
Commit 6af605c

Added OpenChain FAQ (1.0 draft) for editing.
1 parent ddf4536 commit 6af605c

1 file changed

+206
-0
lines changed

FAQ/1.0/en/faq.md

Lines changed: 206 additions & 0 deletions
@@ -0,0 +1,206 @@
1+
# Frequently Asked Questions
2+
3+
## General FAQ
4+
5+
The OpenChain Project has an extensive global community that involves thousands of companies collaborating to make the supply chain quicker, more effective and more efficient. We work together to create trust between entities around open source.
6+
7+
Our job is to increase trust in the open source supply chain. We do this by maintaining ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have a large global community where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management.
8+
9+
### Where Can I Find A Formal Description Of OpenChain?
10+
11+
The formal description and structure of the OpenChain Project is contained in the Project Charter.
12+
https://github.com/OpenChain-Project/Project-Charter-And-Agreements/tree/master/Project-Charter
13+
14+
### What Does OpenChain Cover?
15+
16+
The OpenChain Project is focused on building trust in the open source supply chain. Our primary emphasis is on issues related to license, security and related types of compliance. We are working towards a world where open source is predictable, understandable and optimized for internal and external supply chains of any type.
17+
18+
### Who Conforms To OpenChain Standards?
19+
20+
We maintain a list of organizations that have a publicly announced OpenChain Conformant Program. However, because the specifications we publish are supply chain standards, focused on the relationship between suppliers and purchasers, most organizations adopt our work without public announcement.
21+
22+
### How Is OpenChain Organized?
23+
24+
The OpenChain Project has global and local work groups that anyone can be part of. Some examples are the:
25+
26+
Specification Work Group, which identifies and publishes a set of core requirements a quality open source compliance program should satisfy.
27+
28+
Education Work Group, which provides reference material to help organization meet our specification requirements.
29+
30+
You can find a full list of our work groups and other activities on our community page.
31+
https://www.openchainproject.org/community
32+
33+
There are three committees for member companies:
34+
35+
Governing Board – Manage policies or rules and procedures for the Project, fund raising, budgeting and so forth.
36+
37+
Steering Committee – Development, management and updating of the OpenChain Compliance Specification.
38+
39+
Outreach Committee – Designing, developing and executing efforts to build an OpenChain compliance ecosystem throughout relevant supply chains in collaboration with the Governing Board.
40+
41+
### How Is OpenChain Related To OpenSSF Best Practices?
42+
43+
OpenChain and the OpenSSF Best Practices are both Linux Foundation initiatives that identify criteria around open source process quality. OpenChain focuses on the software supply chain. In contrast, the OpenSSF best practices badge focuses on well-run open source projects themselves. These are complimentary initiatives, and both can be used to optimize open source from upstream to deployment and support.
44+
45+
### Can I Participate In OpenChain?
46+
47+
Yes, of course. Everyone from any company, organization or government is welcome to participate. We also welcome individuals interested in the topics we cover. There is no registration or membership required. Get started here:
48+
https://www.openchainproject.org/community
49+
50+
### Can My Company Become An OpenChain Member?
51+
52+
There is no membership requirement to attend our meetings, to join our calls and webinars, or to help edit our standard and reference material. There is currently one membership level for the OpenChain Project: Platinum Membership. This is available to user companies (not vendors) and it provides a seat and a vote on our governing board and our steering committee. To learn more contact the General Manager at [email protected]. There is a partner program for vendor companies to engage with OpenChain. You can learn more here:
53+
https://www.openchainproject.org/partners
54+
55+
## Specification FAQ
56+
57+
This is the FAQ for the OpenChain specification. We highly recommend all contributors to specification’s development review these questions and answers as a first step to contributing. There are four principles that guide the development of the specification:
58+
59+
* Build trust around the use of open source in constructing Modern Software Solutions.
60+
* Less is More
61+
* Avoid boiling the ocean – Focus specifically on providing the necessary and sufficient requirements of a “quality” compliance program
62+
* Focus on meaningful pain points based on actual practice use cases
63+
* Focus of the what and why (avoid the how and when)
64+
* Embrace the implementation of different practices to solve a given requirement
65+
* Avoid providing specific legal advice or specific best practices
66+
* Function as an open development initiative – open to all to contribute – inclusion via discussion and consensus that adhere to these guiding principles
67+
68+
### What is the objective of the OpenChain Specification?
69+
70+
To define a core set of requirements a Open Source compliance program should satisfy to achieve: a level of trust that an organization provides the artifacts required to achieve Open Source license compliance for software it shares with others. Compliance artifacts consist of: source code, build scripts, license copies, attribution notices, modification notices, SPDX data and other materials open source licenses governing a software deliverable may require.
71+
72+
### Where can I find the current version of the specification?
73+
74+
You can find it on the OpenChain Specification page:
75+
https://www.openchainproject.org/get-started/conformance
76+
77+
### Does a FOSS program need to satisfy all the requirements of the specification to be considered OpenChain Conforming?
78+
79+
Yes. The specification was designed to provide a core set of requirements to ensure a certain level of program quality has been achieved. In order to ensure there are no significant gaps in an OpenChain conforming program that could lead to poor quality output, a program must satisfy all the requirements to be considered OpenChain conforming.
80+
81+
### What does it mean that a software offering is OpenChain Conforming?
82+
83+
For the 1.0 version of the specification supplied software itself is not identified as being OpenChain Conforming. An Open Source compliance program which the software is prepared under is a candidate for OpenChain conformance. When a software supplier states they are OpenChain conforming it means they have a program that satisfies all the requirements of the OpenChain specification. A software supplier may declare the software offered was prepared under an OpenChain conforming program. Similarly, a software recipient may ask the supplier if the software they received was prepared under an OpenChain conforming program.
84+
85+
### Does all software in an organization need to be covered by an OpenChain Conforming program to achieve program conformance?
86+
87+
No. Organizations are sometimes composed of different groups and/or departments which may have different programs and release procedures (e.g., engineering vs professional services). One Open Source program within an organization can be classified as OpenChain conforming if it satisfies the specification requirements while another program may not. One should not associate software with OpenChain conformance if it has not been reviewed under a program that has been assessed to be OpenChain conforming.
88+
89+
### Does 85% of software staff in an organization need to have completed open source training within the last 24 months to achieve program conformance?
90+
91+
The 85% may not necessarily apply to the entire organization, but to the totality of those specifically responsible for the design, development and delivery of each Supplied Software release reviewed under an OpenChain conforming program. That is, all the Software staff participating in conforming program represents 100%.
92+
93+
### Does the specification serve as a best practice guide?
94+
95+
No. The main objective of the specification provides a set of requirements that would help one evaluate whether an existing Open Source compliance program is sufficient. It focuses on the “what and why” aspects of a program and not the how or when. There are many different ways to construct a Open Source compliance program (how and when) such that each way would satisfy the specification. The specification provides a method of measuring whether a program has obtained a base line level of quality and consistency. This allows a software supplier to represent to their users that the compliance artifacts they deliver were prepared under a Open Source program that met a standard level of quality.
96+
97+
### How was the specification developed?
98+
99+
The Linux Foundation OpenChain Working Groups functions like an open source project by obtaining input from dozens of individuals, companies and organizations that have experiences preparing for and/or exchanging software in the software supply chain. There are no specific requirements for participating. The working group identified 6 main categories of a compliance program and then had contributors identify important tasks and deliverable for each category. The six categories were:
100+
101+
* Know Your Free and Open Source (FOSS) Responsibilities [i.e., “Policy and Training”]
102+
* Assign Responsibility for Achieving Compliance
103+
* Deliver FOSS Content Documentation and Artifacts
104+
* Review and approve FOSS content
105+
* Understand FOSS Community Engagement
106+
* Certify Adherence to OpenChain Requirements
107+
108+
A number of reference documents were prepared and used as important sources of input into identifying core requirements of a quality compliance program. Several of those documents include:
109+
110+
https://etherpad.wikimedia.org/p/openchain-proposal1
111+
http://etherpad.wikimedia.org/p/openchain
112+
The Supplier License Compliance Audit (SLCA)
113+
114+
### Does the specification describe how to comply with the most popular FOSS licenses?
115+
116+
No. The OpenChain Specification is simply structured to provide a list of requirements where each requirement maintains a set of acceptance criteria (Verification Artifacts). Each requirement is a description of an important quality a Open Source program must maintain. The Verification Artifacts for a requirement represent a list of tangible artifacts that must exist in order for one to determine the specific requirement has been met. Although artifacts must exist, one is not required to make them public. The key goal of the specification is to foster trust around Open Source compliance between two parties exchanging software. Although currently an audit by a third party is not a requirement of the OpenChain specification, a partner or customer may ask for evidence of the Verification Artifacts as a condition for doing business (e.g., under an Non-Disclosure agreement). That is, the obligation to provide evidence of the existence of the artifacts, and the willingness to do so, is determined by the relationship entered into by two parties. It has been discussed that a future version of the specification may provide more specific guidelines on how to obtain third party certification.
117+
118+
### Does the specification provide legal guidance?
119+
120+
No. The specification does not provide legal guidance. It does require an organization to designate a legal expert who can assist with legal guidance. Furthermore the specification requires that a process exists that ensures the appropriate attention is given to license obligation analysis and and fulfillment.
121+
122+
### Does OpenChain program conformance guarantee license compliance?
123+
124+
No, but it significantly increases the probability that license compliance will be achieved for software releases prepared under a OpenChain conforming program.
125+
126+
### Do resources exist to assist my organization in achieving OpenChain Conformance?
127+
128+
The OpenChain Curriculum working group has developed training reference materials that greatly facilitate the creation (or enhancement) of a Open Source compliance training program. The OpenChain Conformance working group has developed a questionnaire to guide an organization in self-certifying a program to be OpenChain conforming. The Linux Foundation sponsors various open source projects and initiatives that provide useful tools and compliance program resources that can help implement an OpenChain Open Source compliance program (e.g., SPDX, FOSSology, …).
129+
130+
### What is the license of the OpenChain Specification?
131+
132+
The specification is licensed under the Creative Commons Attribution License 4.0 (CC-BY-4.0). A copy of the license can be obtained here:
133+
https://creativecommons.org/licenses/by/4.0/legalcode
134+
135+
### What is the difference between Conformance vs Compliance
136+
137+
In the specification text we do *not* use the term “Compliance” with respect to satisfying the spec requirements not to confuse it with “license compliance” or “Open Source Compliance program” which is frequently mentioned through out the spec. We use the term “Conformance” instead to mean a program has satisfied all the spec‘s requirements. It is possible that someone might make reference to the fact that their program “complies” with Spec 1.1 or that the program is “compliant” with version X of the spec which would be equivalent to stating the program “conforms” or has achieved “conformance” with version X.
138+
139+
## Conformance FAQ
140+
141+
The OpenChain Specification is designed to build trust around open source through being a clear and impartial standard. The approach is “less is more”, a focus on what and why (rather than how and when) and by functioning as an open project. Conformance is equally focused – it seeks to provide the simplest method of asking the right questions to measure conformance.
142+
143+
### What is the objective of OpenChain Conformance?
144+
145+
OpenChain Self-Certification is designed to assess the status of OpenChain Conformance in relation to a specific version of the OpenChain Specification. Organizations of any size can accomplish Self-Certification through the OpenChain Project Online Self-Certification Web App. A company that completes the Online Self-Certification confirms they meet the OpenChain Specification requirements.
146+
147+
### Where can I access the OpenChain Online Self-Certification?
148+
149+
It can be found at https://certification.openchainproject.org/.
150+
151+
### Where can I get help with OpenChain Self-Certification?
152+
153+
OpenChain Self Certification page.
154+
155+
### Can I change my submission?
156+
157+
You will see an Unsubmit button at the bottom of the page after signing in to the Online Self-Certification site. Clicking this button will cancel your previous OpenChain Self-Certification submission. You can then re-submit the conformance check. The site is here:
158+
https://certification.openchainproject.org/
159+
160+
### What is meant by Artifacts?
161+
162+
Artifacts are a tangible by-product of implementing OpenChain conformance policies. These can include digital documents, websites or paper documents public or private. All Artifacts should be verified internally by the organization using them.
163+
164+
### What if I don’t agree with a submission made by another organization?
165+
166+
Email [email protected] with the name of the organization you are concerned about and the reason you disagree with their submission. You should expect a response within 4 weeks.
167+
168+
### What response time should I expect to a submittal request?
169+
170+
If all information is correct, the submittal will automatically be approved by the system. Any omissions or incorrect answers will be reported by the user.
171+
172+
### How do I report issues with the Online Self-Certification Web App?
173+
174+
Email [email protected] with any issues. Please include specific information on the issue you have encountered.
175+
176+
### How can I contribute?
177+
178+
OpenChain Community website for information on how to join and contribute.
179+
180+
## Curriculum FAQ
181+
182+
This FAQ is focused on the OpenChain Curriculum Training Slides. These are the core of the curriculum and have been widely adopted, adjusted and redistributed by companies, consultancies and law firms around the world. That said, the OpenChain Curriculum also contains checklists, flowcharts, guides and kanban documents. The FAQ equally applies to these: they are designed to provide simple, clear reference material to assist with confirming that a company has implemented – or can implement – the key requirements of a quality open source compliance program.
183+
184+
### What is the OpenChain Curriculum used for?
185+
186+
The OpenChain Curriculum slide deck provides reference material to meet OpenChain Specification requirement 1.2.
187+
188+
### Who is the OpenChain Curriculum intended for?
189+
190+
The OpenChain Curriculum is intended to help companies shipping Open Source Software and the companies receiving such software through the supply chain.
191+
192+
### How long is the OpenChain Curriculum slide training session?
193+
194+
The reference slides are designed to be delivered in a half day training session. They are split into chapters to allow flexible delivery across different timescales and – given the CC-0 licensing – to allow companies to “pick and choose” the sections they need to expand on any existing in-house training materials.
195+
196+
### What legal jurisdiction do the reference slides cover?
197+
198+
The OpenChain Curriculum reference slides are focused on US law. Companies need to take this into account when considering the use of the reference slides for in-house training. Different legal jurisdictions have different legal requirements.
199+
200+
### Are these slides everything you need to be compliant with licenses?
201+
202+
No, this is a reference deck. It is intended to help companies either get started with an OpenChain conformant compliance training program or to expand on existing training programs to help conform with the OpenChain Specification.
203+
204+
### How can companies or individuals contribute to the OpenChain Curriculum?
205+
206+
You can join the OpenChain Main Mailing List. Everyone is invited to participate, contribute material and to assist expanding existing material.
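Review bot: the Specification FAQ intro says "There are four principles that guide the development of the specification" but the list that follows has eight bullets; either the count or the list needs adjusting. Two answers are sentence fragments with no verb or link: "Where can I get help with OpenChain Self-Certification?" answers only "OpenChain Self Certification page." and "How can I contribute?" answers only "OpenChain Community website for information on how to join and contribute." (suggest "See the ..." plus the URL, as the other answers do). In "What response time should I expect to a submittal request?", "Any omissions or incorrect answers will be reported by the user" reads as if it should be "reported to the user". The "Conformance vs Compliance" answer cites "Spec 1.1" in a 1.0 draft and then switches to "version X"; use one form. Wording fixes for the same hunk: "complimentary" should be "complementary" (OpenSSF answer); "a Open Source" should be "an Open Source" (it recurs in the objective, best-practice, popular-licenses, guarantee and resources answers); "and and fulfillment" has a doubled word; "help organization meet" should be "help organizations meet"; "Focus of the what and why" should be "Focus on"; "through out" should be "throughout"; "The Linux Foundation OpenChain Working Groups functions" and "all the Software staff participating in conforming program represents 100%" need subject-verb agreement (and "the conforming program"); "The main objective of the specification provides a set of requirements" should be "is to provide"; the heading "What is the difference between Conformance vs Compliance" is missing its question mark.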
