|
| 1 | +# Overview |
| 2 | + |
| 3 | +This is a document to explore model provisions for OpenChain ISO/IEC 5230 or ISO/IEC DIS 18974 in procurement contracts and similar material. It is based on the public domain Risk Grid version 12 hosted in the OpenChain Reference Library on GitHub: |
| 4 | +https://github.com/OpenChain-Project/Reference-Material/blob/master/General-Compliance-Support-Material/Risk-Grid/risk-grid-12.md |
| 5 | + |
| 6 | +The goal of this document is to ensure people can understand options. We will not be prescriptive and these model provisions will remain part of the OpenChain reference material. They will not be included in the OpenChain standards themselves. |
| 7 | + |
| 8 | +## Version 0.5 |
| 9 | + |
| 10 | +# Series of Due Diligence Questions to be used prior to preparation of contract |
| 11 | + |
| 12 | +Note: this document is to be interpreted consistently with the OpenChain Specification 2.1 (ISO5230:2020) ("OpenChain"). For a copy of the OpenChain specification, please see here [insert link]. In each case, if the answer to a question below is *yes*, please provide details. |
| 13 | + |
| 14 | +### Q0.1: Do you have any formal certifications or conformance assessments relating to your open source compliance activities (e.g. OpenChain, ISO/IEC 5230:2020). These can be self certifications or external certifications. |
| 15 | + |
| 16 | +### Q0.2 If yes, is the software to be developed for us developed under a program which conforms to these certifications or assessments? |
| 17 | + |
| 18 | +### Q1: Do you have a policy for selecting, using and deploying free and open source software (FOSS) components? |
| 19 | + |
| 20 | +### Q2: Do you provide training to staff on selecting and incorporating FOSS into your products? |
| 21 | + |
| 22 | +### Q3: Do you have a process for reviewing FOSS licences and categorising the obligations/conditions attached to them? |
| 23 | + |
| 24 | +### Q3.1 Do you have a method of recording decisions made as to whether a particular component should be incorporated or not? |
| 25 | + |
| 26 | +### Q3.2 Are these records attributable to specific version(s) or release(s) of software? |
| 27 | + |
| 28 | +### Q3.3 How long are the records archived for? |
| 29 | + |
| 30 | +### Q4: Do you use any software tools or services to assist with open source license compliance? (For example, Black Duck, Scancode, White Source, FOSSology, SW360) |
| 31 | + |
| 32 | +### Q5.1: Have you appointed individuals with overall responsibility for open source license compliance policies, practice and procedures? |
| 33 | + |
| 34 | +### Q5.2: Have you appointed individuals with overall responsibility for responding to open source queries from outside the organization? |
| 35 | + |
| 36 | +### Q6: Can you provide a complete list of open source components and their respective licensing information used in any software you use or ship? |
| 37 | + |
| 38 | +### Q7: Do you provide customers with all materials required by the relevant open source software licenses (e.g. source code or offers to provide source, attribution notices, installation instructions)? |
| 39 | + |
| 40 | +### Q8: Does your organization contribute to external open source projects? Do you have a policy for handling this? |
| 41 | + |
| 42 | + |
| 43 | +# OpenChain based representations for use in a procurement contract |
| 44 | + |
| 45 | +*Note: This is a set of representations and obligations to be incorporated in a procurement contract. The structure follows ISO:5230:2020. The representations may also be modified to take effect as warranties and/or indemnities depending on local law and as agreed between the parties.* |
| 46 | + |
| 47 | +*If due diligence determines that the supplier claims to be ISO 5230:2020 compliant, the following warranties apply. If the customer is **not** compliant with ISO 5230:2020 then extra care should be taken in selecting this supplier (and they should be encouraged to implement the relevant requirements, and ideally comply with ISO 5230:2020 in its entirety, and the warranties marked with an asterisk (\*) can be deleted* |
| 48 | + |
| 49 | +[Note: Alternatively, we can produce shortened set of reps applying to companies which have already confirmed they are OpenChain conformant] |
| 50 | + |
| 51 | +### 1.1. General |
| 52 | + |
| 53 | +#### 1.1.1. All capitalized terms in this Section [1] are, unless defined elsewhere in this Agreement, to be interpreted in line with the definitions in the OpenChain Specification 2.1 (ISO 5230:2020) (“OpenChain”). |
