Group - First Meeting 22nd of November 2022

 

A reminder that the first meeting of the Export Control Work Group will take place on the 22nd of November. Calendar invite attached.

Meeting agenda:

(1) Introductions
(2) Overview of why export control matters from the perspective of open source and compliance
(3) Open discussion about how our community can contribute to the field

Zoom meeting:
https://zoom.us/j/93456802267

You can join our Export Control mailing list here:
https://lists.openchainproject.org/g/export-control-wg


OpenChain structure - do we also want to include a mindmap on the website?

 

A reminder that we have a new description of our community structure to make things easier to understand (image and also attached in more detail as PowerPoint).

There is a MindMap version as well. Should we put that on the website? Attached as SVG and HTML for reference.

Regards

Shane


Re: OpenChain Monthly Call (Asia) at 01:00 UTC (09:00 CST / 10:00 KST + JST)

 

Our monthly call for Asia will begin in 5 minutes:
https://zoom.us/j/4377592799

We expect to edit two issues on this call.

One is related to the licensing standard:
https://github.com/OpenChain-Project/License-Compliance-Specification/issues/59

The other is related to the security standard:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/9

On Nov 14, 2022, at 17:53, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...> wrote:

Reminder: our monthly community call for Asia will be taking place tomorrow (2022-11-15) at 01:00 UTC (09:00 CST / 10:00 KST + JST).

We will be live editing issues around our licensing standard, our security standard, and our reference material. Full agenda end of mail.

People from everywhere else are very welcome to join too! We realize the timezone is terrible for Europe. We have a separate monthly call designed for Europe / USA. It takes place on the First Tuesday of every month.

This call is open to every individual and company regardless of their membership of Linux Foundation or the OpenChain Project. It provides a forum to bring together the various things the OpenChain community is doing around the world, from building our family of standards (licensing compliance and now security compliance), assisting with tooling, SBOMs and OSPOs, and facilitating industry specific discussions in areas like telco and automotive.

Agenda
1. Introductions
2. Specification (process standards) news
3. SBOM news
4. OSPO news
5. Automation news
6. Community feedback and comments - issues for standards and core supporting material
7. Community feedback and comments - issues for reference and supporting material
8. Community feedback and comments - issues to support other projects
9. Any other business
10. Close of meeting

This meeting is held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799


Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan



OpenChain Monthly Call (Asia) at 01:00 UTC (09:00 CST / 10:00 KST + JST)

 

Reminder: our monthly community call for Asia will be taking place tomorrow (2022-11-15) at 01:00 UTC (09:00 CST / 10:00 KST + JST).

We will be live editing issues around our licensing standard, our security standard, and our reference material. Full agenda end of mail.

People from everywhere else are very welcome to join too! We realize the timezone is terrible for Europe. We have a separate monthly call designed for Europe / USA. It takes place on the First Tuesday of every month.

This call is open to every individual and company regardless of their membership of Linux Foundation or the OpenChain Project. It provides a forum to bring together the various things the OpenChain community is doing around the world, from building our family of standards (licensing compliance and now security compliance), assisting with tooling, SBOMs and OSPOs, and facilitating industry specific discussions in areas like telco and automotive.

Agenda
1. Introductions
2. Specification (process standards) news
3. SBOM news
4. OSPO news
5. Automation news
6. Community feedback and comments - issues for standards and core supporting material
7. Community feedback and comments - issues for reference and supporting material
8. Community feedback and comments - issues to support other projects
9. Any other business
10. Close of meeting

This meeting is held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799


Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


OpenChain Automotive Mini-Summit 2022 – Full Recording

 

The OpenChain Automotive Work Group held a mini-summit on the 11th of November 2022. This event was focused on outlining the key items of interest for the industry in our sphere, and then discussing how we will address them in 2023. It was a short summit (only one hour) so time was tight, and it is clear that we have plenty to do as we begin regular quarterly meetings circa February 2023.

Check out the full recording here:
https://www.openchainproject.org/featured/2022/11/14/automotive-mini-summit-2022-recording


External Webinar: Open Source Exchange by Revenera – 2022-11-15 @ 12:00 Central US

 

(Shane Coughlan, OpenChain GM, will be “taking the stage” alongside Heather Meeker, Russ Eling and others)

== Formally speaking ==

Transform Your Software Supply Chain Maturity

Organizations can no longer ignore the threat landscape of potential security and software compliance issues leading to negative financial impact. It’s in your best interest to create a strategy to control the risk—take proactive steps to secure the software supply chain.

Join Revenera and a panel of experts to discuss:
• Trends in open source and third-party software management
• Ongoing regulatory changes such as the evolving Executive Order from the U.S. government
• What’s next in terms of communicating vulnerabilities through tools such as VDR and VEX
• The criticality of implementing a Software Bill of Materials (SBOM) and what organizations should be doing
• Real world security assurance with OpenChain best practices
• What’s happening in the software supply chain in industries such as government, automotive, and medical device manufacturing

Register and join for free here:
https://info.revenera.com/SCA-EVNT-OpenSourceExchange-SBOM-SupplyChain-2022


Automation Work Group Catch Up

 

The OpenChain Automation Work Group has continued its busy schedule. Below you can find recordings of two recent meetings and details of how to join our mailing list and to attend future meetings. This is an excellent place to keep up-to-date with discussions about the types of workflow and the type of options you have for automation around ISO/IEC 5230 for license compliance or the Security Assurance Specification for security.

Meeting on Nov 2nd
https://conf.fsfe.org/presentation/7510c962420cd700b3f46fdc312b8bfe8ec9a608-1667375988157/meeting.mp4

Meeting on Oct 5th
https://conf.fsfe.org/presentation/7510c962420cd700b3f46fdc312b8bfe8ec9a608-1664956795265/meeting.mp4

Our mailing list
https://groups.io/g/oss-based-compliance-tooling

The OpenChain Community Calendar
https://www.openchainproject.org/get-started/participate