FOSS Compliance Certification Program The Linux Foundation.

1 FOSS Compliance Certification Program The Linux Foundation

2 Basic elements of a certification program
- A purpose or motivation for certification
- Sponsors or customers that require suppliers to be certified
- A standard or reference model to certify against
- A certification or appraisal methodology and trained appraisers
- A certificate designating the supplier's certification achievement

3 Certification is based on a key principle
- Process matters: A repeatable and systematic compliance process is required to achieve FOSS compliance consistently and routinely
- Certification appraises a supplier's process as a predictor of eventual compliance success.
- Certification addresses conformance to a standard rather than business efficiency
  - Appraisals certify that process goals have been achieved rather than that specific practices and/or tools are used
The Linux Foundation Confidential

4 Open Certification Proposal
- Reference model
  - Grounded in Self-Assessment Checklist
  - Proposes 6 compliance goals:
    - G1. Everyone knows their FOSS responsibilities
    - G2. Responsibility for achieving compliance is assigned
    - G3. FOSS content (packages/licenses) is known
    - G4. FOSS content is reviewed and approved
    - G5. FOSS obligations are satisfied
    - G6. Community contributions are encouraged
  - At least two possible certification approaches, based on goals and sub-goals:
    - Multi-level: Initial, Basic, Advanced
    - Single level: Certified, Uncertified
  - Community consensus will be needed about the reference model

5 Certification appraisal methodology
- On-site appraisal involving interviews and examination of evidence
  - The Self-Assessment Checklist will provide the primary guide for interviews and data collection
  - Responses
  - Goal/Sub-goal satisfaction
  - Certification level
- Other appraisers (in addition to LF) could be trained and authorized to conduct certification appraisals

6 Back-up: Reference Model

7 Goal G1. Everyone knows their FOSS responsibilities
Supporting practices:
- SP1.1 FOSS policy exists
- SP1.2 FOSS compliance training program actively used

8 Goal G2. Responsibility for achieving compliance is assigned
Supporting practices:
- SP2.1 FOSS Compliance Officer exists
- SP2.2 Compliance management activity is resourced
  - SP2.2.1 Processes, procedures, templates, forms, etc. are developed
  - SP2.2.2 Compliance tool needs are identified
  - SP2.2.3 Compliance tools are evaluated, developed or acquired, and deployed
- SP2.3 Licensing expertise is available

9 Goal G3. FOSS content (packages/licenses) is known
Supporting practices:
- SP3.1 Code audits/scans are conducted
- SP3.2 Supplier compliance is managed
  - SP3.2.1 Supplier compliance practices are assessed
  - SP3.2.2 Supplier FOSS disclosures are made and reviewed
  - SP3.2.3 Supplier FOSS obligations are satisfied
- SP3.3 FOSS records are maintained

10 Goal G4. FOSS content is reviewed and approved
Supporting practices:
- SP4.1 OSRB exists and is staffed appropriately
- SP4.2 Planned FOSS use is reviewed in context
- SP4.3 License obligations are identified, understood, and documented
- SP4.4 Issues are resolved and approval decisions are followed

11 Goal G5. FOSS obligations are satisfied
Supporting practices:
- SP5.1 Documentation obligations are met
- SP5.2 Source code obligations are met
- SP5.3 Community interface exists
  - SP5.3.1 Email and postal addresses work
  - SP5.3.2 Web portal works
  - SP5.3.3 Community requests and inquiries are satisfied

12 Goal G6. Community contributions are encouraged
Supporting practices:
- SP6.1 Individual contributions are reviewed and approved
- SP6.2 Company contributions are reviewed and approved

