
OpenChain Japan Work Group All Member Meeting #19 – Virtual Meeting #6 – 2021-05-26 – Full Recording

 

OpenChain Japan Work Group All Member Meeting #19 – Virtual Meeting #6 – 2021-05-26 – Full Recording:
https://www.openchainproject.org/news/2021/07/15/japan-work-group-19


Bosch Announces Rollout Of An OpenChain ISO 5230 Framework For Open Source Compliance

 

Some very big news from Bosch today: while parts of the organization already have OpenChain ISO 5230 conformant programs, there is a target of having whole organization conformance by end of year. This will make Bosch the second company in the world to seek whole entity conformance, and the first at the core of the automotive supply chain. Learn more:
https://www.openchainproject.org/featured/2021/07/13/bosch-iso-conformance


EXTERNAL ARTICLE: 'Does GPLv2 Include an ‘Installation Information’ Obligation? A Textual & Historical Analysis'

 

Interesting article from McCoySmith in the JOLTS law and technology journal: 'Does GPLv2 Include an ‘Installation Information’ Obligation? A Textual & Historical Analysis' - https://jolts.world/index.php/jolts/article/view/149/270


Global Work Team meeting 2021-07-13: OpenChain ISO 5230 in a security context - Our Guidance Document Is Nearly Ready - Check out our live edit

 

https://www.youtube.com/watch?v=Jp3K-K0Ghb0


Fixing weird orphaned OpenChain event invites in your calendar

 

Some people have reported orphaned calendar invites for OpenChain events happening on a different schedule to our actual events.

I checked with LF Staff, particularly Rachel, who created these orphan invites. She deleted them from the LF calendar when she left at the end of March, but for some people they appear to have stuck around in your calendars. The issue is that since that time we have adjusted the schedule of our meetings.

To solve the issue conclusively, please search for rbraun@linuxfoundation.org in the calendar and delete all those invites. They don’t exist in the LF infrastructure anymore and the only invites to follow are those on the global calendar. You can find the global calendar and its subscription links here:
https://www.openchainproject.org/community

Sorry about this, but hope this fix assists.

Regards

Shane


Re: REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-13 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 

Hi Chris!

This talk will be published on the site shortly. I’ll be pinging the list with the link.

This second Monday fits into a tough time for the US, IIRC it’s about 23:00 Pacific. The alternate webinar on fourth Monday is a more palatable 07:00 Pacific 🙂

Regards

Shane

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan

On Jul 13, 2021, at 20:40, Christopher Wood <cvw01@sbcglobal.net> wrote:

Good morning Shane
Would it be possible to get recordings of these webinars? I can’t seem to be able to wake up here at 1:30 AM to attend a webinar at 2 AM Central Daylight time in the US and it seems that all the interesting work is discussed then.
Best regards
Chris

Sent via carrier pigeon

On Jul 13, 2021, at 12:33 AM, Shane Coughlan <scoughlan@linuxfoundation.org> wrote:

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-13 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

In 30 minutes we are talking OpenChain ISO 5230 and security extension documentation:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09


Re: REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-13 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

Christopher Wood
 

Good morning Shane
Would it be possible to get recordings of these webinars? I can’t seem to be able to wake up here at 1:30 AM to attend a webinar at 2 AM Central Daylight time in the US and it seems that all the interesting work is discussed then.
Best regards
Chris

Sent via carrier pigeon

On Jul 13, 2021, at 12:33 AM, Shane Coughlan <scoughlan@linuxfoundation.org> wrote:

REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-13 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

In 30 minutes we are talking OpenChain ISO 5230 and security extension documentation:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09




NTIA Releases Minimum Elements for a Software Bill of Materials

Steve Kilbane
 

"Today, the Department of Commerce and NTIA are publishing a report on the minimum elements for an SBOM. The report builds on the work of NTIA’s SBOM multistakeholder process as well as the responses to a request for comments issued in June."

 

https://www.ntia.gov/blog/2021/ntia-releases-minimum-elements-software-bill-materials

 

steve

 


Re: [japan-wg] REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-13 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 

We are going live now. ISO 5230 and security extensions is the topic:
https://zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09


REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-13 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 


In 30 minutes we are talking OpenChain ISO 5230 and security extension documentation:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09


REMINDER: OpenChain Bi-Weekly Work Group Call - 2021-07-06 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 


In 30 minutes we are talking OpenChain ISO 5230 and security extension documentation:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09


Webinar #26 – Open Hardware at CERN, FOSSLight Overview and Automating Yocto with SPDX

 

This was a massive webinar covering just over an hour. Highly recommended to catch the latest in open hardware and in open source automation.
https://www.openchainproject.org/news/2021/07/07/webinar-26

Want to check out all 25 previous webinars? You can find them here:
https://www.openchainproject.org/webinars


Re: [partners] Samsung Electronics Announces OpenChain ISO 5230 Conformance

Gilles Gravier
 

Amazing news!

