OpenChain Third Meeting 10/7/14
OpenChain Agenda for Third Call – 10/7/14
- Roll Call – 5 mins
- (Continued) Open Source Review Framework Discussion (Yixiong Zou, QTI) – 20 mins, followed by comments and discussion
- ISO 19600 (Joseph Potvin, Opman Company) – 10 mins
- TODO Project (Mark Radcliffe, DLA/OSI) – 10 mins
- Collaboration space (Mike Dolan, LF) – 5 mins
- Upcoming meeting topics (Dave Marr, QTI) – 10 mins
- Proposed future topics (input requested)
License Reporting Framework
Summary from previous meeting:
- The current license reporting process may not be scalable.
- Vendors do not have the necessary tools and information to perform a license check prior to delivery.
- The recipient bears all the burdens of license reporting verification.
License Reporting Framework as a potential solution:
- Components: Scanner, Validation Engine, Acceptance Criteria
- Goal: to have vendors perform some level of license reporting verification prior to delivery.
Basic Software Acceptance Framework for Open Source – A Few More Details
- The Framework does not dictate “universal” acceptance criteria. Instead, the recipient of the software defines OS Acceptance Criteria based on the specification.
- “Basic Acceptance”: this test framework is not intended to replace the entire legal review process; rather, it is intended to provide some basic automation to streamline the license review process.
- The recipient may opt to do complementary scanning (e.g., well-known commercial options) for additional protection.
Basic Software Acceptance Framework – Two Operational Models
- Independent Service Provider: a cloud-based, turn-key service; could be hosted by OpenChain.
- Downloadable software to establish the entire framework in a local environment.
Potential Candidate – Fossology
- Features: license detection based on contextual search, which is more advanced than simple keyword search.
- Gap: needs support for the acceptance criteria. Also, keyword search capability may be desirable for some businesses.
Thoughts? Questions?
ISO 19600
TODO Project
Collaboration Space
Upcoming meeting topics
Free-form aggregation followed by discussion:
- Draft FOSS compliance program (LF circa 2011)
- Training materials – syllabus discussion
- SPDX 101 primer
- Certified trainers and consultants
- Software architecture diagrams
- Distribution flow diagrams
Appendix
Intro – Software Test Framework
General Concept – Conformance Testing: black-box testing against a target
Diagram: Test Suite 1, Test Suite 2 and Test Suite 3 are run against the target; the result is Pass or Fail.
Intro – Software Test Framework
Benefit of Standardized Conformance Testing / Compliance Testing:
- Clarity of the requirement
- Consistency of the result
- Efficiency of the process
License Reporting in the Context of OpenChain – Existing Process/Methodology
Diagram: Initial Scan finds License 1 and License 2; Interpretation marks License 1 ok and License 2 not ok; License 3 then appears and a Rescan is needed.
License Reporting in the Context of OpenChain – Reasons for the Inefficiencies
- Licenses of the open source software are unclear
- Requirements from the customer are unclear
- No standard way of validating the OS licenses and customer requirements
A Basic OS License Acceptance Test Framework – Overview
Diagram: the License Reporting Framework consists of a Scanner, Acceptance Criteria and a Validation Engine.
A Basic OS License Acceptance Test Framework – Sample Process
Diagram: Scan, then Validate, then Result (Pass or Fail).
Sample Basic Acceptance Criteria
Acceptance criteria are based on the business practice of the recipient. Some simple examples:
- Pass if only BSD/MIT licenses are found.
- Fail if GPL is found.
- Pass unless AGPL is found.
Standard specification for the acceptance criteria: being a standard specification means the acceptance criteria can potentially work with different open source scanners. Example: XML Schema.
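A small validation engine of the kind the slides sketch, written here as an added example (not code from the slides, from OpenChain or from Fossology): it evaluates constructed scanner output against acceptance criteria expressed in a hypothetical XML schema that covers the three sample rules. The element names, the scanner output format and the SPDX-style license identifiers are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed scanner output (hypothetical format): file path -> SPDX license
# identifiers detected in that file. "NOASSERTION" marks a file whose license
# the scanner could not determine.
SCAN_RESULT = {
    "src/main.c": ["MIT"],
    "src/util.c": ["BSD-3-Clause"],
    "third_party/net.c": ["GPL-2.0-only"],
    "vendor/blob.bin": ["NOASSERTION"],
}

# Constructed acceptance criteria in a hypothetical XML schema:
#   <deny pattern="..."/>  fail if any detected license matches (shell-style wildcard)
#   <allowOnly>            if present, every detected license must match a <license>
CRITERIA_NO_GPL = """<acceptanceCriteria>
  <deny pattern="GPL-*"/>
</acceptanceCriteria>"""

CRITERIA_PERMISSIVE_ONLY = """<acceptanceCriteria>
  <allowOnly>
    <license pattern="MIT"/>
    <license pattern="BSD-*"/>
  </allowOnly>
</acceptanceCriteria>"""

CRITERIA_NO_AGPL = """<acceptanceCriteria>
  <deny pattern="AGPL-*"/>
</acceptanceCriteria>"""


def validate(scan_result, criteria_xml):
    """Validation engine: returns ("pass", []) or ("fail", [reason, ...])."""
    root = ET.fromstring(criteria_xml)
    deny = [d.get("pattern") for d in root.findall("deny")]
    allow_only = root.find("allowOnly")
    allowed = None
    if allow_only is not None:
        allowed = [lic.get("pattern") for lic in allow_only.findall("license")]
    reasons = []
    for path, licenses in sorted(scan_result.items()):
        for lic in licenses:
            hits = [p for p in deny if fnmatchcase(lic, p)]
            if hits:
                reasons.append(f"{path}: {lic} denied by pattern {hits[0]}")
            elif allowed is not None and not any(fnmatchcase(lic, p) for p in allowed):
                reasons.append(f"{path}: {lic} not in allow-only list")
    return ("fail" if reasons else "pass", reasons)
```

Note that deny-only criteria let an unidentified license (NOASSERTION) through, while the allow-only form flags it, so the allow-only form is the safer default when the scanner cannot identify a license.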