Plans for the UK workgroup


Steve Kilbane
 

Hi all,

 

The UK OpenChain workgroup had a meeting last week, and there was a lot of great info passed on about what’s been going on in the OpenChain project worldwide over the past few months. There was also some fascinating and thoughtful commentary on the current landscape from Andrew. Perhaps it was the format of the Zoom session, but it seemed to be very much a one-directional session, and it made me wonder what the UK workgroup is up to, right now. Are there specific activities in progress? Are there UK-specific issues under consideration, or that orgs are running into, of which the UK workgroup is aware?

 

With the publication of OpenChain as an ISO/IEC standard, there’s been a lot of adoption over the past couple of years, so it’s possible that there are people who are new to the UK mailing list too. If so, like me, they might benefit from a better understanding of what the UK workgroup is up to, presently.

 

I think that, towards the end of the session, Andrew and Sami were asking for suggested topics to address, and presumably this mailing list would be the place to make suggestions.

 

Thanks,

 

steve

 


 

Hi Steve

> On Oct 19, 2022, at 14:16, Steve Kilbane <stephen.kilbane@...> wrote:
> The UK OpenChain workgroup had a meeting last week, and there was a lot of great info passed on about what’s been going on in the OpenChain project worldwide over the past few months. There was also some fascinating and thoughtful commentary on the current landscape from Andrew. Perhaps it was the format of the Zoom session, but it seemed to be very much a one-directional session, and it made me wonder what the UK workgroup is up to, right now. Are there specific activities in progress? Are there UK-specific issues under consideration, or that orgs are running into, of which the UK workgroup is aware?
> With the publication of OpenChain as an ISO/IEC standard, there’s been a lot of adoption over the past couple of years, so it’s possible that there are people who are new to the UK mailing list too. If so, like me, they might benefit from a better understanding of what the UK workgroup is up to, presently.
> I think that, towards the end of the session, Andrew and Sami were asking for suggested topics to address, and presumably this mailing list would be the place to make suggestions.

Thank you for this!

I think fostering a round-table discussion format would be an excellent evolution, and the sharing of knowledge from the UK market - and ensuring it goes outward - could be really useful.

How about, at the next meeting, focusing on a couple of specific items for workshopping, designed explicitly for interactive discussion?

Regards

Shane


Andrew K
 



On 19 Oct 2022, at 15:12, Shane Coughlan <scoughlan@...> wrote:

Hi Steve

Thank you for this!

I think fostering a round-table discussion format would be an excellent evolution, and the sharing of knowledge from the UK market - and ensuring it goes outward - could be really useful.

How about, at the next meeting, focusing on a couple of specific items for workshopping, designed explicitly for interactive discussion?

Regards

Shane


Yes, let’s do this!


- Andrew







Steve Kilbane
 

So to seed the topic with some ideas….

 

  1. At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.
  2. Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?
  3. SBOM distribution methods – especially when the software distribution is embedded.

 

I recognise that these are not UK-specific, but figure that need not be a barrier.

 

*runs away again*

 

steve

 

From: uk-wg@... <uk-wg@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Wednesday, 19 October 2022 at 16:12
To: OpenChain UK <uk-wg@...>
Subject: Re: [uk-wg] Plans for the UK workgroup

[External]

Hi Steve

Thank you for this!

I think fostering a round-table discussion format would be an excellent evolution, and the sharing of knowledge from the UK market - and ensuring it goes outward - could be really useful.

How about, at the next meeting, focusing on a couple of specific items for workshopping, designed explicitly for interactive discussion?

Regards

Shane
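The SPDX-License-Identifier headers that proposal 2 above would add are easy to check for once they are in place. The following is an added example, not code from the thread or from OpenChain, SPDX or REUSE tooling: a small audit that reports which source files still lack a header. The audited file suffixes, the 10-line header window and the sample tree are assumptions.

```python
# Added example (not OpenChain, SPDX or REUSE tooling): audit a source tree for
# SPDX-License-Identifier headers, the check a compliance PR would leave behind.
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# SPDX short identifiers joined by AND / OR / WITH (simplified expression grammar).
SPDX_RE = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)
SOURCE_SUFFIXES = {".c", ".h", ".py", ".sh"}  # assumption: suffixes this demo audits
HEADER_LINES = 10  # assumption: a tag only counts if it sits in the first 10 lines

def spdx_identifier(text: str, max_lines: int = HEADER_LINES) -> Optional[str]:
    """Return the SPDX expression declared near the top of a file, else None."""
    head = "\n".join(text.splitlines()[:max_lines])
    match = SPDX_RE.search(head)
    return match.group(1) if match else None

def audit_tree(root: Path) -> Dict[str, Optional[str]]:
    """Map each source file under root (POSIX relative path) to its expression or None."""
    results: Dict[str, Optional[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            results[rel] = spdx_identifier(path.read_text(errors="replace"))
    return results

def missing_headers(results: Dict[str, Optional[str]]) -> List[str]:
    """Files a compliance PR would still need to touch."""
    return sorted(name for name, expr in results.items() if expr is None)

# Constructed sample tree: a clean file, a compound expression, a file with no
# tag, a tag buried below the header window, and a non-source file (ignored).
SAMPLE_FILES = {
    "src/main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }\n",
    "src/util.h": "/* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-only */\n",
    "tools/build.sh": "#!/bin/sh\necho build\n",
    "src/late.py": "\n" * 12 + "# SPDX-License-Identifier: MIT\n",
    "README.md": "# demo\n",
}

def demo() -> Dict[str, Optional[str]]:
    """Write the constructed tree to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit_tree(root)
```

Running `missing_headers(demo())` on the constructed tree lists `src/late.py` (tag too far down) and `tools/build.sh` (no tag at all).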




 

Hi Steve!

> On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
> • At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.

I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream.

Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?

> • Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?

This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.

> • SBOM distribution methods – especially when the software distribution is embedded.
> I recognise that these are not UK-specific, but figure that need not be a barrier.

Some case studies here sound super useful.

Andrew, what do you think?

Regards

Shane


Andrew K
 

Hi Shane

I concur completely.

@steve, it would be great to have a quick chat to co-ordinate ideas. How about a call next week? And then we can come back to the list with some slightly more structured thoughts and a plan. @shane (and indeed anyone else on the list) - let me know if you would like to participate in that initial chat.

(And apologies for top-posting. My mail client is still misbehaving).

All the best



Andrew



On 25/10/2022, 14:37, "uk-wg@... on behalf of Shane Coughlan" <uk-wg@... on behalf of scoughlan@...> wrote:

Hi Steve!

> On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
> • At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.

I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream.

Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?

> • Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?

This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.

> • SBOM distribution methods – especially when the software distribution is embedded.
> I recognise that these are not UK-specific, but figure that need not be a barrier.

Some case studies here sound super useful.

Andrew, what do you think?

Regards

Shane


Steve Kilbane
 

Hi Andrew,

 

Yes, a chat next week is a possibility.

 

steve

 

From: uk-wg@... <uk-wg@...> on behalf of Andrew K <andrew.katz@...>
Date: Tuesday, 25 October 2022 at 14:49
To: uk-wg@... <uk-wg@...>
Subject: Re: [uk-wg] Plans for the UK workgroup

Hi Shane

I concur completely.

@steve, it would be great to have a quick chat to co-ordinate ideas. How about a call next week? And then we can come back to the list with some slightly more structured thoughts and a plan. @shane (and indeed anyone else on the list) - let me know if you would like to participate in that initial chat.

(And apologies for top-posting. My mail client is still misbehaving).

All the best



Andrew

 

Please do loop me into the call invite :)

Perhaps send to the list?

On Oct 25, 2022, at 15:52, Steve Kilbane <stephen.kilbane@...> wrote:

> Hi Andrew,
> Yes, a chat next week is a possibility.
> steve