The OpenChain Project in 2H 2020 - International Standard via ISO/IEC JTC1 PAS Transposition Process (DIS 5230)

 

Dear all

The OpenChain Project had an exceptionally busy first half of 2020. From conformance to membership announcements, from reference material releases to taking the final steps in our ISO submission, the project and its community have pushed forward the state of the art in compliance.

In Q3 you can expect big news.

First, a recap. OpenChain 2.0 is our current industry standard. It was reformatted for ISO submission in Q1 via something called the ISO/IEC JTC1 PAS transposition process. This reformatted but functionally identical document was termed OpenChain 2.1 and constituted our ISO/IEC JTC1 PAS submission in Q2. The goal is simple: our mature de facto industry standard (OpenChain 2.0) is going through a process to become a formal International Standard. There are two positive implications:
(a) everyone conformant with OpenChain 2.0 will also be conformant to the International Standard and;
(b) people new to our field can easily engage and adopt our standard.

Our ISO/IEC JTC1 PAS submission (DIS 5230) will complete its voting period on the 22nd of September. Unless there is a request for a further FDIS ballot, our International Standard will be published within six weeks or less. In other words, OpenChain will have completed its transition from de facto industry standard into a formal international standard, expanding our audience of immediate interest from hundreds to thousands of companies. We will be the first formal standard from The Linux Foundation in 14 years (the last was Linux Standard Base / ISO/IEC 23360) and we are the first project to collaborate with Joint Development Foundation on transitioning a de facto standard from our field into an International Standard via the ISO/IEC JTC1 PAS transposition process.

A lot of our time and energy from now until then will be about putting everything in place to welcome new companies and new collaborators to our project. We want to ensure that people from sales, procurement and other areas impacted by the inclusion of ISO standards can quickly get up to speed. Our goal is to facilitate smooth adoption and to ensure everyone gets the benefit of great open source compliance programs.

The outcome of all of the above will be:
An International Standard
Improvements in our current reference material
New reference material for sales/procurement/etc

= 1 =

You can expect to always be able to access our International Standard on the OpenChain website. The OpenChain Specification 2.1 that will be hosted on our website will be "technically aligned" with the published ISO standard = they are the same. This is very similar to how the standard for Office Open XML File Formats is addressed with free access via ECMA-376 and formal ISO publication (gated access) via ISO/IEC 29500.
https://www.ecma-international.org/publications/standards/Ecma-376.htm

= 2 =

You can expect to always be able to self-certify to the OpenChain Specification 2.1 on the OpenChain website, along with all previous and future versions of our standard. By the same measure, you can always discover and collaborate with our official partners for legal support, services support and even full third-party certification precisely as before.

= 3 =

You can expect all future work on the OpenChain ISO standard to remain right here, running under the same processes, our well-established and refined method of ensuring we have a concise, useful and pragmatic solution to the question of open source compliance.

= 4 =

And you can expect stability. Our forthcoming ISO standard is the end result of years of contributions from hundreds of people. It has seen four iterations after originally going to market in October 2016 (OpenChain 1.0, 1.1, 1.2 and finally 2.0). Each iteration refined our work based on practical feedback from real world deployment. OpenChain 2.0 has been out since April 2019. It is rock solid and it is seeing adoption across every major geography and market. The status of OpenChain 2.0 and the functionally identical ISO formatted OpenChain 2.1 (DIS 5230) is simple: this International Standard, when it completes the ballot process, will be in market for many, many years to come. Adoption of OpenChain 2.0 and our forthcoming ISO standard is the adoption of a consistent standard that can be deployed with confidence in any supply chain.

= And of course… =

Of course this does not mean we will put away our editing gloves. We want to capture experience and feedback from today and into the foreseeable future. As of last month we began bi-weekly calls to provide this forum. Oversimplifying things a little, we want to make sure that every viable idea and suggestion is captured and recorded on our GitHub for the Specification:
https://github.com/OpenChain-Project/Specification/issues
This will allow us to draft future generations of the standard at an appropriate pace while also addressing and resolving many items via reference material. As always, the process will be clearly defined and clearly monitored, thanks in no small part to the exceptional work of Mark Gisi as the chair of the OpenChain Specification Work Team. Thanks Mark!

What else in 2H 2020? Conformance announcements. Membership announcements. Partner announcements. The usual. Each reflecting a new milestone in our continued progress. Most importantly our work teams, whether global and addressing spaces like automotive and reference tooling, or local and addressing geographies like China, Japan, Korea, Taiwan, India, Germany and (as of July) the UK, will remain the heart of everything we do. OpenChain is created by and run by user organizations to solve challenges for user organizations. This laser focus is at the heart of our success and it will remain so in the future.

On a final note, the OpenChain Project expects to be operating virtually until 2021. Our individual work groups in various geographies may hold physical meetings at their discretion, but for the project as a whole our emphasis will be on ensuring our online communication and sharing is effective and consistent. We have already put everything in place (bi-weekly webinars, bi-weekly space for spec discussions, our pre-existing mailing lists, free access to Zoom + UberConference), and we will continue to execute against this plan.

Regards

Shane

PS: Want to talk more about this? Follow the link below to book a time that suits you.
https://calendly.com/openchainproject

--
Shane Coughlan
General Manager, OpenChain
e: @shanecoughlan
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org

Schedule a call:
https://calendly.com/openchainproject

OpenChain – The OSS Compliance Survey

 

Our wonderful OpenChain Japan Work Group is running a global survey in English covering open source compliance in business environments. Please assist in our ongoing mission to lock down real-world data points to help everyone increase efficiency around compliance activities. Huge thanks to Watanabe San from Hitachi Solutions for the English translation of the material. Amazing work all!

Learn more:
https://www.openchainproject.org/news/2020/07/06/openchain-the-oss-compliance-survey

The Survey of OSS Compliance Operations in Companies

Masato Endo
 

Dear Governing Board,

The Japan Work Group Promotion Sub Group OSS Skill Standard Development Team would like to investigate and analyze the actual state of companies' OSS compliance operations.
In order to do so, we decided to conduct a questionnaire survey.
We believe the results of this investigation will help improve the operations of each company.
In addition, we will post the analysis to the Intellectual Property Association of Japan for the development of an OSS skill standard.
We would like to ask for a wide range of responses so that the survey is effective.
I understand you are occupied at the moment, but we appreciate your cooperation.
In addition, the deadline for responses is July 17, 2020, so please respond within the deadline.

Please answer this survey via the link below.
<https://docs.google.com/forms/d/e/1FAIpQLSf6KuL1na6fgid8a_jXWCvdQ1Z5wDO9XQTRskK7j2ZTAWU3Rg/viewform>


OpenChain Project Japan Work Group Promotion Sub Group OSS Skill Standard Development Team

Masato Endo (Toyota Motor Corporation)
Yukiko Kamijo (Nagasaki University)
Ayumi Watanabe (Hitachi Solutions)
Tomo Dote (micware)
Mitsutoshi Yamada (IPTech)

++++++++++++INNOVATION MANAGEMENT!++++++++++++

TOYOTA MOTOR CORPORATION

Intellectual Property Division, IP Strategy Group

(Concurrent post)
Intellectual Property Division, IP Planning Group

MASATO ENDO

Advisory Specialist for Consumer's Affairs
(qualification certified by the Prime Minister and the Minister of Economy, Trade and Industry)

CEL= 050-3166-1380 (+81-50-3166-1380)
FAX= 0565-44-9490 (+81-565-44-9490)
EXTENSION NUM= 850-3166-1380
MAIL= masato_endo@...

+++++++++++++++++++++++++++++++++++++++++++++

OpenChain Project Survey Q2 2020 - 3 minutes of your time is requested

 

Dear all

Help the international standard for open source compliance get even better!

It is time for a project-wide survey to help us judge what is working, what we can improve, and what we might innovate around in the coming months. If you could take 3 minutes to fill out this survey it would be super appreciated. The outcomes will help us shape strategy as OpenChain graduates from ISO around September 2020.
https://forms.gle/uQo35PgkANiWj9gy7

Regards

Shane

OpenChain Specification Work Team - New calls second Monday (9am Pacific) and fourth Monday (5pm Pacific) each month

 

Dear all

Our new webinar series on the first and third Mondays has been a hit. However, we also want to ensure space for developing our specification and adjacent reference material. Mark Gisi, specification chair, will lead regular calls on the second Monday (9am Pacific) and fourth Monday (5pm Pacific) of each month, starting next week, Monday, at 9am Pacific. A calendar invite will go out shortly.

I defer to Mark to discuss specifics, but in a nutshell we are collecting feedback now and in coming months from adoption of the standard and increased engagement around ISO. This feedback will be triaged and included in the next revision cycle of our standard, and we want to ensure everyone has an opportunity to be part of this.

Mark, over to you!

Regards

Shane

OpenChain Platinum Members

 

The OpenChain Project benefits from an exceptional governing board made up of diverse companies supporting the project through Platinum Membership. These companies are spread across the world and across different market spaces. The resulting knowledge and support has been critical in developing OpenChain from an important idea into the clear, deployed standard for open source compliance. Thanks to their support we have impacted hundreds of companies directly and influenced many more through the supply chain. We have built perhaps the world’s most comprehensive reference library of compliance process, policy and training material. We are well advanced in the process to evolve from a de facto standard to a formal ISO standard in Q3 2020. OPPO, as our first Chinese Platinum Member, advances our mission even further. The steps we take together in the coming months will help ensure the global supply chain can address open source compliance more easily, faster and more effectively.

To recap:

Our Vision is a supply chain where open source is delivered with trusted and consistent compliance information.

Our Mission is to establish requirements to achieve effective management of open source for software supply chain participants, such that the requirements and associated collateral are developed collaboratively and openly by representatives from the software supply chain, open source community, and academia.

You can dig deeper via our FAQ:

You can learn more about some of the faces behind our community here:

Everyone is welcome to be part of what we do:

OPPO Is Now An OpenChain Platinum Member

 

One of our biggest announcements for 1st half 2020:
Today the OpenChain Project is delighted to announce OPPO as our latest Platinum Member. As a Platinum Member of the project OPPO will provide strategic oversight on the governing board, the steering committee and the outreach committee. While OpenChain has had an active China Work Group since 2019, OPPO is the first Chinese company to join the project governing board, and their contribution will be invaluable as OpenChain becomes an ISO standard.
https://www.openchainproject.org/news/2020/05/26/oppo-is-now-an-openchain-platinum-member

Joint Development Foundation recognized as an ISO/IEC JTC 1 PAS submitter and submits OpenChain for international review

 

In the last few days the Linux Foundation has publicly announced Joint Development Foundation (JDF) as an ISO/IEC JTC 1 PAS submitter and provided more information on how JDF will support OpenChain and other specifications to become ISO standards moving forward. This is an extremely important media inflection point for our community and for the broader global collaborations creating effective, adopted and mature de facto standards.

While the basic news is not new to the OpenChain community (you know we are using JDF to submit an ISO standard and you know that OpenChain is the first standard going this route), the blog posts by The Linux Foundation and the media coverage are very useful for helping to explain our work to others. Some key excerpts below.

"This week, we are proud to announce that the Joint Development Foundation (JDF), which became part of the Linux Foundation family in 2019, has been accepted as an ISO/IEC JTC 1 PAS (“Publicly Available Specification”) Submitter. The OpenChain Specification is the first specification submitted for JTC 1 review and recognition as an international standard. The JDF was formed to simplify the process of creating new technical specification collaboration efforts. Standards and specifications are vitally important for the creation or advancement of new technologies, ensuring that the resulting products are well defined, provide predictable performance and that different implementations can interoperate with one another."
https://www.linuxfoundation.org/blog/2020/05/joint-development-foundation-recognized-as-an-iso-iec-jtc-1-pas-submitter-and-submits-openchain-for-international-review/

You can also read this announcement in Japanese:
https://www.linuxfoundation.jp/blog/2020/05/joint-development-foundation-recognized-as-an-iso-iec-jtc-1-pas-submitter-and-submits-openchain-for-international-review/

We have seen some great media coverage. One of the best articles can be found in Linux Insider. A key quotation below:
"JDF projects now have a clear path from open source project or specification to an internationally recognized standard. The OpenChain specification is JDF’s first standard to be submitted. The OpenChain standard is a specification that identifies the key requirements of an open source compliance program. It is designed to build trust between companies in the supply chain while reducing internal resource costs. The outcome is increased trust and consistency in open source software across the supply chain. International standardization will help to guide the evolution of the OpenChain Specification from de facto to de jure standard, a process that will assist procurement, sales and other departments to engage with OpenChain-related activities, according to [Seth Newberry, executive director of the JDF]."
https://linuxinsider.com/story/linux-foundation-joins-ranks-of-international-standards-submitters-86672.html

Finally, if you are wondering why OpenChain is talking about this PR now, about seven days from release, the answer is pretty simple. I (Shane Coughlan, General Manager) wanted to check out the media coverage and select the most concise, clearly messaged article to share. I believe this blog post and mailing list post, and the links it references, provide an excellent on-boarding point for a wider audience. People in procurement. People in sales. People in marketing. Please do share this message.

I am happy to take questions at any time at @shanecoughlan or via a scheduled call using the link below:
https://calendly.com/shanecoughlan

Regards

Shane

--
Shane Coughlan
General Manager, OpenChain
e: @shanecoughlan
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org

Schedule a call:
https://calendly.com/shanecoughlan

Re: [openchain] [germany-wg] [openchain-automotive-work-group] OpenChain Webinar 3 - Today (Monday) at 9am Pacific

Jeremiah C. Foster
 

On Fri, 2020-05-15 at 09:15 +0000, Thomas Steenbergen wrote:
> Hi,
>
> You suggested converting the approval process into an app. I wondered
> whether there have been implementations of open-source tooling that does
> this?
> Below I wrote out an example workflow, it's not a single web app as Adobe
> presented [1] as we always prefer to integrate into existing companies'
> systems to lower the threshold to user adoption.

This is smart, adapting to existing customer tooling is a wise choice.
Also, if you need to create an "app" or a set of more unified
functionality, creating a container that can access other tools with a
web UI has been a powerful approach in my experience.

                                   | -> compliance rule engine
I've done something like this ---> | -> fossology
                                   | -> web ui
                                   | -> security tool
                                   | -> . . .

This way you can also add a database and use Kubernetes on the control
plane to allow for scale. Since the tools are containerized you can offer
the "app" as SaaS or on premise.

> This at a high level is how we have automated parts of our OSS policy
> within our company using mostly open source tools.
>
> == Example contribution approval app / workflow ==
>
> For this example let's assume your contribution policy is based on
> Google’s Open Source patching [2] and you have a stack consisting of
> AWS Lambda, Jenkins (MIT) [3], JIRA, OSS Review Toolkit (Apache-2.0) [4]
> and ScanCode (Apache-2.0) [5]. A simplified version of the approval
> app's workflow would then look something like:

IMHO I think one should use generic tools here, i.e. "Issue tracker"
instead of JIRA simply because not everyone uses JIRA and it may have
some special functionality you use that you assume exists in other
places. Having generic names means that tools can be interchanged in the
workflow and you're more likely to have standardized interfaces (or
better, reuse existing standardized interfaces).

> 1) User creates a JIRA ticket with the following fields:
>    - Title: what the contribution is about in a few sentences
>    - Description: describes in a few sentences the contribution
>    - VCS URL: URL to clone the repository to which they want to
>      contribute

We've been working on this internally (as has probably every Fortune
500 company) and I've found https://schema.org/SoftwareSourceCode to be
a very useful tool. Since this is W3C standardized data it will likely
easily fit in to tools and processes that already exist.

> 2) User transitions the ticket from "open" to "scan" state.
> 3) Upon transition to the "scan" state JIRA calls an AWS Lambda via a
>    REST call.

o_O

> 4) The AWS Lambda verifies all required data has been provided.
>    If OK:
>    => Calls a Jenkins job via a REST call that will execute a scan with
>       OSS Review Toolkit of the master branch of the repository specified
>       in VCS URL.
>    If NOT OK:
>    => The AWS Lambda, using JIRA's REST API, adds a comment to the ticket
>       with a message saying which data needs to be provided by the user
>       and moves the ticket back to the "open" state.
> 5) In the Jenkins job OSS Review Toolkit, using ScanCode, scans the
>    source code and its dependencies and then the scan results are
>    evaluated against a user-defined policy.
>    OSS Review Toolkit has an Evaluator component that allows you to turn
>    Google’s Open Source patching rules like "No review required" and
>    "Forbidden patches" into OK / NOT OK checks.
>    It also supports recording <package> or <package, version> approvals.
> 6) Once the OSS Review Toolkit scan completes Jenkins calls the AWS
>    Lambda with a link to the Jenkins job.
> 7) The AWS Lambda fetches results from the Jenkins job, processes the
>    results and using the JIRA REST API updates the JIRA ticket.
>    If OK:
>    => Updates the ticket with a comment that the contribution is OK with
>       policy and moves the ticket back to the "completed" state.
>    If approval is required:
>    => Updates the ticket with a comment that the contribution requires
>       approval, moves the ticket back to the "needs approval" state and
>       assigns it to a person who can do the approval.
>    If NOT OK:
>    => Updates the ticket with a comment why the contribution is NOT OK and
>       moves the ticket back to the "denied" state.
>
> If enough people are interested in this I can add Google’s Open Source
> patching as one of OSS Review Toolkit's examples and explain how it works
> in a future OpenChain call.

This is awesome, thanks for this! From my perspective we use a lot of
Free Software and our goal is to not just ensure that there is FOSS
compliance but that the customer's business model is effectively
aligned with copyleft and its ethics. We've found a great deal of
interest in this combination and as such I'd be more interested in
either a contrast with your proprietary approach or a version of your
workflow that was idempotent but used only FOSS tooling.

Cheers,

Jeremiah

> Regards,
>
> Thomas Steenbergen
> Head of Open Source, HERE Technologies
>
> [1] https://ossna18.sched.com/event/FAO9/how-adobe-is-changing-its-culture-around-open-source-steven-gill-filip-maj-adobe
> [2] https://opensource.google/docs/patching/
> [3] https://www.jenkins.io/
> [4] https://oss-review-toolkit.org/
> [5] https://github.com/nexB/scancode-toolkit


On 15.05.20, 08:51, "germany-wg@... on behalf of Shane Coughlan via lists.openchainproject.org" <germany-wg@... on behalf of scoughlan=linuxfoundation.org@...> wrote:


Let’s do the call. Perhaps next week? Then we can include it in a forthcoming webinar before/after the main speakers.

> On May 14, 2020, at 0:38, Tobie Langel <@tobie> wrote:
>
> That's a great question for a topic I care a lot about. Happy to dig deeper in a follow-up call or a pre-recorded video, as you wish.
>
> Let me know how you want to proceed.
>
> Thanks,
>
> --tobie
>
> On Tue, May 12, 2020 at 9:22 AM Shane Coughlan <@shanecoughlan> wrote:
> Steve, thank you for this question!
>
> Tobie, can we record the answer and include it in a forthcoming OpenChain webinar? I’m thinking we hop onto Zoom for 5~10 minutes and cover this.
>
> Shane
>
> > On May 5, 2020, at 19:36, Steve Kilbane <@steve.kilbane> wrote:
> >
> > My thanks to all the presenters for the informative talks yesterday. I very much enjoyed them.
> >
> > A follow-up question for Tobie, which I didn't raise at the time due to a combination of a tight schedule and an over-abundance of mute buttons...
> >
> > You suggested converting the approval process into an app. I wondered whether there have been implementations of open-source tooling that does this? It's obviously reminiscent of CLA/DCO approval within GitHub, but I imagine that something different would be needed, since this would be approval from the other side of the contribution transaction.
> >
> > Thanks again,
> >
> > steve
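The ticket-to-scan workflow Thomas sketches above (steps 3, 4 and 7: the tracker calls a function on a state transition, the function validates the ticket fields and triggers the scan, and later turns the policy result into a ticket transition), written out as an added Python example. This is not code from HERE Technologies, OpenChain, OSS Review Toolkit or anyone on the thread. It assumes a generic issue tracker posting JSON webhooks with an HMAC-SHA256 signature header, a simplified constructed layout for the evaluator's violations (severity plus message, not ORT's actual result schema), and an allowlist of VCS hosts; the tracker and Jenkins calls are stood in by return values so it runs offline. Two checks the thread does not spell out are included because the function acts on whatever the ticket carries: verifying that the webhook really came from the tracker before doing anything, and restricting the user-supplied VCS URL to https on known hosts, since the scan job will clone that URL.

```python
"""Added example: a minimal contribution-approval webhook handler in the shape
of the workflow described on the thread (issue tracker -> function -> scan job
-> policy verdict -> ticket update). Field names, the signature header format,
the allowed hosts and the violation layout are assumptions for illustration."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Assumed allowlist of hosts the scan job may clone from. Requiring https:// on
# a known host stops a ticket from pointing the scanner at an internal service
# or at a non-https git transport.
ALLOWED_VCS_HOSTS = {"github.com", "gitlab.com"}
REQUIRED_FIELDS = ("title", "description", "vcs_url")


def verify_signature(body: bytes, signature_header: str, secret: bytes) -> bool:
    """Check an HMAC-SHA256 signature over the raw webhook body (assumed header
    format "sha256=<hex>"). compare_digest keeps the comparison constant-time."""
    if not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    provided = signature_header[len("sha256="):]
    return hmac.compare_digest(expected.encode(), provided.encode())


def validate_fields(fields: dict) -> list:
    """Step 4: return the list of problems; empty when the ticket carries
    everything the scan needs and the VCS URL is acceptable."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not str(fields.get(name, "")).strip():
            problems.append(f"missing field: {name}")
    vcs_url = fields.get("vcs_url", "")
    if vcs_url:
        parsed = urlparse(vcs_url)
        if parsed.scheme != "https":
            problems.append("vcs_url must use https://")
        elif parsed.hostname not in ALLOWED_VCS_HOSTS:
            problems.append(f"vcs_url host not allowed: {parsed.hostname}")
    return problems


def decide(violations: list) -> tuple:
    """Step 7: map policy violations (constructed layout: dicts with "severity"
    ERROR/WARNING/HINT and "message") onto the ticket states from the workflow.
    Any ERROR denies; any WARNING needs a human approval; otherwise OK."""
    errors = [v["message"] for v in violations if v["severity"] == "ERROR"]
    warnings = [v["message"] for v in violations if v["severity"] == "WARNING"]
    if errors:
        return "denied", "Contribution is NOT OK with policy: " + "; ".join(errors)
    if warnings:
        return "needs approval", "Contribution requires approval: " + "; ".join(warnings)
    return "completed", "Contribution is OK with policy."


def handle_event(body: bytes, signature_header: str, secret: bytes) -> dict:
    """Dispatch one webhook call. A "scan" event validates the ticket (step 4);
    a "scan_done" event turns the evaluator result into a transition (step 7).
    Returns the target state and comment the caller would push back through the
    tracker API, instead of calling JIRA or Jenkins, so it runs offline."""
    if not verify_signature(body, signature_header, secret):
        return {"state": None, "comment": "rejected: bad signature"}
    event = json.loads(body)
    if event["type"] == "scan":
        problems = validate_fields(event["fields"])
        if problems:
            return {"state": "open", "comment": "Please provide: " + "; ".join(problems)}
        return {"state": "scan", "comment": "Scan job triggered for " + event["fields"]["vcs_url"]}
    if event["type"] == "scan_done":
        state, comment = decide(event["violations"])
        return {"state": state, "comment": comment}
    return {"state": None, "comment": "rejected: unknown event type"}


# Constructed sample events (not real tracker payloads) for a stand-alone run.
SECRET = b"shared-webhook-secret"


def sign(body: bytes) -> str:
    """Sign a body the way the (assumed) tracker would."""
    return "sha256=" + hmac.new(SECRET, body, hashlib.sha256).hexdigest()


SCAN_OK = json.dumps({"type": "scan", "fields": {"title": "Fix typo", "description": "docs",
                      "vcs_url": "https://github.com/example/repo.git"}}).encode()
SCAN_BAD_URL = json.dumps({"type": "scan", "fields": {"title": "Fix typo", "description": "docs",
                           "vcs_url": "http://10.0.0.5/internal.git"}}).encode()
DONE_WARN = json.dumps({"type": "scan_done", "violations": [
    {"severity": "WARNING", "message": "GPL-3.0 dependency needs review"}]}).encode()

if __name__ == "__main__":
    for body in (SCAN_OK, SCAN_BAD_URL, DONE_WARN):
        print(handle_event(body, sign(body), SECRET))
```

The severity-to-state mapping in decide() is where a policy such as Google's patching rules would be encoded; the evaluator output is kept as a plain list so the same handler works whichever scanner produces it.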









Re: [germany-wg] [openchain-automotive-work-group] OpenChain Webinar 3 - Today (Monday) at 9am Pacific

 

I’m thinking this could be a great addition to our all-community first Monday July webinar!

Thomas, you up for it?

Shane

On May 16, 2020, at 0:47, Steve Kilbane <@steve.kilbane> wrote:

Well, I'm interested, for one. :-)

Though, disclaimer: ORT is one of the tools on my list of "things I really should look at", but haven't gotten to yet. :-(

steve

Re: [germany-wg] [openchain-automotive-work-group] OpenChain Webinar 3 - Today (Monday) at 9am Pacific

Steve Kilbane
 

Well, I'm interested, for one. :-)

Though, disclaimer: ORT is one of the tools on my list of "things I really should look at", but haven't gotten to yet. :-(

steve

-----Original Message-----
From: openchain-automotive-work-group@groups.io <openchain-automotive-work-group@groups.io> On Behalf Of Thomas Steenbergen
Sent: 15 May 2020 10:15
To: germany-wg@...; Tobie Langel <@tobie>
Cc: OpenChain Automotive <openchain-automotive-work-group@groups.io>; Kate Stewart <kstewart@...>; Alexandra Boehm <aleksa.boehm@...>; Rachel Braun <rbraun@...>; OpenChain Main <main@...>
Subject: Re: [germany-wg] [openchain-automotive-work-group] OpenChain Webinar 3 - Today (Monday) at 9am Pacific

Re: [germany-wg] [openchain-automotive-work-group] OpenChain Webinar 3 - Today (Monday) at 9am Pacific

Thomas Steenbergen
 

Hi,

You suggested converting the approval process into an app. I wondered whether there have been implementations of open-source tooling that does this?
Below I wrote out an example workflow. It's not a single web app as Adobe presented [1], as we always prefer to integrate into a company's existing systems to lower the threshold to user adoption.
This is, at a high level, how we have automated parts of our OSS policy within our company using mostly open source tools.

== Example contribution approval app / workflow ==

For this example, let's assume your contribution policy is based on Google’s Open Source patching [2] and you have a stack consisting of AWS lambda, Jenkins (MIT) [3], JIRA, OSS Review Toolkit (Apache-2.0) [4] and ScanCode (Apache-2.0) [5]. A simplified version of the approval app's workflow would then look something like:

1) User creates a JIRA ticket with the following fields:
- Title: what the contribution is about in a few sentences
- Description: describes in a few sentences the contribution
- VCS URL: URL to clone the repository to which they want to contribute
2) User transitions the ticket from "open" to "scan" state.
3) Upon transition to the "scan" state JIRA calls an AWS lambda via a REST call.
4) The AWS lambda verifies all required data has been provided.
If OK:
=> Calls Jenkins job via a REST call that will execute a scan with OSS Review Toolkit of the master branch of repository specified in VCS URL.
If NOT OK:
=> The AWS lambda, using JIRA's REST API, adds a comment to the ticket stating which data still needs to be provided by the user and moves the ticket back to the "open" state.
5) In the Jenkins job, OSS Review Toolkit uses ScanCode to scan the source code and its dependencies, and the scan results are then evaluated against a user-defined policy.
OSS Review Toolkit has an Evaluator component that allows you to turn Google’s Open Source patching rules like "No review required" and "Forbidden patches" into OK / NOT OK checks.
It also supports recording <package> or <package, version> approvals.
6) Once the OSS Review Toolkit scan completes, Jenkins calls the AWS lambda with a link to the Jenkins job.
7) The AWS lambda fetches the results from the Jenkins job, processes them and, using the JIRA REST API, updates the JIRA ticket.
If OK:
=> Updates ticket with a comment that contribution is OK with policy and moves ticket back to the "completed" state.
If approval is required:
=> Updates ticket with a comment that contribution requires approval and moves ticket back to the "needs approval" state and assigns it to person who can do the approval.
If NOT OK:
=> Updates ticket with a comment why the contribution is NOT OK and moves ticket back to the "denied" state.

If enough people are interested in this I can add Google’s Open Source patching as one of OSS Review Toolkit's examples and explain how it works in a future OpenChain call.

Regards,

Thomas Steenbergen
Head of Open Source, HERE Technologies

[1] https://ossna18.sched.com/event/FAO9/how-adobe-is-changing-its-culture-around-open-source-steven-gill-filip-maj-adobe
[2] https://opensource.google/docs/patching/
[3] https://www.jenkins.io/
[4] https://oss-review-toolkit.org/
[5] https://github.com/nexB/scancode-toolkit


On 15.05.20, 08:51, "germany-wg@... on behalf of Shane Coughlan via lists.openchainproject.org" <germany-wg@... on behalf of scoughlan=linuxfoundation.org@...> wrote:

Let’s do the call. Perhaps next week? Then we can include it in a forthcoming webinar before/after the main speakers.

> On May 14, 2020, at 0:38, Tobie Langel <@tobie> wrote:
>
> That's a great question for a topic I care a lot about. Happy to dig deeper in a follow-up call or a pre-recorded video, as you wish.
>
> Let me know how you want to proceed.
>
> Thanks,
>
> --tobie
>
> On Tue, May 12, 2020 at 9:22 AM Shane Coughlan <@shanecoughlan> wrote:
> Steve, thank you for this question!
>
> Tobie, can we record the answer and include it in a forthcoming OpenChain webinar? I’m thinking we hop onto Zoom for 5~10 minutes and cover this.
>
> Shane
>
> > On May 5, 2020, at 19:36, Steve Kilbane <@steve.kilbane> wrote:
> >
> > My thanks to all the presenters for the informative talks yesterday. I very much enjoyed them.
> >
> > A follow-up question for Tobie, which I didn't raise at the time due to a combination of a tight schedule and an over-abundance of mute buttons...
> >
> > You suggested converting the approval process into an app. I wondered whether there have been implementations of open-source tooling that does this? It's obviously reminiscent of CLA/DCO approval within GitHub, but I imagine that something different would be needed, since this would be approval from the other side of the contribution transaction.
> >
> > Thanks again,
> >
> > steve
> >
> >
> >
> >
>
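
The two decisions the AWS lambda in the workflow above has to make (step 4, is the ticket complete and safe to hand to Jenkins; step 7, what state the ticket moves to once OSS Review Toolkit has run) are the part worth writing down in code. The block below is an added example for this page, not code from Thomas's post, from HERE or from the OSS Review Toolkit project. It assumes an allowlist of clone hosts, a mapping from ORT evaluator severities (ERROR, WARNING, HINT) to the ticket states named in the workflow, and a constructed ticket and evaluator result with made-up rule names; none of those are specified in the post. The security point it adds is that the "VCS URL" field is untrusted user input that ends up as a parameter of a CI job that clones it, so it is validated before anything is triggered.

```python
from urllib.parse import urlparse

# Assumed for this example: the only hosts the Jenkins job may clone from.
ALLOWED_VCS_HOSTS = {"github.com", "gitlab.com"}
REQUIRED_FIELDS = ("Title", "Description", "VCS URL")

# ORT's evaluator tags each rule violation with a severity of ERROR,
# WARNING or HINT. Mapping them to the ticket states named in the
# workflow is this example's assumption, not something the post fixes.
SEVERITY_TO_STATE = {"ERROR": "denied", "WARNING": "needs approval"}
STATE_ORDER = ["completed", "needs approval", "denied"]


def validate_vcs_url(url):
    """Return an error message, or None if the URL is safe to pass to Jenkins."""
    try:
        parts = urlparse(url)
    except ValueError:
        return "VCS URL is not a parseable URL"
    if parts.scheme != "https":
        return "VCS URL must use https://"
    if parts.username or parts.password:
        return "VCS URL must not embed credentials"
    if parts.hostname not in ALLOWED_VCS_HOSTS:
        return "VCS URL host is not on the allowlist"
    # The URL becomes a job parameter; refuse anything a shell could
    # interpret in case a later step forgets to quote it.
    if any(ch in url for ch in " \t\n'\"`$;&|<>"):
        return "VCS URL contains characters that are not allowed"
    return None


def validate_ticket(fields):
    """Step 4: list the problems to report back to the ticket (empty means OK)."""
    problems = [f"{name} is required" for name in REQUIRED_FIELDS
                if not (fields.get(name) or "").strip()]
    if not any(p.startswith("VCS URL") for p in problems):
        err = validate_vcs_url(fields["VCS URL"].strip())
        if err:
            problems.append(err)
    return problems


def scan_transition(fields):
    """Step 4 outcome: ("scan", None) triggers Jenkins, ("open", comment) bounces the ticket."""
    problems = validate_ticket(fields)
    if problems:
        return "open", "Please provide: " + "; ".join(problems)
    return "scan", None


def decide(evaluator_result):
    """Step 7: turn ORT evaluator violations into (next state, ticket comment)."""
    violations = evaluator_result.get("violations") or []
    state = "completed"
    for v in violations:
        candidate = SEVERITY_TO_STATE.get(v.get("severity"), "completed")
        if STATE_ORDER.index(candidate) > STATE_ORDER.index(state):
            state = candidate  # the worst violation decides the state
    if state == "completed":
        return state, "Contribution is OK with policy."
    details = [f"{v['severity']}: {v.get('rule', '?')} on {v.get('pkg', '?')}: {v.get('message', '')}"
               for v in violations if v.get("severity") in SEVERITY_TO_STATE]
    heading = ("Contribution requires approval." if state == "needs approval"
               else "Contribution is NOT OK.")
    return state, heading + "\n" + "\n".join(details)


# Constructed sample inputs (not a real ticket or scan); rule names are made up.
SAMPLE_TICKET = {
    "Title": "Fix off-by-one in lodash chunk()",
    "Description": "Upstream the patch we carry in our fork.",
    "VCS URL": "https://github.com/lodash/lodash.git",
}
SAMPLE_EVALUATOR_RESULT = {
    "violations": [
        {"rule": "PATCH_NEEDS_REVIEW", "pkg": "NPM::lodash:4.17.15", "severity": "WARNING",
         "message": "Project license is not on the no-review-required list."},
        {"rule": "HOW_TO_FIX_MISSING", "pkg": "NPM::lodash:4.17.15", "severity": "HINT",
         "message": "No how-to-fix text configured for this rule."},
    ]
}

if __name__ == "__main__":
    print(scan_transition(SAMPLE_TICKET))
    print(decide(SAMPLE_EVALUATOR_RESULT))
```

HINT-level violations are deliberately left out of the ticket comment: they never change the state, and posting them only trains approvers to skim. The actual JIRA transition and Jenkins trigger calls are left to whatever REST client the lambda already uses; the functions above return the state name and comment those calls need.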

OpenChain Reference Tooling Work Group - Meeting #15 - Full Recording

 

The OpenChain Reference Tooling Work Group held its 15th meeting on the 13th of May. This meeting covered general updates in the tooling space and a deep dive into TERN for container compliance.
https://www.openchainproject.org/news/2020/05/15/openchain-reference-tooling-work-group-meeting-15-full-recording

OpenChain Newsletter #36 out now

 

The latest OpenChain newsletter is out, marking 36 months since we started a major outward push for awareness and adoption. During this time our industry standard entered a multitude of new markets. You can catch up on our April adventures at the link:
https://www.openchainproject.org/openchain-newsletter-issue-36

Re: OpenChain Webinar 3 - Today (Monday) at 9am Pacific

 

Let’s do the call. Perhaps next week? Then we can include it in a forthcoming webinar before/after the main speakers.

Call for Papers, Open Compliance Summit, December

 

Reminder: Call for Papers, Open Compliance Summit, December. This is the only dedicated compliance summit in the world of open source. Join our diverse international audience and explore the intersection of business, law and engineering.
https://events.linuxfoundation.org/open-compliance-summit/program/cfp/#概要

Re: OpenChain Webinar 3 - Today (Monday) at 9am Pacific

 

Steve, thank you for this question!

Tobie, can we record the answer and include it in a forthcoming OpenChain webinar? I’m thinking we hop onto Zoom for 5~10 minutes and cover this.

Shane

Re: OpenChain Webinar 3 - Today (Monday) at 9am Pacific

Steve Kilbane
 

My thanks to all the presenters for the informative talks yesterday. I very much enjoyed them.

A follow-up question for Tobie, which I didn't raise at the time due to a combination of a tight schedule and an over-abundance of mute buttons...

You suggested converting the approval process into an app. I wondered whether there have been implementations of open-source tooling that does this? It's obviously reminiscent of CLA/DCO approval within GitHub, but I imagine that something different would be needed, since this would be approval from the other side of the contribution transaction.

Thanks again,

steve

OpenChain Spec - Next Gen After ISO - initial discussion 10am Pacific, May 4th

 

Dear all

Immediately after our 3rd webinar covering contribution policies, M&A and due diligence between 9am and 10am Pacific May 4th, Mark Gisi will lead a 20-minute first drafting discussion of the next gen OpenChain, OpenChain 3.

Why?

OpenChain 2 has been deployed for one year. It will be released in ISO form in the coming months. We expect the 2nd gen standard to run for several years as a clear lighthouse to guide all compliance work.

Meanwhile, starting the draft process for OpenChain 3 this month will allow us to get feedback and experience from existing, new and near future adopters. We will use this to carefully consider what adjustments, clarifications and extensions will work for all our stakeholders. It’s a great conversation to join if you want to help frame the future.


Regards

Shane 

OpenChain Webinar 3 - Today (Monday) at 9am Pacific

 

OpenChain Webinar 3: Tobie Langel (UnlockOpen) on Contribution Policies, Leon Schwartz and Tony Decicco (GTC) on M&A, Andrew Katz (Moorcrofts) on Due Diligence. We will wrap with Mark Gisi (WindRiver) on framing the next gen OpenChain standard. 9am Pacific, free and open for all:
https://www.openchainproject.org/featured/2020/04/23/openchain-webinar-3