SlideShare a Scribd company logo
1 of 15
OpenChain Legal
Work Group
2024-01-17
Anti-Trust Policy Notice
● Linux Foundation meetings involve participation by industry competitors, and it is the intention
of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust
and competition laws. It is therefore extremely important that attendees adhere to meeting
agendas, and be aware of, and not participate in, any activities that are prohibited under
applicable US state, federal or foreign antitrust and competition laws.
● Examples of types of actions that are prohibited at Linux Foundation meetings and in
connection with Linux Foundation activities are described in the Linux Foundation Antitrust
Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about
these matters, please contact your company counsel, or if you are a member of the Linux
Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP,
which provides legal counsel to the Linux Foundation.
Agenda
1. Meeting Overview
2. Maturity Model Presentation by Andrew Katz of Orcro
3. Any Other Business
4. End of Meeting
Meeting Overview
This meeting will provide an overview of maturity models related to assessing
competence around open source management.
It has a particular focus on a maturity model from Orcro based on ISO/IEC
5230:2020.
We will also discuss how OpenChain Project can improve reference material in
this area.
Maturity Models – Andrew Katz
Open Chain Maturity Model
Roadmap
Capability Maturity Model – What is a CMM?
A framework for determining the degree of capability,
adaptability and resilience of a business function within
an organisation, with the aim of optimising continuous
improvement.
Maturity Model – High Level Approach
Indicative levels of maturity
• INITIAL: Minimal knowledge of open source compliance practice and procedure
• REPEATABLE: Some steps towards compliance. Some systems in place, but
application ad hoc
• DEFINED/IMPLEMENTED: Policies, practice and procedure in place, but not
necessarily in operation
• MANAGED: Policies etc. in place, and in operation, and improved as considered
necessary
• OPTIMISING: Policies etc. in place, in operation, and actively managed using
appropriate metrics and a process of continuous improvement.
Maturity Model – High Level Approach
59%
38%
64%
50%
5
4
3
2
1
Measured
Maturity
Score
Target
Systems
Information
People &
Organisation
Process
Optimising
Managed
Defined / Implemented
Repeatable
Initial
The capabilities of the organisation that have
been developed to manage open source
software development will be considered
against the requirements of the OpenChain
Specification v2.1, ISO/IEC 5230:2020.
They will be categorised into four types of
capability; people and organisational, process,
information, and systems.
Maturity will be assessed against five levels of
completeness as shown.
The target level will be specific to each
organisation and can be set according to their
ambition and view of business risk and
priorities for delivery.
The gap between target level and measured
level presents defines opportunities for
improvement and is easily converted to
implementation plans,
OpenChain Provides a Potential Framework
1. The Specification (ISO 5230:2020) contains the set of characteristics that a quality
Open Source development function possess within an organisation.
2. Each OpenChain requirement can be mapped against a business function, and a
degree of maturity can be assigned to each business function.
3. We propose a hierarchy. Top level requirements will be applicable across all
organisations.
4. Second level requirements can be tailored to the method of implementation chosen
by the organisation.
5. It’s compatible with existing best practice in capability maturity modelling across the
whole range of an organisation’s business functions, not just software development
(or open source software development).
ISO Requirements and Processes
Governance Strategy and Oversight
1
3.1.1 Policy
Appoint policy author, owner, exec sponsor
Publish policy
Review policy
Distribute policy
Track awareness of policy
Review performance against policy
objectives
Enablement and Performance Management
3.1.4 Program scope
Define programme scope
Review appropriateness of programme
scope
Define risks to be managed
Define benefits to be achieved
3.1.2 Competence
Identify roles and responsibilities
Determine competence required
Determine training need
Assess competence achieved
3.2.2 Effectively
resourced
Review programme resourcing and funding
Track progress against policy objectives
Analyse progress against policy objectives
3.5.1 Contributions
Develop policy for contributions (in and outbound)
Review and maintain policy
Track progress against policy
Review performance (risks and benefits)
3.1.3 Awareness
Communicate open source and
contribution policy
Track awareness of policies
Communicate implications of non-
compliance
Track non-compliance events
Track awareness of contribution policy
Open Chain Delivery
3.6.1 Conformance,
3.6.2 Duration
Review OpenChain
conformance (18 month)
Manage 3rd party
certification
3.1.5 License
Obligations
Identify licenses in
use
Document license
obligations
3.3.2 License
Compliance
review license compliance
across distribution modes
Produce contributions
guidelines for contributors
3.3.1 Bill of
Materials
Produce SBOM
Review and approve SBOM
Maintain version and distribution
history
Licence analysis
Produce records of process followed
3.4.1 Compliance
Artifacts
Generate artefacts
Distribute artifacts
Record artifacts
3.2.1 Access
Respond to compliance inquiries
Track nature of response to inquiries
Review performance of inquiry responses
Example assessment
3.3.1 Bill of Materials
People and Organisation Capability Processes Capabiliity
Attributes P&O Maturity
Questions
Process Attributes Process Maturity
Questions
Key role holders
Development Team
Leader
Associated roles
DevOps Specialist
Does a role exist for
generating (or
maintaining the system
which generates)
SBOMs?
Are role/responsibility
holders suitably
trained?
Do role/responsibility
holders have the
necessary
competencies?
Key processes
Produce SBOM
Review and approve
SBOM
Maintain version and
distribution history
Produce records of
process followed
Does a process exist
(automated or not) for
generating SBOMs?
Does a process exist for
reviewing and approving
SBOMs?
As part of any process
involving SBOMs, are
suitable records kept?
Information Capability Systems Capability
Information
Attributes
Information maturity
question
Systems Attributes Systems Maturity
Questions
Key Information
Component
manifests
Correct SBOMs
SBOM records &
metadata
Are component manifests
made available for
compliance purposes?
Are SBOMs generated?
Do SBOMs contain
sufficient correct data for
licence compliance?*
Are SBOMs generated in a
way which facilitates other
risk management or
operational processes (e.g.
security/vulnerability or
export control)
Are standards (e.g. SPDX,
CycloneDX) used to
generate SBOMs
Are the standards used to
generate SBOMs consistent
across the organisation?
Key systems
Compliance
toolchain*
Emerging good
practice
Metadata repository
(such as SW360)
Does the compliance
toolchain have
functionality for
generating SBOMs?
Where issues are
identified (e.g., a failing
test) is it possible to
remedy the issue in-situ?
Is compliance metadata
stored in a suitable system
such as SW360?
Full Profile Assessment
Rapid view of gaps and priorities
Deeper analysis possible by each
of the four capability lenses.
Supports optimisation of open
chain programme
Any Other Business?
Close of Meeting

