OpenChain agenda 11/2


Kelly Williams
 

Hi Everyone,

 

Here is the agenda for Monday’s call at 9am (Pacific).

 

* OSADL checklist demo (screen share may be used) (Miriam Ballhausen)
* Governance Proposal (Scott Nicholas)

 

Conference Number: +1 (415) 906-5657 Pin: 88326
UberConference URL: http://uberconference.com/mdolan

 

For international call instructions, please visit the website below. Please note you will have to enter the US Conference number as part of the instructions: http://www.uberconference.com/international/access

 

Screen share (if used): go to http://uberconference.com/mdolan

 

Regards,

Kelly

 


Kelly Williams
 

Governance proposal presentation attached. 

 

From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Williams, Kelly
Sent: Friday, October 30, 2015 10:10 AM
To: openchain@...
Subject: [OpenChain] OpenChain agenda 11/2

 


 


Bruno Cornec
 

Hello,

Sorry couldn't join today as I was delivering a training.

I have a question wrt 3rd party certification. How are these positioned
compared to self-certification? I remember that some of us were
reluctant in Dublin to create a new business around certification, so
has something changed in between?

Best regards,
Bruno.

Williams, Kelly said on Mon, Nov 02, 2015 at 05:09:28PM +0000:

Governance proposal presentation attached.


_______________________________________________
OpenChain mailing list
OpenChain@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/openchain
--
Open Source Profession, Linux Community Lead WW http://hpintelco.net
HPE EMEA EG Open Source Technology Strategist http://hp.com/go/opensource
FLOSS projects: http://mondorescue.org http://project-builder.org
Musique ancienne? http://www.musique-ancienne.org http://www.medieval.org


Kelly Williams
 

Hi Everyone,

 

Thanks to those who joined the call on Monday. The Supplier License Compliance Audit (SLCA) presentation is on the wiki: https://wiki.linuxfoundation.org/openchain/minutes. We will pick up with the Governance proposal on the next call.

 

Thanks,

Kelly

 

From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Williams, Kelly
Sent: Monday, November 02, 2015 9:09 AM
To: openchain@...
Cc: Scott Nicholas
Subject: Re: [OpenChain] OpenChain agenda 11/2

 

Governance proposal presentation attached. 

 


 


Mark Gisi
 

> I remember that some of us were reluctant in Dublin to create a
> new business around certification, so has something changed in between?

The OpenChain discussion at LinuxCon North America went in a slightly different direction. Here is a summary of what I recall. For those who attended the Seattle meeting please don't hesitate to correct and/or augment.

It would be helpful to make a distinction between two concepts: "OpenChain Compliance" and "OpenChain Certification". A statement about achieving OpenChain Compliance means *one claims* they have met the requirements of the OpenChain standard. OpenChain Certified means an authorized third party verified that the organization has met the OpenChain requirements. Nothing prevents an organization from claiming they are OpenChain Compliant. However, an organization should not be allowed to use the "Certified" designation unless they have been formally audited and cleared by an authorized third party. The details of how an organization would qualify to be authorized to certify others were not discussed in detail. The creation of a trademark to develop brand integrity was discussed. It was acknowledged that the OpenChain working group would need to raise funds to support an authorization/certification program. One avenue of funding discussed was by offering an annual OpenChain membership fee for corporations that had a strong interest in a certification program. No interest then no funding. No funding then no program.

It was also discussed that a software supplier should be able to hire a third party consultant to assist them in implementing processes that enable them to satisfy the requirements of the OpenChain standard to achieve OpenChain Compliance. The assisting third party should not be allowed to formally certify an organization they assisted due to a conflict of interest (even if the third party was authorized to do so). If the software supplier also seeks certification, they would need to work with a second neutral OpenChain authorized third party to verify they have met all the requirements.

It was identified that the success of the OpenChain initiative depended on at least two objectives: the ability
1) for smaller suppliers to participate at little or no cost;
2) to support a credible certification path (accountability) for corporations that demand it.

All in all - it was generally agreed that OpenChain should *not* attempt to boil the ocean by initially launching a multi-tier certification program. Having an initial basic set of requirements that an organization can use to *self-audit* to claim "OpenChain Compliance" would be sufficient. It was considered important to leave the door open to permit a more formal accountable certification program that could grow organically (potentially supported by a trademark). For now we should use terms like "self-audit" or "self-checked" in place of "self-certified". A certification program would need to be funded by companies that insist on accountability for the "promise of quality" of the compliance artifacts they receive from their suppliers.

- Mark

Mark Gisi | Wind River | Director, IP & Open Source
Tel (510) 749-2016 | Fax (510) 749-4552

-----Original Message-----
From: openchain-bounces@lists.linuxfoundation.org [mailto:openchain-bounces@lists.linuxfoundation.org] On Behalf Of Bruno Cornec
Sent: Monday, November 02, 2015 10:44 AM
To: Williams, Kelly
Cc: openchain@lists.linuxfoundation.org; Scott Nicholas
Subject: Re: [OpenChain] OpenChain agenda 11/2



RUFFIN, MICHEL (MICHEL) <michel.ruffin@...>
 

Thanks a lot Mark for this detailed explanation.
I totally support this approach.

Certification can be necessary for big companies and might be requested by our customers, but it has a cost.
So compliance claiming is a good way to enroll smaller companies, that cannot afford a third party audit.

Now there is another way that we can explore (not incompatible with compliance and certificate) for small companies.

In Alcatel-Lucent we classify our suppliers in 3 categories regarding FOSS issues: trusted suppliers, reliable suppliers and unreliable suppliers.

For trusted suppliers, we do not check a lot of things, just asking for the list of FOSS (version, license, nature of FOSS) and we have in our contract with them some guarantees.

For reliable suppliers, we perform a test on the list of FOSS they provide to us and can determine they are responsive, aware, that information is correct, etc. (so we do a minimum check and we know we can rely on them), so afterwards in our process we are asking less of them, but we are still doing some checking.

For unreliable suppliers, we do the same as for reliable suppliers and note that there are some mistakes. Then we check everything.

The two last categories are generally small companies, but for reliable companies we could issue a kind of testimony that they have a correct process.

Food for thought, this needs more thinking, but it is perhaps a valid third option that will cost nothing (note that in the first category "trusted suppliers" today we have around 10 companies and a program to develop this).

Michel
Michel.Ruffin@Alcatel-Lucent.com, PhD
Software Coordination Manager, COO - Business transformation
Distinguished Member of Technical Staff
Tel +33 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux - France

-----Original Message-----
From: openchain-bounces@lists.linuxfoundation.org [mailto:openchain-bounces@lists.linuxfoundation.org] On Behalf Of Gisi, Mark
Sent: Monday, November 9, 2015 03:19
To: Bruno Cornec; Williams, Kelly
Cc: openchain@lists.linuxfoundation.org; Scott Nicholas
Subject: Re: [OpenChain] OpenChain agenda 11/2
