Re: OpenChain UK Workgroup Meeting - 26th January 2023

Andrew K
 

Hi All
I'm looking forward to seeing many of you later, in person and virtually, at today's meeting at 15:00 UTC/GMT. The proposed agenda is as follows:

  1. Welcome
  2. Introductions and news from the UKWG (10 mins)
  3. News update from Shane Coughlan (10 mins)
  4. Intro to Bytesize Training from Martin Yagi + discussion (20 mins)
  5. Transparency around firmware provenance at ARM from Yogesh Deshpande + discussion (20 mins)
  6. Developing a concrete set of example compliance materials - led by Andrew Katz and the meeting (45 mins)
  7. AOB, Meeting roundup, and next steps (15 mins)
Any questions or queries, please let us know. If you're not already signed up, you can still join virtually. The Eventbrite form is closed, but if you respond to this email, we will send you the Zoom link.

All the best


Andrew


Re: [openchain] OpenChain Monthly Community Call - 09:00 CST (01:00 UTC) on 3rd Tuesday

 

Hi Chris

The call will be at 17:00 Pacific / 19:00 Central on January 16th (Monday) for the US :)
https://zoom.us/j/4377592799

Shane

On Jan 16, 2023, at 23:14, Christopher Wood <cvw01@...> wrote:

Good morning, evening, or?
So this meeting is to take place at 01:00 in Europe on Tuesday. When my calendar adjusts the date it becomes 9:00 AM US CT. That does not make sense, what am I missing as time Buddy doesn’t agree and I haven’t finished my first cup of coffee. 01:00 UTC = 19:00 (7PM) here in the CT zone.
Best Regards
Chris


Re: OpenChain Monthly Community Call - 09:00 CST (01:00 UTC) on 3rd Tuesday

 

My apologies. This will be our “USA / Asia” call, not our Europe / Asia call. It will be 01:00 in Europe, so the meeting is only for true die-hard process fans on that continent.



OpenChain Monthly Community Call - 09:00 CST (01:00 UTC) on 3rd Tuesday

 

A reminder that our Europe / Asia monthly call takes place tomorrow at 09:00 CST (10:00 KST and JST). In this meeting we will review the outcomes from the recent USA / Europe call, including some pretty big suggestions around the next generations of the specifications. Your input will also be requested about other ideas and comments listed on GitHub. This meeting is recommended for all parties interested in developing the next iteration of our ISO standard for open source license compliance, and all parties interested in what the second iteration of the open source security assurance standard will look like.

Join here:
https://zoom.us/j/4377592799

OpenChain Monthly Community Call - 09:00 CST (01:00 UTC) on 3rd Tuesday
Tuesday Jan 17, 2023 ⋅ 10:00 – 11:00 (Japan Standard Time)
This is the OpenChain Monthly Community Call - 09:00 CST (01:00 UTC) on 3rd Tuesday. It explains what the OpenChain Project community is doing around the world. You will find both global and industry-specific discussions with a focus on summary or strategy. This is also where we edit our license compliance and security assurance standards.

This call is open to every individual and company regardless of their membership of Linux Foundation or the OpenChain Project. 

Agenda
  1. Introductions 
  2. Specification (our process standards) news 
  3. SBOM news
  4. Security News
  5. OSPO news
  6. Automation news 
  7. Community feedback and comments - issues for standards and core supporting material
  8. Community feedback and comments - issues for reference and supporting material
  9. Any other business
  10. Close of meeting

This meeting is held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799

Check your timezone:
PDT United States Pacific UTC-07:00
UTC Coordinated Universal Time UTC
CET Central European Time UTC+01:00
IST India Standard Time UTC+05:30
CST China Standard Time UTC+08:00
KST Korea Standard Time UTC+09:00
JST Japan Standard Time UTC+09:00

Compare timezones:
https://www.worldtimebuddy.com

Join via one tap mobile:
+86 10 8783 3177,,4377592799# Mainland China
+33 1 8699 5831,,4377592799# France
+49 69 7104 9922,,4377592799# Germany
+81 524 564 439,,4377592799# Japan
+82 2 3143 9612,,4377592799# Korea
+91 80 71 279 440,,4377592799# India
+886 (2) 7741 7473,,4377592799# Taiwan
+44 330 088 5830,,4377592799# UK
+13017158592,,4377592799# USA

Find your local country number:
https://zoom.us/u/awFnORNiA
Meeting ID: 437 759 2799


Next OpenChain UK Work Group Meeting on 26th January

 

The Eventbrite booking form for the next OpenChain UK Workgroup meeting, taking place on 26th January 2023 is now live.

Date: 26th January 2023 

Time: 15:00 – 17:00 UTC

Venue: Both virtual and physical. You can select your preference on the booking form.

The physical meeting will take place at the offices of Analog Devices in Hayes, West London (near Heathrow) at the Old Vinyl Factory, 5 Pressing Lane, Hayes UB3 1EP. 

Many thanks to Steve Kilbane for making the space available for us at his company’s offices. 

To confirm your place either in person or virtually so that we can gauge numbers, please complete the Eventbrite booking form.


OpenChain UK Workgroup Meeting - 26th January 2023

Marie Parkinson
 

Hi,

The Eventbrite booking form for the next OpenChain UK Workgroup meeting, taking place on 26th January 2023 is now live.

Date: 26th January 2023 

Time: 15:00 - 17:00

Venue: Both virtual and physical. You can select your preference on the booking form.

The physical meeting will take place at the offices of Analog Devices in Hayes, West London (near Heathrow) at the Old Vinyl Factory, 5 Pressing Lane, Hayes UB3 1EP. 

Many thanks to Steve Kilbane for making the space available for us at his company's offices. 

To confirm your place either in person or virtually so that we can gauge numbers, please complete the Eventbrite booking form.


OpenChain UK Workgroup Meeting - 26th January 2023

Andrew K
 

Hi All

Happy New Year!

We're delighted to announce that the next meeting of the OpenChain UK workgroup will take place on 26th January 2023 at 3pm at the offices of Analog Devices in Hayes, West London (near Heathrow) at the Old Vinyl Factory, 5 Pressing Lane, Hayes, UB3 1EP. Many thanks to Steve Kilbane for making the space available for us at his company's offices. The meeting will also be available to join virtually. We have scheduled 2 hours, from 3pm to 5pm.

We're planning on launching an exciting new initiative. Since meeting at the Open Source Summit in Dublin back in September last year, it has become clear that it would be helpful to the OpenChain community at large to produce some end-to-end reference materials showing how example real-world projects can be developed, built and distributed in a compliant way, and how compliance artefacts can be generated for the project which ensure that, on deployment, all the relevant materials are made available.

The idea is to move away from abstract questions to concrete examples of a project, covering the tooling actually used, the compliance artefacts actually generated, and how they are actually made available to recipients of the code.

Ideally, we'd like to create a reference for a number of projects, distributed in the following different ways:

  • Standard app-on-a-desktop-or-server
  • Distribution through an app store
  • Distribution in a container
  • Distribution in an embedded system
  • Distribution through a third party (e.g. a supplier provides software to a customer as a binary, which is then embedded into a device and distributed to the end user, requiring different compliance artefacts).

We will use this as an opportunity to demonstrate good practice (or best practice), so compliance artefacts should be machine readable, for example, and, where appropriate, comply with SPDX standards (https://spdx.dev/), and repos which are made available could also, where appropriate, comply with REUSE standards (https://reuse.software/).

This is a pretty ambitious task, so we suggest that we start with a reasonably straightforward project (distribution of a standard desktop app: the list above is in rough order of complexity, easiest first). We can also, as mini-projects with easily attainable goals, take a simple repo and issue pull requests with the aim of bringing it into compliance.

We've already started working on this behind the scenes and want to present our thoughts at the meeting.

As a project which is complementary to this, Yogesh Deshpande from ARM will demonstrate how ARM has been working alongside Google to increase transparency in the compliance process for firmware development.

In addition, Martin Yagi has been working on some great training materials, including bitesize training videos, and you can see an example of his work here:

https://drive.google.com/file/d/1Px8Ffs_sTmNWKWvCAObRDJ_VL1Tl43yN/view?usp=sharing

He will provide some more information on the history of this initiative, his plans for the future, and how the OpenChain UK community could get involved.

We can also give you news about the next meeting, to follow later in the year. David Buckhurst from the BBC has been kind enough to offer us space for our second meeting of the year at the BBC at Media City in Salford. This one is provisionally set for 28th March, and further details will follow.

As you can see, we have some great activity going on, the launch of some excellent initiatives and exciting potential for 2023!

We'll be sending more information shortly about the meeting on 26th January, together with an Eventbrite invitation so that we can gauge numbers (virtually and in person). Save the date!

All the best

Andrew



Andrew Katz
Orcro Limited
+44 1628 470003
+44 7970 835001
orcro.co.uk

83-85 Baker Street, Marylebone, London W1U 6AG
Thames House, Mere Park, Dedmere Road, Marlow, Bucks SL7 1PB (registered office)

Orcro Limited is a limited company registered in England and Wales under Number 11173406. VAT number: GB 289 7831 32. Orcro Limited is not regulated as a law firm and does not provide legal advice, but has a relationship with Moorcrofts LLP. We are happy to work with either Moorcrofts LLP or your own chosen legal advisers. Individuals' qualifications are as set out in their bio page. Reference to an individual as a lawyer, solicitor or paralegal does not mean that they are acting in that capacity as an Orcro staff member.

Data protection: we process your personal data to keep in touch with you, to carry out work for you or your organisation, for internal administration (including employment), for regulatory purposes and for limited marketing purposes (which you can require us to stop at any time). For more information see https://orcro.co.uk/privacy-summary/ or contact team@...
 


Jimmy Ahlberg is the new OpenChain Governing Board Chair

 

The OpenChain Project has invested resources throughout 2022 towards improving the sustainability and continuity of our project. As part of this, the OpenChain Project Governing Board decided to initiate a chairperson election. This initiative was led by David Marr of Qualcomm, our founding chairperson, and was designed to introduce processes for a predictable cycle of leadership rotation at the very top of the project management structure.

Jimmy Ahlberg of Ericsson was duly elected OpenChain Project Governing Board Chair on the 8th of December by his peers, the voting members of the OpenChain Project Governing Board. The board is made up of one voting representative from each of the Platinum Member companies. We currently have 24 Platinum Members spread across three continents, providing one of the most geographically diverse boards in our industry.

The OpenChain Board Chair is a pivotal position. As with everything in this project, it is a position that offers influence but not control, though in this case the influence is specifically targeted towards our long-term strategic future. Jimmy has been elected for a period of three years.

As the steward of two industry standards, one of which already has an ISO/IEC grant, the OpenChain Project Governing Board has a responsibility to ensure stability and sustainability. From fiscal decisions to overarching strategy, they meet once a quarter to assess our status and future steps. Because this is an open source project, their decisions are not taken in isolation. Our community has tremendous latitude and influence on this project, and our board has tremendous respect for what that means.

Jimmy is stepping into the role with the continued support of David and the rest of the OpenChain Project Governing Board, and our fundamental strategy remains consistent. This said, we expect and look forward to Jimmy making his mark as new chairperson, and innovating around our top-level strategy based on his insight, experience and corporate background.

If you have questions, comments or suggestions directed towards Jimmy, don’t hesitate to connect with him on one of our monthly calls, via our mailing lists or by direct mail. The leadership of the OpenChain Project is here to serve you, the community seeking to build trust in the supply chain.

To end this lengthy post, please note that the OpenChain Project Governing Board formally thanks David Marr for his exceptional work in founding and growing this project. He first brought people together to discuss the concept of standardization around open source license compliance eight years ago, and it takes a special type of determination and community-building to turn that into an executed ISO/IEC standard. It is also thanks to David that we have expanded our activities based on community feedback to other aspects of a trusted supply chain. His impact has been and continues to be immeasurable.

Check out the news with photos at this link:
https://www.openchainproject.org/news/2022/12/12/jimmy-ahlberg-governing-board-chair


OpenChain Advent Calendar 2022 Now Out!

 

The annual OpenChain Advent Calendar is now out! It is the 4th year of our calendar and our 100th article will be published on Christmas Day, the 25th of December 2022. Following advent tradition, the articles will be revealed daily, and then it is time for us to take a break, eat nice food, and watch our favorite movies.

This calendar is maintained by our Japan Work Group and led by Watanabe San from Hitachi Solutions with help from Fukuchi San of Sony and many more. You can access it at this link:
https://qiita.com/advent-calendar/2022/openchainjapanwg

Do you want to jump to the first article? Sure! It is from Shane Coughlan, OpenChain General Manager, and is available in both English and Japanese. Watanabe San created the Japanese translation:
https://qiita.com/AyumiWatanabe/items/832146867fde6560f2d1

Shane's message on the first day of the OpenChain JWG Advent Calendar was a very powerful one. We hope that many people will read it.

Advent calendar:
https://qiita.com/advent-calendar/2022/openchainjapanwg

Shane's message:
https://qiita.com/AyumiWatanabe/items/832146867fde6560f2d1

"We want every organisation facing the many different open source process-management challenges to be able to find solutions shared by the community. We will continue to maintain a large body of reference material and to run a large global community, at times operating in local languages, so as to provide peer support (members helping one another)."


Invitation: OpenChain Monthly Community Call - 09:00 PST (16:00 UTC) ... @ Monthly from 17:00 to 18:00 on the first Tuesday (CET) (uk-wg@lists.openchainproject.org)

 

OpenChain Monthly Community Call - 09:00 PST (16:00 UTC) on 1st Tuesday

This is the OpenChain Monthly Community Call - 09:00 PST (16:00 UTC) on 1st Tuesday. It is open to every individual and company regardless of their membership of Linux Foundation or the OpenChain Project. It provides a forum to bring together the various things the OpenChain community is doing around the world, from building our family of standards (licensing compliance and now security compliance), assisting with tooling, SBOMs and OSPOs, and facilitating industry specific discussions in areas like telco and automotive.

Agenda
  1. Introductions 
  2. Specification (process standards) news 
  3. SBOM news
  4. OSPO news
  5. Automation news 
  6. Community feedback and comments - issues for standards and core supporting material
  7. Community feedback and comments - issues for reference and supporting material
  8. Community feedback and comments - issues to support other projects
  9. Any other business
  10. Close of meeting

This meeting is held in the OpenChain Project Zoom room:
https://zoom.us/j/4377592799

Check your timezone:
PDT United States Pacific UTC-07:00
UTC Coordinated Universal Time UTC
CET Central European Time UTC+01:00
IST India Standard Time UTC+05:30
CST China Standard Time UTC+08:00
KST Korea Standard Time UTC+09:00
JST Japan Standard Time UTC+09:00

Compare timezones:
https://www.worldtimebuddy.com

Join via one tap mobile:
+86 10 8783 3177,,4377592799# Mainland China
+33 1 8699 5831,,4377592799# France
+49 69 7104 9922,,4377592799# Germany
+81 524 564 439,,4377592799# Japan
+82 2 3143 9612,,4377592799# Korea
+91 80 71 279 440,,4377592799# India
+886 (2) 7741 7473,,4377592799# Taiwan
+44 330 088 5830,,4377592799# UK
+13017158592,,4377592799# USA

Find your local country number:
https://zoom.us/u/awFnORNiA
Meeting ID: 437 759 2799

When

Monthly from 17:00 to 18:00 on the first Tuesday (Central European Time - Paris)


OpenChain Monthly Community Call - 09:00 PST (16:00 UTC) on 1st Tuesday

 

This is a reminder that our monthly call takes place today (November 1st) at 09:00 PST (16:00 UTC).

We will be:

Formally announcing Specification Work Group chairperson elections
Starting the process for editing Generation 3 of License Specification (ISO/IEC 5230)
Starting the process for editing Generation 2 of the Security Assurance Specification
Working on Education material, especially items like playbooks and supplier education

This is a call with live editing, so attending makes an immediate impact on how we promote trust in the supply chain.

Everyone can join here:
https://zoom.us/j/4377592799

== Formal Agenda ==

• Introductions
• Specification (process standards) news
• SBOM news
• OSPO news
• Automation news
• Community feedback and comments - issues for standards and core supporting material
• Community feedback and comments - issues for reference and supporting material
• Community feedback and comments - issues to support other projects
• Any other business
• Close of meeting

Regards

Shane


Shane Coughlan
General Manager, OpenChain
e: scoughlan@...
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org

Schedule a call:
https://meetings.hubspot.com/scoughlan


Re: Plans for the UK workgroup

 

Please do loop me into the call invite :)

Perhaps send to the list?



On 25/10/2022, 14:37, "uk-wg@... on behalf of Shane Coughlan" <uk-wg@... on behalf of scoughlan@...> wrote:

Hi Steve!

> On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
> • At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.

I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream.

Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?

> • Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?

This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.

> • SBOM distribution methods – especially when the software distribution is embedded.
> I recognise that these are not UK-specific, but figure that need not be a barrier.

Some case studies here sound super useful.

Andrew, what do you think?

Regards

Shane
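
Both Andrew's announcement (machine-readable compliance artefacts, SPDX, REUSE, and pull requests that bring a simple repo into compliance) and Steve's bullet above (PRs that add SPDX-License identifiers or make a project conform to REUSE) describe the same concrete step. The checker below is an added example, not code from the OpenChain project, from REUSE (whose own tool is `reuse lint`, at https://reuse.software/), or from anyone in this thread. It walks a source tree, reads the REUSE tags at the top of each file, reports which files lack a `SPDX-FileCopyrightText` or `SPDX-License-Identifier` line, flags identifiers it does not recognise, and checks that `LICENSES/<id>.txt` exists for every identifier used, which is what such a PR would have to add. It assumes a hand-picked subset of the SPDX license list and a constructed sample repository written to a temporary directory; both are assumptions, not data from the page.

```python
"""Added example: a minimal REUSE-style header check for a source tree.

Not OpenChain or REUSE project code; the real tool is `reuse lint`.
Shows what a "bring this repo into compliance" pull request must add:
SPDX-FileCopyrightText and SPDX-License-Identifier tags in each source
file, plus LICENSES/<id>.txt for every identifier used.
"""
import os
import re
import tempfile

# Tags defined by the REUSE specification; only the top of a file is inspected.
COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(.+)")
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*(.+)")
HEADER_LINES = 20
SOURCE_EXTENSIONS = {".c", ".h", ".py", ".go", ".rs", ".js", ".sh", ".md"}
# Assumption: a hand-picked subset of the SPDX license list. Real tooling
# validates against the full list at https://spdx.org/licenses/.
KNOWN_LICENSE_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
                     "GPL-2.0-or-later", "LGPL-2.1-or-later", "CC0-1.0"}
COMMENT_PREFIX = {".c": "//", ".h": "//", ".go": "//", ".rs": "//", ".js": "//"}


def parse_header(text):
    """Return (copyright_lines, license_expression_or_None) from the file head."""
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    copyrights = [m.strip() for m in COPYRIGHT_RE.findall(head)]
    licenses = [m.strip() for m in LICENSE_RE.findall(head)]
    return copyrights, (licenses[0] if licenses else None)


def license_ids(expr):
    """Reduce an SPDX expression such as '(MIT OR Apache-2.0) AND X' to bare identifiers."""
    tokens = re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", expr)
    return {t.strip() for t in tokens if t.strip()}


def check_tree(root):
    """Classify every source file under root; returns a dict of sorted lists."""
    report = {"ok": [], "missing_copyright": [], "missing_license": [],
              "unknown_license": [], "missing_license_text": set()}
    licenses_dir = os.path.join(root, "LICENSES")
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "LICENSES")]
        for name in filenames:
            if os.path.splitext(name)[1] not in SOURCE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                copyrights, expr = parse_header(fh.read())
            clean = True
            if not copyrights:
                report["missing_copyright"].append(rel)
                clean = False
            if expr is None:
                report["missing_license"].append(rel)
                clean = False
            else:
                for lid in license_ids(expr):
                    if lid not in KNOWN_LICENSE_IDS:
                        report["unknown_license"].append((rel, lid))
                        clean = False
                    elif not os.path.isfile(os.path.join(licenses_dir, lid + ".txt")):
                        # REUSE requires the full license text under LICENSES/.
                        report["missing_license_text"].add(lid)
            if clean:
                report["ok"].append(rel)
    return {key: sorted(value) for key, value in report.items()}


def suggested_header(filename, holder, license_id, year):
    """The two lines a compliance PR would prepend to a file that lacks tags."""
    prefix = COMMENT_PREFIX.get(os.path.splitext(filename)[1], "#")
    return (f"{prefix} SPDX-FileCopyrightText: {year} {holder}\n"
            f"{prefix} SPDX-License-Identifier: {license_id}\n")


# Constructed sample repository (not a real project) so the check runs offline.
SAMPLE_FILES = {
    "src/main.c": "// SPDX-FileCopyrightText: 2023 Example Ltd\n"
                  "// SPDX-License-Identifier: MIT\n#include <stdio.h>\n",
    "src/util.py": "#!/usr/bin/env python3\n# SPDX-License-Identifier: Apache-2.0\n",
    "src/legacy.c": "/* old file, no SPDX tags at all */\n",
    "tools/gen.sh": "# SPDX-FileCopyrightText: 2023 Example Ltd\n"
                    "# SPDX-License-Identifier: Proprietary-Foo\n",
    "LICENSES/MIT.txt": "MIT License text placeholder\n",
}


def demo():
    """Write the sample repo to a temp dir and return the check report."""
    root = tempfile.mkdtemp(prefix="reuse-demo-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return check_tree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(suggested_header("src/legacy.c", "Example Ltd", "MIT", 2023), end="")
```

Run against the sample repo it reports `src/main.c` as clean, `src/legacy.c` as missing both tags, `src/util.py` as missing its copyright line and as using `Apache-2.0` without a `LICENSES/Apache-2.0.txt`, and `tools/gen.sh` as carrying an identifier that is not on the SPDX list. Each of those is one hunk of the compliance PR; the header it prints is the two-line addition for the legacy file. The same report is what an SBOM generator would otherwise have to guess at, which is why the tags matter for supply-chain tooling and not just for license review.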












Re: Plans for the UK workgroup

Steve Kilbane
 

Hi Andrew,

Yes, a chat next week is a possibility.

steve


Re: Plans for the UK workgroup

Andrew K
 

Hi Shane

I concur completely.

@steve, it would be great to have a quick chat to co-ordinate ideas. How about a call next week? And then we can come back to the list with some slightly more structured thoughts and a plan. @shane (and indeed anyone else on the list) - let me know if you would like to participate in that initial chat.

(And apologies for top-posting. My mail client is still misbehaving).

All the best



Andrew



On 25/10/2022, 14:37, "uk-wg@... on behalf of Shane Coughlan" <uk-wg@... on behalf of scoughlan@...> wrote:

Hi Steve!

> On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
> • At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.

I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream.

Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?

> • Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?

This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.

> • SBOM distribution methods – especially when the software distribution is embedded.
> I recognise that these are not UK-specific, but figure that need not be a barrier.

Some case studies here sound super useful.

Andrew, what do you think?

Regards

Shane


Re: Plans for the UK workgroup

 

Hi Steve!

On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
> • At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.

I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream.

Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?

> • Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?

This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.

> • SBOM distribution methods – especially when the software distribution is embedded.
> I recognise that these are not UK-specific, but figure that need not be a barrier.

Some case studies here sound super useful.

Andrew, what do you think?

Regards

Shane


Re: Plans for the UK workgroup

Steve Kilbane
 

So to seed the topic with some ideas….


  1. At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.
  2. Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?
  3. SBOM distribution methods – especially when the software distribution is embedded.


I recognise that these are not UK-specific, but figure that need not be a barrier.


*runs away again*


steve


From: uk-wg@... <uk-wg@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Wednesday, 19 October 2022 at 16:12
To: OpenChain UK <uk-wg@...>
Subject: Re: [uk-wg] Plans for the UK workgroup

Hi Steve

> On Oct 19, 2022, at 14:16, Steve Kilbane <stephen.kilbane@...> wrote:
> The UK OpenChain workgroup had a meeting last week, and there was a lot of great info passed on about what’s been going on in the OpenChain project worldwide over the past few months. There was also some fascinating and thoughtful commentary on the current landscape from Andrew. Perhaps it was the format of the Zoom session, but it seemed to be very much a one-directional session, and it made me wonder what the UK workgroup is up to, right now. Are there specific activities in progress? Are there UK-specific issues under consideration, or that orgs are running into, of which the UK workgroup is aware?
> With the publication of OpenChain as an ISO/IEC standard, there’s been a lot of adoption over the past couple of years, so it’s possible that there are people who are new to the UK mailing list too. If so, like me, they might benefit from a better understanding of what the UK workgroup is up to, presently.
> I think that, towards the end of the session, Andrew and Sami were asking for suggested topics to address, and presumably this mailing list would be the place to make suggestions.

Thank you for this!

I think fostering a round-table discussion format would be an excellent evolution, and the sharing of knowledge from the UK market - and ensuring it goes outward - could be really useful.

How about at the next meeting we focus on having a couple of specific items for workshopping, designed explicitly for interactive discussion?

Regards

Shane




Re: Plans for the UK workgroup

Andrew K
 



On 19 Oct 2022, at 15:12, Shane Coughlan <scoughlan@...> wrote:

Hi Steve

On Oct 19, 2022, at 14:16, Steve Kilbane <stephen.kilbane@...> wrote:
> The UK OpenChain workgroup had a meeting last week, and there was a lot of great info passed on about what’s been going on in the OpenChain project worldwide over the past few months. There was also some fascinating and thoughtful commentary on the current landscape from Andrew. Perhaps it was the format of the Zoom session, but it seemed to be very much a one-directional session, and it made me wonder what the UK workgroup is up to, right now. Are there specific activities in progress? Are there UK-specific issues under consideration, or that orgs are running into, of which the UK workgroup is aware?
> With the publication of OpenChain as an ISO/IEC standard, there’s been a lot of adoption over the past couple of years, so it’s possible that there are people who are new to the UK mailing list too. If so, like me, they might benefit from a better understanding of what the UK workgroup is up to, presently.
> I think that, towards the end of the session, Andrew and Sami were asking for suggested topics to address, and presumably this mailing list would be the place to make suggestions.

Thank you for this!

I think fostering a round-table discussion format would be an excellent evolution, and the sharing of knowledge from the UK market - and ensuring it goes outward - could be really useful.

How about at the next meeting we focus on having a couple of specific items for workshopping, designed explicitly for interactive discussion?

Regards

Shane


Yes, let’s do this!


- Andrew







Re: Plans for the UK workgroup

 

Hi Steve

On Oct 19, 2022, at 14:16, Steve Kilbane <stephen.kilbane@...> wrote:
> The UK OpenChain workgroup had a meeting last week, and there was a lot of great info passed on about what’s been going on in the OpenChain project worldwide over the past few months. There was also some fascinating and thoughtful commentary on the current landscape from Andrew. Perhaps it was the format of the Zoom session, but it seemed to be very much a one-directional session, and it made me wonder what the UK workgroup is up to, right now. Are there specific activities in progress? Are there UK-specific issues under consideration, or that orgs are running into, of which the UK workgroup is aware?
> With the publication of OpenChain as an ISO/IEC standard, there’s been a lot of adoption over the past couple of years, so it’s possible that there are people who are new to the UK mailing list too. If so, like me, they might benefit from a better understanding of what the UK workgroup is up to, presently.
> I think that, towards the end of the session, Andrew and Sami were asking for suggested topics to address, and presumably this mailing list would be the place to make suggestions.

Thank you for this!

I think fostering a round-table discussion format would be an excellent evolution, and the sharing of knowledge from the UK market - and ensuring it goes outward - could be really useful.

How about at the next meeting we focus on having a couple of specific items for workshopping, designed explicitly for interactive discussion?

Regards

Shane


Plans for the UK workgroup

Steve Kilbane
 

Hi all,


The UK OpenChain workgroup had a meeting last week, and there was a lot of great info passed on about what’s been going on in the OpenChain project worldwide over the past few months. There was also some fascinating and thoughtful commentary on the current landscape from Andrew. Perhaps it was the format of the Zoom session, but it seemed to be very much a one-directional session, and it made me wonder what the UK workgroup is up to, right now. Are there specific activities in progress? Are there UK-specific issues under consideration, or that orgs are running into, of which the UK workgroup is aware?


With the publication of OpenChain as an ISO/IEC standard, there’s been a lot of adoption over the past couple of years, so it’s possible that there are people who are new to the UK mailing list too. If so, like me, they might benefit from a better understanding of what the UK workgroup is up to, presently.


I think that, towards the end of the session, Andrew and Sami were asking for suggested topics to address, and presumably this mailing list would be the place to make suggestions.


Thanks,


steve



Call to action for UK WG: provide feedback for next generation of license compliance and security assurance standards

 

The OpenChain Project is ready to start accepting feedback to improve our license compliance and security standards. The next generation of our license compliance standard will update ISO/IEC 5230.

Learn more:
https://www.openchainproject.org/featured/2022/10/18/improve-our-standards

Some notes:

(1) Our security assurance standard (generation 1) is scheduled to become an ISO/IEC standard in mid-2023. The update to generation 2 will trigger an update to the new ISO/IEC standard for late 2023~mid-2024.

(2) You will find extensive feedback on our standards already exists on GitHub and you can easily review that before submitting a suggestion for improvement.

Pre-existing submissions for the security assurance standard:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues

Pre-existing submissions for the license compliance standard:
https://github.com/OpenChain-Project/License-Compliance-Specification/issues