| 54 | + |
| 55 | +#### 1.1.2. “Software” means Supplied Software delivered or to be delivered to the Customer. |
| 56 | + |
| 57 | +#### 1.1.3. “Supplier Information Pack” means information supplied in writing and appended to this Agreement providing information about the Supplier's Open Source Conformance Program. |
| 58 | + |
| 59 | +#### 1.1.4. “Use Case” means the Use Case which the Customer has specified as being its intended use of the Software (for example, installation of the software onto an embedded device which is distributed to an end-user). |
| 60 | + |
| 61 | +#### 1.1.5. The Supplier affirms that the Software is developed subject to a Program which is OpenChain conformant. * |
| 62 | + |
| 63 | +#### 1.1.6. The Supplier affirms that it has obtained and holds an OpenChain conformance validation document issued within the past 18 months, a copy of which is appended to the Supplier Information Pack. * |
| 64 | + |
| 65 | +#### 1.1.7. Where in this Section [1] [or pursuant to OpenChain]* the Supplier represents that it has any policy, process or procedure, it further represents that it shall maintain and enforce any such policy, process and procedure throughout the [term of this Agreement] |
| 66 | + |
| 67 | +### 1.2. Policy |
| 68 | + |
| 69 | +#### 1.2.1. The Supplier has a written Open Source policy that governs Open Source compliance of the Software a copy of which is appended to the Supplier Information Pack. |
| 70 | + |
| 71 | +#### 1.2.2. The Supplier has (i) appointed persons responsible for the Supplier’s compliance with its Open Source policy; (ii) determined the necessary competence of such persons; (iii) ensured and taken action to ensure that such persons are competent on the basis of appropriate education, training, and/or experience; and (iv) retained documented information as evidence of competence. Copies of documents evidencing the above are appended to the Supplier Information Pack. |
| 72 | + |
| 73 | +#### 1.2.3. The Supplier has documented a procedure for making its Program Participants of its Open Source policy, has ensured that its Program Participants are aware of the Supplier’s Open Source policy, the relevant Open Source objectives, their contribution to the effectiveness of the compliance program, and the implications of non-compliance. Copies of documents evidencing the above are appended to the Supplier Information Pack. |
| 74 | + |
| 75 | +#### 1.2.4. Where different Open Source compliance programs are governed by their different levels of scope and limits, the Supplier has declared the scope designation for each program applicable to Supplied Software, copies of which are appended to the Supplier Information Pack. |
| 76 | + |
| 77 | +#### 1.2.5. The Supplier has adopted a process for reviewing the Identified Licenses to determine the obligations, restrictions and rights granted by each license. Details of the process are appended to the Supplier Information Pack. |
| 78 | + |
| 79 | +### 1.3. Access & Resourcing |
| 80 | + |
| 81 | +#### 1.3.1. The Supplier has (i) adopted and maintained a process to effectively respond to external Open Source inquiries, details of which are appended to the Supplier Information Pack; and (ii) publicly identified a means by which a third party can make an Open Source compliance inquiry. |
| 82 | + |
| 83 | +#### 1.3.2. The Supplier has (i) assigned accountability to its Program Participants officers to ensure the successful execution of compliance Program tasks; (ii) ensured that compliance Program tasks have been provided with sufficient execution time and funding resources; (iii) adopted a process for reviewing and updating the policy and the supporting tasks; (iv) ensured that legal expertise pertaining to Open Source license compliance is accessible to those who may need such guidance; and (v) adopted a process for the resolution of Open Source license compliance issues. Details of the above are appended to the Supplier Information Pack. |
| 84 | + |
| 85 | +### 1.4. Content Review & Approval |
| 86 | + |
| 87 | +#### 1.4.1. The Supplier has adopted and documented a process for creating and managing a bill of materials that includes each Open Source component (and its identified licenses) from which the supplied software is comprised. Details of the process are appended to the Supplier Information Pack. |
| 88 | + |
