News

Original document here:

• https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/OSPO/OSPOLocalMeetup-Memo/20230210/meetup-en-20230210.md

Want to be part of the next meeting? Join the mailing list:

• https://lists.openchainproject.org/g/japan-sg-ospo

participant:

• Real: Owada, Shima, Kato, Koizumi, Handa, Fukuchi, Motai, Suzuki, Kuwata
• Online: Hayashi, Iwami, Yoshida, Yamazaki, Watanabe, Daikoku, Ohyagi, Sado, Ninjouji

Date and time:

• Friday, February 10, 2023 15:00-16:00

place:

• Real: Socionext Shin-Yokohama Office

Contents:

■ Mapping issues to OSPO maturity stages

• Not good mindset/attitude like:
• ◇1. use
  • It’s okay if you can use it without permission
  • There was a time like this in the past, but it seems to have passed
• ◇2. Compliance
  • It seems that they worked hard on the site, it is not an issue for the entire company
  • see it as a legal issue
• ◇3. Participation
  • Misunderstandings that rely on others
  • Maintained even if left alone
  • No need to keep up with upgrades
• ◇4. Co-creation (collaboration)
  • Contribute only when you can afford it
  • No immediate effect
• ◇5. Strategy
  • we don’t have to do it ourselves

■OSPO GGI Mapping

• ◇OSS business strategy
  • OSS activities are positioned as part of the business, and targets are set with both the business and the community in mind.
  • OSPO representatives are able to communicate at C-Level regular meetings
  • Some employees do not understand the OSS business model
  • I’m trying to get the conversation across
  • There are contributors, but they are not in a form that leads to business
  • Classified as Strategy goal activities
  • Mapping to maturity level 5 could not be assigned
  • C) I felt that even at the maturity level they were going as far as strategy
    • Isn’t it that there are things that are done and things that are not done?
    • A) Communication at the top is done, but there are some areas such as education that are lacking
• ◇OSS hosting
  • Develop product A with OSS
    • Became a sponsor of the base OSS PJ and has also contributed
    • It is open on Github, but the problem is that there are few external contributors and users
    • There is no internal system in place to deal with the increase in external
  • Product B Source released, development closed
    • Activities to revitalize the user community have been activated
    • There are also users who customize
    • Categorized as Engagement goal activities
  • Maturity level is weak in Leadership Community Education Engagement
  • C) be able to act as a leader, but not able to engage
• ◇OSS contribution
  • I want a more influential approach to the community
  • It would be good if we could accumulate know-how on how to do this within the company.
  • We also support private and open source activists
  • I can get information and I can visualize it
  • Some people don’t want to be open as individuals and don’t want support
  • I’m trying to automate and collect contribution logs
  • I want to make use of the experience and know-how of employees who are responsible for board members
  • Classification is Engagement gaol activities maturity level
• ◇ What we want to do at TODO Group Japan
  • OSS Business strategy area
    • Not enough things that are organized in Japanese
    • Isn’t it easier to talk if you have something to show?
    • Combination of support type and open core type,
    • I think it would be easier to apply OSS to business if there is a place to analyze and discuss such things, such as using paid services as users use OSS.
  • OSS hosting area
    • It’s out there, but it’s revitalizing and gathering people
    • Know-how and best practices should be created
• C) I would like to work with someone who is interestedI want to be able to bring out the results from Japan to the world.
• C) Posing a very good challenge
  • there are many people who are interested in
    • Some people may be interested but unable to contribute
  • There was a company analysis at OSSJ, so It might be useful
    • thinking about doing it broadly or deeply.
• Q) There was talk of researching external community contributions. how it ultimately intends to use the results
  • A) The company is happy to know individual skills
  • You can’t just get results
  • We provide financial support when making presentations at overseas events.
  • We want to create a win-win relationship from both sides
• C) Motivation seems to increase
  • A) Incorporating skill development leave, we have prepared a system that allows you to go without using your paid leave.
• Q) Is it better to set up a sub-work or continue here?
  • A) I don’t know the framework yet, but I want to do it

