How OpenChain can transform the supply chain


The OpenChain Project's open source compliance standards aim to make supply chains simpler, faster, safer, and more efficient.

OpenChain is all about increasing open source compliance in the supply chain. This issue, which many people initially dismiss as a legal concern or a low priority, is actually tied to making sure that open source is as useful and frictionless as possible. In a nutshell, because open source is about the use of third-party code, compliance is the nexus where equality of access, safety of use, and reduction of risk can be found. OpenChain accomplishes this by building trust between organizations.

Many companies today understand open source and act as major supporters of open source development; however, addressing open source license compliance in a systematic, industry-wide manner has proven to be a somewhat elusive challenge. The global IT market has not seen a significant reduction in the number of open source compliance issues in areas such as consumer electronics over the past decade.

The majority of compliance issues originate in the midst of sharing multiple hardware and software components across numerous entities. The global supply chain is long and the participants are simultaneously intertwined and disparate. It is possible to have companies making hardware, companies making software, and companies doing both, all collaborating around a relatively small component. The products that result are often outstanding, but the challenge of keeping track of everything is substantial.

Complexities of supply chain compliance

Open source presents a specific challenge in the global supply chain. This is not because open source is inherently complex, but because of companies' varying degrees of exposure and domain knowledge. By way of example, the staff of a company developing a small component that requires a device driver may be entirely unfamiliar with open source. One mistake, one misunderstanding, and one component deployed in dozens of devices can present problems. Most compliance challenges arise from mistakes. Few, if any, originate with intent.

Ultimately, solving open source compliance challenges involves solving open source compliance in the supply chain. This is no small task: There are thousands of companies in play across dozens of national borders using numerous languages. Because no single company makes a finished device, no single company can solve the compliance challenges. Therefore, the global supply chain must align behind certain shared approaches.

Compliance is not a device or code issue. It is a process challenge that spans multiple organizations. Awareness of this fact and the provision of a practical solution are two different matters. It takes time for ideas and suggested approaches to percolate and mature. It takes input from lawyers and managers and developers and political scientists. It takes, in short, a while for a community to bounce ideas back and forth until a simple, clear approach can be found. This is how the OpenChain Project came to be.

The OpenChain Project

The OpenChain Project, hosted by The Linux Foundation, is intended to make open source license compliance more predictable, understandable, and efficient for the software supply chain. Formally launched in October 2016, the OpenChain Project started three years earlier with discussions that continued at an increasing pace until a formal project was born. The basic idea was simple: Identify recommended processes for effective open source management. The goal was equally clear: Reduce bottlenecks and risk when using third-party code to make open source license compliance simple and consistent across the supply chain. The key was to pull things together in a manner that balanced comprehensiveness, broad applicability, and real-world usability.

OpenChain conformance

There are three interconnected parts to the OpenChain Project:

• a Specification that defines the core requirements of a quality compliance program,
• a Conformance method that helps organizations display adherence to these requirements, and
• a Curriculum to provide basic open source processes and best practices.

The core of the project is the Specification. This identifies a series of processes that help ensure organizations of any size can effectively address open source compliance issues. The main goal of organizations using the OpenChain Specification is to become conformant; that is, to meet the requirements of a certain version of the OpenChain Specification. A conformant organization can advertise this fact on its website and promotional material, which enables potential suppliers and customers to understand and trust its approach to open source compliance.

OpenChain Conformance can be easily checked via a free, online self-certification questionnaire. This is the quickest, easiest, and most effective way to check and confirm adherence to the OpenChain Specification. There is also a manual conformance document available for organizations whose process requires a paper review or disallows web-based submissions. Either online or manual conformance can be completed at a pace decided by the conforming organization, and both methods remain private until a submission is completed.

The OpenChain Curriculum helps organizations meet the training and process requirements of the OpenChain Specification. It provides a generic, refined, and clear example of an open source compliance training program that can either be used directly or incorporated into existing training programs. It can also be applied to various processes for managing open source inside an organization. The OpenChain Curriculum is available with very few restrictions to ensure organizations can use it in as many ways as possible. It is licensed as CC-0, effectively public domain, so it can be remixed or shared freely for any purpose.

A strong backing community

The OpenChain Project provides a compelling approach to making open source compliance more consistent and more effective across multiple market segments. However, good ideas need implementation, and in open source this inevitably hinges on a supporting community. Fourteen Platinum Members currently support the OpenChain Project's development and adoption: Adobe, ARM, Cisco, Comcast, GitHub, Harman, Hitachi, HPE, Qualcomm, Siemens, Sony, Toyota, Western Digital, and Wind River. There is also a wide community of almost 200 participants on the main mailing list who listen, share, and remix ideas.

At its core, the OpenChain Project is about providing a simple, clear method of building trust between organizations that rely on each other to share code and create products. Any organization that is OpenChain Conformant is aligning behind key requirements that its peers agree are required in a quality compliance program. It is about confirming overarching processes and policies, while allowing the specifics of each process and policy to be crafted by each organization to suit its specific needs.

The OpenChain Specification is at version 1.2 and is ready for adoption by any organization that creates, uses, or distributes open source code. The online conformance is free of charge, and the mailing list and work team calls are open to everyone. This is the first time there has been a single, unifying approach to addressing the challenge of open source compliance in the supply chain, and it has the potential to be truly transformative for the industry.

https://www.openchainproject.org