More Related Content

Similar to OpenChain Legal Work Group - 2024-01-17

Capability Maturity Model Integration
Capability Maturity Model IntegrationCapability Maturity Model Integration
Capability Maturity Model IntegrationAAKASH S
 
How to Evaluate Solutions and Build your Evaluation Committee
How to Evaluate Solutions and Build your Evaluation CommitteeHow to Evaluate Solutions and Build your Evaluation Committee
How to Evaluate Solutions and Build your Evaluation CommitteeBlytheco
 
Navigating HCM Compliance Through Managed Services Part 2
Navigating HCM Compliance Through Managed Services Part 2Navigating HCM Compliance Through Managed Services Part 2
Navigating HCM Compliance Through Managed Services Part 2Smart ERP Solutions, Inc.
 
Software development o & c
Software development o & cSoftware development o & c
Software development o & cAmit Patil
 
Standards For Wright Aircraft Corp
Standards For Wright Aircraft CorpStandards For Wright Aircraft Corp
Standards For Wright Aircraft CorpAntoinette Williams
 
Adopting the Right Software Test Maturity Assessment Model
Adopting the Right Software Test Maturity Assessment ModelAdopting the Right Software Test Maturity Assessment Model
Adopting the Right Software Test Maturity Assessment ModelCognizant
 
A brief Introduction to ISO 9001 2015-Quality Management System
A brief Introduction to ISO 9001 2015-Quality Management SystemA brief Introduction to ISO 9001 2015-Quality Management System
A brief Introduction to ISO 9001 2015-Quality Management SystemSARWAR SALAM
 
Tool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsTool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsRicky Smith CMRP, CMRT
 
336 Yes Getting Everyone To Agree Final Updated Aug 27
336 Yes Getting Everyone To Agree Final Updated Aug 27336 Yes Getting Everyone To Agree Final Updated Aug 27
336 Yes Getting Everyone To Agree Final Updated Aug 27Espo2460
 
A Simple Introduction To CMMI For Beginer
A Simple Introduction To CMMI For BeginerA Simple Introduction To CMMI For Beginer
A Simple Introduction To CMMI For BeginerManas Das
 
Content Marketing Software RFP: A Framework to Determine Marketer Needs & Sol...
Content Marketing Software RFP: A Framework to Determine Marketer Needs & Sol...Content Marketing Software RFP: A Framework to Determine Marketer Needs & Sol...
Content Marketing Software RFP: A Framework to Determine Marketer Needs & Sol...Rebecca Lieb
 
Ten Elements of Open Source Governance
Ten Elements of Open Source GovernanceTen Elements of Open Source Governance
Ten Elements of Open Source GovernanceRogue Wave Software
 
