OpenChain 2.0 Self-Certification Questionnaire Update - Review before Thursday CoB Pacific
This is a big email. It is about taking the lessons learned on the Conformance Questionnaire Webinar held on the 3rd of August 2020 to improve our self-certification questionnaire. Lessons applicable to the questionnaire have been applied as discussed below.

The practical side of this update has happened on GitHub. It refers to this branch:

And this Pull Request for the Main branch:

However, you do not need to visit GitHub to review what I have been doing. Below you will find:
(1) The Updated Questions (and you can comment)
(2) The Updated Questions Alongside Strikethrough of the Old Questions
(3) A List of the Specific Commits on GitHub used

The update focuses on the following:
(a) Changing to active voice instead of passive voice
(b) Removing words or constructs not necessary for understanding
(c) Adjusting language to align more closely with the Specification
(d) Correcting terminology not used in the Spec but used in the Questionnaire
(e) Correcting typographical issues

Here is the Specification 2.0 for reference:

Below is the adjusted Self-Certification Questionnaire for review. Unless we have a blocking issue I would like to go live by Thursday CoB Pacific to ensure we can release the Self-Certification Walk-Through Video as soon as possible. Therefore, while all comments are welcome, requests for changes should be isolated to errors, if any.

Goal 1:
1(a) Do you have a documented policy governing the Open Source license compliance of the Supplied Software?
1(b) Do you have a documented procedure to communicate the existence of the Open Source policy to all Software Staff?
1(c) Have you identified the roles and responsibilities that affect the performance and effectiveness of the Program?
1(d) Have you identified and documented the competencies required for each role?
1(e) Have you documented the assessed competence for each Program participant?
1(f) Have you documented the awareness of your Program participants on the following topics?
    i. The Open Source policy and where to find it;
    ii. Relevant Open Source objectives;
    iii. Contributions expected to ensure the effectiveness of the Program;
    iv. The implications of failing to follow the Program requirements.
1(g) Do you have a process for determining the scope of your Program?
1(h) Do you have a written statement clearly defining the scope and limits of the Program?
1(i) Do you have a documented procedure to review and document Open Source license obligations, restrictions and rights?

Goal 2: Relevant Tasks Defined and Supported
2(a) Have you assigned individual(s) responsibility for receiving external Open Source compliance inquiries?
2(b) Is the external Open Source compliance contact publicly identified (e.g. via an email address or the Linux Foundation Open Compliance Directory)?
2(c) Do you have a documented procedure for receiving and responding to Open Source compliance inquiries?
2(d) Have you documented the persons, group or function supporting the Program role(s) identified?
2(e) Have the identified Program roles been properly staffed and adequately funded?
2(f) Has legal expertise to address internal and external Open Source compliance been identified?
2(g) Do you have a documented procedure assigning internal responsibilities for Open Source compliance?
2(h) Do you have a documented procedure for handling review and remediation of non-compliant cases?

Goal 3: Open Source Content Review and Approval
3(a) Do you have a documented procedure for identifying, tracking and archiving information about the Open Source components in a Supplied Software release?
3(b) Do you have Open Source component records for Supplied Software which demonstrates the documented procedure was properly followed?
3(c) Do you have a documented procedure that covers these common Open Source license use cases for Open Source components in the Supplied Software?
    i. Distribution in binary form;
    ii. Distribution in source form;
    iii. Containing modified Open Source;
    iv. Containing Open Source with attribution requirements;
    v. Integration with other Open Source that may trigger copyleft obligations;
    vi. Containing Open Source or other software under incompatible licenses for interaction with other components in the Supplied Software.

Goal 4: Compliance Artifact Creation and Delivery
4(a) Do you have a documented procedure describing the process ensuring the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?
4(b) Do you have a documented procedure for archiving copies of Compliance Artifacts for the Supplied Software?
4(c) Are the Compliance Artifacts archived at least as long as the Supplied Software is offered and as required by the Identified Licenses?

Goal 5: Understand Open Source Community Engagement
5(a) Do you have a policy for contribution to Open Source projects on behalf of the organization?
5(b) Do you have a documented procedure governing Open Source contributions?
5(c) Do you have a documented procedure for making all Software Staff aware of the Open Source contribution policy?

Goal 6: Adherence to the Specification Requirements
6(a) Do you have documentation confirming that your Program meets all the requirements of this specification?
6(b) Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?