Best regards,

Gilles Gravier
Director, Senior Strategy Advisor - Global Open Source Practice
Wipro Limited
M: +41 79 472 8437
in/gillesgravier  @gravax


From: partners@... <partners@...> on behalf of Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...>
Sent: Thursday 8 July 2021 06:08
To: OpenChain Main <main@...>
Cc: OpenChain Japan <japan-wg@...>; OpenChain Korea <korea-wg@...>; OpenChain Taiwan <taiwan-wg@...>; OpenChain Partners <partners@...>
Subject: [partners] Samsung Electronics Announces OpenChain ISO 5230 Conformance
 


In one of our biggest announcements for 2021, Samsung Electronics announces adoption of OpenChain ISO 5230, the International Standard for open source compliance. They join a growing community of companies in the consumer electronics, automotive, cloud computing and telecommunications field in using this standard to manage supply chains. Learn more:
https://www.openchainproject.org/featured/2021/07/07/samsung-electronics-announces-openchain-iso-5230-conformance






Re: [partners] Samsung Electronics Announces OpenChain ISO 5230 Conformance

Andrew Katz
 

Spectacular news! Well done!

On 8 Jul 2021, at 05:08, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@lists.openchainproject.org> wrote:

In one of our biggest announcements for 2021, Samsung Electronics announces adoption of OpenChain ISO 5230, the International Standard for open source compliance. They join a growing community of companies in the consumer electronics, automotive, cloud computing and telecommunications field in using this standard to manage supply chains. Learn more:
https://www.openchainproject.org/featured/2021/07/07/samsung-electronics-announces-openchain-iso-5230-conformance





Andrew Katz
Partner

Tel: 01628 470000
DDI: +44 (0) 1628 470003
Mob: +44 (0) 7970 835001
Email: Andrew.Katz@moorcrofts.com
Moorcrofts LLP | Thames House, Mere Park, Marlow | SL7 1PB, Bucks, GB





Samsung Electronics Announces OpenChain ISO 5230 Conformance

 

In one of our biggest announcements for 2021, Samsung Electronics announces adoption of OpenChain ISO 5230, the International Standard for open source compliance. They join a growing community of companies in the consumer electronics, automotive, cloud computing and telecommunications field in using this standard to manage supply chains. Learn more:
https://www.openchainproject.org/featured/2021/07/07/samsung-electronics-announces-openchain-iso-5230-conformance


REMINDER: OpenChain Bi-Weekly Webinar - 2021-07-06 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 

OpenChain Bi-Weekly Webinar - 2021-07-06 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

On today's webinar we are going to cover two major topics.

First up we have 'An Overview of FOSSLight' by Kyoungae Kim of LG Electronics. FOSSLight is a newly released open source tool for open source compliance management that has been used internally in LG Electronics for several years:
https://fosslight.org
https://n.news.naver.com/article/001/0012435207

We continue the tooling discussion with 'Automated Yocto compliance built on SPDX: meta-doubleopen to Fossology to OSS Review Toolkit' by Mikko Murto of HH Partners.

All welcome.

Join Zoom Meeting
https://zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Meeting ID: 999 012 0120
Passcode: 123456


OpenChain Bi-Weekly Webinar - 2021-07-06 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

 

OpenChain Bi-Weekly Webinar - 2021-07-06 at 06:00 UTC / 07:00 BST / 08:00 CEST / 11:30 IST / 14:00 CST / 15:00 KST+JST

On tomorrow’s webinar we are going to cover two major topics.

First up we have 'An Overview of FOSSLight' by Kyoungae Kim of LG Electronics. FOSSLight is a newly released open source tool for open source compliance management that has been used internally in LG Electronics for several years:
https://fosslight.org
https://n.news.naver.com/article/001/0012435207

We continue the tooling discussion with 'Automated Yocto compliance built on SPDX: meta-doubleopen to Fossology to OSS Review Toolkit' by Mikko Murto of HH Partners.

All welcome.

Join Zoom Meeting
https://zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Meeting ID: 999 012 0120
Passcode: 123456


Re: Direct or indirect supplier?

