All Posts By

Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

OpenChain Automotive Work Group – Next Meeting 2022-11-11 07:00 UTC (16:00 JST)

By Featured, News

The OpenChain Automotive Work Group will host its next meeting as a virtual event on the 11th of November between 16:00-17:00 JST (2022-11-11 07:00 UTC). Everyone is welcome and there is no need to register. We will host the meeting in our usual Zoom room:
https://zoom.us/j/4377592799

Draft Agenda

(1) Introductions
(2) Automotive news in 2022
(3) IP news relevant to industry
(4) Developments in OpenChain 
– Security Assurance Spec enters ISO in October
– License Compliance Spec entering review in October
– Company Playbooks (Small, Medium, Big)
– New conformance support (online, checklists)
(5) Discussion: What is missing to support the industry
(6) Discussion: Make plan to fill industry support gaps
(7) Discussion: Schedule for next steps
(8) Close of meeting

Questions and comments very welcome! You can contact us and also contribute to all our activities via the OpenChain Automotive Work Group mailing list:
https://groups.io/g/openchain-automotive-work-group

External Report: OSCAR Open Source Industry Conference | Open Source Compliance Forum Successfully Held

By News

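At the OSCAR Open Source Industry Conference held on September 16, 2022, the Open Source Compliance Forum, organized by the Trusted Open Source Compliance Program of the China Academy of Information and Communications Technology (CAICT), was successfully held. The forum brought together a group of open source compliance experts from industry, who held lively discussions with participants from all sectors on topics related to open source compliance.

Opening Remarks

Shane Coughlan, Director of the Linux Foundation's OpenChain Project

Shane Coughlan, Director of the Linux Foundation's OpenChain Project, opened with remarks delivered remotely. He said: "For many years, OpenChain has been committed to building the open source ecosystem and pursuing a trusted software supply chain; our partnership with CAICT will accelerate the achievement of this mission."

Shane Coughlan delivering his remarks

Sharing Experience in Enterprise-Level Open Source Software Supply Chain Management

Honor Device: Zhong Ming (钟鸣)

Zhong Ming speaking

Zhong Ming, open source software management engineer at Honor Device Co., Ltd., explored with the attending experts how to balance the investment in open source software management against its returns when managing the open source software supply chain.

Risk Governance Strategies for Open Source Use in Software Companies

Kuaishou: Li Yuan (李嫄)

Li Yuan, open source compliance consultant at Beijing Kuaishou Technology Co., Ltd., described how to carry out open source risk governance within a company from the perspective of an app's full life cycle.

Li Yuan speaking

Trusted Open Source Compliance Program Work Update: How to Advance the Development of China's Open Source Compliance System

CAICT: Jun Zhe (俊哲)

Jun Zhe, open source engineer at CAICT's Cloud Computing and Big Data Research Institute, also led a discussion focused on three areas: the compliance risks of open source software, the provisions of open source licenses, and the prevention and control of enterprise open source compliance risk.

Jun Zhe speaking

Dispelling Myths About Open Source Licenses

OpenAtom Foundation: Wang Heshu (王荷舒)

Wang Heshu, head of the Legal and Intellectual Property Department at the OpenAtom Foundation, briefly explained the basic legal logic of open source and the basic paradigms of open source licenses, and cleared up some myths about open source licenses.

Wang Heshu speaking

Open Source Software and Export Control Compliance

Grandall Law Firm (Beijing): Hu Jing (胡静)

Hu Jing, partner at Grandall Law Firm (Beijing), discussed the key export control compliance points across the whole open source software development process.

Hu Jing speaking

Licenses for Open Source Fonts and Open Source Content

Beijing Jingdong Century Trading Co., Ltd.: Li Xinbo (李欣博)

Li Xinbo, intellectual property consultant at Beijing Jingdong Century Trading Co., Ltd., gave a presentation on licenses related to open source fonts and open source content.

Li Xinbo speaking

Risk Governance for Open Source Snippet Reuse

Huawei: Chen Yixiong (陈一雄)

Chen Yixiong, software engineer at Huawei, also presented by video on the risks of snippet reuse in open source projects and how to govern them.

Chen Yixiong speaking

The successful holding of this Open Source Compliance Forum provided an important platform for discussing open source compliance issues and is of great significance for keeping the development of the open source ecosystem running smoothly.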

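About the Trusted Open Source Compliance Program

The China Academy of Information and Communications Technology led the launch of the Trusted Open Source Compliance Program (TWOS-C) on May 20, 2022. The program is a domestic open source organization focused on open source compliance. It aims to unite the efforts of all parties, bring together a large pool of domestic open source compliance talent, integrate high-quality resources, improve the system of open source compliance standards, share experience in building open source compliance, comprehensively raise the level of open source compliance in China, and provide strong combined momentum for the industry's development.

Trusted Open Source Compliance Program contacts:

  • Zhang Yan (张燕) 13716220988 (phone)
  • 13856344090 (WeChat)
  • Zhangyan12@caict.ac.cn
  • Jun Zhe (俊哲) 18900125677 (phone, same number on WeChat)
  • junzhe@caict.ac.cn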

OpenChain Monthly Community Call – 2022-10-04

By Featured, News

The OpenChain Project kicked off its new monthly community call series with the latest news around our specification, SBOMs, OSPOs and automation, before proceeding to a behind-the-scenes on our security specification ISO/IEC submission and an interactive session on updating key website materials like the FAQ and path to conformance. Ana from TODO dropped by to share the OSPO news this time around.

We always follow this agenda:

1 Introductions 
2 Specification (process standards) news 
3 SBOM news
4 OSPO news
5 Automation news 
6 Community feedback and comments – issues for standards and core supporting material
7 Community feedback and comments – issues for reference and supporting material
8 Community feedback and comments – issues to support other projects
9 Any other business
10 Close of meeting

You can join our monthly calls (and all our other calls and events) via the OpenChain calendar. The monthly calls take place on the first Tuesday at 16:00 UTC (US/Europe) and the third Tuesday at 01:00 UTC (US/Asia):

OpenChain Japan Work Group Meeting #25 (Virtual #12) on 2022-10-31

By News

The OpenChain Japan Work Group will host its next meeting on the 31st of October between 15:30 and 16:30 JST. This meeting will be held mostly in Japanese. All are welcome.

== Meeting details (originally in Japanese) ==

[Plenary Meeting] [Monday, 2022-10-31, 15:30-16:30]
This time, we plan to introduce the activities of the following two subgroups:
Leaflet Subgroup: announcement of new activities
OSPO Subgroup: introduction of activities so far and plans for the future

25th Plenary Meeting (12th Online Meeting)
Date and time: Monday, 2022-10-31, 15:30-16:30
Venue: Zoom
https://zoom.us/j/99975267803?pwd=ekhxaHA3bVZUSVU5M0dVMkF2Z0pkQT09
Meeting ID: 99975267803 / Password: ]>guXS~6

Agenda:
15:30 – 15:32 Opening
15:32 – 15:40 Keynote by Shane Coughlan
15:40 – 15:50 Announcement from the Leaflet SubWG
15:50 – 16:30 Introduction to the OSPO SubWG
16:30 Closing
(optional) 16:30 – 17:00 Networking session

We look forward to many of you joining.

Behind-The-Scenes: Working On MarkDown in Our Reference Library

By News

The OpenChain Project has a lot of meetings being run by various work groups around the world. We constantly share the outcomes of these meetings in recordings throughout our community, but today we wanted to do something a little different. Let’s dig into a whole workflow through a recent three-part call to action around MarkDown in our reference library.

Our goal was to create a workflow to allow us to transition over time from many, many different file formats to a single, easy to edit and easy to translate file format for our reference material. This would never cover 100% of the material we share, but it could cover a lot, and it would make both contributions and tracking changes a lot easier.

The calls were a success, and ended not only in the guidelines we wanted, but also in providing a core project resource in the new format (our self-certification questionnaire) and facilitating the quick alteration of that document into a new format (our new self-certification checklist).

Learn about precisely how we did it in these three videos recording our calls.

Preparing Next-Gen OpenChain Self-Certification Questionnaire and Checklist

By News

As part of our newly evolved situation with two specifications in market (one ISO/IEC standard for license compliance and one de facto but soon to be ISO/IEC standard for security compliance), our self-certification efforts are ripe for revamp and expansion. 

We took the first step in that direction today (2022-10-05) by creating a version of the Self-Certification Questionnaire for ISO/IEC 5230 in MarkDown based on the material from the existing Self-Certification Web App located on the OpenChain Website. Huge credit to Steve @ Analog Devices for this work.

Steve’s initial contribution gives us a super clean and easy way to review and improve the questions for self-certification related to ISO/IEC 5230:
https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Questionnaire/ISO5230-2020/en/OpenChain%20Self-Certification%20Questionnaire%202021-11-26.md

It also provides us with a clean way to fork and create a sister self-certification questionnaire for our Security Assurance Specification, the sister standard to ISO/IEC 5230.

Oh wait, but there is more!

On the markdown call today (2022-10-05) we decided that the best structure moving forward is a checklist rather than a questionnaire. This is initially identical to the self-certification questionnaire in terms of structure and general wording, but everything is phrased as a statement rather than a question. You can find it here:
https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Checklist/ISO5230-2020/en/OpenChain%20Self-Certification%20Checklist%202022-10-05.md

And now we have a call to action. Please help review the checklist and see what you think of the wording for each statement. Is it clear enough? Can you improve it? If you find bugs or opportunities for improvement, please open an issue or a pull request to help make self-certification to ISO/IEC 5230 easier than ever. 

What we do will feed back into the primary website resources, and it will form the basis of new self-certification material for our Security Assurance Reference Specification.

OpenChain Call to Action: Markdown Series Ends with Substantial Progress

By News

The OpenChain Call to Action series dedicated to break-outs focusing on migrating our reference library to markdown has come to an end. We have seen substantial progress on our goal of ensuring long-term maintainability of the resource library, and in converting key resources into markdown to get us started.

Firstly, you will find updated instructions about our repository here:

https://github.com/OpenChain-Project/Reference-Material/blob/master/README.md

Secondly, you will find contribution guidelines here:

https://github.com/OpenChain-Project/Reference-Material/blob/master/CONTRIBUTING.md

And finally you will find a rolling priority list of resources to be converted here:

https://github.com/OpenChain-Project/Reference-Material/blob/master/markdown-conversion-queue.md

The first major outcome of our activity has been completed with the release of the ISO/IEC 5230 self-certification questionnaire in markdown format here:

https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Questionnaire/ISO5230-2020/en/OpenChain%20Self-Certification%20Questionnaire%202021-11-26.md

This allowed us to quickly explore a new structure and build a self-certification checklist here:

https://github.com/OpenChain-Project/Reference-Material/blob/master/Self-Certification/Checklist/ISO5230-2020/en/OpenChain%20Self-Certification%20Checklist%202022-10-05.md

Your help in reviewing this material, in converting new material and in suggesting improvements to our processes is always welcome. We are now turning this activity over to the Education Work Group, and you will find that here:

https://lists.openchainproject.org/g/education

The OpenChain Security Assurance Specification 1.1 Now Available

By Featured, News

After a review cycle with ISO/IEC WG/SC27 the OpenChain Security Assurance Specification 1.1 is now available.

The OpenChain Security Assurance Specification 1.1 is being prepared by the Joint Development Foundation for submission to ISO/IEC JTC-1 via the PAS Transposition Process. We expect the specification to graduate as an ISO/IEC International Standard in mid-2023. Meanwhile, it is ready for market adoption as a de facto industry standard.



It helps organizations identify:

  1. The key places to have security processes
  2. How to assign roles and responsibilities
  3. And how to ensure sustainability of their approach

Like OpenChain ISO/IEC 5230, the International Standard for open source license compliance, the OpenChain Security Assurance Specification 1.1 is lightweight, easy to read and will be extensively supported by our global community with free reference material and conformance resources.

OpenChain Security Assurance Spec – WG-SC27 Comment Review Calls – Recordings

By News

We recently held two calls to review feedback from ISO/IEC WG/SC27 on our recently completed OpenChain Security Assurance Specification. These calls provided feedback ahead of our formal submission into the JTC-1 PAS Transposition Process. Below the video you will find the full guidance provided to our community during this review process. The end result can be found in the OpenChain Security Assurance Specification 1.1, which has now been handed over to Joint Development Foundation (JDF) for entry into the JTC-1 PAS Transposition Process during October.

For reference, here is the full guidance provided to the OpenChain community during these recorded review calls:

ISO/IEC WG/SC27 (security) has provided some feedback on the OpenChain Security Assurance Specification 1.0 for our review. Our review cycle runs from now until October 4th and you can get started on checking their comments via our issue tracker here:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues
(This review cycle was closed early as all comments were addressed by the conclusion of the second call on the 29th of September.)

We are providing some guidance on the review of these comments and suggestions.

(1) Our specification was completed after a multi-month process in March 2022, and it was ratified by our board for ISO/IEC JTC-1 PAS submission on the 14th of September 2022
(2) Therefore OpenChain Security Assurance Specification 1.0 is functionally complete
(3) We should review the ISO/IEC WG comments with this perspective
(4) We are looking for editorial adjustments for clarity and errors
(5) We are not looking to change the scope or function of OpenChain Security Assurance Specification 1.0 or any immediate clarity / error adjusted successor
(6) This is because we want to proceed with our JTC-1 PAS submission as approved by the OpenChain Governing Board
(7) But we can place any comments for scope and function adjustment into a deferred status
(8) And we will return to them for discussion around inclusion in OpenChain Security Assurance Specification 2.0

Webinar: SecTrend and their OpenChain-Related Services

By community, News, Partner Webinar, standards, Webinar

This series highlights offerings from various service providers throughout the global OpenChain eco-system. Each featured partner has an official relationship with the project, whereby they may use our trademark for marketing OpenChain-specific services, and in exchange they help with community outreach, education and other aspects of collaborative (and free) support.




More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2022-10-04.