Here are the changes line by line (New: the updated question; Old: the previous question, shown with strikethrough in the original):

Goal 1:
1(a)
New: Do you have a documented policy governing the Open Source license compliance of the Supplied Software?
Old: Do you have a documented policy that governs open source license compliance of the Supplied Software distribution (e.g., via training, internal wiki, or other practical communication method)?
1(b)
New: Do you have a documented procedure to communicate the existence of the Open Source policy to all Software Staff?
Old: Do you have a documented procedure that communicates the existence of the open source policy to all Software Staff?
1(c)
New: Have you identified the roles and responsibilities that affect the performance and effectiveness of the Program?
Old: Have you identified the roles and the corresponding responsibilities that affect the performance and effectiveness of the Program?
1(d)
New: Have you identified and documented the competencies required for each role?
Old: Have you identified and documented the competencies required for each role?
1(e)
New: Have you documented the assessed competence for each Program participant?
Old: Have you documented evidence of assessed competence for each Program participant?
1(f)
New: Have you documented the awareness of your Program participants on the following topics?
    i. The Open Source policy and where to find it;
    ii. Relevant Open Source objectives;
    iii. Contributions expected to ensure the effectiveness of the Program;
    iv. The implications of failing to follow the Program requirements.
Old: Do you have evidence documenting the awareness of your personnel of the following topics?
    The open source policy and where to find it,
    The relevant open source objectives,
    The contributions expected to ensure the effectiveness of the Program,
    The implications of failing to follow the Program requirements,
1(g)
New: Do you have a process for determining the scope of your Program?
Old: Do you have a process for determining the scope of your Program?
1(h)
New: Do you have a written statement clearly defining the scope and limits of the Program?
Old: Do you have a written statement that clearly defines the scope and limits of the Program?
1(i)
New: Do you have a documented procedure to review and document Open Source license obligations, restrictions and rights?
Old: Do you have a process for reviewing open source license obligations, restrictions and rights?
Old: Do you have a documented procedure to review and document the obligations, restrictions and rights?

Goal 2: Relevant Tasks Defined and Supported
2(a)
New: Have you assigned individual(s) responsibility for receiving external Open Source compliance inquiries?
Old: Have you assigned individual(s) responsible for receiving external open source compliance inquiries ("Open Source Liaison")?
2(b)
New: Is the external Open Source compliance contact publicly identified (e.g. via an email address or the Linux Foundation Open Compliance Directory)?
Old: Is the Open Source Liaison function publicly identified (e.g. via an email address and/or the Linux Foundation's Open Compliance Directory)?
2(c)
New: Do you have a documented procedure for receiving and responding to Open Source compliance inquiries?
Old: Do you have a documented procedure that assigns responsibility for receiving and responding to open source compliance inquiries?
2(d)
New: Have you documented the persons, group or function supporting the Program role(s) identified?
Old: Have you documented the persons, group or function supporting the Program role(s) identified?
2(e)
New: Have the identified Program roles been properly staffed and adequately funded?
Old: Have the identified Program roles been properly staffed and has adequate funding provided?
2(f)
New: Has legal expertise to address internal and external Open Source compliance been identified?
Old: Is legal expertise pertaining to internal and external open source compliance identified?
2(g)
New: Do you have a documented procedure assigning internal responsibilities for Open Source compliance?
Old: Do you have a documented procedure assigning internal responsibilities for Open Source compliance.
2(h)
New: Do you have a documented procedure for handling review and remediation of non-compliant cases?
Old: Do you have a documented procedure for handling review and remediation of non-compliant cases?

Goal 3: Open Source Content Review and Approval
3(a)
New: Do you have a documented procedure for identifying, tracking and archiving information about the Open Source components in a Supplied Software release?
Old: Do you have a documented procedure for identifying, tracking and archiving information about the collection of open source components from which a Supplied Software release is comprised?
3(b)
New: Do you have Open Source component records for Supplied Software which demonstrates the documented procedure was properly followed?
Old: Do you have open source component records for each Supplied Software release which demonstrates the documented procedure was properly followed?
3(c)
New: Do you have a documented procedure that covers these common Open Source license use cases for Open Source components in the Supplied Software?
    i. Distribution in binary form;
    ii. Distribution in source form;
    iii. Containing modified Open Source;
    iv. Containing Open Source with attribution requirements;
    v. Integration with other Open Source that may trigger copyleft obligations;
    vi. Containing Open Source or other software under incompatible licenses for interaction with other components in the Supplied Software.
Old: Have you implemented a procedure that handles at least the following common open source license use cases for the open source components of each supplied Supplied Software release?
    distributed in binary form;
    distributed in source form;
    integrated with other open source such that it may trigger copyleft obligations;
    contains modified open source;
    contains open source or other software under an incompatible license interacting with other components within the Supplied Software;
    contains open source with attribution requirements.

