
How OpenChain can transform the supply chain


The OpenChain Project's open source compliance standards aim to make supply chains simpler, faster, safer, and more efficient.

OpenChain is all about increasing open source compliance in the supply chain. This issue, which many people initially dismiss as a legal concern or a low priority, is actually tied to making sure that open source is as useful and frictionless as possible. In a nutshell, because open source is about the use of third-party code, compliance is the nexus where equality of access, safety of use, and reduction of risk can be found. OpenChain accomplishes this by building trust between organizations.

Many companies today understand open source and act as major supporters of open source development; however, addressing open source license compliance in a systematic, industry-wide manner has proven to be a somewhat elusive challenge. The global IT market has not seen a significant reduction in the number of open source compliance issues in areas such as consumer electronics over the past decade.

The majority of compliance issues originate in the midst of sharing multiple hardware and software components across numerous entities. The global supply chain is long and the participants are simultaneously intertwined and disparate. It is possible to have companies making hardware, companies making software, and companies doing both, all collaborating around a relatively small component. The products that result are often outstanding, but the challenge of keeping track of everything is substantial.

Complexities of supply chain compliance

Open source presents a specific challenge in the global supply chain. This is not because open source is inherently complex, but because of companies' varying degrees of exposure and domain knowledge. By way of example, the staff of a company developing a small component that requires a device driver may be entirely unfamiliar with open source. One mistake, one misunderstanding, and one component deployed in dozens of devices can present problems. Most compliance challenges arise from mistakes. Few, if any, originate with intent.

Ultimately, solving open source compliance challenges involves solving open source compliance in the supply chain. This is no small task: There are thousands of companies in play across dozens of national borders using numerous languages. Because no single company makes a finished device, no single company can solve the compliance challenges. Therefore, the global supply chain must align behind certain shared approaches.

Compliance is not a device or code issue. It is a process challenge that spans multiple organizations. Awareness of this fact and the provision of a practical solution are two different matters. It takes time for ideas and suggested approaches to percolate and mature. It takes input from lawyers and managers and developers and political scientists. It takes, in short, a while for a community to bounce ideas back and forth until a simple, clear approach can be found. This is how the OpenChain Project came to be.

The OpenChain Project

The OpenChain Project, hosted by The Linux Foundation, is intended to make open source license compliance more predictable, understandable, and efficient for the software supply chain. Formally launched in October 2016, the OpenChain Project started three years earlier with discussions that continued at an increasing pace until a formal project was born. The basic idea was simple: Identify recommended processes for effective open source management. The goal was equally clear: Reduce bottlenecks and risk when using third-party code to make open source license compliance simple and consistent across the supply chain. The key was to pull things together in a manner that balanced comprehensiveness, broad applicability, and real-world usability.

OpenChain conformance

There are three interconnected parts to the OpenChain Project:

        • a Specification that defines the core requirements of a quality compliance program,
        • a Conformance method that helps organizations display adherence to these requirements, and
        • a Curriculum to provide basic open source processes and best practices.
The core of the project is the Specification. This identifies a series of processes that help ensure organizations of any size can effectively address open source compliance issues. The main goal of organizations using the OpenChain Specification is to become conformant; that is, to meet the requirements of a certain version of the OpenChain Specification. A conformant organization can advertise this fact on its website and promotional material, which enables potential suppliers and customers to understand and trust its approach to open source compliance.

OpenChain Conformance can be easily checked via a free, online self-certification questionnaire. This is the quickest, easiest, and most effective way to check and confirm adherence to the OpenChain Specification. There is also a manual conformance document available for organizations whose process requires a paper review or disallows web-based submissions. Either online or manual conformance can be completed at a pace decided by the conforming organization, and both methods remain private until a submission is completed.

The OpenChain Curriculum helps organizations meet the training and process requirements of the OpenChain Specification. It provides a generic, refined, and clear example of an open source compliance training program that can either be used directly or incorporated into existing training programs. It can also be applied to various processes for managing open source inside an organization. The OpenChain Curriculum is available with very few restrictions to ensure organizations can use it in as many ways as possible. It is licensed under CC0, effectively public domain, so it can be remixed or shared freely for any purpose.

A strong backing community

The OpenChain Project provides a compelling approach to making open source compliance more consistent and more effective across multiple market segments. However, good ideas need implementation, and in open source this inevitably hinges on a supporting community. Fourteen Platinum Members currently support the OpenChain Project's development and adoption: Adobe, ARM, Cisco, Comcast, GitHub, Harman, Hitachi, HPE, Qualcomm, Siemens, Sony, Toyota, Western Digital, and Wind River. There is also a wide community of almost 200 participants on the main mailing list who listen, share, and remix ideas.

At its core, the OpenChain Project is about providing a simple, clear method of building trust between organizations that rely on each other to share code and create products. Any organization that is OpenChain Conformant is aligning behind key requirements that its peers agree are required in a quality compliance program. It is about confirming overarching processes and policies, while allowing the specifics of each process and policy to be crafted by each organization to suit its specific needs.

The OpenChain Specification is at version 1.2 and is ready for adoption by any organization that creates, uses, or distributes open source code. The online conformance is free of charge, and the mailing list and work team calls are open to everyone. This is the first time there has been a single, unifying approach to addressing the challenge of open source compliance in the supply chain, and it has the potential to be truly transformative for the industry.

https://www.openchainproject.org
