Due to popular demand, please find our latest OpenChain ISO gear at Threadless. As always, we sell everything at cost price.
As part of our continued commitment to internationalization, we are delighted to announce that the full OpenChain 2.1 (ISO/IEC 5230) specification is now available in:
- Chinese Simplified
- Chinese Traditional
- French
- German
- Italian
- Japanese
- Korean
- Spanish
These are reference translations provided to help organizations on their path to conformance. These organizations can also self-certify to the standard in:
- Chinese Simplified
- Chinese Traditional
- English
- French
- German
- Hebrew
- Hindi
- Italian
- Japanese
- Korean
- Russian
- Spanish
You can get these translations from our GitHub repository
FOSSAware is the latest partner of the OpenChain Project. OpenChain maintains ISO/IEC 5230, the International Standard for open source license compliance.
“The OpenChain Project consists of a large, vibrant community of companies that use open source in products and solutions,” says Shane Coughlan, OpenChain General Manager. “There is also a growing partner community that consists of organizations offering legal, consulting and tooling support in the management and automation of open source compliance. We are glad to welcome FOSSAware to this program and look forward to collaborating in Israel and beyond.”
“Encompassing over two-thirds of the average commercial software, open-source has become an essential part of modern software developmen,” says Yaniv Ozerzon, Co-Founder & CEO at FOSSAware. “Undermanaging the consumption and redistribution of Open source is no longer a viable option. Having an effective Open Source compliance program is a key differentiator marking industry-leading enterprise companies such as Google, Microsoft, and others. We are excited and pleased to become an official partner of OpenChain and are set to assist companies in reaching conformant with the OpenChain specification, minimize Open Source associated risks, and reduce remediation costs.”
About FOSSAware
FOSSAware consultancy and services specializes in Free and Open Source software (“FOSS”) compliance. Our mission is to work alongside our clients to minimize the legal, operational and security risks associated with FOSS. We tailor each client a suitable compliance program, render support in the implementation process and services for on-going compliance. https://fossaware.com/
About the OpenChain Project
OpenChain began when a group of open source compliance professionals met in a conference lounge and chatted about how so much duplicative, redundant open source license compliance work was being done inefficiently in the software supply chain simply. They realized that while each company did the same work behind the scenes in a different manner the output for downstream recipients could not realistically be relied on because there was no visibility into the process that generated the output.
The answer the early principles of this discussion arrived at was to standardize open source compliance, make it transparent and build trust across the ecosystem. The project began as outreach to the community with the idea of a new standard for open source license compliance with slides titled, “When Conformity is Innovative.” A growing community quickly recognized the value of this approach and contributed to the nascent collaboration soon named The OpenChain Project.
This advent calendar has been created by our Japanese Work Group as part of their community outreach. We hope you enjoy their recap of compliance topics to end the year.
About me
Hello. I am Takashi Ninjouji.
I mainly participate in Tooling Sub-Group (Tooling-SG) of OpenChain Japan-WG, and I am this SG leader since April 2020.
This article introduces the activities of Tooling-SG.
Tooling-SG
The Tooling-SG group is to use OSS for OSS management operations to achieve the following in Open Source Compliance:
- Build workflows according to your organization.
- Automation
- Quality improvement (on tools, workflows, and compliance)
Most of the participants are engineers. Many of them actually use the tools in their work, are developers of the tools, and even participate in the development community. On the other hand, because toolchain is also a means of handling open source compliance information, there will also be people from the compliance management departments such as legal and intellectual property, which are the relevant departments.
You may also want to read the article “About the activities of OpenChain Japan WG Tooling Sub-WG” by Kobayashi-san, the first leader at the time of its establishment in 2019, which was published in the 2019 Advent Calendar project. That article introduces why we wanted to create a place to exchange opinions about Open Source Compliance toolchain in Japanese and collaborate with global communities such as the OpenChain Reference Tooling Workgroup.
Activities
As in the previous year, the following activities and guiding principles have been established.
- Compile/disseminate information about the tool (in collaboration with the global community)
- Provide a place to study and discuss while using the tool (e.g., introducing the tool, holding seminars and hands-on sessions)
- Information distribution and tool mapping (identify issues and collaborate to improve workflow implementation)
- Promotion to expand membership (presentations at non-OpenChain meetings, use GitHub and other media)
We are welcome to feel free to participate and feel free to make a presentation (or talk).
At the meeting on 2020/11/24, we decided that we will have presentations in foreign languages. We would like to have a more active exchange of information.
