Today marks a significant step forward for both the field of Third-Party Certification and the Chinese market in the context of OpenChain ISO/IEC 5230, the International Standard for open source license compliance. The China Academy of Information and Communications Technology (CAICT) has helped three companies establish OpenChain conformant programs scoped to cover one key product from each. This type of program is a common method of helping companies to “onboard” to broader programs over time.
The products going through the new OpenChain conformant programs are:
- GBase 8a from General Data Technology Co., Ltd. (GBASE) [1]
- KingbaseES V8 from CETC Kingbase [2]
- TiDB enterprise v4.0 from PingCAP [3]
CAICT has a Third-Party Certification Program that draws on its domain experience in legal compliance consulting and lasts between four and six weeks. In the words of Zhang Jun Xia, who is leading the program for CAICT, the process looks like this:
- Agreement is reached on how to approach certification: “We talk about the importance of open source compliance with the key staff of the companies, including their managers or vice managers of commercial, developing and legal departments (from last year my team discussed with about 10 companies). Then some of them reach the agreement to set the open source compliance management process.”
- Kick off meeting to estimate the scope of work: “My team will hold a starting meeting with the company who decided to go through the OpenChain program. We invited almost every manager or vice manager whose responsibilities related to open source upstreaming and down-streaming. We talked about their understanding of open source compliance and the basic requirements of open source compliance, and introduced the procedures that we will perform to help them meet the requirement.”
- Training to share knowledge and increase cohesion between the company and CAICT teams: “We start the training step. According to the understanding and basic estimate at the kick-off meeting, we design the training courses, which last 6 hours to 12 hours, depending on the basis of different companies (half of the training resources are from OpenChain training resources). By the course, we lead to the agreement on what is open source compliance and what should have to be done to meet it.”
- The interview process: “We start 2-3 days of interviews with the key individuals who are involved in open source compliance management, like the legal officer, the development manager, the product manager, the commercial officer… We dug out the specific procedures of how the product is developed, how they manage the upgrade versions, and how to ensure the function and performance indexes such as availability, reliability and security.”
- Setting the compliance procedure to documents: “Next week we will write the documents which set the management processes, based on their original ones, trying to make the least change and make sure to meet the 6 fields of OpenChain standard. We discussed the documents with the key staff to reach another agreement (in this step we wrote a lot of documents, even described every step's procedure).”
- Inspection period: “Once we both agreed, the product line will execute the management processes, and make the records, logs, and discuss everything that should be cleared or should be changed. We will inspect the new process for 2 to 4 weeks, until we believe it is OK.”
“We are delighted to announce three new companies entering the OpenChain community of conformance today, and we applaud CAICT on this exceptional certification accomplishment,” says Shane Coughlan, OpenChain General Manager. “The conformance of entities around the world falls into three categories: self-certification, independent assessment and third-party certification. The availability of the latter is of critical importance to ensure freedom of choice, and to ensure critical products in demanding industries are fully supported. The world's largest technology production environment is reaching a new stage of maturity.”
[1] Founded in 2004, GBASE is committed to the independent research, development and promotion of databases, and provides users with full-stack database products and services. As a state-level high-tech enterprise, GBASE has been rated as a leading domestic database enterprise for many years.
GBase 8a MPP Cluster is a leading massively parallel processing database management system product and has entered the core business systems of more than 80 large banks. Sales of GBase 8a have covered all provinces in China (except Hong Kong and Taiwan) and 34 countries, including the United States, Mexico, Pakistan, Japan, the United Kingdom, Russia and South Africa.
In recent years GBase 8a has adopted more and more open source components in version upgrades, and the importance of open source compliance has gradually been recognized. Through the OpenChain compliance guidance provided by CAICT, the product has established a standardized open source management process, which greatly improved the transparency of SBOM transmission within the company and improved the reliability of open source compliance.
[2] CETC Kingbase is a company specializing in database research and development and product services. It has mastered a number of core database technologies and developed large-scale general-purpose database products of an internationally advanced level, which are widely used in high information security fields such as government, national defense, military industry, energy, finance and medical treatment, with more than 1 million sets installed and deployed in total. KingbaseES, its independently developed database management system, has passed a number of national security certifications and won the “Second Prize of the National Science and Technology Progress Award” in 2018.
During product development, it applied the OpenChain ISO/IEC 5230 standard and built an open source compliance management mechanism, which greatly reduced the risk of open source reference and effectively ensured the quality and safety of products.
[3] Founded in 2015, Pingkai Xingchen (Beijing) Technology Co., Ltd. (hereinafter referred to as PingCAP) is an enterprise-grade distributed database provider committed to delivering a modern data infrastructure for growth-oriented users that is efficient, reliable, open and compatible, unleashing productivity, and accelerating digital transformation for enterprises.
PingCAP’s flagship project, TiDB, is an open-source, distributed Hybrid Transactional/Analytical Processing (HTAP) database that features horizontal scalability, strong consistency, and high availability with MySQL compatibility. TiDB 4.0 was designed for enterprise core business scenarios with requirements such as high availability, strong consistency, and large data scale, and has been adopted at scale in Finance, Internet, New economy, Public services, High-tech manufacturing and other industries in China.
As an open source company, PingCAP has been dedicated to driving forward autonomous open source communities that honor contribution and participation as key credits. To date, TiDB as an open source project has received 30200+ stars on GitHub, and has been adopted by over 2000 companies in production worldwide, covering multiple industries such as Finance, Telecommunication, Manufacturing, Internet, and Public Service.