| 89 | +#### 1.4.2. The Supplier has adopted and documented a process to ensure that its compliance program is capable of handling the common Open Source license use cases for the Open Source components of the supplied software. Details of the documented process are appended to the Supplier Information Pack. |
| 90 | + |
| 91 | +### 1.5. Compliance Artefacts |
| 92 | + |
| 93 | +#### 1.5.1. The Supplier has adopted and documented a process for creating a set of Compliance Artefacts (such as legal notices or source code) that represent the output of a compliance Program and accompany the Software. Copies of this procedure and records evidencing that it has been followed are appended to the Supplier Information Pack. |
| 94 | + |
| 95 | +#### 1.5.2. The Compliance Artefacts are prepared in such a way as to ensure that use and/or distribution of the Software in accordance with the Use Case will be compliant. |
| 96 | + |
| 97 | +### 1.6. Contributions |
| 98 | + |
| 99 | +#### 1.6.1. The Supplier has a policy governing the contribution to third party Open Source projects, a copy of which is appended to the Supplier Information Pack |
| 100 | + |
| 101 | +### 1.7. Ongoing Obligations |
| 102 | + |
| 103 | +#### 1.7.1. The Customer shall be entitled on request to receive a copy of any Verification Materials or Compliance Artifacts applicable to Software or to any version of the Software currently in development. |
| 104 | + |
| 105 | +#### 1.7.2. The Supplier shall notify the Customer promptly should any practice, policy or procedure comprising part of the Program change in any material respect. |
| 106 | + |
| 107 | +#### 1.7.3. [Access to software/repo as it is in development] |
| 108 | + |
| 109 | +#### 1.7.4. [Access to logs showing queries and breaches of policies] |
| 110 | + |
| 111 | +### 1.8. Warranties and Indemnities |
| 112 | + |
| 113 | +#### 1.8.1. The Supplier warrants that any Open Source components contained within the Software are fully and accurately listed on each Software Bill of Materials made available to the Customer from time to time; |
| 114 | + |
| 115 | +#### 1.8.2. Are accompanied by all Compliance Artifacts necessary to fully comply with the terms of the Open Source licenses applicable to all components contained within the Software when the Software is |
| 116 | + |
| 117 | +#### 1.8.2.1. Delivered to the Customer; and |
| 118 | + |
| 119 | +#### 1.8.2.2. Delivered to any downstream distributor of the Customer; and |
| 120 | + |
| 121 | +#### 1.8.2.3. Delivered to any End User [either as an installer package, a binary, a packaged delivered and installed through an app store, or delivered pre-installed into any device] as anticipated by the Use Case |
| 122 | + |
| 123 | +#### 1.8.3. [usual warranties as to general IP compliance, right to supply to customer, conformance with specification etc.] |
| 124 | + |
| 125 | +#### 1.8.4. [usual ongoing obligations as to awareness of breaches etc.] |
| 126 | + |
| 127 | +#### 1.8.5. [usual indemnity wording] |
| 128 | + |
| 129 | +# Below is a Series of Optional Model Language Issues in Original Risk Grid Format: |
| 130 | + |
| 131 | +Each issue is formatted as follows: |
| 132 | + |
| 133 | +- Issue |
| 134 | +- Commentary |
| 135 | +- Who is best placed to bear risk? |
| 136 | +- Best mechanism to tackle risk |
| 137 | +- Sample Wording |
| 138 | +- Supplier's Arguments |
| 139 | +- Customer's Arguments |
| 140 | + |
| 141 | +## Overarching Topics |
| 142 | + |
| 143 | +### Issue - Inclusion of OpenChain ISO/IEC 5230 |
| 144 | + |
| 145 | +#### Commentary |
| 146 | + |
| 147 | +None listed. |
| 148 | + |
| 149 | +#### Who is best placed to bear risk? |
| 150 | + |
| 151 | +Supplier. |
| 152 | + |
| 153 | +#### Best mechanism to tackle risk |
| 154 | + |
| 155 | +None listed. |
| 156 | + |
| 157 | +#### Sample Wording |
| 158 | + |
| 159 | +The Supplier warrants that the [Software] [defined components of the Software] originate[s] from an OpenChain ISO/IEC 5230:2000 Conformant Program [or Programs] [, with the OpenChain ISO/IEC 5230:2000 Conformant Program being specified in the Supplier Information Pack]. |
| 160 | + |
| 161 | +or |
| 162 | + |
| 163 | +The Supplier warrants that the [Software] [defined components of the Software] originate[s] from a Program [or Programs] adhering to aspects of an OpenChain ISO/IEC 5230:2000 Conformant Program as specified in the Supplier Information Pack]. |
| 164 | + |
| 165 | +and |
| 166 | + |
