You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
However, because our specifications are supply chain standards, they focus on the relationship between customers and suppliers, so most organizations adopt our work without public announcement.
31
+
However, because our specifications are supply chain standards, they focus on the relationship between customers and suppliers, so most organizations adopt our work without public announcement. For example, a Bitkom survey sponsored by PwC in 2021 indicated that 20% of German companies with more than 2,000 employees are currently using OpenChain ISO/IEC 5230, the international standard for open source license compliance.
32
32
33
-
The primary way you find out if an organization is OpenChain ISO 5230 or OpenChain Security Assurance conformant is by discussing their conformance in procurement negotiations or through their sales material. You can also ask their OSPO (if present) about their conformance status.
33
+
The primary way you find out if an organization is OpenChain ISO/IEC 5230 or OpenChain Security Assurance conformant is by discussing this in sales communications or procurement negotiations. You can also ask their OSPO (if present) about their conformance status.
34
34
35
35
### How Is The OpenChain Project Organized?
36
36
@@ -40,8 +40,7 @@ Specification Work Group, which identifies and publishes a set of core requireme
40
40
41
41
Education Work Group, which provides reference material to help organization meet our specification requirements.
42
42
43
-
You can find a full list of our work groups and other activities on our community page.
44
-
43
+
You can find a full list of our work groups and other activities on our community page:
45
44
https://www.openchainproject.org/community
46
45
47
46
There are three committees for member companies:
@@ -101,11 +100,11 @@ You can find it on the OpenChain Project conformance page:
### Does an open source program need to satisfy all the requirements of the specification to be considered OpenChain Conforming?
103
+
### Does an open source program need to satisfy all the requirements of OpenChain ISO/IEC 5230:2020 to be considered conformant?
105
104
106
-
Yes. OpenChain ISO/IEC 5230:2020 the key requirements of a quality open source license compliance program. To make sure there are no gaps that would lead to poor quality output, a program must satisfy all the OpenChain ISO/IEC 5230:2020 requirements to be considered conforming.
105
+
Yes. OpenChain ISO/IEC 5230:2020 defines the key requirements of a quality open source license compliance program. To make sure there are no gaps that would lead to poor quality output, a program must satisfy all the OpenChain ISO/IEC 5230:2020 requirements to be considered conforming.
107
106
108
-
### Can software package be OpenChain ISO/IEC 5230:2020 conformant?
107
+
### Can software packages be OpenChain ISO/IEC 5230:2020 conformant?
109
108
110
109
No. OpenChain ISO/IEC 5230:2020 defines a quality open source license compliance program. The program is conformant. The software packages go *through* the program and therefore benefit from it. The question to ask suppliers is whether the software they supply was prepared under an OpenChain conforming program.
111
110
@@ -145,9 +144,74 @@ The version we host on our website (currently called OpenChain 2.1) is licensed
### What is the difference between Conformance vs Compliance
147
+
## OpenChain Security Assurance Specification FAQ
148
+
149
+
This is the FAQ for the OpenChain Security Assurance Specification specification. We recommend that all contributors to our specification development process take a while to review this section of our FAQ.
150
+
151
+
### We work based on four principles:
152
+
153
+
- Build trust around the open source supply chain.
154
+
- Remember that less is more:
155
+
-- Define the key requirements of a quality compliance program
156
+
-- Do this by solving real pain points in the supply chain
157
+
- Keep our specifications limited to what and why (avoid the how and when)
158
+
-- Embrace different implementations to solve challenges
159
+
-- Avoid mandating specific process content
160
+
- Be open to all to participate and contribute
161
+
162
+
### What is the objective of the OpenChain Security Assurance Specification?
163
+
164
+
It is designed to identify the key requirements of a quality open source security assurance program. This means it provides a level of trust about what organizations are doing as they ingest, internally develop and distribute open source software.
165
+
166
+
### Where can I find the current version of OpenChain Security Assurance Specification?
167
+
168
+
You can find it on the OpenChain Project conformance page:
### Does an open source program need to satisfy all the requirements of the OpenChain Security Assurance Specification to be conformant?
173
+
174
+
Yes. OpenChain Security Assurance Specification defines the key requirements of a quality open source security assurance program. To make sure there are no gaps that would lead to poor quality output, a program must satisfy all the OpenChain Security Assurance Specification requirements to be considered conforming.
175
+
176
+
### Can software packages be OpenChain Security Assurance Specification conformant?
177
+
178
+
No. OpenChain Security Assurance Specification defines a quality open source license compliance program. The program is conformant. The software packages go *through* the program and therefore benefit from it. The question to ask suppliers is whether the software they supply was prepared under an OpenChain conforming program.