Goal 4: Compliance Artifact Creation and Delivery
4(a)
New: Do you have a documented procedure describing the process ensuring the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?
Old: Do you have a documented procedure that describes a process that ensures the Compliance Artifacts are distributed with Supplied Software as required by the Identified Licenses?
4(b)
New: Do you have a documented procedure for archiving copies of Compliance Artifacts for the Supplied Software?
Old: Do you archive copies of the Compliance Artifacts of the Supplied Software?
4(c)
New: Are the Compliance Artifacts archived at least as long as the Supplied Software is offered and as required by the Identified Licenses?
Old: Are the copies of the Compliance Artifacts archived for at least as long as the Supplied Software is offered or as required by the Identified Licenses (whichever is longer)?

Goal 5: Understand Open Source Community Engagement
5(a)
New: Do you have a policy for contribution to Open Source projects on behalf of the organization?
Old: Do you have a policy that governs contributions to open source projects on behalf of the organization?
5(b)
New: Do you have a documented procedure governing Open Source contributions?
Old: Do you have a documented procedure that governs Open Source contributions?
5(c)
New: Do you have a documented procedure for making all Software Staff aware of the Open Source contribution policy?
Old: Do you have a documented procedure that makes all Software Staff aware of the existence of the Open Source contribution policy?

Goal 6: Adherence to the Specification Requirements
6(a)
New: Do you have documentation confirming that your Program meets all the requirements of this specification?
Old: Do you have documentation confirming that your Program meets all the requirements of this specification?
6(b)
New: Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?
Old: Do you have documentation confirming that your Program conformance was reviewed within the last 18 months?