Jan Thielscher
 

Probably just to prevent some misunderstanding or unnecessary fears:

The law Dirk referred to will be effective from 2023. At that point it addresses companies with >3000 employees; from 2024 it will also address companies with >1000 employees.
The focus is on human rights, it comprises direct as well as indirect suppliers - so this would not make much of a difference. But the requirements depend on several factors, one of them is the impact that the consuming company can have on the particular "violating supplier company".

The "violation" is not based on blacklisted countries! The "violation" has to happen - systematically - within the particular supplier (direct or indirect) organisation. (e.g. coding kiddies, 20hrs a day in the dark and wet basement of the software provider might qualify)

I guess someone capable of contributing to open source, in general does not qualify for such a sort of „abuse“. ;-)
 
Kind regards
Jan Thielscher
 
T: +49 69 153 22 77 55
F: +49 69 153 22 77 51

On 01.07.2021 at 16:50, Christopher Wood via lists.openchainproject.org <cvw01=sbcglobal.net@...> wrote:

Dirk
That is a brilliant question. I would add to this that consideration of open source projects in general have many contributors.  Would that make a company contributing to the code-base “that may include individual contributors who reside in countries designated on the violators list”  at risk?  Remember that there is no requirement to vet contributions by nationality or residency?  This is a question that really requires a Legal opinion and perhaps a change to German law clarifying this.
Regards
Chris

Sent via carrier pigeon

On Jul 1, 2021, at 7:32 AM, Dirk Riehle <dirk@...> wrote:

On 01.07.21 13:35, Carlo Piana wrote:

I guess a German Lawyer should reply.
In general terms, as I have been pondering it on other accounts, I would suggest that making FOSS generally available does not qualify as a supplier relationship. One needs to have a development agreement or a support agreement for that. This could also include developing FOSS to be given at large.

It is also my guess that you need an explicit supply contract to establish the supplier relationship formally.

If you do it within a holding company (inner source) that formal relationship is established automatically, even if you don't put something down in writing. In open source, this is not the case AFAIK.

Morally, and the thrust of the law is a moral one, in-kind compensation or just the dependency still might create public backlash.

Cheers, Dirk



--
Confused about open source?
Get clarity through https://bayave.com/training
--
Website: https://dirkriehle.com - Twitter: @dirkriehle
Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550
Re: Direct or indirect supplier?

Christopher Wood
 

Dirk
That is a brilliant question. I would add to this that consideration of open source projects in general have many contributors. Would that make a company contributing to the code-base “that may include individual contributors who reside in countries designated on the violators list” at risk? Remember that there is no requirement to vet contributions by nationality or residency? This is a question that really requires a Legal opinion and perhaps a change to German law clarifying this.
Regards
Chris

Sent via carrier pigeon

On Jul 1, 2021, at 7:32 AM, Dirk Riehle <dirk@riehle.org> wrote:

On 01.07.21 13:35, Carlo Piana wrote:

I guess a German Lawyer should reply.
In general terms, as I have been pondering it on other accounts, I would suggest that making FOSS generally available does not qualify as a supplier relationship. One needs to have a development agreement or a support agreement for that. This could also include developing FOSS to be given at large.
It is also my guess that you need an explicit supply contract to establish the supplier relationship formally.

If you do it within a holding company (inner source) that formal relationship is established automatically, even if you don't put something down in writing. In open source, this is not the case AFAIK.

Morally, and the thrust of the law is a moral one, in-kind compensation or just the dependency still might create public backlash.

Cheers, Dirk



--
Confused about open source?
Get clarity through https://bayave.com/training
--
Website: https://dirkriehle.com - Twitter: @dirkriehle
Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550

Re: Direct or indirect supplier?

Dirk Riehle
 

On 01.07.21 13:35, Carlo Piana wrote:

I guess a German Lawyer should reply.
In general terms, as I have been pondering it on other accounts, I would suggest that making FOSS generally available does not qualify as a supplier relationship. One needs to have a development agreement or a support agreement for that. This could also include developing FOSS to be given at large.
It is also my guess that you need an explicit supply contract to establish the supplier relationship formally.

If you do it within a holding company (inner source) that formal relationship is established automatically, even if you don't put something down in writing. In open source, this is not the case AFAIK.

Morally, and the thrust of the law is a moral one, in-kind compensation or just the dependency still might create public backlash.

Cheers, Dirk

--
Confused about open source?
Get clarity through https://bayave.com/training
--
Website: https://dirkriehle.com - Twitter: @dirkriehle
Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550