179
+
180
+
### Does all the software in an organization need to be covered by an OpenChain Security Assurance Specification conformant program?
149
181
150
-
OpenChain ISO/IEC 5230:2020 does not use the term “compliance” when referring to meeting the requirements of the specification itself. This was a conscious decision to avoid confusion between “license compliance” and meeting the specification requirements. That is why we use the term “conformance” when talking about meeting the specification requirements.
182
+
No. Organizations are often made from different groups or departments with different programs and release procedures. One example is that engineering may be very different from professional services). An organization decides how much of the total entity to cover with its OpenChain Security Assurance Specification conformant program. Many companies start with one part of one group covering one product, and build out from there.
183
+
184
+
### Does the OpenChain Security Assurance Specification serve as a best practice guide?
185
+
186
+
No. OpenChain Security Assurance Specification defines a quality open source security assurance program. It focuses on the “what and why” aspects of a program and not the how or when. A best practices guide must explain how and when to ensure it supports implementation activities. We publish reference material like Playbooks covering these topics, but they are separate to OpenChain Security Assurance Specification itself.
187
+
188
+
### How was the OpenChain Security Assurance Specification developed?
189
+
190
+
The OpenChain Project developed OpenChain Security Assurance Specification via our specification mailing list and calls. The process was (and is) open to everyone. The initial draft of the OpenChain Security Assurance Specification (then called the OpenChain Security Assurance Reference Guide) was created in the 2021 period. It was restructured as the OpenChain Security Assurance Reference Specification in Q1 2022 and released as the OpenChain Security Assurance Specification in Q4 2022. Since then the OpenChain Project has continually reviewed and maintained the standard in an open, collaborative manner that mirrors how open source software is created.
191
+
192
+
### Does the OpenChain Security Assurance Specification describe how to comply with specific security requirements?
193
+
194
+
No. OpenChain Security Assurance Specification defines a quality open source security assurance program. It is not designed to identify, breakdown and interpret individual security requirements. The specifics of each requirement and obligation must be determined by each company for their respective market space and legal jurisdiction.
195
+
196
+
### Does the OpenChain OpenChain Security Assurance Specification provide legal guidance?
197
+
198
+
No. The specification does not provide legal guidance because that can only come from a legal expert assigned to advise an organization.
199
+
200
+
### Does the OpenChain Security Assurance Specification conformance guarantee security assurance?
201
+
202
+
No, but it significantly increases the probability that security assurance issues will arise for software prepared under an OpenChain Security Assurance Specification conformant program.
203
+
204
+
### Do resources exist to assist my organization in achieving OpenChain Security Assurance Specification conformance?
205
+
206
+
Yes. You will find a substantial amount of resources, including self-certification checklists, on the OpenChain website:
207
+
208
+
https://www.openchainproject.org
209
+
210
+
### What license is OpenChain Security Assurance Specification released under?
211
+
212
+
The version we host on our website (currently called OpenChain 2.1) is licensed under the Creative Commons Attribution License 4.0 (CC-BY-4.0). A copy of the license can be obtained here:
Once you complete the process, please let me know so that we can add you to our Community of Conformance on the OpenChain Project website. This is not mandatory but it provides an advantage to you (more of your peers know that you have the key requirements of a quality open source compliance program in place), and it provides an advantage to us because we have more insight into market adoption. You can let us know about your conformance by contacting us here:
240
+
### Please let us know when you are conformant
177
241
178
-
https://www.openchainproject.org/about
242
+
Once you complete the process, please let us know so that we can add you to our Community of Conformance on the OpenChain Project website. This is not mandatory but it provides an advantage to you (more of your peers know that you have the key requirements of a quality open source compliance program in place), and it provides an advantage to us because we have more insight into market adoption. You can let us know about your conformance by contacting our [helpdesk](mailto:[email protected]).
243
+
244
+
### We also have legacy support
179
245
180
-
By the way, we also have a legacy self-certification web app. This has been used as the primary way to record conformance progress online since 2017. However, it is depreciated as we transition to document formats more easily ingested into organizations for self-certification. It can be here:
246
+
We have a legacy self-certification web app. This has been used as the primary way to record conformance progress online since 2017. However, it is depreciated as we transition to document formats more easily ingested into organizations for self-certification. It can be here:
### If I use the web app, what response time should I expect to a submittal request?
191
257
192
-
If all information is correct, the submittal will automatically be approved by the system. Any omissions or incorrect answers will be reported by the user.
193
-
194
-
### How do I report issues with the web app?
195
-
196
-
Contact us here:
197
-
198
-
https://www.openchainproject.org/about
258
+
If all information is correct, the submittal will automatically be approved by the system. Any omissions or incorrect answers will be reported by the user.
0 commit comments