OpenChain


RUFFIN, MICHEL (MICHEL) <michel.ruffin@...>
 

FYI, I am now authorized to contribute to OpenChain in the name of Alcatel-Lucent worldwide (sorry it took a while to get all the authorizations). I will try to participate in a meeting soon, but can I have 10 minutes to say what I think is not OK and what should be done going forward?

 

Mainly, what I think is not OK is that the first level criteria are too strong; you need a smoother approach for companies which have no or only a weak governance process in place.

 

Concerning additional criteria, I have a lot of ideas that we are putting in place in Alcatel-Lucent.

 

My discomfort with the current criteria is that there is a mix between low-level criteria and high-level criteria, in terms of the steps to reach a good governance process.

 

A governance process should start low: identify people, enroll the lawyers, make a basic governance process, ...

Then raise attention in the company, refine the model to address suppliers, customers, outsourcing, …

Measure the implementation of the process, cope with divestiture, contribution to open source, SaaS…

 

And throughout the process the resources to sustain it must be made available, so everything cannot be done at once.

 

ALU has gone through all these stages and we are still evolving.

 

Michel

Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff

Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France

 


Dave Marr
 

Michel, welcome to the team, and thank you for the input! Are you able to join the call on Monday? Really constructive feedback that would be good to discuss.

BTW I should note that all participants are presumptively participating in an independent role and their comments are not ascribed to their company/orgs unless they indicate a preference otherwise.

When we get to a version 1.0 perhaps the materials at that time can be brought back to folks' respective companies for discussion on potential adoption.

Dave

On Jul 16, 2015, at 2:30 PM, RUFFIN, MICHEL (MICHEL) <michel.ruffin@...> wrote:


_______________________________________________
OpenChain mailing list
OpenChain@...
https://lists.linuxfoundation.org/mailman/listinfo/openchain


RUFFIN, MICHEL (MICHEL) <michel.ruffin@...>
 

I will try to do it next Monday, but I am not totally sure; I have a meeting with high execs in my company at 11 PDT and need to be ready, since I am doing the presentation.

 

I am allowed to speak officially on FOSS issues in the name of Alcatel-Lucent since I have been in charge of our FOSS governance process since the beginning in 2002.

 

This makes me think of a new comment on the criteria: there is no differentiation between small and big companies. In a big company of 60,000 people with a huge turnover, a lot of outsourcing, partners and suppliers, how do you control the behavior of people? This should be reflected somehow in the criteria.

 

Michel

Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff

Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France

 

From: Marr, David [mailto:dmarr@...]
Sent: Friday, 17 July 2015 05:41
To: RUFFIN, MICHEL (MICHEL)
Cc: Hutchison, Jim; openchain@...
Subject: Re: [OpenChain] OpenChain

 



Oliver Fendt
 

Hi all,

 

I will not be able to participate in today's call, so I will try the email approach.

 

Regarding the “trademark” discussion my view is in line with Jeremiah as follows:

Our goal shall be to make all our lives easier when it comes to license compliance etc. in the supply chain. We shall provide blueprints, best practices, assessment catalogues etc. to others (in such a quality that we can say “…if you use this and that, or if you have successfully passed the assessment from xyz, then everything is fine…”). We need a wide use and adoption of all our output. A very good means to maximize the adoption of one's own work by others is to share it under the conditions of an OSS license. I do not want to enable another business segment of consultants, with the work of OpenChain, squeezing money out of companies. This money should be invested in the compliance activities or in increasing the quality of software, but not in paying consultants. Just like Jeremiah said:

“The focus of Open Chain should be in adopting the best practices that exist in the community, not trying to set up some ISO regime that sues people over trademark. Seriously, Open Chain needs to consider policies much more inline with Debian's trademark policy, that will bring the process closer to FOSS practices and out of this maladaptive corporate sphere which really misses the point.”

 

 

@ Michel: it is very nice that you are now with OpenChain.

I have read your comments and I do not agree with your view of “…Mainly what I think is not ok is that the first level criteria are too strong, you need to have a smoother approach for companies which have not or have a weak governance process in place”.

We have struggled for years with companies which have no or a weak governance process, and this causes a lot of effort and time and costs a lot of money and nerves, because they are either not willing to provide the required information (bill of materials, license texts, copyright holders, acknowledgements, source code and others) or they are simply not able to provide it. But they have to do it according to copyright law. We really have to push to get out of this situation. I do not agree with a view of a smoother approach: shall we be fine with half of the required stuff or with old data? In normal life nobody will approach you in a smooth way if you do not behave according to the law. Or did I misunderstand your comment?

 

 

Have a nice Day

 

Oliver

 

From: openchain-bounces@... [mailto:openchain-bounces@...] On behalf of RUFFIN, MICHEL (MICHEL)
Sent: Thursday, 16 July 2015 23:07
To: hutch@...
Cc: openchain@...
Subject: [OpenChain] OpenChain

 

 


RUFFIN, MICHEL (MICHEL) <michel.ruffin@...>
 

My comment is mainly addressing the time needed to put in place a complete governance process in a big company. You need to raise awareness, you need to put resources in place, you need to address all the situations: using and distributing FOSS, supplier contracts, meeting customer requirements, contributing to open source, managing outsourcing, managing mergers and acquisitions, divestitures, managing SaaS and cloud computing, putting in place tools to automate things, having a set of lawyers competent on the topic, having recorded tutorials ready for anybody, managing European law versus American law, putting in place a package for newly hired people in the company, ….

 

Today ALU nearly has everything, but we started in 2002!!! and we have had weekly meetings since 2007 with lawyers to address all kinds of situations, new licenses, new technologies, …

 

So I would say step one is to raise awareness among R&D, high execs, legal and procurement, and to have the list of FOSS in your products available.

In further steps you introduce tools like Black Duck or Palamida.

In further steps you introduce tools such as Code Center, Antelink, NextB, Nexus, …

 

Today in ALU we are working to check that the process is implemented everywhere correctly, we are putting in place tools to automate things (to reduce effort) and we are defining a strategy to sponsor or contribute to FOSS.

 

But this takes time, and we invest more and more resources in this, and it is not easy to demonstrate the ROI. It is one thing to have a FOSS governance process that covers all aspects and another thing to have it implemented everywhere. The most difficult part, I think, is managing the turnover of people, the decentralization of activities and the outsourcing.

 

Also a difficult aspect is decentralizing. Our process is decentralized: we have 200 active FOSS experts who can accept or reject FOSS according to license in all our organizations (we have trained around 350 people; this is the turnover aspect) and who have the mission to implement the process in their organization. But I was the one doing the training (which is face to face and one week long); now we have decentralized this by having a trainer for each continent. Now I am thinking of decentralizing some of the functions of our FOSS executive committee (because we meet every week but never get to the end of the agenda).

 

Note there are very few suppliers that refuse to accept our FOSS conditions (the document that I sent to OpenChain at the beginning); sometimes what we do is give them a certain period of time (3 to 6 months) to become compliant after the signature of the contract. But I agree this is very time consuming, with a lot of conf calls with the supplier to convince it that it needs to do it. This is why I want to standardize these clauses, not the legal text but the principle.

 

By the way Jeremiah are you the ex-OMG lawyer that I know?

 

Michel

Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff

Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France

 

From: Fendt, Oliver [mailto:oliver.fendt@...]
Sent: Monday, 20 July 2015 11:46
To: RUFFIN, MICHEL (MICHEL); hutch@...
Cc: openchain@...
Subject: RE: OpenChain

 

 


Joseph Potvin
 

It appears that someone in this conversation has been tagged as advocating "some ISO regime that sues people over trademark". Let me correct that.

I have in the past, on this list, advocated our cooperation with the community around ISO 19600 Compliance management systems -- Guidelines. So let me attempt to reduce the confusion created by the parody of the so-called "ISO regime".

Let's consider two approaches:

OSADL License Compliance Audit (OSADL LCA)
https://www.osadl.org/License-Compliance-Audit.osadl-services-lca.0.html
Last year Siemens became "the first company authorized to label the audited product with the registered OSADL LCA hallmark, indicating to the purchasers of the product a high level of legal compliance when passing on the Open Source software contained in the product."
https://www.osadl.org/Single-View.111+M5a41822d074.0.html

ISO 19600:2014 Compliance management systems -- Guidelines
http://www.iso.org/iso/catalogue_detail?csnumber=62342
http://www.iso.org/iso/news.htm?refid=Ref1919
"two important decisions have been made that determine the content and format of ISO/CD 18386 [ISO 19600]:
a) It will be a guidance document and not a specification (requirements standard);
b) It will describe a compliance management system.
The first decision implies that ISO/CD 18386 [ISO 19600] is not intended for certification, but provides organizations with ‘good practice’ that they can fully or partly implement."
Source:  http://www.nen.nl/web/file?uuid=ee11eb45-59bb-41e5-805c-464ad42cfb98&owner=ea37f954-bd1b-41bd-bbf5-df167fd313d8

On the page about the OSADL License Compliance Audit, we find a chart of fees for certification, and if I read that correctly (Oliver, please correct me if I'm wrong, as that article is about your team's audit) the OSADL certification is product-based. For any organization with many products, that seems a rather pricey treadmill to be on!

On the other hand, the ISO 19600 approach is a ‘good practice’ that organizations can fully or partly implement. Furthermore, the suggestion by David Marr (tweaked by me) that "Use of the OpenChain logo is limited to company level designations intended for use in relation to organizations, not products... The OpenChain logo ... must be clearly associated with the organization, not the product" seems to align with the ISO 19600 approach at the organization, rather than the product-by-product level.

Therefore I offer the following two hypotheses:

1. Jeremiah actually supports the ISO 19600 approach, and he abhors the OSADL approach;
2. Oliver led Siemens to the OSADL approach, and now, regretting that decision, supports the ISO 19600 approach.

So, I think we all like the ISO 19600 approach, but I trust I'll be corrected if I'm confused!

As to the matter of how difficult or easy it should be to use a trademark of a compliance certification process, that's orthogonal to the choice in overall approach discussed above. But I think we're all aware that license proliferation has made compliance a headache. Any inter-organizational license compliance management system will therefore be very challenging. But it seems to me the organization-based ISO approach is a lot more practical and sustainable than the product-based OSADL approach.

FWIW, in my own free/libre/open work of the past decade and a half, for the above reasons I've generally tended towards "unified" licenses for whole applications, and "permissive" licenses for generic components and reference implementations. But I might be using an "elastic" license for the first time in a project I currently coordinate.
  • Permissive licenses (MIT, Apache) carry no restrictions on re-licensing when blending source code for distribution.
  • Elastic licenses (Eclipse) require that the original source code and its direct derivatives remain under the original licenses, whereas any code that is added can be under any license(s).
  • Unified licenses (GPL, AGPL) require consistent licensing of software at the program level when blending code for distribution.
Source: this spectrum is described on p. 89 of my 2011 article here: http://www.irwinlaw.com/sites/default/files/attached/KP21%2004%20Potvin.pdf


Earlier Thread Summary:

[Jeremiah] "So companies going through certification can't use the logo or trademark? That seems a bit restrictive, especially during launch of the overall certification process when you really want to build brand awareness. Perhaps you have the Open Chain logo and you have a "Certified" logo for completing the ISO certification process. ... What sort of sanctions do you propose might happen should one claim their "product" as "certified"? You'd have to have some kind of meaningful leverage."

[Joseph] "Of course it's a bit restrictive. Isn't that the point of a certification process and certification mark? The sanctions, if necessary, would be most directly handled under normal trademark law."

[Jeremiah] "No. It should be about certifying a process that should be widely adopted with the fewest restrictions possible. ... I think this is completely the wrong approach. The whole point of Free Software is real freedom from this sort of legalistic nonsense. The focus of Open Chain should be in adopting the best practices that exist in the community, not trying to set up some ISO regime that sues people over trademark. Seriously"

[Joseph] "Please see the OSI's Trademark Usage Guidelines ... You might also find the OSI-vs-OSHWA tussle about logos interesting."

 

Joseph Potvin
Operations Manager | Gestionnaire des opérations
The Opman Company | La compagnie Opman
jpotvin@...
Mobile: 819-593-5983

On Mon, Jul 20, 2015 at 5:46 AM, Fendt, Oliver <oliver.fendt@...> wrote:




Armijn Hemel - Tjaldur Software Governance Solutions <armijn@...>
 

On 20-07-15 14:50, Joseph Potvin wrote:

Therefore I offer the following two hypotheses:

1. Jeremiah actually supports the ISO 19600 approach, and he abhors
the OSADL approach;
2. Oliver led Siemens to the OSADL approach, and now regretting that
decision, supports the ISO 19600 approach

As one of the auditors involved in the OSADL audit I think you do not
understand the OSADL license audit approach, why it was developed, what
the experience of the auditors has been and what the next steps are.

So allow me to enlighten you.

When we developed the product audit (in 2012) there was no auditing
method for what we wanted to achieve. Of course there was already the
FSF certification program (see
https://www.fsf.org/licensing/compliancelab.html for more information)
but that is not what we wanted.

The product audit was scoped by *design* to keep it simple enough to
understand and explain, and easy to do within a short period of time (1
working day, with a bit of work before and after). Another reason to
scope it is that we can also compare results of audits, if needed.
Another important part of the design is to use open methods to make the
process repeatable for basically anyone who wants to.

The audit is performed on site, with one or two people of the
(development) team in the room during the audit and results are
discussed and explained in a continuous dialogue between and with the
auditors, as part of knowledge sharing.

At all audits we have done so far we find that it is actually good
enough as a test for compliance within a company/department/team and
discover processes that are wrong. Effectively we are using a scoped
*product* audit to uncover larger compliance *process* issues in a
company/department/team.

From the experiences of the product audits that we have done, a process
audit is being developed and the knowledge is widely shared with whoever
wants to hear about it (like OpenChain from before day one).

Regarding pricing: yes, having every product and firmware audited is
expensive. For the companies the goal has not been getting the
certificate, but finding out how well they are doing with respect to
compliance.

Regarding your hypotheses:

* no one we have audited has regretted the decision. The audit is hard
to pass and we have uncovered real issues in companies and supply chains.
* I talk to Jeremiah every now and then at conferences and as far as I
know he *loves* the OSADL method

With the OSADL audit we proved that with an ultralightweight open method
(the algorithm behind the tooling that we use has been published at
plenty of conferences and I can explain the technical part of the audit
in under 1 minute) we can achieve a lot. It's open. There is no secret
sauce. It's simple. It's clean. And: it *exists* and *works*.

I hope this helps you put the OSADL license compliance audit in context.

armijn

--
Armijn Hemel, MSc
Tjaldur Software Governance Solutions


Davis, Mateo
 

As I can’t make today’s call either, let me add my 2 cents:

 

I see this as very similar to how SOMC has used ISO standards. Some ISO standards we bothered getting certified for (expensive and time-consuming, but it was decided necessary for one reason or another). Other ISO standards we adopt internally, but we are not certified. We either a) decided it was not worth the expense of getting certified, even though we comply/follow, or b) we know we aren't 100% compliant, and the remaining 20% is more aspirational/future plans.

 

I see Open Chain as potentially similar:  Those companies that want to get certified and can justify the cost will.  Those that don’t have the need/value won’t bother getting certified (but will still adopt as suits their needs). 

 

Thus, Open Chain can suit both Joseph’s and Jeremy’s purposes perfectly well.

 

The one thing is that we make sure the Open Chain specs are freely available – one of the annoying things about ISO standards is that they are hard to get your hands on/they want money to access them.  

 

Regarding use of the Logo, I see that as slightly superfluous to the real issue of certification.   We could allow certified companies to use the Logo certain ways.   Not really sure that that is necessary (SOMC is ISO certified, and we don’t use any logos to make that known . . . .).   So can’t say I have any preference one way or another regarding allowing use of the Logo itself.

 

BR,

Mateo    

 

Mateo Davis

Senior Legal Counsel

 

Sony Mobile Communications AB

Nya Vattentornet, SE-221 88 Lund, Sweden

Tel +46 1080 17843

Mobile:  +46 76 144 2137

sonymobile.com

 

Sony logotype_23px height_Email_144dpi

 

 

From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Joseph Potvin
Sent: den 20 juli 2015 14:51
To: Fendt, Oliver
Cc: openchain@...
Subject: Re: [OpenChain] OpenChain

 

It appears that someone in this conversation has been tagged as advocating "some ISO regime that sues people over trademark". Let me correct that.

I have in the past, on this list, advocated our cooperation with the community around ISO 19600 Compliance management systems -- Guidelines. So let me attempt to reduce the confusion created by the parody of the so-called "ISO regime".

Let's consider two approaches:


OSADL License Compliance Audit (OSADL LCA)
https://www.osadl.org/License-Compliance-Audit.osadl-services-lca.0.html
Last year Siemens became "the first company authorized to label the audited product with the registered OSADL LCA hallmark, indicating to the purchasers of the product a high level of legal compliance when passing on the Open Source software contained in the product."
https://www.osadl.org/Single-View.111+M5a41822d074.0.html

ISO 19600:2014 Compliance management systems -- Guidelines
http://www.iso.org/iso/catalogue_detail?csnumber=62342
http://www.iso.org/iso/news.htm?refid=Ref1919
"two important decisions have been made that determine the content and format of ISO/CD 18386 [ISO 19600]:
a) It will be a guidance document and not a specification (requirements standard);
b) It will describe a compliance management system.
The first decision implies that ISO/CD 18386 [ISO 19600] is not intended for certification, but provides organizations with ‘good practice’ that they can fully or partly implement."
Source:  http://www.nen.nl/web/file?uuid=ee11eb45-59bb-41e5-805c-464ad42cfb98&owner=ea37f954-bd1b-41bd-bbf5-df167fd313d8

On the page about the OSADL License Compliance Audit, we find a chart of fees for certification, and if I read that correctly (Oliver, please correct me if I'm wrong, as that article is about your team's audit) the OSADL certification is product-based. For any organization with many products, that seems a rather pricey treadmill to be on!

On the other hand, the ISO 19600 approach is a ‘good practice’ that organizations can fully or partly implement. Furthermore, the suggestion by David Marr (tweaked by me) that "Use of the OpenChain logo is limited to company level designations intended for use in relation to organizations, not products... The OpenChain logo ... must be clearly associated with the organization, not the product" seems to align with the ISO 19600 approach at the organization, rather than the product-by-product level.

Therefore I offer the following two hypotheses:

1. Jeremiah actually supports the ISO 19600 approach, and he abhors the OSADL approach;

2. Oliver led Siemens to the OSADL approach, and now, regretting that decision, supports the ISO 19600 approach

So, I think we all like the ISO 19600 approach, but I trust I'll be corrected if I'm confused!

As to the matter of how difficult or easy it should be to use a trademark of a compliance certification process, that's orthogonal to the choice in overall approach discussed above. But I think we're all aware that license proliferation has made compliance a headache. Any inter-organizational license compliance management system will therefore be very challenging. But it seems to me the organization-based ISO approach is a lot more practical and sustainable than the product-based OSADL approach.

FWIW, In my own free/libre/open work of the past decade and a half, for the above reasons I've generally tended towards "unified" licenses for whole applications, and "permissive" licenses for generic components and reference implementations. But I might be using an "elastic" license for the first time in a project I currently coordinate.

  • Permissive licenses (MIT, Apache) carry no restrictions on re-licensing when blending source code for distribution.
  • Elastic licenses (Eclipse) require that the original source code and its direct derivatives remain under the original licenses, whereas any code that is added can be under any license(s).
  • Unified licenses (GPL, AGPL) require consistent licensing of software at the program level when blending code for distribution.

Source: This spectrum is described on pg 89 in my 2011 article here: http://www.irwinlaw.com/sites/default/files/attached/KP21%2004%20Potvin.pdf

Earlier Thread Summary:

[Jeremiah] "So companies going through certification can't use the logo or trademark? That seems a bit restrictive, especially during launch of the overall certification process when you really want to build brand awareness. Perhaps you have the Open Chain logo and you have a "Certified" logo for completing the ISO certification process. ... What sort of sanctions do you propose might happen should one claim their "product" as "certified"? You'd have to have some kind of meaningful leverage."

[Joseph] "Of course it's a bit restrictive. Isn't that the point of a certification process and certification mark? The sanctions, if necessary, would be most directly handled under normal trademark law."

[Jeremiah] "No. It should be about certifying a process that should be widely adopted with the fewest restrictions possible. ... I think this is completely the wrong approach. The whole point of Free Software is real freedom from this sort of legalistic nonsense. The focus of Open Chain should be in adopting the best practices that exist in the community, not trying to set up some ISO regime that sues people over trademark. Seriously"

[Joseph] "Please see the OSI's Trademark Usage Guidelines ... You might also find the OSI-vs-OSHWA tussle about logos interesting."

Joseph Potvin
Operations Manager | Gestionnaire des opérations
The Opman Company | La compagnie Opman
jpotvin@...
Mobile: 819-593-5983

On Mon, Jul 20, 2015 at 5:46 AM, Fendt, Oliver <oliver.fendt@...> wrote:

Hi all,

I will not be able to participate in today's call. So I try the email approach.

Regarding the “trademark” discussion my view is in line with Jeremiah as follows:

Our goal shall be to make all our lives easier when it comes to license compliance etc. in the supply chain. We shall provide blueprints, best practices, assessment catalogues etc. to others (in such a quality that we can say “…if you use this and that, or if you have successfully passed the assessment from xyz, then everything is fine….”). We need a wide use and adoption of all our output. A very good means to maximize the adoption of one's own work by others is to share it under the conditions of an OSS license. I do not want to enable another business segment of consultants, with the work of OpenChain, squeezing money out of companies. This money should be invested in the compliance activities or in increasing the quality of software, but not in paying consultants. Just like Jeremiah said:

“The focus of Open Chain should be in adopting the best practices that exist in the community, not trying to set up some ISO regime that sues people over trademark. Seriously, Open Chain needs to consider policies much more in line with Debian's trademark policy, that will bring the process closer to FOSS practices and out of this maladaptive corporate sphere which really misses the point.”

@ Michel: it is very nice that you are now with OpenChain.

I have read your comments and I do not agree with your view of “…Mainly what I think is not ok is that the first level criteria are too strong, you need to have a smoother approach for companies which have not or have a weak governance process in place”.

We have struggled for years with companies which have no or a weak governance process, and this causes a lot of effort and time and costs a lot of money and nerves, because they are either not willing to provide the required information (bill of material, license texts, copyright holders, acknowledgements, source code and others) or they are simply not able to provide it. But they have to do it according to copyright law. We really have to push to get out of this situation. I do not agree with a view of a smoother approach – shall we be fine with half of the required stuff or with old data? In normal life nobody will approach you in a smooth way if you do not behave according to laws. Or did I misunderstand your comment?

Have a nice Day

Oliver

From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of RUFFIN, MICHEL (MICHEL)
Sent: Thursday, 16 July 2015 23:07
To: hutch@...
Cc: openchain@...
Subject: [OpenChain] OpenChain

FYI, I am now authorized to contribute to OpenChain in the name of Alcatel-Lucent worldwide (sorry it took a while to get all the authorizations). I will try to participate in a meeting soon, but can I have 10 minutes to say what I think is not ok and what should be done going forward?

Mainly what I think is not ok is that the first level criteria are too strong; you need to have a smoother approach for companies which have no or a weak governance process in place.

Concerning additional criteria, I have a lot of ideas that we are setting in place in Alcatel-Lucent.

My discomfort with the actual criteria is that there is a mix between low level criteria and high level criteria, in terms of steps to reach a good governance process.

A governance process should start low: identify people, enroll the lawyers, make a basic governance process, ...

Then raising attention in the company, refining the model to address suppliers, customers, outsourcing, ...

Measuring the implementation of the process, coping with divestiture, contribution to open source, SaaS...

And in all the process the resources to sustain it must be made available, so everything cannot be done at once.

ALU has gone through all these stages and we are still evolving.

Michel

Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff

Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France


_______________________________________________
OpenChain mailing list
OpenChain@...
https://lists.linuxfoundation.org/mailman/listinfo/openchain

Claus-Peter Wiedemann

Open Chain: Framework/Processes
OSADL: Quality of the result (work product, i.e. operational compliance)

Same as:
CMMI
Quality assurance

Two cups of tea. Not interchangeable. Not to be confused.

Thanks
Claus-Peter

On 20.07.2015 at 16:23, Armijn Hemel - Tjaldur Software Governance Solutions <armijn@tjaldur.nl> wrote:

On 20-07-15 14:50, Joseph Potvin wrote:

Therefore I offer the following two hypotheses:

1. Jeremiah actually supports the ISO 19600 approach, and he abhors
the OSADL approach;
2. Oliver led Siemens to the OSADL approach, and now, regretting that
decision, supports the ISO 19600 approach

As one of the auditors involved in the OSADL audit I think you do not
understand the OSADL license audit approach, why it was developed, what
the experience of the auditors has been and what the next steps are.

So allow me to enlighten you.

When we developed the product audit (in 2012) there was no auditing
method for what we wanted to achieve. Of course there was already the
FSF certification program (see
https://www.fsf.org/licensing/compliancelab.html for more information)
but that is not what we wanted.

The product audit was scoped by *design* to keep it simple enough to
understand and explain, and easy to do within a short period of day (1
working day, with a bit of work before and after). Another reason to
scope it is that we can also compare results of audits, if needed.
Another important part of the design is to use open methods to make the
process repeatable for basically anyone who wants to.

The audit is performed on site, with one or two people of the
(development) team in the room during the audit and results are
discussed and explained in a continuous dialogue between and with the
auditors, as part of knowledge sharing.

At all audits we have done so far we find that it is actually good
enough as a test for compliance within a company/department/team and
discover processes that are wrong. Effectively we are using a scoped
*product* audit to uncover larger compliance *process* issues in a
company/department/team.

From the experiences from the product audits that we have done a process
audit is being developed and the knowledge is widely shared with whoever
wants to hear about it (like OpenChain from before day one).

Regarding pricing: yes, having every product and firmware audited is
expensive. For the companies the goal has not been getting the
certificate, but finding out how well they are doing with respect to
compliance.

Regarding your hypotheses:

* no one we have audited has regretted the decision. The audit is hard
to pass and we have uncovered real issues in companies and supply chains.
* I talk to Jeremiah every now and then at conferences and as far as I
know he *loves* the OSADL method

With the OSADL audit we proved that with an ultralightweight open method
(the algorithm behind the tooling that we use has been published at
plenty of conferences and I can explain the technical part of the audit
in under 1 minute) we can achieve a lot. It's open. There is no secret
sauce. It's simple. It's clean. And: it *exists* and *works*.

I hope this helps you put the OSADL license compliance audit in context.

armijn

--
Armijn Hemel, MSc
Tjaldur Software Governance Solutions


Oliver Fendt

Hi

Sorry for the late answer, I was not really able to answer earlier.

From: RUFFIN, MICHEL (MICHEL) [mailto:michel.ruffin@...]
Sent: Monday, 20 July 2015 14:04
To: Fendt, Oliver; hutch@...
Cc: openchain@...
Subject: RE: OpenChain

My comment is mainly addressing the time to set in place a complete governance process in a big company. You need to raise awareness, you need to put resources in place, you need to address all the situations: using and distributing FOSS, supplier contracts, meeting customer requirements, contributing to open source, managing outsourcing, managing mergers and acquisitions, divestitures, managing SaaS and cloud computing, setting in place tools to automate things, having a set of lawyers competent on the topic, having recorded tutorials ready for anybody, managing European law versus American law, putting in place a package for newly hired people in the company, ....

[Oliver] yes I know, to handle 3rd party software (no matter whether OSS or commercial off-the-shelf) in a correct manner affects the entire company including the Human Resources department, because you also need job descriptions and of course the right trainings and a concept for which employees trainings are mandatory or optional, etc.

This brings me to another point: these compliance processes are not caused by OSS. Every company which uses 3rd party software has to implement a license compliance process. There are only very few additional things to do in this process which are specific to OSS.

My intention with this statement is to be fair in regard to OSS. I often have the impression that there is an “opinion” which sounds like “oh we have to do all this high effort license compliance stuff, because we use OSS” and this is simply not the truth. Every company which uses 3rd party software (or better to say software of which it does not hold all rights) has to implement a license compliance process.

Today ALU nearly has everything, but we started in 2002!!! and we have had weekly meetings since 2007 with lawyers to address all kinds of situations, new licenses, new technologies, ...

So I would say step one is to raise awareness in R&D, high exec, legal and procurement, and to have the list of FOSS in your products available.

In further steps you introduce tools like Blackduck or Palamida.

In further steps you introduce tools such as code center Antelink, NextB, Nexus, ...

[Oliver] I do not agree here. I would not require a supplier to license Blackduck and/or Palamida.

Today in ALU we are working to check that the process is implemented everywhere correctly, we are putting in place tools to automate things (to reduce efforts) and we are defining a strategy to sponsor or contribute to FOSS.

But this takes time and we invest more and more resources on this, and it is not easy to demonstrate the ROI. It is one thing to have a FOSS governance process that covers all aspects and a second thing to have it implemented everywhere. The most difficult is, I think, managing the turnover of people, the decentralization of activities and the outsourcing.

[Oliver] yes I can imagine, because simply the tooling you have mentioned above is not that cheap.

Also a difficult aspect is decentralizing. Our process is decentralized: we have 200 active FOSS experts that can accept or reject FOSS according to license in all our organizations (we have trained around 350 people, this is the turnover aspect) and they have the mission to implement the process in their organization. But I was the one that was doing the training (which is face to face and one week long); now we have decentralized this by having a trainer for each continent. Now I am thinking to decentralize some of the functions of our FOSS executive committee (because we meet every week but never get to the end of the agenda).

[Oliver] this I do not really understand: if you have e.g. one central DB where all the requested and approved components are listed with all their attributes, you can always control what’s going on.

Ciao

Oliver

Note there are very few suppliers that refuse to accept our FOSS conditions (the document that I sent to openchain at the beginning); sometimes what we do is to give them a certain period of time (3 to 6 months) to be compliant after the signature of the contract. But I agree this is very time consuming, a lot of conf calls with the supplier to convince it that it needs to do it. It is why I want to standardize these clauses, not the legal text but the principle.

By the way Jeremiah, are you the ex-OMG lawyer that I know?

Michel

Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff

Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France

RUFFIN, MICHEL (MICHEL) <michel.ruffin@...>

[Oliver] yes I know, to handle 3rd party software (no matter whether OSS or commercial off-the-shelf) in a correct manner affects the entire company including the Human Resources department, because you also need job descriptions and of course the right trainings and a concept for which employees trainings are mandatory or optional, etc.

This brings me to another point: these compliance processes are not caused by OSS. Every company which uses 3rd party software has to implement a license compliance process. There are only very few additional things to do in this process which are specific to OSS.

My intention with this statement is to be fair in regard to OSS. I often have the impression that there is an “opinion” which sounds like “oh we have to do all this high effort license compliance stuff, because we use OSS” and this is simply not the truth. Every company which uses 3rd party software (or better to say software of which it does not hold all rights) has to implement a license compliance process.

(Michel): the process to handle proprietary COTS is generally handled by procurement and supply chain; it is not so obvious with FOSS.

So I would say step one is to raise awareness in R&D, high exec, legal and procurement, and to have the list of FOSS in your products available.

In further steps you introduce tools like Blackduck or Palamida.

In further steps you introduce tools such as code center Antelink, NextB, Nexus, ...

[Oliver] I do not agree here. I would not require a supplier to license Blackduck and/or Palamida.

(Michel) as you said, a lot of people still think “it is open source so I can use it” without consideration that the license must be respected. It is true for ALU, for its suppliers, for its outsourced development. The declarative approach (listing the FOSS used) is not enough (some people introduce 100 lines of code from an open source project), so we need to cross check with tools. We do not impose that on suppliers, but in the future, ???? Note I cite 2 tools for scanning code, but there are other competitors: nextB, Protecode, Antelink, Openlogix (now owned by IBM) and perhaps some I am not aware of.

[Oliver] yes I can imagine, because simply the tooling you have mentioned above is not that cheap.

(Michel) it is not really the tooling which is expensive but the experts trained to evaluate FOSS licenses, packaging the ALU products, using the tools, and their training is expensive. The time for most people in the company to follow some basic trainings, ... we also have a program with HR, Quality org, lawyers to empower the experts to do their job and to recognize them. All this is expensive.

Also a difficult aspect is decentralizing. Our process is decentralized: we have 200 active FOSS experts that can accept or reject FOSS according to license in all our organizations (we have trained around 350 people, this is the turnover aspect) and they have the mission to implement the process in their organization. But I was the one that was doing the training (which is face to face and one week long); now we have decentralized this by having a trainer for each continent. Now I am thinking to decentralize some of the functions of our FOSS executive committee (because we meet every week but never get to the end of the agenda).

[Oliver] this I do not really understand: if you have e.g. one central DB where all the requested and approved components are listed with all their attributes, you can always control what’s going on.

(Michel) we have a central DB to gather IP issues with FOSS, but the people that fill this DB are decentralized; their trainers are also decentralized. Also decentralization allows awareness everywhere. I am convinced that only decentralized people and centralized information is a good solution for having a scalable governance process.

Michel

Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff

Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France

 


Jim Hutchison
 

[hutch] To the extent that the application of OpenChain results in a collection of indications of how OpenChain is applied to a participant in a supply chain, these indications (artifacts of certification) could inform the downstream.  They/one might indicate that they determine licenses by controlling their intake from upstream.  They/one might indicate that they perform direct inspection, use tools, and/or benefit from third-party audits.  For some, a combination of these would perform best.  As we proceed into discussion of how OpenChain is applied to various sizes of supplier, it looks like we cannot simply conclude "yes" and "no", but there must also be information to share forward.

I wholly agree with the benefit of these multiple approaches to training, as answers/analysis can have little quality when people do not understand the questions.  Hopefully we can quantify training in a way which builds appropriate downstream trust.

Regards,

Jim Hutchison

Qualcomm Technologies, Inc.


At 05:30 AM 7/24/2015, RUFFIN, MICHEL (MICHEL) wrote:
[Oliver] yes, I know that handling 3rd party software (no matter whether OSS or commercial off the shelf) in a correct manner affects the entire company, including the Human Resources department, because you also need job descriptions and of course the right trainings and a concept for which employees trainings are mandatory or optional, etc.
This brings me to another point: these compliance processes are not caused by OSS. Every company which uses 3rd party software has to implement a license compliance process. There are only very few additional things to do in this process which are specific to OSS.
My intention with this statement is to be fair in regard to OSS. I often have the impression that there is an "opinion" which sounds like "oh, we have to do all this high-effort license compliance stuff because we use OSS", and this is simply not the truth. Every company which uses 3rd party software (or better to say, software of which it does not hold all rights) has to implement a license compliance process.
 
(Michel): the process to handle proprietary COTS is generally handled by procurement and supply chain; it is not so obvious with FOSS.
 
 
So I would say step one is to raise awareness in R&D, among high executives, legal and procurement, and to have the list of FOSS in your products available.
In further steps you introduce tools like Blackduck or Palamida.
In further steps you introduce tools such as Code Center, Antelink, NextB, Nexus, …
 
[Oliver] I do not agree here. I would not require a supplier to license Blackduck and/or Palamida.
 
(Michel) as you said, a lot of people still think "it is open source, so I can use it" without consideration that the license must be respected.  It is true for ALU, for its suppliers, for its outsourced development. The declarative approach (listing the FOSS used) is not enough (some people introduce 100 lines of code from an open source project), so we need to cross-check with tools. We do not impose that on suppliers, but in the future, ???? Note I cite 2 tools for scanning code, but there are other competitors: nextB, Protecode, Antelink, Openlogix (now owned by IBM) and perhaps some I am not aware of.
 
 
[Oliver] yes, I can imagine, because simply the tooling you have mentioned above is not that cheap.
 
(Michel) it is not really the tooling which is expensive, but the experts trained to evaluate FOSS licenses, package the ALU products and use the tools; their training is expensive. The time for most people in the company to follow some basic trainings, … We also have a program with HR, the Quality org and lawyers to empower the experts to do their job and to recognize them. All this is expensive.
 
Also a difficult aspect is decentralizing. Our process is decentralized: we have 200 active FOSS experts who can accept or reject FOSS according to license in all our organizations (we have trained around 350 people; this is the turnover aspect) and who have the mission to implement the process in their organization.  But I was the one doing the training (which is face to face and one week long); now we have decentralized this by having a trainer for each continent. Now I am thinking of decentralizing some of the functions of our FOSS executive committee (because we meet every week but never get to the end of the agenda).
 
[Oliver] this I do not really understand: if you have, e.g., one central DB where all the requested and approved components are listed with all their attributes, you can always control what's going on.
 
(Michel) we have a central DB to gather IP issues with FOSS, but the people who fill this DB are decentralized, and their trainers are also decentralized. Also, decentralization allows awareness everywhere. I am convinced that only decentralized people and centralized information is a good solution for having a scalable governance process.
 
 
Michel
Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff
Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France
 
From: Fendt, Oliver [mailto:oliver.fendt@...]
Sent: Monday, 20 July 2015 11:46
To: RUFFIN, MICHEL (MICHEL); hutch@...
Cc: openchain@...
Subject: Re: OpenChain
 
Hi all,
 
I will not be able to participate in today's call, so I will try the email approach.
 
Regarding the "trademark" discussion, my view is in line with Jeremiah's, as follows:
Our goal shall be to make all our lives easier when it comes to license compliance etc. in the supply chain. We shall provide blueprints, best practices, assessment catalogues etc. to others (in such a quality that we can say "…if you use this and that, or if you have successfully passed the assessment from xyz, then everything is fine…"). We need wide use and adoption of all our output. A very good means to maximize the adoption of our own work by others is to share it under the conditions of an OSS license. I do not want to enable, with the work of OpenChain, another business segment of consultants squeezing money out of companies. This money should be invested in compliance activities or in increasing the quality of software, but not in paying consultants. Just like Jeremiah said:
“The focus of Open Chain should be in adopting the best practices that exist in the community, not trying to set up some ISO regime that sues people over trademark. Seriously, Open Chain needs to consider policies much more inline with Debian's trademark policy, that will bring the process closer to FOSS practices and out of this maladaptive corporate sphere which really misses the point.”
 
 
@Michel: it is very nice that you are now with OpenChain.
I have read your comments and I do not agree with your view that "Mainly what I think is not ok is that the first level criteria are too strong, you need to have a smoother approach for companies which have not or have a weak governance process in place".
We have struggled for years with companies which have no or a weak governance process, and this causes a lot of effort and time and costs a lot of money and nerves, because they are either not willing to provide the required information (bill of materials, license texts, copyright holders, acknowledgements, source code and others) or they are simply not able to provide it. But they have to do it according to copyright law. We really have to push to get out of this situation. I do not agree with the view of a smoother approach: shall we be fine with half of the required material or with old data? In normal life nobody will approach you in a smooth way if you do not behave according to the law. Or did I misunderstand your comment?
 
 
Have a nice day
 
Oliver
 
From: openchain-bounces@... [mailto:openchain-bounces@...] On behalf of RUFFIN, MICHEL (MICHEL)
Sent: Thursday, 16 July 2015 23:07
To: hutch@...
Cc: openchain@...
Subject: [OpenChain] OpenChain


Jim Hutchison
 

Hello Michel,

Do you find that there could be value in attestation/certification by a part of a group, which is the only part working on the released software headed up/down the chain?

Regards,

Jim Hutchison

Qualcomm Technologies, Inc.


At 12:51 PM 7/29/2015, Jim Hutchison wrote:
 
_______________________________________________
OpenChain mailing list
OpenChain@...
https://lists.linuxfoundation.org/mailman/listinfo/openchain


RUFFIN, MICHEL (MICHEL) <michel.ruffin@...>
 

I think that the OpenChain work requires a kind of certification.

 

It can be done in two different ways:

·         The CMMI way: we do an internal audit to check our compliance, and then external companies can audit us by auditing a sample of the company's products. This is a bit costly, but might be requested by our customers in the future.

·         The second way is to do an internal audit and publish our declaration on a dedicated web page hosted by the Linux Foundation (this is the method we chose for certifying Carrier Grade Linux in the past). This is based on confidence.

 

In any case ALU has a strong FOSS governance process, but it is difficult for me to know if it is implemented everywhere. So what we have done is to make the tutorial mandatory to follow; we also put that in the package for newly hired people; the role of our FOSS experts is now described and recognized by our HR department; we are also putting in place a recognition program to be sure that they are empowered; and I was thinking that the next step would be to do internal audits. But our customers put more and more conditions on FOSS in their contracts, so perhaps I will not need to go to internal audits, because our business lines are very sensitive to customer requests. But this is perhaps specific to telecom, because we do not have too many customers: there are around 2000 network operators in the world, while some industries have millions of customers, so the customer pressure is very low.

 

Now I am also investigating having a certificate of compliance per ALU product that we can provide to our customers, with different levels:

1)      the list of FOSS, their licenses etc. is available for the product

2)      1 + a tool like Blackduck, Palamida, Protecode or one of their competitors has been run on the product and we can provide the tool report

3)      2 + all of the R&D team has followed our FOSS tutorial

 

We have other projects to control the implementation, like tooling as many things as possible so we can get automatic reports (ongoing but long; we will have to change some of our processes).

 

Hope this helps. I will try to be on the call on the 21st.

 

Michel

Michel.Ruffin@..., PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff

Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceau - France
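The cross-check Michel describes in his 24 July message quoted earlier in this thread (a declared FOSS list is not enough, so the declaration is compared against what a scanner finds, and each license is accepted, reviewed or rejected by the FOSS experts' policy) and the per-product tool report of the level 2 certificate above, as an added example. This is not code from the OpenChain list, from Alcatel-Lucent or from any of the scanners named; the comma-separated input format, the POLICY table, the "libfoo" component name and the declaration and scan results are all constructed for the illustration, and a real wrapper would first convert the report format of whichever scanner it uses into the Component records below.

```python
"""Reconcile a product's declared FOSS list with scanner findings and a license
policy.  Added example; not code from OpenChain, Alcatel-Lucent or any scanner
vendor.  Input format, POLICY table and sample data are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str  # license identifier as declared, or as reported by the scan


# Constructed policy: the verdict the FOSS experts have recorded per license.
# Anything not listed is unknown and must be escalated, never silently passed.
POLICY = {
    "MIT": "accept",
    "BSD-3-Clause": "accept",
    "Apache-2.0": "accept",
    "Zlib": "accept",
    "LGPL-2.1-only": "review",   # linking model must be checked by an expert
    "GPL-2.0-only": "review",    # source offer and packaging must be checked
    "AGPL-3.0-only": "reject",   # illustrative: not accepted in shipped products
}


@dataclass
class Report:
    undeclared: list = field(default_factory=list)        # in scan, not declared
    unconfirmed: list = field(default_factory=list)       # declared, not in scan
    license_mismatch: list = field(default_factory=list)  # (declared, scanned)
    rejected: list = field(default_factory=list)
    needs_review: list = field(default_factory=list)
    unknown_license: list = field(default_factory=list)

    def ok(self) -> bool:
        """Declaration complete and consistent, nothing rejected or unknown."""
        return not (self.undeclared or self.license_mismatch
                    or self.rejected or self.unknown_license)


def parse_list(text: str) -> list[Component]:
    """Parse 'name,version,license' lines; blank lines and '#' comments are
    skipped.  A line with fewer than three fields raises ValueError on purpose:
    a half-filled declaration should fail loudly rather than pass."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, lic = (f.strip() for f in line.split(",", 2))
        out.append(Component(name, version, lic))
    return out


def reconcile(declared: list[Component], scanned: list[Component]) -> Report:
    """Compare the declaration (the claim) against the scan (the evidence)."""
    dmap = {(c.name, c.version): c for c in declared}
    smap = {(c.name, c.version): c for c in scanned}
    rep = Report()
    for key, s in smap.items():
        d = dmap.get(key)
        if d is None:
            rep.undeclared.append(s)
        elif d.license != s.license:
            rep.license_mismatch.append((d, s))
    for key, d in dmap.items():
        if key not in smap:
            rep.unconfirmed.append(d)
    # Policy is applied to what the scanner found, not to what R&D declared.
    for s in scanned:
        verdict = POLICY.get(s.license)
        if verdict is None:
            rep.unknown_license.append(s)
        elif verdict == "reject":
            rep.rejected.append(s)
        elif verdict == "review":
            rep.needs_review.append(s)
    return rep


def check_product(declared_text: str, scanned_text: str) -> Report:
    return reconcile(parse_list(declared_text), parse_list(scanned_text))


# Constructed sample: what an R&D team declared for a product ("libfoo" is a
# hypothetical name) ...
DECLARED = """
# name,version,license
zlib,1.2.8,Zlib
libxml2,2.9.2,MIT
openssl,1.0.2d,Apache-2.0
busybox,1.23.2,GPL-2.0-only
libfoo,0.9,MIT
"""

# ... and what a scanner reported for the same build (constructed output: gnutls
# and ghostscript were pulled in but never declared, and the openssl 1.0.2 line
# carries the OpenSSL license, not Apache-2.0, so the declaration is wrong).
SCANNED = """
zlib,1.2.8,Zlib
libxml2,2.9.2,MIT
openssl,1.0.2d,OpenSSL
busybox,1.23.2,GPL-2.0-only
gnutls,3.3.17,LGPL-2.1-only
ghostscript,9.15,AGPL-3.0-only
"""

if __name__ == "__main__":
    rep = check_product(DECLARED, SCANNED)
    for label in ("undeclared", "unconfirmed", "rejected", "needs_review", "unknown_license"):
        for c in getattr(rep, label):
            print(f"{label:16} {c.name} {c.version} ({c.license})")
    for d, s in rep.license_mismatch:
        print(f"{'mismatch':16} {d.name} {d.version}: declared {d.license}, scanned {s.license}")
    print("release gate:", "PASS" if rep.ok() else "FAIL")
```

Two design choices matter here. Policy is evaluated on the scanner's evidence rather than on the declaration, so the 100 lines copied from an open source project that nobody listed still reach the expert. And a declared component the scanner did not find is reported as unconfirmed rather than dropped: it may be a stale entry from an earlier release, and a customer-facing report that lists components which are no longer in the product is as misleading as one that omits them.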

 

From: Jim Hutchison [mailto:hutch@...]
Sent: Monday, 14 September 2015 20:03
To: RUFFIN, MICHEL (MICHEL); Fendt, Oliver
Cc: openchain@...
Subject: Re: [OpenChain] OpenChain

 

Hello Michel,

Do you find that there could be value in attestation/certification by a part of group, which is the only part working on the released software headed up/down the chain?

Regards,

Jim Hutchison

Qualcomm Technologies, Inc.
