This shows you the differences between two versions of the page.
openchain:proposed-draft [2015/02/03 15:46] jlovejoy [Section 1]
openchain:proposed-draft [2016/08/11 12:12] (current) AliceSmith [Software Engineering Institute (SEI)]
Line 51: | Line 51: | ||
===== Outline of Compliance Reference Model ===== | ===== Outline of Compliance Reference Model ===== | ||
- | G = Goal__\\ | + | G = Goal\\ |
- | SP = Supporting Practices__\\ | + | SP = Supporting Practices\\ |
- | C = Criteria for supporting practices | + | C = Criteria for supporting practices\\ |
+ | (see charts below for original version) | ||
- **G1: Everyone knows their FOSS responsibilities** | - **G1: Everyone knows their FOSS responsibilities** | ||
Line 73: | Line 74: | ||
* FOSS concepts and obligations | * FOSS concepts and obligations | ||
* How to adhere to FOSS approval process | * How to adhere to FOSS approval process | ||
- | __C1.2.3 Delivery method__\\ | + | * C1.2.3 Delivery method\\ |
- | * __In-person, online__\\ | + | * In-person, online //(JL: should we dictate what format the training delivery method should be? Is this to mean it can be in either in-person or online - or needs to be in both formats?)// |
- | __C1.2.4 Compliance and attendance__\\ | + | * C1.2.4 Compliance and attendance //(JL: compliance with the training? might not want to use the word "compliance" here as it is more associated with license compliance?)// |
- | * __Recordkeeping__\\ | + | * Recordkeeping |
- | * __Reoccurring training__\\ | + | * Reoccurring training |
- | + | - **G2: Responsibility for achieving compliance is assigned** | |
- | G2: Responsibility for achieving compliance is assigned\\ | + | - SP2.1 FOSS Compliance Officer exists |
- | Supporting practices:\\ | + | - SP2.2 Compliance management activity is resourced |
- | SP2.1 FOSS Compliance Officer exists\\ | + | * SP2.2.1 Processes, procedures, templates, forms, etc. are developed |
- | SP2.2 Compliance management activity is resourced\\ | + | * SP2.2.2 Compliance tool needs are identified //(JL: do we want to specifically say "tools"? Are tools always required, e.g. small companies who still want to use these guidelines?)// |
- | -SP2.2.1 Processes, procedures, templates, forms, etc. are developed\\ | + | * SP2.2.3 Compliance tools are evaluated, developed or acquired, and deployed |
- | -SP2.2.2 Compliance tool needs are identified\\ | + | - SP2.3 Licensing expertise is available //(JL: recommend putting this as first SP here)// |
- | -SP2.2.3 Compliance tools are evaluated, developed or acquired, and deployed\\ | + | - **G3: FOSS content (packages/license) is known** //consider making this G2?// |
- | SP2.3 Licensing expertise is available\\ | + | - SP3.1 Code audits/scans are conducted |
- | + | - SP3.2 Supplier compliance is managed //(JL: define who a supplier is; what if the company in question is situated to not really have suppliers, do they still have to comply with these goals?)// | |
- | G3: FOSS content (packages/license) is known\\ | + | * SP3.2.1 Supplier compliance practices are assessed |
- | Supporting practices:\\ | + | * SP3.2.2 Supplier FOSS disclosures are made and reviewed |
- | SP3.1 Code audits/scans are conducted\\ | + | * SP3.2.3 Supplier FOSS obligations are satisfied |
- | SP3.2 Supplier compliance is managed\\ | + | - SP3.3 FOSS records are maintained //(JL: move up in list here)// |
- | -SP3.2.1 Supplier compliance practices are assessed\\ | + | - **G4: FOSS content is reviewed and approved** |
- | -SP3.2.2 Supplier FOSS disclosures are made and reviewed\\ | + | - SP4.1 OSRB exists and is staffed appropriately |
- | -SP3.2.3 Supplier FOSS obligations are satisfied\\ | + | - SP4.2 Planned FOSS use is reviewed in context |
- | SP3.3 FOSS records are maintained\\ | + | - SP4.3 License obligations are identified, understood, and documented |
- | + | - SP4.4 Issues are resolved and approval decisions are followed | |
- | G4: FOSS content is reviewed and approved\\ | + | - **G5: FOSS obligations are satisfied** |
- | Supporting practices:\\ | + | - SP5.1 Documentation obligations are met |
- | SP4.1 OSRB exists and is staffed appropriately\\ | + | - SP5.2 Source code obligations are met |
- | SP4.2 Planned FOSS use is reviewed in context | + | - SP5.3 Community interface exists |
- | SP4.3 License obligations are identified, understood, and documented\\ | + | * SP5.3.1 Email and postal addresses work |
- | SP4.4 Issues are resolved and approval decisions are followed\\ | + | * SP5.3.2 Web portal works |
- | + | * SP5.3.3 Community requests and inquiries are satisfied | |
- | G5: FOSS obligations are satisfied\\ | + | - **G6: Community <del>contributions are encouraged</del> engagement is understood** |
- | Supporting practices:\\ | + | - <del>SP6.1: Individual contributions are reviewed and approved</del> |
- | SP5.1 Documentation obligations are met\\ | + | - <del>SP6.2: Company contributions are reviewed and approved</del> |
- | SP5.2 Source code obligations are met\\ | + | - __SP6.1: Community participation is reviewed and approved.__ |
- | SP5.3 Community interface exists\\ | + | |
- | -SP5.3.1 Email and postal addresses work\\ | + | |
- | -SP5.3.2 Web portal works\\ | + | |
- | -SP5.3.3 Community requests and inquiries are satisfied\\ | + | |
- | + | ||
- | G6: Community <del>contributions are encouraged</del> engagement is understood\\ | + | |
- | Supporting Practices:\\ | + | |
- | <del>SP6.1: Individual contributions are reviewed and approved</del>\\ | + | |
- | <del>SP6.2: Company contributions are reviewed and approved</del>\\ | + | |
- | __SP6.1: Community participation is reviewed and approved.__ | + | |
{{:openchain:g1.jpg|}} | {{:openchain:g1.jpg|}} | ||
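Review bot: the restructured outline is inconsistent in two places. The G6 block on the right-hand side still carries the old <del>...</del> strike-through and __...__ underline markup (the struck SP6.1 and SP6.2 lines and the underlined replacement SP6.1) while every other goal in this hunk was converted to plain "-" and "*" list items; either apply the replacement and drop the struck text, leaving the change history to the revision log, or keep the markup consistent across all six goals. Second, the inline reviewer remarks (the //(JL: ...)// notes on C1.2.3, C1.2.4, SP2.2.2, SP2.3, SP3.2 and SP3.3, and //consider making this G2?// on G3) are now embedded in the document body rather than in a discussion area; they should be resolved or moved out before this draft is treated as the reference outline.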
Line 130: | Line 121: | ||
{{:openchain:g6.jpg|}} | {{:openchain:g6.jpg|}} | ||
- | |||
- | |||
- | |||
- | |||
====== Appendix B ====== | ====== Appendix B ====== | ||
Line 176: | Line 163: | ||
Although the SEI originally focused on self-appraisals to encourage frank and confidential internal discussions about improvement needs, eventually many DoD contract sponsors required that bidders provide evidence of (at least) Level 3 maturity. These funding agencies required an appraisal, conducted by a government-approved appraisal team, as part of the award process. | Although the SEI originally focused on self-appraisals to encourage frank and confidential internal discussions about improvement needs, eventually many DoD contract sponsors required that bidders provide evidence of (at least) Level 3 maturity. These funding agencies required an appraisal, conducted by a government-approved appraisal team, as part of the award process. | ||
- | Over time, the SEI’s model was recognized for the soundness of its software engineering principles and its ability to drive process improvements. A large community of industry and government people coalesced around its guidance. The model itself has continued to evolve and has spawned additional maturity models, as well as a cottage industry of consultants offering appraisal and training services. | + | Over time, the SEI’s model was recognized for the soundness of its software engineering principles and its ability to drive process improvements. A large community of industry and government people coalesced around its guidance. The model itself has continued to evolve and has spawned additional maturity models, as well as a cottage industry of consultants offering appraisal and training [[https://www.linkedin.com/company/redgage-llc | services]]. |
==== ISO 9001 ==== | ==== ISO 9001 ==== |
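Review bot: the only change in this hunk wraps the word "services" in an external link to a LinkedIn company page (https://www.linkedin.com/company/redgage-llc) that has no connection to the SEI or maturity-model text around it, and the surrounding sentence is otherwise byte-for-byte unchanged. This is the link-insertion pattern typical of spam edits on open wikis. Recommend reverting to the plain word and, since this revision is the current one and its header shows a different editor from the previous revision, checking that editor's other edits for inserted external links.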