| 167 | +[The Supplier does not warrant that use, modification or further distribution by the Customer of the Software constitutes a continuation of adherence to an OpenChain ISO/IEC 5230:2000 Conformant Program]. |
| 168 | + |
| 169 | +#### Supplier's Arguments |
| 170 | + |
| 171 | +The Supplier may argue that the inclusion of these requirements or the extent of the requirements included introduce a cost-burden that need to be offset. |
| 172 | + |
| 173 | +#### Customer's Arguments |
| 174 | + |
| 175 | +The Customer is receiving a potential liability regarding third-party intellectual property along with the Software deliverable from the Supplier. As such, it is reasonable to request that the Supplier adheres to international standards related to the licensing of this third-party intellectual property. |
| 176 | + |
| 177 | +### Issue - Inclusion of OpenChain ISO/IEC DIS 18974 |
| 178 | + |
| 179 | +#### Commentary |
| 180 | + |
| 181 | +None listed. |
| 182 | + |
| 183 | +#### Who is best placed to bear risk? |
| 184 | + |
| 185 | +Supplier. |
| 186 | + |
| 187 | +#### Best mechanism to tackle risk |
| 188 | + |
| 189 | +None listed. |
| 190 | + |
| 191 | +#### Sample Wording |
| 192 | + |
| 193 | +The Supplier warrants that the [Software] [defined components of the Software] originate[s] from an OpenChain ISO/IEC DIS 18974 Conformant Program [or Programs] [, with the OpenChain ISO/IEC DIS 18974 Conformant Program being specified in the Supplier Information Pack]. |
| 194 | + |
| 195 | +or |
| 196 | + |
| 197 | +The Supplier warrants that the [Software] [defined components of the Software] originate[s] from a Program [or Programs] adhering to aspects of an OpenChain ISO/IEC DIS 18974 Conformant Program as specified in the Supplier Information Pack]. |
| 198 | + |
| 199 | +and |
| 200 | + |
| 201 | +[The Supplier does not warrant that use, modification or further distribution by the Customer of the Software constitutes a continuation of adherence to an OpenChain ISO/IEC DIS 18974 Conformant Program]. |
| 202 | + |
| 203 | +#### Supplier's Arguments |
| 204 | + |
| 205 | +The Supplier may argue that the inclusion of these requirements or the extent of the requirements included introduce a cost-burden that need to be offset. |
| 206 | + |
| 207 | +#### Customer's Arguments |
| 208 | + |
| 209 | +The Customer is receiving a potential liability regarding security along with the Software deliverable from the Supplier. As such, it is reasonable to request that the Supplier adheres to international standards related to the managing of security assurance related to the Software. |
| 210 | + |
| 211 | +### Issue - Determining if the OpenChain Conformant Program is self-certified or third-party certified |
| 212 | + |
| 213 | +#### Commentary |
| 214 | + |
| 215 | +None listed. |
| 216 | + |
| 217 | +#### Who is best placed to bear risk? |
| 218 | + |
| 219 | +Supplier |
| 220 | + |
| 221 | +#### Best mechanism to tackle risk |
| 222 | + |
| 223 | +None listed. |
| 224 | + |
| 225 | +#### Sample Wording |
| 226 | + |
| 227 | +The Supplier warrants that the OpenChain [ISO/IEC 5230:2000][ISO/IEC DIS 18974] Conformant Program [or Programs] referenced in the relevant [purchasing agreement[s]] [contract[s]] is self-certified as per the checklists or questionnaires provided by the OpenChain Project. |
| 228 | + |
| 229 | +or |
| 230 | + |
| 231 | +The Supplier warrants that the OpenChain [ISO/IEC 5230:2000][ISO/IEC DIS 18974] Conformant Program [or Programs] referenced in the relevant [purchasing agreement[s]] [contract[s]] is third-party certified by [registered] [licensed] third-party certified. |
| 232 | + |
| 233 | +and |
| 234 | + |
| 235 | +[The Supplier will produce documentation to verify that the OpenChain [ISO/IEC 5230:2000][ISO/IEC DIS 18974] Conformant Program [or Programs] has undergone the disclosed certification process.] |
| 236 | + |
| 237 | +#### Supplier's Arguments |
| 238 | + |
| 239 | +None. |
| 240 | + |
| 241 | +#### Customer's Arguments |
| 242 | + |
| 243 | +The Customer requires clarity regarding the type of certification that the Supplier has undergone to contextualize their risk. A Customer may regard third-party certification as preferable due to the inherent audit involved. Alternatively, a Customer may be satisfied that self-certification is sufficient given that OpenChain ISO/IEC 5230:2000 or ISO/IEC DIS 18974 both require the party with a conformant program to maintain documentation on how they accomplished their conformance. |
| 244 | + |
0 commit comments