|
| 1 | +# Frequently Asked Questions |
| 2 | + |
| 3 | +Version 2 |
| 4 | + |
| 5 | +## General FAQ |
| 6 | + |
| 7 | +The OpenChain Project is global community of organizations collaborating to create trust in the open source supply chain. |
| 8 | + |
| 9 | +We do this through ISO/IEC 5230:2020, the International Standard for open source license compliance, and our Security Assurance Reference Specification. We also have education, training and certification resources freely available to all parties. |
| 10 | + |
| 11 | +Most importantly, our community acts as a support network where knowledge is shared to reduce friction and increase efficiency across all aspects of open source process management. |
| 12 | + |
| 13 | +### Where Can I Find A Formal Description Of The OpenChain Project? |
| 14 | + |
| 15 | +The formal description and structure of the OpenChain Project is contained in the Project Charter. You can find this on GitHub. |
| 16 | + |
| 17 | +https://github.com/OpenChain-Project/Project-Charter-And-Agreements/tree/master/Project-Charter |
| 18 | + |
| 19 | +### What Does The OpenChain Project Cover? |
| 20 | + |
| 21 | +The OpenChain Project is focused on building trust in the open source supply chain. Our primary emphasis is on issues related to license, security and other types of compliance. We are working towards a world where open source is predictable, understandable and optimized for internal and external supply chains of any type. |
| 22 | + |
| 23 | +Our global community also works on topics like open source training, open source policy, open source program offices (OSPOs) and more. Everything we do is open to everyone, and it is all freely available. |
| 24 | + |
| 25 | +### Who Conforms To The OpenChain Standards? |
| 26 | + |
| 27 | +We maintain a list of organizations decide to publicly announce OpenChain Conformant Programs through our website. |
| 28 | + |
| 29 | +https://www.openchainproject.org/community-of-conformance |
| 30 | + |
| 31 | +However, because our specifications are supply chain standards, they focus on the relationship between customers and suppliers, so most organizations adopt our work without public announcement. |
| 32 | + |
| 33 | +The primary way you find out if an organization is OpenChain ISO 5230 or OpenChain Security Assurance conformant is by discussing their conformance in procurement negotiations or through their sales material. You can also ask their OSPO (if present) about their conformance status. |
| 34 | + |
| 35 | +### How Is The OpenChain Project Organized? |
| 36 | + |
| 37 | +The OpenChain Project has global and local work groups that anyone can be part of. Some examples are the: |
| 38 | + |
| 39 | +Specification Work Group, which identifies and publishes a set of core requirements a quality open source compliance program should satisfy. |
| 40 | + |
| 41 | +Education Work Group, which provides reference material to help organization meet our specification requirements. |
| 42 | + |
| 43 | +You can find a full list of our work groups and other activities on our community page. |
| 44 | + |
| 45 | +https://www.openchainproject.org/community |
| 46 | + |
| 47 | +There are three committees for member companies: |
| 48 | + |
| 49 | +Governing Board – Manage policies or rules and procedures for the Project, fund raising, budgeting and so forth. |
| 50 | + |
| 51 | +Steering Committee – Development, management and updating of the OpenChain Compliance Specification. |
| 52 | + |
| 53 | +Outreach Committee – Designing, developing and executing efforts to build an OpenChain compliance ecosystem throughout relevant supply chains in collaboration with the Governing Board. |
| 54 | + |
| 55 | +### Can I Participate In The OpenChain Project? |
| 56 | + |
| 57 | +Yes, of course. Everyone from any company, organization or government is welcome to participate. We also welcome individuals interested in the topics we cover. There is no registration or membership required. Get started here: |
| 58 | + |
| 59 | +https://www.openchainproject.org/community |
| 60 | + |
| 61 | +### Can My Company Become An OpenChain Member? |
| 62 | + |
| 63 | +There is no membership requirement to attend our meetings, to join our calls and webinars, or to help edit our standard and reference material. There is currently one membership level for the OpenChain Project: Platinum Membership. This is available to user companies (not vendors) and it provides a seat and a vote on our governing board and our steering committee. To learn more contact the General Manager at [email protected]. |
| 64 | + |
| 65 | +There is also a partner program for vendor companies to engage with OpenChain. You can learn more here: |
| 66 | + |
| 67 | +https://www.openchainproject.org/partners |
| 68 | + |
| 69 | +### How Is The OpenChain Project Related To Other Linux Foundation Process Projects? |
| 70 | + |
| 71 | +The OpenChain Project has various sister standards covering adjacent topics in the area of open source process management. For example, the SDPX Project maintains SPDX ISO/IEC 5962, the International Standard for Software Bill of Materials (SBOM). The Open Source Security Foundation (OpenSSF) has extensive investment in security-related practices and management. The TODO Group has a focus on Open Source Program Offices (OSPOs). The Automated Compliance Tooling Project (ACT Project) supports open source tooling for automation related to management and compliance topics. |
| 72 | + |
