Re: OpenChain UK Workgroup Meeting - 26th January 2023
Andrew K
Hi All
I'm looking forward to seeing many of you later, in person and virtually, at today's meeting at 15:00UTC/GMT. The proposed agenda is as follows:
All the best Andrew
Re: [openchain] OpenChain Monthly Community Call - 09:00 CST (01:00 UTC) on 3rd Tuesday
Hi Chris
The call will be at 17:00 Pacific / 19:00 Central on January 16th (Monday) for the US :) https://zoom.us/j/4377592799 Shane
On Jan 16, 2023, at 23:14, Christopher Wood <cvw01@...> wrote:
Re: OpenChain Monthly Community Call - 09:00 CST (01:00 UTC) on 3rd Tuesday
My apologies. This will be our “USA / Asia” call, not our Europe / Asia call. It will be 01:00 in Europe, so the meeting is only for true die-hard process fans on that continent.
On Jan 16, 2023, at 16:25, scoughlan@... wrote:
OpenChain Monthly Community Call - 09:00 CST (01:00 UTC) on 3rd Tuesday
Next OpenChain UK Work Group Meeting on 26th January
The Eventbrite booking form for the next OpenChain UK Workgroup meeting, taking place on 26th January 2023 is now live.
Date: 26th January 2023
Time: 15:00 – 17:00 UTC
Venue: Both virtual and physical. You can select your preference on the booking form.
The physical meeting will take place at the offices of Analog Devices in Hayes, West London (near Heathrow) at the Old Vinyl Factory, 5 Pressing Lane, Hayes UB3 1EP.
Many thanks to Steve Kilbane for making the space available for us at his company’s offices.
OpenChain UK Workgroup Meeting - 26th January 2023
Hi,
The Eventbrite booking form for the next OpenChain UK Workgroup meeting, taking place on 26th January 2023 is now live.
Date: 26th January 2023
Time: 15:00 - 17:00
Venue: Both virtual and physical. You can select your preference on the booking form.
The physical meeting will take place at the offices of Analog Devices in Hayes, West London (near Heathrow) at the Old Vinyl Factory, 5 Pressing Lane, Hayes UB3 1EP.
Many thanks to Steve Kilbane for making the space available for us at his company's offices.
OpenChain UK Workgroup Meeting - 26th January 2023
Andrew K
Hi All
Happy New Year!
We’re delighted to announce that the next meeting of the OpenChain UK workgroup will take place on 26th January 2023 at 3pm at the offices of Analog Devices in Hayes, West London (near Heathrow) at the Old Vinyl Factory, 5 Pressing Lane, Hayes, UB3 1EP. Many thanks to Steve Kilbane for making the space available for us at his company’s offices. The meeting will also be available to join virtually. We have scheduled 2 hours from 3pm to 5pm.
We’re planning on launching an exciting new initiative. Since meeting at the OpenSource Summit in Dublin back in September last year, it's becoming clear that it would be helpful to the OpenChain community at large to produce some end-to-end reference materials showing how example real world projects can be developed, built and distributed in a compliant way, and how compliance artefacts can be generated for the project which ensure that on deployment, all the relevant materials are made available.
The idea is to move away from abstract questions to concrete examples of a project, covering the tooling actually used, the compliance artifacts actually generated, and how they are actually made available to recipients of the code.
Ideally, we’d like to create a reference for a number of projects, distributed in the following different ways:
We will use this as an opportunity to demonstrate good practice (or best practice), so compliance artifacts should be machine readable, for example, and, where appropriate, comply with SPDX standards (https://spdx.dev/), and repos which are made available could also, where appropriate, comply with REUSE standards (https://reuse.software/).
This is a pretty ambitious task, so we suggest that we start with a reasonably straightforward project (distribution of a standard desktop app: the list above is in a rough order of complexity, easiest first). We can also, as mini-projects with easily attainable goals, take a simple repo, and issue pull requests with the aim of bringing it into compliance.
We’ve already started working on this behind the scenes and want to present our thoughts at the meeting.
As a project which is complementary to this, Yogesh Despande from ARM will demonstrate how ARM has been working alongside Google in increasing transparency in the compliance process for firmware development.
In addition, Martin Yagi has been working on some great training materials including bitesize training videos and you can see an example of his work here: https://drive.google.com/file/d/1Px8Ffs_sTmNWKWvCAObRDJ_VL1Tl43yN/view?usp=sharing
He will provide some more information on the history of this initiative, his plans for the future, and how the OpenChain UK community could get involved.
