How OpenChain can transform the supply chain
The OpenChain Project's open source compliance standards aim to make supply chains simpler, faster, safer, and more efficient.

OpenChain is all about increasing open source compliance in the supply chain. This issue, which many people initially dismiss as a legal concern or a low priority, is actually tied to making sure that open source is as useful and frictionless as possible. In a nutshell, because open source is about the use of third-party code, compliance is the nexus where equality of access, safety of use, and reduction of risk can be found. OpenChain accomplishes this by building trust between organizations.

Many companies today understand open source and act as major supporters of open source development; however, addressing open source license compliance in a systematic, industry-wide manner has proven to be a somewhat elusive challenge. The global IT market has not seen a significant reduction in the number of open source compliance issues in areas such as consumer electronics over the past decade.

The majority of compliance issues originate in the midst of sharing multiple hardware and software components across numerous entities. The global supply chain is long and the participants are simultaneously intertwined and disparate. It is possible to have companies making hardware, companies making software, and companies doing both, all collaborating around a relatively small component. The products that result are often outstanding, but the challenge of keeping track of everything is substantial.

Complexities of supply chain compliance

Open source presents a specific challenge in the global supply chain. This is not because open source is inherently complex, but because of companies' varying degrees of exposure and domain knowledge. By way of example, the staff of a company developing a small component that requires a device driver may be entirely unfamiliar with open source. One mistake, one misunderstanding, and one component deployed in dozens of devices can present problems. Most compliance challenges arise from mistakes. Few, if any, originate with intent.

Ultimately, solving open source compliance challenges involves solving open source compliance in the supply chain. This is no small task: There are thousands of companies in play across dozens of national borders using numerous languages. Because no single company makes a finished device, no single company can solve the compliance challenges. Therefore, the global supply chain must align behind certain shared approaches.

Compliance is not a device or code issue. It is a process challenge that spans multiple organizations. Awareness of this fact and the provision of a practical solution are two different matters. It takes time for ideas and suggested approaches to percolate and mature. It takes input from lawyers and managers and developers and political scientists. It takes, in short, a while for a community to bounce ideas back and forth until a simple, clear approach can be found. This is how the OpenChain Project came to be.

The OpenChain Project

The OpenChain Project, hosted by The Linux Foundation, is intended to make open source license compliance more predictable, understandable, and efficient for the software supply chain. Formally launched in October 2016, the OpenChain Project started three years earlier with discussions that continued at an increasing pace until a formal project was born. The basic idea was simple: Identify recommended processes for effective open source management. The goal was equally clear: Reduce bottlenecks and risk when using third-party code to make open source license compliance simple and consistent across the supply chain. The key was to pull things together in a manner that balanced comprehensiveness, broad applicability, and real-world usability.

OpenChain conformance

There are three interconnected parts to the OpenChain Project:

        • a Specification that defines the core requirements of a quality compliance program,
        • a Conformance method that helps organizations display adherence to these requirements, and
        • a Curriculum to provide basic open source processes and best practices.

The core of the project is the Specification. This identifies a series of processes that help ensure organizations of any size can effectively address open source compliance issues. The main goal of organizations using the OpenChain Specification is to become conformant; that is, to meet the requirements of a certain version of the OpenChain Specification. A conformant organization can advertise this fact on its website and promotional material, which enables potential suppliers and customers to understand and trust its approach to open source compliance.

OpenChain Conformance can be easily checked via a free, online self-certification questionnaire. This is the quickest, easiest, and most effective way to check and confirm adherence to the OpenChain Specification. There is also a manual conformance document available for organizations whose process requires a paper review or disallows web-based submissions. Either online or manual conformance can be completed at a pace decided by the conforming organization, and both methods remain private until a submission is completed.

The OpenChain Curriculum helps organizations meet the training and process requirements of the OpenChain Specification. It provides a generic, refined, and clear example of an open source compliance training program that can either be used directly or incorporated into existing training programs. It can also be applied to various processes for managing open source inside an organization. The OpenChain Curriculum is available with very few restrictions to ensure organizations can use it in as many ways as possible. It is licensed as CC-0, effectively public domain, so it can be remixed or shared freely for any purpose.

A strong backing community

The OpenChain Project provides a compelling approach to making open source compliance more consistent and more effective across multiple market segments. However, good ideas need implementation, and in open source this inevitably hinges on a supporting community. Fourteen Platinum Members currently support the OpenChain Project's development and adoption: Adobe, ARM, Cisco, Comcast, GitHub, Harman, Hitachi, HPE, Qualcomm, Siemens, Sony, Toyota, Western Digital, and Wind River. There is also a wide community of almost 200 participants on the main mailing list who listen, share, and remix ideas.

At its core, the OpenChain Project is about providing a simple, clear method of building trust between organizations that rely on each other to share code and create products. Any organization that is OpenChain Conformant is aligning behind key requirements that its peers agree are required in a quality compliance program. It is about confirming overarching processes and policies, while allowing the specifics of each process and policy to be crafted by each organization to suit its specific needs.

The OpenChain Specification is at version 1.2 and is ready for adoption by any organization that creates, uses, or distributes open source code. The online conformance is free of charge, and the mailing list and work team calls are open to everyone. This is the first time there has been a single, unifying approach to addressing the challenge of open source compliance in the supply chain, and it has the potential to be truly transformative for the industry.

https://www.openchainproject.org