■ Issue mapping by OSPO maturity level and individual ⇔ company/OSPO scope

• The usage status of Open Source can be grasped at the project level for the purpose of satisfying compliance, but it is not grasped in the necessary form when considering strategic utilization throughout the company.
• I have mapped to 2 compliance and 3 participation in the OSPO maturity levels, but the objectives are 5 strategies and I feel that the OSPO maturity levels will come and go rather than monotonously climb
  • C) Issues that do not allow you to jump into the community as your own matter and issues such as being recognized by your superiors and improving the personnel system are related
• Is there a link between individual issues and organizational issues?
• The timing of individual motivation and organizational motivation is out of sync
• want to raise my personal motivation, even if it’s just a little
• If you try to make it fair, you can’t make it
• Value standards such as the size of the community and the number of committed lines are difficult
• OSS activities are not recognized by the company
• are introducing new technology
• Some people have good networks and some people don’t.
• Individual study until community feedback is available
• OSS activities are far away
• Is the introduction of new technology evaluated?
• OSS is even more unacceptable if it is not evaluated
• A place to discuss careers
• Individuals are not necessarily part of a community associated with the company
• I want to promote it, but it is difficult to evaluate
• Difficult in business evaluation
• Establish other forms of awards or rewards
• The next time you start working on your company’s business
• SW human resource development
• eventually return to business
• Business is difficult if you don’t understand it
• After all, SW is a human resource.
• Scale of support for individuals
• For example, overseas events are big, or they are paying attention to technology

■ Other

• ◇ Relationship with legal
  • Q) Are legal people familiar with OSS licenses and able to intervene?
  • C) Isn’t it an area that has been talked about in Open Chain?
  • C) We also aim to cooperate with legal affairs
  • I hold study sessions and get involved
  • No one understands OSS in ordinary company legal affairs
  • C) No legal involvement
  • Since it starts with compliance, it starts with a legal proposal, but the legal department cannot handle it, so the open source team is supposed to take responsibility.
  • C) The parent company is doing well, so we can do commercial distribution from there, but there are cases where we can’t do it ourselves.
• ◇ SBOM and department in charge, procurement contract text
  • Q) Is the procurement department in charge of SBOM or is the project doing it?
  • A) It is in the form that the place requested from procurement takes responsibility
  • It is supposed to be included in the instructions at the time of procurement, but the requesting department is supposed to include it
  • C) I think that the OSPO functions in the LF organizational form.
  • I think there are various ways to actually do it, but I was wondering if I would intervene or get involved
  • C) There are various aspects, SBOM can not do even if they know the law
  • Tooling is essential, OSPO’s position needs to be promoted when introducing Tooling
  • I can’t understand the contents of the software unless I’m on site,
  • collaboration is needed
  • C) OSPO is being asked to wield the flag, but there are various ways to do it, such as creating a new mechanism
  • C) It doesn’t matter if OSPO is a departmental organization or a company organization
  • Small steps to try to do things right together
  • C) SBOM does not proceed unless C-Level thinks SBOM is necessary
  • There are still not many companies that think that they have to do it desperately while thinking that it is exciting
  • C) There are many parts that move in the security system
  • that one is more motivational
  • C) The word SBOM stands alone, and the image differs from person to person
  • Security is shifting from the purpose of checking what license is included
  • It will also be used to understand the information we are using to make strategic decisions.
  • It will be different depending on what you emphasize, but it will be easier to talk if you use a common language
  • C) Concerning procurement, OSPO also participates in the preparation of the template and incorporates the conditions of OSS.
  • Regarding SBOM, the product security unit has started to move mainly in cooperation with OSPO.
  • With the cooperation of LF, we are planning an in-house lecture by asking the GM of OpenSSF and SPDX.

Nathan continues to lead collaboration around the OpenChain education material. We have a lot of reference material, ranging from self-certification to training to policy material, and the community is currently preparing updates to help people get started more quickly. Our goal is not only to make adopting our license compliance and security assurance standards easier, but also to provide great material that can be repurposed for other aspects of open source management.