
How OpenChain can transform the supply chain


The OpenChain Project's open source compliance standards aim to make supply chains simpler, faster, safer, and more efficient.

OpenChain is all about increasing open source compliance in the supply chain. This issue, which many people initially dismiss as a legal concern or a low priority, is actually tied to making sure that open source is as useful and frictionless as possible. In a nutshell, because open source is about the use of third-party code, compliance is the nexus where equality of access, safety of use, and reduction of risk can be found. OpenChain accomplishes this by building trust between organizations.

Many companies today understand open source and act as major supporters of open source development; however, addressing open source license compliance in a systematic, industry-wide manner has proven to be a somewhat elusive challenge. The global IT market has not seen a significant reduction in the number of open source compliance issues in areas such as consumer electronics over the past decade.

The majority of compliance issues originate in the midst of sharing multiple hardware and software components across numerous entities. The global supply chain is long and the participants are simultaneously intertwined and disparate. It is possible to have companies making hardware, companies making software, and companies doing both, all collaborating around a relatively small component. The products that result are often outstanding, but the challenge of keeping track of everything is substantial.

Complexities of supply chain compliance

Open source presents a specific challenge in the global supply chain. This is not because open source is inherently complex, but because of companies' varying degrees of exposure and domain knowledge. By way of example, the staff of a company developing a small component that requires a device driver may be entirely unfamiliar with open source. One mistake, one misunderstanding, and one component deployed in dozens of devices can present problems. Most compliance challenges arise from mistakes. Few, if any, originate with intent.

Ultimately, solving open source compliance challenges involves solving open source compliance in the supply chain. This is no small task: There are thousands of companies in play across dozens of national borders using numerous languages. Because no single company makes a finished device, no single company can solve the compliance challenges. Therefore, the global supply chain must align behind certain shared approaches.

Compliance is not a device or code issue. It is a process challenge that spans multiple organizations. Awareness of this fact and the provision of a practical solution are two different matters. It takes time for ideas and suggested approaches to percolate and mature. It takes input from lawyers and managers and developers and political scientists. It takes, in short, a while for a community to bounce ideas back and forth until a simple, clear approach can be found. This is how the OpenChain Project came to be.

The OpenChain Project

The OpenChain Project, hosted by The Linux Foundation, is intended to make open source license compliance more predictable, understandable, and efficient for the software supply chain. Formally launched in October 2016, the OpenChain Project started three years earlier with discussions that continued at an increasing pace until a formal project was born. The basic idea was simple: Identify recommended processes for effective open source management. The goal was equally clear: Reduce bottlenecks and risk when using third-party code to make open source license compliance simple and consistent across the supply chain. The key was to pull things together in a manner that balanced comprehensiveness, broad applicability, and real-world usability.

OpenChain conformance

There are three interconnected parts to the OpenChain Project:

• a Specification that defines the core requirements of a quality compliance program,
• a Conformance method that helps organizations display adherence to these requirements, and
• a Curriculum to provide basic open source processes and best practices.

The core of the project is the Specification. This identifies a series of processes that help ensure organizations of any size can effectively address open source compliance issues. The main goal of organizations using the OpenChain Specification is to become conformant; that is, to meet the requirements of a certain version of the OpenChain Specification. A conformant organization can advertise this fact on its website and promotional material, which enables potential suppliers and customers to understand and trust its approach to open source compliance.

OpenChain Conformance can be easily checked via a free, online self-certification questionnaire. This is the quickest, easiest, and most effective way to check and confirm adherence to the OpenChain Specification. There is also a manual conformance document available for organizations whose process requires a paper review or disallows web-based submissions. Either online or manual conformance can be completed at a pace decided by the conforming organization, and both methods remain private until a submission is completed.

The OpenChain Curriculum helps organizations meet the training and process requirements of the OpenChain Specification. It provides a generic, refined, and clear example of an open source compliance training program that can either be used directly or incorporated into existing training programs. It can also be applied to various processes for managing open source inside an organization. The OpenChain Curriculum is available with very few restrictions to ensure organizations can use it in as many ways as possible. It is licensed as CC-0, effectively public domain, so it can be remixed or shared freely for any purpose.

A strong backing community

The OpenChain Project provides a compelling approach to making open source compliance more consistent and more effective across multiple market segments. However, good ideas need implementation, and in open source this inevitably hinges on a supporting community. Fourteen Platinum Members currently support the OpenChain Project's development and adoption: Adobe, ARM, Cisco, Comcast, GitHub, Harman, Hitachi, HPE, Qualcomm, Siemens, Sony, Toyota, Western Digital, and Wind River. There is also a wide community of almost 200 participants on the main mailing list that listen, share, and remix ideas.

At its core, the OpenChain Project is about providing a simple, clear method of building trust between organizations that rely on each other to share code and create products. Any organization that is OpenChain Conformant is aligning behind key requirements that its peers agree are required in a quality compliance program. It is about confirming overarching processes and policies, while allowing the specifics of each process and policy to be crafted by each organization to suit its specific needs.

The OpenChain Specification is at version 1.2 and is ready for adoption by any organization that creates, uses, or distributes open source code. The online conformance is free of charge, and the mailing list and work team calls are open to everyone. This is the first time there has been a single, unifying approach to addressing the challenge of open source compliance in the supply chain, and it has the potential to be truly transformative for the industry.

https://www.openchainproject.org