You may arrange for your interpreter and translation of the materials in advance, or we would be happy to have volunteers to help you. If you are considering presenting in a foreign language, we would be glad to discuss this with you. Also, we may ask you to give your presentation at Tooling-SG.
How to participate
We use the following three means:
Mailing list
- https://lists.openchainproject.org/g/japan-sg-tooling
- Register: japan-sg-tooling+subscribe@lists.openchainproject.org
Slack
- Slack#10_tooling-sg (mainly for announcements, etc.)
- Slack#10_tooling-sg-random
Virtual Meeting
Starting in April 2020, we are holding virtual meetings in conjunction with the Japan-WG meetings. Currently, we meet every other week for about an hour, alternating between the following meetings.
We are flexible in practice, so please feel free to join us if you have questions. If you have a topic to present, please contact us via the mailing list or Slack.
- Monthly Meeting
- about 1 or 2 presentations
- Fourth Tuesday of every month 16:00-17:00 (JST)
- Casual Meeting
- anyone is welcome to talk about any topic.
- Second Tuesday of each month 16:00-17:00 (JST)
Meetings
We have had these meetings in FY 2020 so far.
| Meeting | Topics |
|---|---|
| 10th | Feature study: OSS Review Toolkit |
| 11th | “Sharing the challenges of field deployment (usage) of FOSSology“and “the results and impressions of the FOSSA OSS license management trial” |
| 12th | Tern by VMware (ACT) (Article on Qiita) |
| 13th | SW360 v11 (Article on Qiita) |
| 14th | Exchange of opinions on future initiatives |
Upcoming events
As SW360, a component cataloging tool, becomes multilingual and a Japanese kit is provided, it is expected to spread to Japan in the future.
Tooling-SG is planning to hold a hands-on session for SW360 Chores, a version of SW360 available in containers, in early 2021. We discuss the content and timing on the mailing list and Slack, so please join us if you are interested.
What is the next article?
Morishita-san will introduce OSS toolchain for Open Source Compliance. With the OpenChain specification being ISO standard, there has been a lot of discussion about automation of compliance practices in various tool communities. Don’t miss it!
はじめに
こんにちは、忍頂寺と申します。
OpenChan Japan-WGでは主に Tooling Sub-Group (Tooling-SG) に参加し、2020年4月から同SGのリーダーを務めています。
本稿はTooling-SGの活動を紹介します。
Tooling SGとは
このTooling-SGは、OSS管理運用のためのOSS(ツール)を利用して、Open Source Compliance において次を実現することを目的とします。
- 組織に応じたワークフローの構築
- 省力化 (オートメーション)
- 質の向上 (ツール、ワークフロー、コンプライアンスについて)
参加者の多くはエンジニアで構成されます。実際に業務で利用している方、ツールの開発者さらには開発コミュニティに参加している方などです。一方で、ツールがオープンソースコンプライアンス情報の取り扱い手段でもあることから、関係部門となる法務・知財などのコンプライアンス管理部門の方々の参加もあります。
なお、2019年のAdvent Calendar企画にあった、2019年設立時の初代リーダーの小林さんによる活動紹介記事「OpenChain Japan WG Tooling Sub-WGの活動について」もご一読頂けると幸いです。Japan-WGの活動趣旨に沿ってツールについて日本語で気軽に意見交換する場を設けたいとする経緯や、OpenChain Reference Tooling Workgroup などのグローバルコミュニティとの連携などを紹介しています。
活動内容
昨年度に引き続き、次を活動内容とその指針としています。
- ツールの情報をまとめる / 発信する (Globalコミュニティと連携)
- 実際に使いながら勉強や議論する場の提供 (ツール紹介、セミナーやハンズオンの開催など)
- 情報流通とツールのマッピング (ワークフロー実現のために課題を洗い出し、他と連携して改善)
- 活動に賛同するメンバ拡大のためのプロモーション (OpenChain以外の会合での発表、GitHubやその他メディアの活用)
気軽な参加、気楽な発表(発言)、をお願いしています。
なお、2020/11/24会合にて、今後は外国語での発表もアリになりました。
より活発な情報交換をしていきたいと考えています。
通訳や事前の資料の翻訳などは発表者ご自身で手配や検討を頂くでもよいですし、参加メンバーのボランティアで対応できればとも考えています。外国語での発表をご検討の際はまずは相談頂ければ幸いです。また、Tooling-SGから発表をお願いすることもあると考えています。
参加方法など
次の3つの手段を活用しています。
メーリングリスト
- https://lists.openchainproject.org/g/japan-sg-tooling
- 登録:japan-sg-tooling+subscribe@lists.openchainproject.org
Slack
- Slack#10_tooling-sg (主に連絡・周知など)
- Slack#10_tooling-sg-random
Virtual会合
