How OpenChain can transform the supply chain


The OpenChain Project's open source compliance standards aim to make supply chains simpler, faster, safer, and more efficient.

OpenChain is all about increasing open source compliance in the supply chain. This issue, which many people initially dismiss as a legal concern or a low priority, is actually tied to making sure that open source is as useful and frictionless as possible. In a nutshell, because open source is about the use of third-party code, compliance is the nexus where equality of access, safety of use, and reduction of risk can be found. OpenChain accomplishes this by building trust between organizations.

Many companies today understand open source and act as major supporters of open source development; however, addressing open source license compliance in a systematic, industry-wide manner has proven to be a somewhat elusive challenge. The global IT market has not seen a significant reduction in the number of open source compliance issues in areas such as consumer electronics over the past decade.

The majority of compliance issues originate in the midst of sharing multiple hardware and software components across numerous entities. The global supply chain is long and the participants are simultaneously intertwined and disparate. It is possible to have companies making hardware, companies making software, and companies doing both, all collaborating around a relatively small component. The products that result are often outstanding, but the challenge of keeping track of everything is substantial.

Complexities of supply chain compliance

Open source presents a specific challenge in the global supply chain. This is not because open source is inherently complex, but because of companies' varying degrees of exposure and domain knowledge. By way of example, the staff of a company developing a small component that requires a device driver may be entirely unfamiliar with open source. One mistake, one misunderstanding, and one component deployed in dozens of devices can present problems. Most compliance challenges arise from mistakes. Few, if any, originate with intent.

Ultimately, solving open source compliance challenges involves solving open source compliance in the supply chain. This is no small task: There are thousands of companies in play across dozens of national borders using numerous languages. Because no single company makes a finished device, no single company can solve the compliance challenges. Therefore, the global supply chain must align behind certain shared approaches.

Compliance is not a device or code issue. It is a process challenge that spans multiple organizations. Awareness of this fact and the provision of a practical solution are two different matters. It takes time for ideas and suggested approaches to percolate and mature. It takes input from lawyers and managers and developers and political scientists. It takes, in short, a while for a community to bounce ideas back and forth until a simple, clear approach can be found. This is how the OpenChain Project came to be.

The OpenChain Project

The OpenChain Project, hosted by The Linux Foundation, is intended to make open source license compliance more predictable, understandable, and efficient for the software supply chain. Formally launched in October 2016, the OpenChain Project started three years earlier with discussions that continued at an increasing pace until a formal project was born. The basic idea was simple: Identify recommended processes for effective open source management. The goal was equally clear: Reduce bottlenecks and risk when using third-party code to make open source license compliance simple and consistent across the supply chain. The key was to pull things together in a manner that balanced comprehensiveness, broad applicability, and real-world usability.

OpenChain conformance

There are three interconnected parts to the OpenChain Project:

• a Specification that defines the core requirements of a quality compliance program,
• a Conformance method that helps organizations display adherence to these requirements, and
• a Curriculum to provide basic open source processes and best practices.

The core of the project is the Specification. This identifies a series of processes that help ensure organizations of any size can effectively address open source compliance issues. The main goal of organizations using the OpenChain Specification is to become conformant; that is, to meet the requirements of a certain version of the OpenChain Specification. A conformant organization can advertise this fact on its website and promotional material, which enables potential suppliers and customers to understand and trust its approach to open source compliance.

OpenChain Conformance can be easily checked via a free, online self-certification questionnaire. This is the quickest, easiest, and most effective way to check and confirm adherence to the OpenChain Specification. There is also a manual conformance document available for organizations whose process requires a paper review or disallows web-based submissions. Either online or manual conformance can be completed at a pace decided by the conforming organization, and both methods remain private until a submission is completed.

The OpenChain Curriculum helps organizations meet the training and process requirements of the OpenChain Specification. It provides a generic, refined, and clear example of an open source compliance training program that can either be used directly or incorporated into existing training programs. It can also be applied to various processes for managing open source inside an organization. The OpenChain Curriculum is available with very few restrictions to ensure organizations can use it in as many ways as possible. It is licensed as CC-0, effectively public domain, so it can be remixed or shared freely for any purpose.

A strong backing community

The OpenChain Project provides a compelling approach to making open source compliance more consistent and more effective across multiple market segments. However, good ideas need implementation, and in open source this inevitably hinges on a supporting community. Fourteen Platinum Members currently support the OpenChain Project's development and adoption: Adobe, ARM, Cisco, Comcast, GitHub, Harman, Hitachi, HPE, Qualcomm, Siemens, Sony, Toyota, Western Digital, and Wind River. There is also a wide community of almost 200 participants on the main mailing list who listen, share, and remix ideas.

At its core, the OpenChain Project is about providing a simple, clear method of building trust between organizations that rely on each other to share code and create products. Any organization that is OpenChain Conformant is aligning behind key requirements that its peers agree are required in a quality compliance program. It is about confirming overarching processes and policies, while allowing the specifics of each process and policy to be crafted by each organization to suit its specific needs.

The OpenChain Specification is at version 1.2 and is ready for adoption by any organization that creates, uses, or distributes open source code. The online conformance is free of charge, and the mailing list and work team calls are open to everyone. This is the first time there has been a single, unifying approach to addressing the challenge of open source compliance in the supply chain, and it has the potential to be truly transformative for the industry.

https://www.openchainproject.org
