
OpenChain Monthly North America – Europe Meeting – 2024-09-03 – Full Recording

Posted 2024-09-30 in News

We held our regular Monthly North America and Europe Call on the 3rd of September. The focus was on discussing the Public Comment period for our draft proposed updates to the licensing and security specifications.

Check Out The Recording

We keep all the slides from our monthly calls online and they can be a useful way to access direct links and more details:

What We Did On This Call:

Update openchain-license-compliance-3.0.md #76

Changed:

A process shall exist for creating the set of compliance artifacts for the supplied software.

Verification material(s):

  • 3.4.1.1 – A documented procedure that describes the process under which the compliance artifacts are prepared and distributed with the supplied software as required by the identified licenses.
  • 3.4.1.2 – A documented procedure for archiving copies of the compliance artifacts of the supplied software – where the archive is planned to exist for a reasonable period of time (Determined by domain, legal jurisdiction and/or customer contracts) since the last offer of the supplied software; or as required by the identified licenses (whichever is longer). Records exist that demonstrate the procedure has been properly followed.

To:

A process shall exist for creating the set of compliance artifacts for the supplied software.

Verification material(s):

  • 3.4.1.1 – A documented procedure that describes the process under which the compliance artifacts are prepared and distributed with the supplied software as required by the identified licenses.
  • 3.4.1.2 – A documented procedure for archiving copies of the compliance artifacts of the supplied software – where the archive is planned to exist for a reasonable period of time (determined by domain, legal jurisdiction and/or customer contracts) since the last offer of the supplied software, or as required by the identified licenses (whichever is longer). Records exist that demonstrate the procedure has been properly followed.

Improved 2.7 #75

Changed:

a “Software Bill of Materials” (SBOM) is a inventory for software, a list of ingredients that make up software components. An example is the (Software Package Data Exchange) SPDX specification created by the Linux Foundation’s SPDX Project to exchange bill of materials for a given software package (see spdx.org). Regardless of the SBOM specification used, it should follow a complete profile for the intended use case.

To:

a “Software Bill of Materials” (SBOM) is an inventory for software, a list of ingredients that make up software components. An example is the Software Package Data Exchange (SPDX) specification created by the Linux Foundation’s SPDX Project to exchange bill of materials for a given software package (see spdx.org). Regardless of the SBOM specification used, it should follow a complete profile for the intended use case.

Update openchain-license-compliance-3.0.md #74

Changed:

a set of open source software licenses identified as a result of following an appropriate method of identifying open source components from which the supplied software is may contain

To:

a set of open source software licenses identified as a result of following an appropriate method of identifying open source components which the supplied software may contain

Terms and definitions sub-headings to same level openchain-license-co… #66

Fixed formatting:

“Under Terms and definitions there were some sub-headings with ## and some with ### so changed them all to be ### level sub-headings.”

Update openchain-security-specification-2.0.md #37

Changed:

3.3.2 – Security Assurance

A process shall exist to detect, identify, and document the existence of Known Vulnerabilities in each Open Source Software component on the Software Bill of Materials (SBOM) for the Supplied Software.

To:

3.3.2 – Security Assurance

A process shall exist to detect, identify, and document the existence of Known Vulnerabilities in each Open Source Software component in the Software Bill of Materials (SBOM) for the Supplied Software.

Overview of the Public Comment Period

OpenChain Project Announces Public Comment Period for Draft Updates to Compliance and Security Specifications

Starting 2024-06-19 ~ Ending 2024-12-19

The OpenChain Project has announced the beginning of its six-month Public Comment Period for proposed draft updates to the open source license compliance (ISO/IEC 5230:2020) and open source security assurance (ISO/IEC 18974:2023) specifications.

As per our specification development process outlined in the project FAQ, this Public Comment Period will run for six months, and it will be followed by a three-month Freeze Period.

During the Public Comment Period everyone is invited to review and comment on the specifications. As an open project developing open standards, we host the draft documents on our GitHub repositories.

Learn More:

You can comment on this process by joining our monthly calls or via our Specification Mailing list. You can also leave comments via GitHub issues as detailed below.