
OpenChain Reference Library – Complete Overhaul

By Featured, News

The OpenChain Reference Library has been significantly updated to improve navigation. This is an administrative item that was pending for a while. Its completion should make it possible (and easy!) for anyone to access our library and find material. It should also make it a lot easier for our Education Work Group to assess and improve or expand existing material.


The New Structure

Some Notes

This new structure is designed to overcome discoverability issues with the previous repository and to make it easier for continual improvement both of individual documents and for the navigation of the repository as a whole. This means that your feedback, suggestions and help are most welcome. You can leave feedback and ideas for improvement as GitHub issues or via our Education Work Group mailing list.

OpenChain @ Wikipedia

By Featured, News

The OpenChain Project is officially featured on Wikipedia in three languages:

  1. English
  2. French
  3. German

Example of the text in English:

ISO/IEC 5230 (known as OpenChain) is an international standard on the key requirements for a high-quality open source license compliance program. The standard was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in late 2020. The standard is based on the Linux Foundation OpenChain Specification 2.1. It focuses on software supply chains, easier procurement and license compliance. Organizations that meet the requirements of the standard can self-certify, be certified by an accredited certification body (ISO/IEC 17021), or be certified after successfully completing an audit.

We would love your help in reviewing and improving this new resource to help spread understanding of our standard for open source license compliance, and expanding our presence over time to include the OpenChain Security Assurance Specification. You can do so through the normal Wikipedia editing process. Here is an example for the English page.

Huge thanks to Marc-Etienne Vargenau at Nokia for leading this process. He put a lot of effort into making this happen, and is due great credit for helping to improve the supply chain through easily available educational material.

OpenChain OSPO Subgroup Meeting / TODO Local Meetup Minutes – 2023-02-17

By News

Original document here:

Want to be part of the next meeting? Join the mailing list:

  • Participants:
    • Owada, Daikoku, Fukuchi, Endo, Shima, Suzuki, Oyagi, Kobota, Koizumi, Motai, Watanabe, Kato, Hayashi, Kuwata
  • Date:
    • Friday, February 17, 2023 15:00-16:00
  • Location:
    • Online

■Summary

  • We will create an equally short and easy-to-understand FAQ to help with creating and running an OSPO
  • Reference: the OSS License FAQ created by the OpenChain Japan WG
  • ◇Future activities
    • Second Friday: OSS Strategy & OSS Hosting / Leader Motai
    • Fourth Friday: OSPO Launch & FAQ / Leader Owada
  • ◇Action
    • Future activities listed above will be disclosed on the LF Event site (Kuwata)
    • Sharing GGI materials ( Koizumi, Kobota)
    • From now on, the meeting rules will be explained at the beginning of the meeting.

■Proceedings

  • ◇OSPO launch at a company and OSS document structure summary
    • a state of thirst for expert know-how, opinion, and advice
    • The OSS Licensing Institute site is useful
    • The problems that will be encountered during the OSPO startup phase,
    • I’d be happy if you could give me a Q & A or something.
  • C) Some come from OpenChain,
    • What OpenChain policy can’t do, it gets it out of the lab
    • I doubt if I can say that the FAQ collection is for OSPO.
  • Q) Do you want answers specifically tailored to your company?
    • Either you want a general answer or
  • A) There are companies that offer support,
    • Some companies get support from C-class people, but software development takes a different form if the company is a small part of the business, so I want to know the case
  • C)If it’s the former, I think other people might want it,
    • I thought the latter was a new point of view.
  • C) The former is close to what you once suggested on Lightning Talk.
  • C) You might want to join OpenChain
  • C) It would be nice to have a forum to mainly discuss how to set up OSPO.
  • C) Know-how to set up OSPO, in favor of creating best practices
    • I doubt if it can be compiled into a beautiful document, but I agree with the challenge of compiling it into an FAQ.
  • C) It is interesting to use a brief, FAQ as an example.
    • The TODO line has a lot of long sentences.
    • It’s interesting to challenge yourself to put it all together in a short sentence.
  • C) The checklist attached to the translated GGI may be close
  • C) I think the words that speak of OSPO go off on their own and think of different things in each.
    • It would be interesting if we could converge and go, it would help to create a common understanding.
  • C) If we can put it together, it will be useful when we explain to the high officials in each company.
  • Q) Do you do FAQs by format, or do you argue and then summarize?
  • A) How to extract Q first and then make a sentence before PPT
  • Q) Classified as OSPO launch and strategic use, OSPO launch?
  • C) If it’s about OSPO, it doesn’t have to be limited to the launch
  • C) Wouldn’t it be that from being able to answer “yes” and “no” easily, it would become a Q that simply can’t be answered when strategy and other things get higher?
  • C) OSPO activities come and go on stage with the same agenda
  • C) Every organization has its own OSPO, but it’s worth trying
  • C) I think we can make good things if we shape what we say in writing and discuss it again.
  • Q) Are we talking about giving GGI feedback?
  • A) We’re talking about a challenge to step away from GGI and try to sort through the FAQ
  • C) a good challenge to try because it’s easy to get started
  • C) There are some sentences in terms of the stance to be taken after the systematization of Europe, but I think it would be good to complement each other if we take the Japanese stance and approach.

■Future plan

  • OSS Business strategy area
  • OSS hosting area
  • C) First, I wanted to know how many people wanted to do it.
  • So far, four have raised their hands.
  • C) Wouldn’t it be better to divide the first and second half of the month by themes?
  • Q) Is it not necessary to make a summary by adding only the month of reporting?
  • A) You don’t have to get together to report, the organizer just has to report in English once every three months what you could do in Japan.
  • C) It is better to decide who will read each.
  • C) Week 2 OSS Strategy & Hosting / Leader Motai
  • C) Week 4: OSPO launch / Leader Owada

★Publish the above to the LF Event site

  • C) Sharing Materials (Daikoku)
  • C) GGI materials also shared (Mr. Koizumi, Mr. Kobota)

OpenChain OSPO Subgroup Meeting / TODO Local Meetup 2023-02-10 – Minutes

By News

Original document here:

Want to be part of the next meeting? Join the mailing list:

Participants:

  • Real: Owada, Shima, Kato, Koizumi, Handa, Fukuchi, Motai, Suzuki, Kuwata
  • Online: Hayashi, Iwami, Yoshida, Yamazaki, Watanabe, Daikoku, Ohyagi, Sado, Ninjouji

Date and time:

  • Friday, February 10, 2023 15:00-16:00

Place:

  • Real: Socionext Shin-Yokohama Office

Contents:

■ Mapping issues to OSPO maturity stages

  • Examples of poor mindsets/attitudes:
  • ◇1. use
    • It’s okay if you can use it without permission
    • There was a time like this in the past, but it seems to have passed
  • ◇2. Compliance
    • It seems that they worked hard on the site, it is not an issue for the entire company
    • see it as a legal issue
  • ◇3. Participation
    • Misunderstandings that rely on others
    • Maintained even if left alone
    • No need to keep up with upgrades
  • ◇4. Co-creation (collaboration)
    • Contribute only when you can afford it
    • No immediate effect
  • ◇5. Strategy
    • we don’t have to do it ourselves

■OSPO GGI Mapping

  • ◇OSS business strategy
    • OSS activities are positioned as part of the business, and targets are set with both the business and the community in mind.
    • OSPO representatives are able to communicate at C-Level regular meetings
    • Some employees do not understand the OSS business model
    • I’m trying to get the conversation across
    • There are contributors, but they are not in a form that leads to business
    • Classified as Strategy goal activities
    • Mapping to maturity level 5 could not be assigned
    • C) I felt that even at the maturity level they were going as far as strategy
      • Isn’t it that there are things that are done and things that are not done?
      • A) Communication at the top is done, but there are some areas such as education that are lacking
  • ◇OSS hosting
    • Develop product A with OSS
      • Became a sponsor of the base OSS PJ and has also contributed
      • It is open on GitHub, but the problem is that there are few external contributors and users
      • There is no internal system in place to deal with the increase in external
    • Product B Source released, development closed
      • Activities to revitalize the user community have been activated
      • There are also users who customize
      • Categorized as Engagement goal activities
    • Maturity level is weak in Leadership Community Education Engagement
    • C) be able to act as a leader, but not able to engage
  • ◇OSS contribution
    • I want a more influential approach to the community
    • It would be good if we could accumulate know-how on how to do this within the company.
    • We also support private and open source activists
    • I can get information and I can visualize it
    • Some people don’t want to be open as individuals and don’t want support
    • I’m trying to automate and collect contribution logs
    • I want to make use of the experience and know-how of employees who are responsible for board members
    • Classification is Engagement goal activities maturity level
  • ◇ What we want to do at TODO Group Japan
    • OSS Business strategy area
      • Not enough things that are organized in Japanese
      • Isn’t it easier to talk if you have something to show?
      • Combination of support type and open core type,
      • I think it would be easier to apply OSS to business if there is a place to analyze and discuss such things, such as using paid services as users use OSS.
    • OSS hosting area
      • It’s out there, but it’s revitalizing and gathering people
      • Know-how and best practices should be created
  • C) I would like to work with someone who is interested. I want to be able to bring out the results from Japan to the world.
  • C) Posing a very good challenge
    • there are many people who are interested in
      • Some people may be interested but unable to contribute
    • There was a company analysis at OSSJ, so it might be useful
      • thinking about doing it broadly or deeply.
  • Q) There was talk of researching external community contributions. How does it ultimately intend to use the results?
    • A) The company is happy to know individual skills
    • You can’t just get results
    • We provide financial support when making presentations at overseas events.
    • We want to create a win-win relationship from both sides
  • C) Motivation seems to increase
    • A) Incorporating skill development leave, we have prepared a system that allows you to go without using your paid leave.
  • Q) Is it better to set up a sub-work or continue here?
    • A) I don’t know the framework yet, but I want to do it

■ Issue mapping by OSPO maturity level and individual ⇔ company/OSPO scope

  • The usage status of Open Source can be grasped at the project level for the purpose of satisfying compliance, but it is not grasped in the necessary form when considering strategic utilization throughout the company.
  • I have mapped to 2 compliance and 3 participation in the OSPO maturity levels, but the objectives are 5 strategies and I feel that the OSPO maturity levels will come and go rather than monotonously climb
    • C) Issues that do not allow you to jump into the community as your own matter and issues such as being recognized by your superiors and improving the personnel system are related
  • Is there a link between individual issues and organizational issues?
  • The timing of individual motivation and organizational motivation is out of sync
  • want to raise my personal motivation, even if it’s just a little
  • If you try to make it fair, you can’t make it
  • Value standards such as the size of the community and the number of committed lines are difficult
  • OSS activities are not recognized by the company
  • are introducing new technology
  • Some people have good networks and some people don’t.
  • Individual study until community feedback is available
  • OSS activities are far away
  • Is the introduction of new technology evaluated?
  • OSS is even more unacceptable if it is not evaluated
  • A place to discuss careers
  • Individuals are not necessarily part of a community associated with the company
  • I want to promote it, but it is difficult to evaluate
  • Difficult in business evaluation
  • Establish other forms of awards or rewards
  • The next time you start working on your company’s business
  • SW human resource development
  • eventually return to business
  • Business is difficult if you don’t understand it
  • After all, SW is a human resource.
  • Scale of support for individuals
  • For example, overseas events are big, or they are paying attention to technology

■ Other

  • ◇ Relationship with legal
    • Q) Are legal people familiar with OSS licenses and able to intervene?
    • C) Isn’t it an area that has been talked about in OpenChain?
    • C) We also aim to cooperate with legal affairs
    • I hold study sessions and get involved
    • No one understands OSS in ordinary company legal affairs
    • C) No legal involvement
    • Since it starts with compliance, it starts with a legal proposal, but the legal department cannot handle it, so the open source team is supposed to take responsibility.
    • C) The parent company is doing well, so we can do commercial distribution from there, but there are cases where we can’t do it ourselves.
  • ◇ SBOM and department in charge, procurement contract text
    • Q) Is the procurement department in charge of SBOM or is the project doing it?
    • A) It is in the form that the place requested from procurement takes responsibility
    • It is supposed to be included in the instructions at the time of procurement, but the requesting department is supposed to include it
    • C) I think that the OSPO functions in the LF organizational form.
    • I think there are various ways to actually do it, but I was wondering if I would intervene or get involved
    • C) There are various aspects; an SBOM can’t be produced just by knowing the law
    • Tooling is essential, OSPO’s position needs to be promoted when introducing Tooling
    • I can’t understand the contents of the software unless I’m on site,
    • collaboration is needed
    • C) OSPO is being asked to wield the flag, but there are various ways to do it, such as creating a new mechanism
    • C) It doesn’t matter if OSPO is a departmental organization or a company organization
    • Small steps to try to do things right together
    • C) SBOM does not proceed unless C-Level thinks SBOM is necessary
    • There are still not many companies that think that they have to do it desperately while thinking that it is exciting
    • C) There are many parts that move in the security system
    • that one is more motivational
    • C) The word SBOM stands alone, and the image differs from person to person
    • Security is shifting from the purpose of checking what license is included
    • It will also be used to understand the information we are using to make strategic decisions.
    • It will be different depending on what you emphasize, but it will be easier to talk if you use a common language
    • C) Concerning procurement, OSPO also participates in the preparation of the template and incorporates the conditions of OSS.
    • Regarding SBOM, the product security unit has started to move mainly in cooperation with OSPO.
    • With the cooperation of LF, we are planning an in-house lecture by asking the GM of OpenSSF and SPDX.

OpenChain Monthly Meeting 2023-02-21 (North America and Asia) – Recording

By Featured, News

Our latest monthly meeting for North America / Asia continues where we left off on the North America / Europe call earlier this month (see https://www.openchainproject.org/news/2023/02/10/monthly-meeting-2023-02-07-recording). The focus was work around the next generation of the Security Assurance Specification.

Watch Our Meeting

On this call we addressed the following issues with the Security Assurance Specification 2.0 Draft:

  1. We prepared and refined definitions of remediation and mitigation:
    https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/22
  2. We included “remediation” and “mitigation” in Section 3.1.5:
    https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/25
  3. We included “mitigation” in Section 3.3.2:
    https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/26
  4. We clarified the “Get Customer” requirement in Section 3.3.2 to make the logic clearer:
    https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/27

All of the issues appear “done” but naturally you can access, review and reopen on GitHub. We will also be speaking about these topics on the next call for North America / Europe on the 1st Tuesday of March. See our Global Calendar for the precise schedule:
https://www.openchainproject.org/participate

Review Our Slides

OpenChain Education Work Group Meeting 2023-02-09 – Recording

By News

Nathan continues to lead collaboration around the OpenChain education material. We have a lot of reference material, ranging from self-certification to training to policy material, and the community is currently preparing updates to help people get started more quickly. Our goal is not only to make adopting our license compliance and security assurance standards easier, but also to provide great material that can be repurposed for other aspects of open source management.

Yes Security is the latest OpenChain ISO/IEC 5230 Conformant Organization

By Featured, News

Yes Security…

… aims to offer high-quality, high-performance and reliable products, ensuring the protection, security and productivity of its customers. The provision of personalized services, in an agile and assertive way, is one of our main focuses: identifying and resolving problems, guiding the IT professional on the functionalities of the tools, and ensuring full use of the resources they offer. With a close relationship with manufacturers and distributors it is possible to offer affordable projects that suit the needs of each company.

Learn More

OpenChain Korea Work Group Meeting #17 – First Physical Meeting Since COVID! – 2023-03-28

By Featured, News

The OpenChain Korea Work Group is holding its 17th meeting between 14:00 and 16:00 on the 28th of March 2023. This will be the first physical meeting of the work group since COVID hit in 2020. Learn more at the event link:
https://openchain-project.github.io/OpenChain-KWG/meeting/17th/

Hello, OpenChain KWG members! This is Haksung Jang (장학성).
Are you off to a meaningful start to the new year?

Our Q1 2023 meeting will be held offline again for the first time since COVID. Exciting!:
https://openchain-project.github.io/OpenChain-KWG/meeting/17th/

  • Date and time: Tuesday, March 28, 2023, 2:00 PM to 4:00 PM
  • Venue: LINE Plus (Seohyeon-dong, Bundang-gu)
    The exact location will be announced later. (Thank you to Seoyeon Lee of LINE Plus for providing the venue! ^^)

Webinar: GPLv2 Licensing History

By community, Featured, legal, licensing, News, Webinar

This OpenChain Webinar features an overview of GPLv2 licensing fragmentation based on research initiated by Philippe Ombredanne of NexB and continued by Armijn Hemel of Tjaldur Software Governance Solutions. The key takeaway is that a significant number of variations exist (40 variants of the “vanilla” text from the FSF or GNU website, and 12 variants of the Linux kernel’s copy, which carries the kernel’s linking exception), but the impact of these variations is nuanced. The license requirements do not change, but the textual variability can trip up automated tooling and manual review. Process awareness is required.
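As an added example that is not part of the webinar or of the research by Philippe Ombredanne or Armijn Hemel, the following Python script shows one way a compliance pipeline can tell format-only variants of a license text (line endings, wrapping, punctuation) from copies that carry extra text, such as a kernel-style linking note, or whose wording has actually changed: normalize the text, fingerprint it, and compare against a reference. The reference text, the variant texts and the file names are constructed stand-ins, not the real GPLv2 text or real files.

```python
"""Fingerprint license texts to separate harmless formatting variants from
copies that add or change wording.

Added example; not code from the OpenChain project or the webinar. All texts
below are CONSTRUCTED stand-ins and are not the real GPLv2.
"""
import hashlib
import re
import unicodedata

# Constructed stand-in for the canonical license text (NOT the real GPLv2).
CANONICAL = (
    "GNU GENERAL PUBLIC LICENSE\n"
    "Version 2, June 1991\n"
    "\n"
    "Everyone is permitted to copy and distribute verbatim copies\n"
    "of this license document, but changing it is not allowed.\n"
)

# Constructed variants of the kinds of drift the webinar describes.
SAMPLES = {
    # Same wording; CRLF line endings, a tab and trailing whitespace.
    "COPYING.crlf": CANONICAL.replace("\n", "  \r\n").replace(" ", "\t", 1),
    # Same wording; re-wrapped to a different column.
    "LICENSE.rewrapped": CANONICAL.replace(
        "verbatim copies\nof", "verbatim\ncopies of"),
    # Canonical text with a kernel-style note prepended (constructed wording).
    "COPYING.kernel-style": (
        "NOTE! This copyright does not cover user programs that use kernel\n"
        "services by normal system calls.\n\n" + CANONICAL
    ),
    # Wording changed: this is no longer the same license.
    "LICENSE.tampered": CANONICAL.replace(
        "changing it is not allowed", "changing it is allowed"),
}


def normalize(text: str) -> str:
    """Collapse differences that do not change the license terms:
    Unicode form, case, punctuation, line endings and whitespace."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = re.sub(r"[^\w\s]", " ", text)   # punctuation -> space
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(text: str) -> str:
    """SHA-256 over the normalized text, so format-only variants collide."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def classify(candidate: str, reference: str = CANONICAL) -> tuple[str, str]:
    """Compare a license file against the reference text.

    Returns (verdict, extra): verdict is 'identical', 'format-only',
    'extra-text' or 'different'; extra is normalized text that appears in
    the candidate around the reference (empty unless verdict is 'extra-text').
    """
    if candidate == reference:
        return "identical", ""
    n_cand, n_ref = normalize(candidate), normalize(reference)
    if n_cand == n_ref:
        return "format-only", ""
    idx = n_cand.find(n_ref)
    if idx >= 0:
        extra = (n_cand[:idx] + " " + n_cand[idx + len(n_ref):]).strip()
        return "extra-text", extra
    return "different", ""


def scan(files: dict, reference: str = CANONICAL) -> dict:
    """Build a per-file report; only 'different' and 'extra-text' need a
    human reviewer, the rest can be auto-accepted as the reference license."""
    ref_fp = fingerprint(reference)
    report = {}
    for name, text in files.items():
        verdict, extra = classify(text, reference)
        report[name] = {
            "verdict": verdict,
            "matches_reference_fingerprint": fingerprint(text) == ref_fp,
            "extra_text": extra,
            "needs_review": verdict in ("extra-text", "different"),
        }
    return report


if __name__ == "__main__":
    for name, row in scan(SAMPLES).items():
        print(f"{name:22} {row['verdict']:12} review={row['needs_review']}")
        if row["extra_text"]:
            print(f"{'':22} extra: {row['extra_text'][:60]}...")
```

The point of the normalization step is that a raw byte hash flags every re-wrapped or CRLF copy as a new license, which is exactly the noise the webinar warns about; fingerprinting the normalized text lets the pipeline wave those through and reserve human review for copies that add text (the kernel-style note) or change it.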

Check Out All Our Past Webinars Here:


This is OpenChain Webinar #48, released on 2023-02-15.

Panx Project is the latest OpenChain ISO/IEC 5230 Conformant Organization

By Featured, News

Panx Project is:

A digital consultancy and community solutions organization. Each year we launch projects aimed at addressing a social, technological, or economic issue, working with and training job seekers, startups, NGOs and enterprises on developing their own framework to leverage the latest industry standards and cutting-edge technology. Some of these clients include: Mumm, Zoho and Monginis.

Learn More