Here are the changes as per GitHub (commit message, followed by the commit hash):
Updated Question 1(a) for clarity … d114034
Updated Question 1(b) for clarity 17c5bca
Updated Question 1(c) for clarity ec468ff
Updated Question 1(d) for clarity 4fa152d
Corrected 1(d), reverted because of double-check with spec 7a3f70e
Improved 1(e) for clarity 3f6b2ae
Improved 1(f) for clarity 8b51cf0
Updated 1(f)ii for clarity 0878235
Updated 1(f)iii for clarity 71b01ec
Updated 1(h) for clarity dff6cb9
Updated 1(i) to clarify conflation between "process" and "procedure" … 76033ba
Improved 2(a) for clarity 0200570
Fixed "open source" to Open Source throughout as this is a defined te… e501444
Improved Question 2(b) for clarity 6b12c98
Improved 2(c) for clarity and to bring it closer to the precise words… 91e6ad6
Improved 2(e) for clarity 061c387
Improved 2(f) for clarity and to bring the wording closer to the spec 71cf4f6
Further improvement to 2(f) for clarity b1eaa18
Improved 3(a) for clarity 800b25c
Improved 3(b) for clarity e3aa6c9
Improved 3(c) for clarity abde070
Updated 3.c.i to active voice for clarity b795769
Updated 3.c.ii to active voice for clarity 64b1bdd
Updated Updated 3.c.iii to active voice for clarity, also reduced unn… ca882cb
Fixed 3(c) because it used the term "at least" these use cases but th… 1ae5a99
Updated 3.c.iv to active voice f253c0b
Updated 3.c.v to active voice and for clarity fa4b8ac
Updated 3.c.vi to active voice 62ceb8f
Re-ordered questions under 3(c).X to make a better read path … d2256e7
Changed 4.a to active voice 6fc0fb6
Improved 4.b to bring it closer to the actual wording of the Spec 0683ad0
Improved 4.d for clarity (using AND instead of OR as the effect of AN… 5f3fcbe
Tweaked for clarity 5fead24
Improved 5.a to bring it closer to the wording of the spec 0d60b84
Updated 5.b to active voice 3587ad4
Updated legacy error with numbering (4.d to 4.c as no 4.c existed prior) 3936cf9
Updated 5.c to active voice and for clarity 750cde1
Updated bullet list formatting to match the rest of the document 0715c0a
Corrected typo (. instead of ?) in 2.g 0f875a7
Re: OpenChain 2.0 Self-Certification Questionnaire Update - Review before Thursday CoB Pacific
Great comments already coming in here:
https://github.com/OpenChain-Project/conformance-questionnaire/pull/47
On Aug 5, 2020, at 7:56, Shane Coughlan <scoughlan@...> wrote:
Reminder: OpenChain Automotive Work Group - Europe / Asia Virtual Workshop - Tomorrow (19th) at 9am London - 10am Berlin - 4pm Beijing/Taipei - 5pm Seoul/Tokyo
The OpenChain Automotive Work Group will hold a Europe / Asia Virtual Workshop on the 19th of August @ 10:00 CEST / 17:00 Japan and Korea. This event will be chaired by Masato Endo from Toyota. It will be our final Automotive meeting before the release of the OpenChain ISO standard circa Late September / Early October. All welcome.
Join Zoom Meeting: https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09
Meeting ID: 999 012 0120
Passcode: 123456
One tap mobile:
+16699006833,,9990120120#,,,,,,0#,,123456# US (San Jose)
+12532158782,,9990120120#,,,,,,0#,,123456# US (Tacoma)
Find your local number: https://us02web.zoom.us/u/kMNHHXxlG
Re: [japan-wg] Reminder: OpenChain Automotive Work Group - Europe / Asia Virtual Workshop - Tomorrow (19th) at 9am London - 10am Berlin - 4pm Beijing/Taipei - 5pm Seoul/Tokyo
Check below for Endo San’s message about our meeting today 😊
On Aug 19, 2020, at 10:26, Endo, Masato <masato_endo@...> wrote:
OpenChain Webinar
Andrew Katz
Hi All
I’m presenting an introduction to OpenChain on BrightTALK at 5:00pm UK Time tomorrow, in conjunction with Synopsys/Black Duck. Feel free to join me: https://www.brighttalk.com/webcast/13983/421263
All the best
Andrew
Re: OpenChain Webinar
Wonderful! Is there a recording?
On Aug 19, 2020, at 23:31, Andrew Katz <andrew.katz@...> wrote:
Re: OpenChain Webinar
Andrew Katz
Re: OpenChain Webinar
Thanks Andrew!
On Aug 21, 2020, at 19:29, Andrew Katz <andrew.katz@...> wrote:
OpenChain - Reducing Risk and Friction in the Supply Chain - Webinar with Moorcrofts and Synopsys
We just had another partner-led webinar featuring Andrew Katz, Moorcrofts & Matt Jacobs, Synopsys. Check it out here (registration required):
https://www.brighttalk.com/webcast/13983/421263

Abstract: OpenChain standardizes license compliance requirements around the use of open source software in the supply chain. Customers purchasing from an OpenChain compliant company know that the software has been developed in line with a set of documented and tested procedures and that all the relevant metadata (SBOMs and compliance notices) is available. So what does that mean for you? Join us for a live webinar to learn why companies like Scania (Volkswagen group), Cisco, ARM, Facebook, Uber, Google, Microsoft, Sony and Qualcomm rely on OpenChain. We’ll cover:
• The history of OpenChain, steps to compliance and overall benefits
• How OpenChain scales, and works for companies large and small
• What happens when the 2.1 specification becomes an ISO standard in September 2020
Reminder: Open Compliance Summit - Virtual Event @ 1st December - Call for Papers Open
Reminder: the Open Compliance Summit - the only global event dedicated to open source compliance - will take place December 1st. Are you doing cool things in this space? The call for papers is open:
https://events.linuxfoundation.org/open-compliance-summit/program/cfp/
OpenChain Inter-Regional Panel for OCS
Fukuchi San had a great idea for the OpenChain compliance summit. Let’s have an inter-regional panel to cover the following topics:
Why did you start a regional WG?
What are the outcomes this year?
What are the next challenges with the ISO standard?
How can we collaborate with other regional WGs in the next year?
Volunteers please! Let’s try and get five people before the weekend!
OpenChain Merchandise - Expanded! Lots of new local places added
Our zero-profit shop got a big upgrade today. In no particular order, the following localized merchandise was added:
Finland
Sweden
Norway
Denmark
The Netherlands
France
Swiss French
Swiss German
Swiss Italian
Swiss Rumantsch
USA
Wales
Scotland
Ireland
Spain
Italy
Everything at: https://openchainproject.threadless.com/
Source code for the images here: https://github.com/OpenChain-Project/Image-Assets/tree/master/Official/Threadless-Merchandise
Got another place you want added? Let me know in this thread.
OpenChain Merchandise - Get Some for Free
We have a marketing budget for our country and international teams. Right now I have $25 USD of merchandise per head for 400 people (including shipping). This is a big thank you for everyone who helped make OpenChain what it is. Here is the allocation of the award funds based on the subscriber numbers to various country and global lists:

It is up to each team to decide if they want a special process for claiming individual gifts. The global process will be simple. Please contact Rachel (operations@...) and let her know what you want. She will assemble a spreadsheet to track everything and we will order as each batch fills up.

Want to update my working data on the allocations? Did I get a number wrong? You can edit it live here:
https://1drv.ms/x/s!AsXJVqby5kpnj39NeJ_yDeAUZbN4
OpenChain Webinar #11 – First Monday of September at 9am Pacific – Open Source Issues Remediation + Community Bridge and SPDX Online Tools
Make a memo! Set a reminder! This is going to be a great webinar.
Join us on September 7 at 9am Pacific as Jari Koivisto talks about Open Source Issues Remediation. Gary O’Neall and Rohit Lodha will talk about Community Bridge and SPDX Online Tools.
Join Our Webinar: https://zoom.us/j/9990120120
Password: 123456
This is part of the bi-weekly OpenChain Webinar series. We feature international speakers on a wide range of topics related to open source compliance challenges and solutions. Learn more and review all the previous webinars here: https://www.openchainproject.org/webinars-interviews
OpenChain Procurement Document - Final Text and First Draft Leaflet
We are finally there!
Final Text here: https://1drv.ms/w/s!AsXJVqby5kpnkALZ44-ty0tQhYyQ
And here is the First Draft Leaflet: https://github.com/OpenChain-Project/Reference-Material/blob/master/Sales-Procurement-Leaflet/OpenChain%20for%20Sales%20and%20Procurement%20Departments%20Leafet%20Draft%201.pdf
Source here (including SVG and Photoshop): https://github.com/OpenChain-Project/Reference-Material/tree/master/Sales-Procurement-Leaflet
Feedback welcome. We can refine until mid-September, and after that point we definitely need to lock down ahead of ISO release.
Regards
Shane
Re: OpenChain Procurement Document - Final Text and First Draft Leaflet
Everyone, here is the second draft leaflet:
https://github.com/OpenChain-Project/Reference-Material/blob/master/Sales-Procurement-Leaflet/OpenChain%20for%20Sales%20and%20Procurement%20Departments%20Leafet%20Draft%202.pdf
On Aug 28, 2020, at 16:12, Shane Coughlan <scoughlan@...> wrote:
New European conference in Oct
Wanted to give you a heads up about this event in case you are interested in speaking / attending:
https://docs.google.com/document/d/1h0nb6cKMuphSQHV5wV4UUjCRBJkIbU-u-LFt2Po4DXA/edit
Re: [openchain] New European conference in Oct
I’m looping one of the organizers into this thread.
On Sep 4, 2020, at 13:34, Jeremiah C. Foster <jfoster@...> wrote:
Re: OpenChain Procurement Document - Final Text and First Draft Leaflet
OK everyone, if there are no further comments, our leaflet will be officially published Tuesday.
On Sep 1, 2020, at 9:28, Shane Coughlan via lists.openchainproject.org <scoughlan=linuxfoundation.org@...> wrote:
Second OpenChain UK Work Group Meeting Announced - September 30 from 2pm UK Time
This meeting will build on the success of the inaugural meeting in July, which attracted a stellar roster of speakers, including: Shane Coughlan (Linux Foundation), Kate Stewart (Linux Foundation), Hiroyuki Fukuchi (Sony), Andrew Katz (Orcro), Sami Atabani (Arm), Thomas Steenbergen (HERE Technologies) and Mirko Boehm, as well as a diverse range of delegates from around the world.