| 73 | +We work with all of these projects to help companies find the best solution for their market requirements. The OpenChain Project has perhaps the highest level optic - how to get started with key processes for open source management - and then you can use our sister projects to build out your processes and continually improve your approach. |
| 74 | + |
| 75 | +### How Are The OpenChain Standards Related To The OpenSSF Best Practices Badge? |
| 76 | + |
| 77 | +The OpenChain Project and the OpenSSF Best Practices Badge are both Linux Foundation initiatives to identify criteria around open source process quality. The OpenChain Project focuses on the software supply chain. In contrast, the OpenSSF Best Practices Badge focuses on well-run open source projects themselves. These are complimentary initiatives, and both can be used to optimize open source from upstream to deployment and support. |
| 78 | + |
| 79 | +## OpenChain ISO/IEC 5230:2020 FAQ |
| 80 | + |
| 81 | +This is the FAQ for the OpenChain ISO/IEC 5230:2020 specification. We recommend that all contributors to our specification development process take a while to review this section of our FAQ. |
| 82 | + |
| 83 | +### We work based on four principles: |
| 84 | + |
| 85 | +- Build trust around the open source supply chain. |
| 86 | +- Remember that less is more: |
| 87 | +-- Define the key requirements of a quality compliance program |
| 88 | +-- Do this by solving real pain points in the supply chain |
| 89 | +- Keep our specifications limited to what and why (avoid the how and when) |
| 90 | +-- Embrace different implementations to solve challenges |
| 91 | +-- Avoid mandating specific process content |
| 92 | +- Be open to all to participate and contribute |
| 93 | + |
| 94 | +### What is the objective of OpenChain ISO/IEC 5230:2020? |
| 95 | + |
| 96 | +It is designed to identify the key requirements of a quality open source license compliance program. This means it provides a level of trust about what organizations are doing as they ingest, internally develop and distribute open source software. |
| 97 | + |
| 98 | +### Where can I find the current version of OpenChain ISO/IEC 5230:2020? |
| 99 | + |
| 100 | +You can find it on the OpenChain Project Specification page: |
| 101 | + |
| 102 | +https://www.openchainproject.org/get-started/conformance |
| 103 | + |
| 104 | +### Does an open source program need to satisfy all the requirements of the specification to be considered OpenChain Conforming? |
| 105 | + |
| 106 | +Yes. OpenChain ISO/IEC 5230:2020 the key requirements of a quality open source license compliance program. To make sure there are no gaps that would lead to poor quality output, a program must satisfy all the OpenChain ISO/IEC 5230:2020 requirements to be considered conforming. |
| 107 | + |
| 108 | +### Can software package be OpenChain ISO/IEC 5230:2020 conformant? |
| 109 | + |
| 110 | +No. OpenChain ISO/IEC 5230:2020 defines a quality open source license compliance program. The program is conformant. The software packages go *through* the program and therefore benefit from it. The question to ask suppliers is whether the software they supply was prepared under an OpenChain conforming program. |
| 111 | + |
| 112 | +### Does all the software in an organization need to be covered by an OpenChain ISO/IEC 5230:2020 conformant program? |
| 113 | + |
| 114 | +No. Organizations are often made from different groups or departments with different programs and release procedures. One example is that engineering may be very different from professional services). An organization decides how much of the total entity to cover with its OpenChain ISO/IEC 5230:2020 conformant program. Many companies start with one part of one group covering one product, and build out from there. |
| 115 | + |
| 116 | +### Does the specification serve as a best practice guide? |
| 117 | + |
| 118 | +No. OpenChain ISO/IEC 5230:2020 defines a quality open source license compliance program. It focuses on the “what and why” aspects of a program and not the how or when. A best practices guide must explain how and when to ensure it supports implementation activities. We publish reference material like Playbooks covering these topics, but they are separate to OpenChain ISO/IEC 5230:2020 itself. |
| 119 | + |
| 120 | +### How was OpenChain ISO/IEC 5230:2020 developed? |
| 121 | + |
| 122 | +The OpenChain Project developed OpenChain ISO/IEC 5230:2020 via our specification mailing list and calls. The process was (and is) open to everyone. The initial draft of OpenChain ISO/IEC 5230:2020 (then called OpenChain 1.0) was created in the 2015-2016 period and released in late 2016. Since then the OpenChain Project has continually reviewed and maintained the standard in an open, collaborative manner that mirrors how open source software is created. |
| 123 | + |
| 124 | +### Does OpenChain ISO/IEC 5230:2020 describe how to comply with the most popular open source licenses? |
| 125 | + |
| 126 | +No. OpenChain ISO/IEC 5230:2020 defines a quality open source license compliance program. It is not designed to identify, breakdown and interpret individual open source licenses. Because open source licenses are legal documents, they will also vary in their interpretation and application across different legal jurisdictions. Local organizations like OSADL (Germany) have worked on license obligation lists relevant for their markets. |
| 127 | + |
| 128 | +### Does OpenChain ISO/IEC 5230:2020 provide legal guidance? |
| 129 | + |