2020年4月からは、Japan-WG会合に合わせてVirtual開催にしています。
現在は隔週で1時間ほど、次の会合を交互に開催しています。
実際は柔軟に運用しているので、質問がある場合は気軽にご参加ください。
また発表ネタがある場合は気軽に上記のメーリングリストかSlackでご連絡ください。
- 月例会
- 発表は1または2件程度
- 毎月第4火曜日 16:00-17:00 (JST)
- カジュアル会
- どんな話題でも、どなたでも、お話しください。
- 毎月第2火曜日 16:00-17:00 (JST)
会合実施内容
2020年度はおよそ次の内容で開催しました。
| 回 | 内容 |
|---|---|
| 第10回 | OSS Review Toolkit 機能調査 |
| 第11回 | FOSSologyの現場展開(利用)における課題点の共有、OSSライセンス管理「FOSSA」の試用結果および所感 |
| 第12回 | VMware社による Tern について (Qiita投稿記事) |
| 第13回 | SW360 v11 について (Qiita投稿記事) |
| 第14回 | 今後の取組について意見交換 |
今後開催予定のイベント
コンポーネントカタログツールであるSW360が多言語対応となり日本語キットも提供されることから、今後の普及が期待されています。
Tooling-SGでは、SW360をコンテナで利用できる SW360 Chores を対象に起動や操作のハンズオンを、2021年早々に開催しようと計画中です。メーリングリストやSlackにて実施内容や時期を検討しているので、興味のある方はぜひご参加ください。
次回の記事
明日(2020/12/17) は森下さんが、Open Source Compliance のための OSS を紹介してくれます。OpenChain仕様がISO化されたことで、様々なツールコミュニティでコンプライアンス実務のオートメーションの議論が活発になってきています。お楽しみに!
This advent calendar has been created by our Japanese Work Group as part of their community outreach. We hope you enjoy their recap of compliance topics to end the year.
About me
Hello. I am Takashi Ninjouji.
I mainly participate Tooling-SG of OpenChain Japan-WG.
This article is part 4 of introducing OpenChain Spec v2.1 (functionally identical to ISO/IEC 5280:2020).(2020.12.14: “Status”is “Under development”, “Life cycle” is “60.00 International Standard under publication” at ISO/IEC)
(2020.12.15: “Status”is “Published”, “Life cycle” is “60.60 International Standard under published” at ISO/IEC!)
“OpenChain Self Certification” provides the Online Self-Certification. You can see the questionnaire in several languages in this repository: “OpenChain-Project/conformance-questionnaire”
OpenChain Spec v2.1 §3.3 “Open source content review and approval”
§3.3.1 Bill of Materials
§3.3.1 is about the Bill of Materials (BOM), which is a list of OSS that compose a software package, and an organization needs to have a process in place to create and manage that BOM.
Here is the questionnaire for Self-Certification:
| Number | Spec Ref | Question Text |
|---|---|---|
| 3.a | 3.1, 3.1.1 | Do you have a documented procedure for identifying, tracking and archiving information about the open source components in a Supplied Software release? |
| 3.b | 3.1, 3.1.2 | Do you have open source component records for the Supplied Software which demonstrate the documented procedure was properly followed? |
§3.3.2 License compliance
§3.3.2 is about use cases. Internal processes need to be in place for each use case, such as distribution in binary form and distribution in source code form. Each organization can define use cases freely. In order to the efficiency of creation of BOMs and of open source license compliance using BOM, compliance tooling are needed and are discussed along with its development and its workflows as well.
Here is the questionnaire for Self-Certification:
| Number | Spec Ref | Question Text |
|---|---|---|
| 3.c | 3.2, 3.2.1 | Do you have a documented procedure that covers these common open source license use cases for open source components in the Supplied Software? |
| 3.c.i | 3.2, 3.2.1 | – Distribution in binary form; |
| 3.c.ii | 3.2, 3.2.1 | – Distribution in source form; |
| 3.c.iii | 3.2, 3.2.1 | – Integration with other open source that may trigger additional obligations; |
| 3.c.iv | 3.2, 3.2.1 | – Containing modified open source; |
| 3.c.v | 3.2, 3.2.1 | – Containing open source or other software under incompatible licenses for interaction with other components in the Supplied Software; |
| 3.c.vi | 3.2, 3.2.1 | – Containing open source with attribution requirements. |
What is the next?