We can also give you news about the next meeting to follow later in the year. David Buckhurst from the BBC has been kind enough to offer us space for our second meeting of the year at the BBC at Media City in Salford. This one is provisionally set for 28th March, and further details will follow.
As you can see, we have some great activity going on, the launch of some excellent initiatives and exciting potential for 2023!
We’ll be sending more information shortly about the meeting on 26th January, together with an Eventbrite invitation so that we can gauge numbers (virtually and in person). Save the date!
All the best
Andrew
Andrew Katz
Orcro Limited
+44 1628 470003
+44 7970 835001
Jimmy Ahlberg is the new OpenChain Governing Board Chair
The OpenChain Project has invested resources throughout 2022 towards improving the sustainability and continuity of our project. As part of this, the OpenChain Project Governing Board decided to initiate a chairperson election. This initiative was led by David Marr of Qualcomm, our founding chairperson, and was designed to introduce processes for a predictable cycle of leadership rotation at the very top of the project management structure.
Jimmy Ahlberg of Ericsson was duly elected OpenChain Project Governing Board Chair on the 8th of December by his peers, the voting members of the OpenChain Project Governing Board. The board is made up of one voting representative from each of the Platinum Member companies. We currently have 24 Platinum Members spread across three continents, providing one of the most geographically diverse boards in our industry.
The OpenChain Board Chair is a pivotal position. As with everything in this project, it is a position that offers influence but not control, though in this case the influence is specifically targeted towards our long-term strategic future. Jimmy has been elected for a period of three years.
As the steward of two industry standards, one of which already has an ISO/IEC grant, the OpenChain Project Governing Board has a responsibility to ensure stability and sustainability. From fiscal decisions to overarching strategy, they meet once a quarter to assess our status and future steps. Because this is an open source project, their decisions are not taken in isolation. Our community has tremendous latitude and influence on this project, and our board has tremendous respect for what that means.
Jimmy is stepping into the role with the continued support of David and the rest of the OpenChain Project Governing Board, and our fundamental strategy remains consistent. This said, we expect and look forward to Jimmy making his mark as new chairperson, and innovating around our top-level strategy based on his insight, experience and corporate background.
If you have questions, comments or suggestions directed towards Jimmy, don’t hesitate to connect with him on one of our monthly calls, via our mailing lists or by direct mail. The leadership of the OpenChain Project is here to serve you, the community seeking to build trust in the supply chain.
To end this lengthy post, please note that the OpenChain Project Governing Board formally thanks David Marr for his exceptional work in founding and growing this project. He first brought people together to discuss the concept of standardization around open source license compliance eight years ago, and it takes a special type of determination and community-building to turn that into an executed ISO/IEC standard. It is also thanks to David that we have expanded our activities based on community feedback to other aspects of a trusted supply chain. His impact has been and continues to be immeasurable.
Check out the news with photos at this link: https://www.openchainproject.org/news/2022/12/12/jimmy-ahlberg-governing-board-chair
OpenChain Advent Calendar 2022 Now Out!
The annual OpenChain Advent Calendar is now out! It is the 4th year of our calendar and our 100th article will be published on Christmas Day, the 25th of December 2022. Following advent tradition, the articles will be revealed daily, and then it is time for us to take a break, eat nice food, and watch our favorite movies.
This calendar is maintained by our Japan Work Group and led by Watanabe San from Hitachi Solutions with help from Fukuchi San of Sony and many more. You can access it at this link:
Do you want to jump to the first article? Sure! It is from Shane Coughlan, OpenChain General Manager, and is available in both English and Japanese. Watanabe San created the Japanese translation:
OpenChain JWG Advent Calendar: from Shane on the first day
Advent Calendar:
Shane's message: "The various challenges of open source process management
Invitation: OpenChain Monthly Community Call - 09:00 PST (16:00 UTC) ... @ Monthly from 17:00 to 18:00 on the first Tuesday (CET) (uk-wg@lists.openchainproject.org)
OpenChain Monthly Community Call - 09:00 PST (16:00 UTC) on 1st Tuesday
This is a reminder that our monthly call takes place today (November 1st) at 09:00 PST (16:00 UTC).
We will be:
• Formally announcing Specification Work Group chairperson elections
• Starting the process for editing Generation 3 of License Specification (ISO/IEC 5230)
• Starting the process for editing Generation 2 of the Security Assurance Specification
• Working on Education material, especially items like playbooks and supplier education
This is a call with live editing, so attending makes an immediate impact on how we promote trust in the supply chain.