| 130 | +No. The specification does not provide legal guidance because that can only come from a legal expert assigned to advise an organization. OpenChain ISO/IEC 5230:2020 does require an organization to designate a legal expert to do this as part of the conformance process. OpenChain ISO/IEC 5230:2020 also requires that a process exists to ensure the appropriate attention is given to license obligation analysis and and fulfillment. |
| 131 | + |
| 132 | +### Does OpenChain ISO/IEC 5230:2020 conformance guarantee license compliance? |
| 133 | + |
| 134 | +No, but it significantly increases the probability that license compliance will be achieved for software prepared under an OpenChain ISO/IEC 5230:2020 conformant program. |
| 135 | + |
| 136 | +### Do resources exist to assist my organization in achieving OpenChain ISO/IEC 5230:2020 conformance? |
| 137 | + |
| 138 | +Yes. You will find a substantial amount of resources, including self-certification checklists, on the OpenChain website: |
| 139 | + |
| 140 | +https://www.openchainproject.org |
| 141 | + |
| 142 | +### What license is OpenChain ISO/IEC 5230:2020 released under? |
| 143 | + |
| 144 | +The version we host on our website (currently called OpenChain 2.1) is licensed under the Creative Commons Attribution License 4.0 (CC-BY-4.0). A copy of the license can be obtained here: |
| 145 | + |
| 146 | +https://creativecommons.org/licenses/by/4.0/legalcode |
| 147 | + |
| 148 | +### What is the difference between Conformance vs Compliance |
| 149 | + |
| 150 | +OpenChain ISO/IEC 5230:2020 does not use the term “compliance” when referring to meeting the requirements of the specification itself. This was a conscious decision to avoid confusion between “license compliance” and meeting the specification requirements. That is why we use the term “conformance” when talking about meeting the specification requirements. |
| 151 | + |
| 152 | +## OpenChain Self-Certification FAQ |
| 153 | + |
| 154 | +OpenChain ISO/IEC 5230:2020 and the OpenChain Security Assurance Specification are designed to build trust around open source as clear and impartial standards. The approach is “less is more” and focus on what and why rather than how and when. Resources around self-certification are equally focused. They help organizations quickly understand practical application of the standards. |
| 155 | + |
| 156 | +### What is the objective of OpenChain Self-Certification? |
| 157 | + |
| 158 | +OpenChain self-certification resources are designed to help an organization assess if it meets the requirements of the standard with simple questions or checklists. Organizations of any size use self-certification as a way of improving their compliance approach and advertising that fact to their supply chain. |
| 159 | + |
| 160 | +### What if I don’t agree with a submission made by another organization? |
| 161 | + |
| 162 | +Contact the OpenChain Project with the name of the organization you are concerned about and the reason you disagree with their submission. We will get back to you to discuss the matter further. It should be noted that disagreements about conformance are exceptionally rare (we did not encounter one directly yet), but it is important to have a way to make sure the market is using our standards in a fair and balanced manner. You will find our contact details at the link below: |
| 163 | + |
| 164 | +https://www.openchainproject.org/about |
| 165 | + |
| 166 | +### How do I get started? |
| 167 | + |
| 168 | +You can use our self-certification questionnaire or checklist. You can access the questionnaire at the following link: |
| 169 | + |
| 170 | +https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Questionnaire/ISO5230-2020/en/ |
| 171 | + |
| 172 | +You can access the checklist at the following link: |
| 173 | + |
| 174 | +https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Checklist/ISO5230-2020/en/ |
| 175 | + |
| 176 | +Once you complete the process, please let me know so that we can add you to our Community of Conformance on the OpenChain Project website. This is not mandatory but it provides an advantage to you (more of your peers know that you have the key requirements of a quality open source compliance program in place), and it provides an advantage to us because we have more insight into market adoption. You can let us know about your conformance by contacting us here: |
| 177 | + |
| 178 | +https://www.openchainproject.org/about |
| 179 | + |
| 180 | +By the way, we also have a legacy self-certification web app. This has been used as the primary way to record conformance progress online since 2017. However, it is depreciated as we transition to document formats more easily ingested into organizations for self-certification. It can be here: |
| 181 | + |
| 182 | +https://certification.openchainproject.org/ |
| 183 | + |
| 184 | +### If I use the web app, can I change my submission? |
| 185 | + |
| 186 | +You will see an unsubmit button at the bottom of the page after signing in to the Online Self-Certification site. Clicking this button will cancel your previous OpenChain Self-Certification submission. You can then re-submit the conformance check. The site is here: |
| 187 | +https://certification.openchainproject.org/ |
| 188 | + |
| 189 | +### If I use the web app, what response time should I expect to a submittal request? |
| 190 | + |
| 191 | +If all information is correct, the submittal will automatically be approved by the system. Any omissions or incorrect answers will be reported by the user. |
| 192 | + |
| 193 | +### How do I report issues with the web app? |
| 194 | + |
| 195 | +Contact us here: |
| 196 | + |
| 197 | +https://www.openchainproject.org/about |
0 commit comments