Kobota-san will introduce part 5 on 12/18. Don’t miss it!
In tomorrow’s article (12/16), I will introduce the Tooling SG of Japan-WG. This subgroup aims to share information about the compliance tooling and the know-how to use them.
はじめに
こんにちは、忍頂寺と申します。
OpenChan Japan-WGでは、主にTooling-SGなどに参加しています。
本稿は国際規格 ISO/IEC 5230:2020 に相当する OpenChain Spec v2.1 を紹介するシリーズの第4回となります。(2020.12.14: ISO/IEC にて、進捗(Status)は “Under development”, “Life cycle” は “60.00 International Standard under publication” です。)
(2020.12.15: ISO/IEC にて、進捗(Status)は “Published”, “Life cycle” は “60.60 International Standard published” です! )
なお、自己認証の手続は“OpenChain Self Certification” でできます。 また、確認項目はGitHubの “OpenChain-Project/conformance-questionnaire”で確認できます。英文や和文などで用意されています。
OpenChain Spec v2.1 §3.3 “Open source content review and approval”
§3.3.1 Bill of Materials
§3.3.1 は、BOM (Bill of Materials) に関する章です。BOMは各ソフトウエアを構成するOSSのリストを指します。OpenChain適合を果たす組織は、このBOMの作成および管理するためのプロセスを整備する必要があります。
ここでの自己認証のための確認項目は次になります:
| Number | Spec Ref | Question Text |
|---|---|---|
| 3.a | 3.1, 3.1.1 | Do you have a documented procedure for identifying, tracking and archiving information about the open source components in a Supplied Software release? (供給ソフトウェアのリリースに含まれるすべてのオープンソースコンポーネントに関する情報を特定し、追跡し、リストとして保管するための手順書がありますか?) |
| 3.b | 3.1, 3.1.2 | Do you have open source component records for the Supplied Software which demonstrate the documented procedure was properly followed? (手順書に適切に従っていることを証明する、各供給ソフトウェアのリリースに関するオープンソースコンポーネントの記録がありますか?) |
§3.3.2 License compliance
§3.3.2は、ライセンスコンプライアンスの実務におけるユースケースに関する章です。バイナリ形式での頒布、ソースコード形式での頒布等の各ユースケースに対応できるよう社内プロセスを整備する必要があります。ユースケースの定義については各組織が自由に設定することができます。BOMの作成やBOMを利用してのオープンソース ライセンス コンプライアンス業務については、ツールによる効率化が検討されています。
ここでの自己認証のための確認項目は次になります:
| Number | Spec Ref | Question Text |
|---|---|---|
| 3.c | 3.2, 3.2.1 | Do you have a documented procedure that covers these common open source license use cases for open source components in the Supplied Software? (各供給ソフトウェアのリリースに関するオープンソースコンポーネントについて、少なくとも次の共通オープンソースライセンスのユースケースを扱った手順を実施していますか?) |
| 3.c.i | 3.2, 3.2.1 | – Distribution in binary form; (バイナリ形態で頒布されている) |
| 3.c.ii | 3.2, 3.2.1 | – Distribution in source form; (ソースコード形態で頒布されている) |
| 3.c.iii | 3.2, 3.2.1 | – Integration with other open source that may trigger additional obligations; (コピーレフトの義務を生じうる他のオープンソースと統合されている) |
| 3.c.iv | 3.2, 3.2.1 | – Containing modified open source; (改変されたオープンソースを含んでいる) |
| 3.c.v | 3.2, 3.2.1 | – Containing open source or other software under incompatible licenses for interaction with other components in the Supplied Software; (供給ソフトウェア内の他のコンポーネントとやりとりする、両立性のないライセンス下のオープンソースやその他のソフトウェアを含んでいる) |
| 3.c.vi | 3.2, 3.2.1 | – Containing open source with attribution requirements. (帰属要求のあるオープンソースを含んでいる) |
次回
次回仕様紹介となる第5回の記事は、小保田さんから 12/18 に公開予定です。お楽しみに!
明日(12/16)は、再び僕の投稿になりますが、ツールに関する情報共有を行っているTooling SGの活動を紹介します。
