openchain:specification-questions-and-answers

Differences

This shows you the differences between two versions of the page.

openchain:specification-questions-and-answers [2017/06/20 11:18]
mgisi [Is a third party audit required to declare a FOSS program to be OpenChain Conforming?]
openchain:specification-questions-and-answers [2019/11/17 19:12] (current)
mgisi [Does the specification describe how to comply with the most popular Open Source licenses?]
Line 1: Line 1:
  
 =====  OpenChain Specification FAQ ===== =====  OpenChain Specification FAQ =====
-This is the FAQ for the OpenChain specification. We highly recommend all contributors to specification'​s development review these questions and answers as a first step to contributing. There are four principles that guide the development of the specification:​ +This is the FAQ for the OpenChain specification. We highly recommend all contributors to specification'​s development review these questions and answers as a first step to contributing. 
-   - Build trust and consistency ​around the use and sharing ​of open source software+ 
 +====What is the objective of the OpenChain specification?​==== 
 + 
 +To define a core set of requirements a Open Source compliance program should satisfy to achieve: a level of trust that an organization provides the artifacts required to achieve Open Source license compliance for software it shares with others. Compliance artifacts consist of: source code, build scripts, license copies, attribution notices, modification notices, SPDX data and other materials open source licenses governing a software deliverable may require. 
 + 
 +==== What are the Specification Guiding Principles? ==== 
 + There are four principles that guide the development of the specification:​ 
 +   - Build trust around the use of open source ​in constructing ​software ​solutions that are shared with others (with a focus on license compliance).
    - Less is More    - Less is More
-     * Avoid boiling the ocean - we can't solve all of the license compliance process issues +     * Avoid boiling the ocean - Focus specifically on providing the necessary and sufficient requirements of a “high quality” compliance program 
-     ​* ​Focus specifically on providing the necessary and sufficient requirements of a “quality” compliance program +     * Focus on meaningful ​pain points based on practical ​use cases 
-     * Focus on meaningfully significant ​pain points ​(based on actual practice ​use cases)+     * If we could remove words and still preserve meaning and value then use fewer words
   - Focus of the what and why (avoid the how and when)   - Focus of the what and why (avoid the how and when)
     * Embrace the implementation of different practices to solve a given requirement     * Embrace the implementation of different practices to solve a given requirement
-    * Avoid providing specific legal advice or specific ​best practices +    * Avoid providing specific legal advice or specific ​common ​practices 
-  - Function as an open development initiative - open to all to contribute - inclusion via discussion and consensus ​ +  - Function as an open development initiative - open to all to contribute - inclusion via discussion and consensus ​that adhere to these guiding principles. Consider adopting best practices from standard initiatives which complement an open development approach.
  
-====What is the objective of the of the of the OpenChain specification?​==== 
- 
-To define a core set of requirements a Open Source compliance program should satisfy to achieve: a level of trust that an organization provides the artifacts required to achieve Open Source license compliance for software it shares with others. Compliance artifacts consist of: source code, build scripts, license copies, attribution notices, modification notices and other materials open source licenses governing a software deliverable may require. 
  
 ====Where can I obtain a copy of the current version of the specification?​==== ====Where can I obtain a copy of the current version of the specification?​====
  
-   * current version of the specification can be found here: [[https://​wiki.linuxfoundation.org/​_media/​openchain/​openchainspec-1.0.pdf|OpenChain Compliance ​1.0 Specification]]+   * current version of the specification can be found here: [[https://​wiki.linuxfoundation.org/​_media/​openchain/​openchainspec-current.pdf|OpenChain Compliance Specification]]
  
-<!--* working draft of the next version here: [[https://​wiki.linuxfoundation.org/​_media/​openchain/​openchainspec-1.1.draft.pdf|OpenChain Compliance 1.1 DRAFT Specification]].-->​ 
  
-==== Does a FOSS program need to satisfy all the requirements of the specification to be considered OpenChain Conforming? ====+==== Does an Open Source Compliance ​program need to satisfy all the requirements of the specification to be considered OpenChain Conforming? ====
  
 Yes. The specification was designed to provide a core set of requirements to ensure a certain level of program quality has been achieved. In order to ensure there are no significant gaps in an OpenChain conforming program that could lead to poor quality output, a program must satisfy all the requirements to be considered OpenChain conforming. Yes. The specification was designed to provide a core set of requirements to ensure a certain level of program quality has been achieved. In order to ensure there are no significant gaps in an OpenChain conforming program that could lead to poor quality output, a program must satisfy all the requirements to be considered OpenChain conforming.
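Review bot: The new objective paragraph (the "+" line under "What is the objective of the OpenChain specification?") carries over the article error "a Open Source compliance program"; suggest "an Open Source compliance program". Two further wording points in this hunk: the third guiding principle reads "Focus of the what and why", which should be "Focus on the what and why", and the new tail of the fourth principle, "inclusion via discussion and consensus that adhere to these guiding principles", needs a singular verb ("that adheres") or a restructure such as "inclusion via discussion and consensus, in keeping with these guiding principles".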
Line 29: Line 31:
 ====What does it mean that a software offering is OpenChain Conforming?​==== ====What does it mean that a software offering is OpenChain Conforming?​====
  
-For the 1.0 version of the specification supplied software ​itself is not identified as being OpenChain Conforming. An Open Source compliance program which the software is prepared under is a candidate for OpenChain conformance. When a software supplier states they are OpenChain conforming it means they have a program that satisfies all the requirements of the OpenChain specification. A software supplier may declare the software offered was prepared under an OpenChain conforming program. Similarly, a software recipient may ask the supplier if the software they received was prepared under an OpenChain conforming program.+ 
 +An organizaition'​s Supplied Software ​itself is not identified as being OpenChain Conforming. An Open Source compliance ​**program** which the software is prepared under is a candidate for OpenChain conformance. When a software supplier states they are OpenChain conforming it means they have a **program** that satisfies all the requirements of the OpenChain specification. A software supplier may declare the software offered was prepared under an OpenChain conforming ​**program**. Similarly, a software recipient may ask the supplier if the software they received was prepared under an OpenChain conforming ​**program**.
  
 ====Does all software in an organization need to be covered by an OpenChain Conforming program to achieve program conformance?​==== ====Does all software in an organization need to be covered by an OpenChain Conforming program to achieve program conformance?​====
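Review bot: The rewritten conformance paragraph introduces the typo "organizaition's Supplied Software"; suggest "organization's Supplied Software".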
Line 37: Line 40:
 ====Does the specification serve as a best practice guide?==== ====Does the specification serve as a best practice guide?====
  
-No. The main objective of the specification provides a set of requirements that would help one evaluate whether an existing Open Source compliance program is sufficient. It focuses on the “what and why” aspects of a program and not the how or when. There are many different ways to construct a Open Source compliance program (how and when) such that each way would satisfy the specification. The specification provides a method of measuring whether a program has obtained a base line level of quality and consistency. This allows a software supplier to represent to their users that the compliance artifacts they deliver ​were prepared under a Open Source program that met standard level of quality.+No. The main objective of the specification provides a set of requirements that would help one evaluate whether an existing Open Source compliance program is sufficient. It focuses on the “what and why” aspects of a program and not the how or when. There are many different ways to construct a Open Source compliance program (how and when) such that each way would satisfy the specification. The specification provides a method of measuring whether a program has obtained a base line level of quality and consistency. This allows a software supplier to represent to their users that the compliance artifacts they provided ​were prepared under a Open Source program that satisfied ​core set of requirements.
  
 ====How was the specification developed?​==== ====How was the specification developed?​====
  
-The Linux Foundation OpenChain working group functions like an open source project by obtaining input from dozens ​of individuals,​ companies and organizations that have experiences preparing for and/or exchanging software in the software supply chain. There are no specific requirements for participating. The working group identified 6 main categories of a compliance program and then had contributors identify important tasks and deliverable for each category. The six categories were: +The Linux Foundation OpenChain working group functions like an open source project by obtaining input from scores ​of individuals,​ companies and organizations that have experiences preparing for and/or exchanging software in the software supply chain. There are no specific requirements for participating. The working group identified 6 main categories of a compliance program and then had contributors identify important tasks and deliverable for each category. The five categories were: 
-  - Know Your FOSS Responsibilities ​[i.e., “Policy and Training”] +  - Program Foundation ​[i.e., “Policy and Training”] 
-  - Assign Responsibility for Achieving Compliance +  - Relevant Tasks 
-  - Deliver FOSS Content ​Documentation ​and Artifacts +  - Open Source ​Content ​Review ​and Approval 
-  - Review ​and approve FOSS content +  - Compliance Artifact Creation ​and Delivery 
-  - Understand ​FOSS Community Engagement +  - Understand ​Open Source ​Community Engagement 
-  - Certify Adherence to OpenChain Requirements +A number of references that document the history ​of the specs development ​include: 
-A number of reference documents were prepared and used as important sources ​of input into identifying core requirements of a quality compliance program. Several of those documents ​include: +  * {{ https://lists.openchainproject.org/g/specification | specification mailing list}} 
-  * [[https://etherpad.wikimedia.org/p/openchain-proposal1]] +  * {{ https://github.com/OpenChain-Project/Specification/​issues |  github issue tracking}} 
-  * [[http://etherpad.wikimedia.org/p/openchain]] +  * This FAQs
-  * The Supplier License Compliance Audit (SLCA)+
  
-====Is a third party audit required to declare ​a FOSS program to be OpenChain Conforming?​====+====Is a third party audit required to declare ​an Open Source Compliance ​program to be OpenChain Conforming?​====
  
-No. At least not yet. The [[https://​wiki.linuxfoundation.org/​_media/​openchain/​openchainspec-1.0.pdf|OpenChain 1.0 specification]] is simply structured ​to provide a list of requirements where each requirement maintains a set of acceptance criteria (Verification ​Artifacts). Each requirement is a description of an important quality ​Open Source program must maintain. The Verification ​Artifacts ​for a requirement represent a list of tangible artifacts ​that must exist in order for one to determine the specific requirement has been met. Although ​artifacts ​must exist, one is not required to make them public. The key goal of the specification is to foster trust around Open Source compliance between two parties exchanging software. ​Although currently an audit by a third party is not a requirement of the OpenChain specification,​ a partner or customer may ask for evidence of the Verification ​Artifacts ​as a condition for doing business (e.g., under an Non-Disclosure agreement). That is, the obligation to provide evidence of the existence of the artifacts, and the willingness to do so, is determined by the relationship entered into by two parties. It has been discussed that a future version of the specification may provide more specific guidelines on how to obtain third party certification.+No. The specification ​was designed ​to provide a list of requirements where each requirement maintains a set of acceptance criteria (Verification ​Materials). Each requirement is a description of an important quality ​an Open Source ​Compliance ​program must satisfy. The Verification ​Materials ​for a requirement represent a collection ​of evidence ​that must exist in order for one to determine the specific requirement has been met. Although ​evidence ​must exist, one is not required to make them public. The key goal of the specification is to foster trust around Open Source compliance between two parties exchanging software. 
​partner or customer may ask for evidence of the Verification ​Materials ​as a condition for doing business (e.g., under an Non-Disclosure agreement). That is, the obligation to provide evidence of the existence of the materials, and the willingness to do so, is determined by the relationship entered into by two parties. ​
  
-====Does the specification describe how to comply with the most popular ​FOSS licenses?​====+====Does the specification describe how to comply with the most popular ​Open Source ​licenses?​====
  
-No. The specification does not provide legal guidance. It does require an organization to designate a legal expert who can assist with legal guidance. Furthermore the specification requires that a process exists that ensures the appropriate attention is given to license obligation analysis and and fulfillment.+No. The specification does not provide legal guidance. It does require an organization to designate a legal expert who can assist with legal guidance. Furthermore the specification requires that ''​a process exists'' ​that ensures the appropriate attention is given to license obligation analysis and and fulfillment.
  
 ====Does OpenChain program conformance guarantee license compliance?​==== ====Does OpenChain program conformance guarantee license compliance?​====
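Review bot: The "How was the specification developed?" answer is internally inconsistent after this change: it still says the working group "identified 6 main categories" but then introduces "The five categories were:" and lists five items; suggest changing the first sentence to "identified five main categories" (or restoring a sixth item if one was dropped by mistake), and "This FAQs" in the reference list should be "This FAQ". Also in this hunk: the new second paragraph of the third-party-audit answer begins with a lowercase "partner or customer may ask" and has lost its leading "A"; "under an Non-Disclosure agreement" should be "under a Non-Disclosure agreement"; "satisfied core set of requirements" in the best-practice answer is missing "a"; and "license obligation analysis and and fulfillment" repeats "and".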
Line 67: Line 69:
 ====Do resources exist to assist my organization in achieving OpenChain Conformance?​==== ====Do resources exist to assist my organization in achieving OpenChain Conformance?​====
  
-The OpenChain Curriculum working group has developed training reference materials that greatly facilitate the creation (or enhancement) of a FOSS compliance training program. The OpenChain Conformance working group has developed a questionnaire to guide an organization in self-certifying a program to be OpenChain conforming. The Linux Foundation sponsors various open source projects and initiatives that provide useful tools and compliance program resources that can help implement an OpenChain ​FOSS compliance program (e.g., [[https://​spdx.org/​|SPDX]],​ [[https://​www.fossology.org/​|FOSSology]],​ …). These resources can be found in the +The OpenChain Curriculum working group has developed training reference materials that greatly facilitate the creation (or enhancement) of a Open Source ​compliance training program. The OpenChain Conformance working group has developed a questionnaire to guide an organization in self-certifying a program to be OpenChain conforming. The Linux Foundation sponsors various open source projects and initiatives that provide useful tools and compliance program resources that can help implement an OpenChain ​Open Source ​compliance program (e.g., [[https://​spdx.org/​|SPDX]],​ [[https://​www.fossology.org/​|FOSSology]],​ …). These resources can be found in the 
 [[https://​www.linuxfoundation.org/​offerings/​open-source-compliance|Linux Foundation Open Compliance Program]]. [[https://​www.linuxfoundation.org/​offerings/​open-source-compliance|Linux Foundation Open Compliance Program]].
  
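Review bot: "a Open Source compliance training program" in the resources answer should read "an Open Source compliance training program"; the same a/an fix is needed wherever "FOSS" was replaced by "Open Source" in this revision.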
Line 76: Line 78:
 ====  What is the different between Conformance vs Compliance ==== ====  What is the different between Conformance vs Compliance ====
  
-In the specification text we do *not* use the term "​Compliance"​ with respect to satisfying the spec requirements not to confuse it with "​license compliance"​ or "FOSS Compliance program"​ which is frequently mentioned through out the spec. We use the term "​Conformance"​ instead to mean a program has satisfied all the spec's requirements. It is possible that someone might make reference to the fact that their program "​complies"​ with Spec 1.1 or that the program is "​compliant"​ with version X of the spec which would be equivalent ​ to stating the program "​conforms"​ or has achieved ​"conformance"​ with version X.  +In the specification text we do *not* use the term "​Compliance"​ with respect to satisfying the spec requirements ​- so not to confuse it with "​license compliance"​ or "Open Source ​Compliance program"​ which is frequently mentioned through out the spec. We use the term "​Conformance"​ instead to mean a program has satisfied all the spec's requirements. It is possible that someone might make reference to the fact that their program "​complies"​ with version X of the spec or that the program is "​compliant"​ with version X of the spec which would be equivalent to stating the program "​conforms"​; "is conformant"; ​or "has achieved conformance"​ with version X. 
  
  
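Review bot: The unchanged heading "What is the different between Conformance vs Compliance" should read "What is the difference between Conformance and Compliance"; in the revised paragraph "through out" should be one word, "throughout", and "spec requirements - so not to confuse it" would read better as "spec requirements, so as not to confuse it".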
openchain/specification-questions-and-answers.1497957487.txt.gz · Last modified: 2017/06/20 11:18 by mgisi