Everyone can join here: https://zoom.us/j/4377592799
== Formal Agenda ==
• Introductions
• Specification (process standards) news
• SBOM news
• OSPO news
• Automation news
• Community feedback and comments - issues for standards and core supporting material
• Community feedback and comments - issues for reference and supporting material
• Community feedback and comments - issues to support other projects
• Any other business
• Close of meeting
Regards
Shane
—
Shane Coughlan
General Manager, OpenChain
e: scoughlan@...
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org
Schedule a call: https://meetings.hubspot.com/scoughlan
Re: Plans for the UK workgroup
Please do loop me into the call invite :)
Perhaps send to the list?
On Oct 25, 2022, at 15:52, Steve Kilbane <stephen.kilbane@...> wrote:
Re: Plans for the UK workgroup
Hi Andrew,
Yes, a chat next week is a possibility.
steve
From: uk-wg@... <uk-wg@...> on behalf of Andrew K <andrew.katz@...> [External]
Re: Plans for the UK workgroup
Andrew K
Hi Shane
I concur completely.
@steve, it would be great to have a quick chat to co-ordinate ideas. How about a call next week? And then we can come back to the list with some slightly more structured thoughts and a plan.
@shane (and indeed anyone else on the list) - let me know if you would like to participate in that initial chat.
(And apologies for top-posting. My mail client is still misbehaving).
All the best
Andrew
On 25/10/2022, 14:37, "uk-wg@... on behalf of Shane Coughlan" <uk-wg@... on behalf of scoughlan@...> wrote:
Hi Steve!
> On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
> • At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.
I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could and show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream. Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?
> • Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?
This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.
> • SBOM distribution methods – especially when the software distribution is embedded.
> I recognise that these are not UK-specific, but figure that need not be a barrier.
Some case studies here sound super useful. Andrew, what do you think?
Regards
Shane
Re: Plans for the UK workgroup
Hi Steve!
On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could and show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream. Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?
> • Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?
This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.
> • SBOM distribution methods – especially when the software distribution is embedded.
Some case studies here sound super useful. Andrew, what do you think?
Regards
Shane
Re: Plans for the UK workgroup
So to seed the topic with some ideas….
I recognise that these are not UK-specific, but figure that need not be a barrier.
*runs away again*
steve
From: uk-wg@... <uk-wg@...> on behalf of Shane Coughlan <scoughlan@...> [External]
Re: Plans for the UK workgroup
Andrew K
Yes, let’s do this! - Andrew
Re: Plans for the UK workgroup
Hi Steve
On Oct 19, 2022, at 14:16, Steve Kilbane <stephen.kilbane@...> wrote:
Thank you for this! I think fostering a round-table discussion format would be an excellent evolution, and the sharing of knowledge from the UK market - and ensuring it goes outward - could be really useful. How about at the next meeting with focus on having a couple of specific items for workshopping, designed explicitly for interactive discussion?
Regards
Shane
Plans for the UK workgroup
Hi all,
The UK OpenChain workgroup had a meeting last week, and there was a lot of great info passed on about what’s been going on in the OpenChain project worldwide over the past few months. There was also some fascinating and thoughtful commentary on the current landscape from Andrew. Perhaps it was the format of the Zoom session, but it seemed to be very much a one-directional session, and it made me wonder what the UK workgroup is up to, right now. Are there specific activities in progress? Are there UK-specific issues under consideration, or that orgs are running into, of which the UK workgroup is aware?
With the publication of OpenChain as an ISO/IEC standard, there’s been a lot of adoption over the past couple of years, so it’s possible that there are people who are new to the UK mailing list too. If so, like me, they might benefit from a better understanding of what the UK workgroup is up to, presently.
I think that, towards the end of the session, Andrew and Sami were asking for suggested topics to address, and presumably this mailing list would be the place to make suggestions.
Thanks,
steve
Call to action for UK WG: provide feedback for next generation of license compliance and security assurance standards
The OpenChain Project is ready to start accepting feedback to improve our license compliance and security standards. The next generation of our license compliance standard will update ISO/IEC 5230.
Learn more: https://www.openchainproject.org/featured/2022/10/18/improve-our-standards
Some notes:
(1) Our security assurance standard (generation 1) is scheduled to become an ISO/IEC standard in mid-2023. The update to generation 2 will trigger an update to the new ISO/IEC standard for late 2023~mid-2024.
(2) You will find extensive feedback on our standards already exists on GitHub and you can easily review that before submitting a suggestion for improvement.
Pre-existing submissions for the security assurance standard: https://github.com/OpenChain-Project/Security-Assurance-Specification/issues
Pre-existing submissions for the license compliance standard: https://github.com/OpenChain-Project/License-Compliance-Specification/issues