CRJS466 – Psychopathology and CriminalityUnit 5 Individual Proje.docx
CRJS466 – Psychopathology and CriminalityUnit 5 Individual Proje.docxCRJS466 – Psychopathology and CriminalityUnit 5 Individual Proje.docx
CRJS466 – Psychopathology and CriminalityUnit 5 Individual Proje.docxfaithxdunce63732
 
Introduction to Software Engineering
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software EngineeringMajane Padua
 
Asset Finance Systems: Project Initiation "101"
Asset Finance Systems: Project Initiation "101"Asset Finance Systems: Project Initiation "101"
Asset Finance Systems: Project Initiation "101"David Pedreno
 
Achieving IT Strategic Directives When Evaluating a New Promotional Content E...
Achieving IT Strategic Directives When Evaluating a New Promotional Content E...Achieving IT Strategic Directives When Evaluating a New Promotional Content E...
Achieving IT Strategic Directives When Evaluating a New Promotional Content E...Cognizant
 
[Slides] Content Marketing Software RFP, by Altimeter Group
[Slides] Content Marketing Software RFP, by Altimeter Group[Slides] Content Marketing Software RFP, by Altimeter Group
[Slides] Content Marketing Software RFP, by Altimeter GroupAltimeter, a Prophet Company
 
Agile Testing: Best Practices and Methodology
Agile Testing: Best Practices and Methodology  Agile Testing: Best Practices and Methodology
Agile Testing: Best Practices and Methodology Zoe Gilbert
 

Similar to OpenChain Legal Work Group - 2024-01-17 (20)

Capability Maturity Model Integration
Capability Maturity Model IntegrationCapability Maturity Model Integration
Capability Maturity Model Integration
 
How to Evaluate Solutions and Build your Evaluation Committee
How to Evaluate Solutions and Build your Evaluation CommitteeHow to Evaluate Solutions and Build your Evaluation Committee
How to Evaluate Solutions and Build your Evaluation Committee
 
Navigating HCM Compliance Through Managed Services Part 2
Navigating HCM Compliance Through Managed Services Part 2Navigating HCM Compliance Through Managed Services Part 2
Navigating HCM Compliance Through Managed Services Part 2
 
Software development o & c
Software development o & cSoftware development o & c
Software development o & c
 
Standards For Wright Aircraft Corp
Standards For Wright Aircraft CorpStandards For Wright Aircraft Corp
Standards For Wright Aircraft Corp
 
SDLC_Intro.ppt
SDLC_Intro.pptSDLC_Intro.ppt
SDLC_Intro.ppt
 
Adopting the Right Software Test Maturity Assessment Model
Adopting the Right Software Test Maturity Assessment ModelAdopting the Right Software Test Maturity Assessment Model
Adopting the Right Software Test Maturity Assessment Model
 
A brief Introduction to ISO 9001 2015-Quality Management System
A brief Introduction to ISO 9001 2015-Quality Management SystemA brief Introduction to ISO 9001 2015-Quality Management System
A brief Introduction to ISO 9001 2015-Quality Management System
 
Tool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsTool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendations
 
336 Yes Getting Everyone To Agree Final Updated Aug 27
336 Yes Getting Everyone To Agree Final Updated Aug 27336 Yes Getting Everyone To Agree Final Updated Aug 27
336 Yes Getting Everyone To Agree Final Updated Aug 27
 
A Simple Introduction To CMMI For Beginer
A Simple Introduction To CMMI For BeginerA Simple Introduction To CMMI For Beginer
A Simple Introduction To CMMI For Beginer
 
Content Marketing Software RFP: A Framework to Determine Marketer Needs & Sol...
Content Marketing Software RFP: A Framework to Determine Marketer Needs & Sol...Content Marketing Software RFP: A Framework to Determine Marketer Needs & Sol...
Content Marketing Software RFP: A Framework to Determine Marketer Needs & Sol...
 
Ten Elements of Open Source Governance
Ten Elements of Open Source GovernanceTen Elements of Open Source Governance
Ten Elements of Open Source Governance
 
CRJS466 – Psychopathology and CriminalityUnit 5 Individual Proje.docx
CRJS466 – Psychopathology and CriminalityUnit 5 Individual Proje.docxCRJS466 – Psychopathology and CriminalityUnit 5 Individual Proje.docx
CRJS466 – Psychopathology and CriminalityUnit 5 Individual Proje.docx
 
Introduction to Software Engineering
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software Engineering
 
Asset Finance Systems: Project Initiation "101"
Asset Finance Systems: Project Initiation "101"Asset Finance Systems: Project Initiation "101"
Asset Finance Systems: Project Initiation "101"
 
Achieving IT Strategic Directives When Evaluating a New Promotional Content E...
Achieving IT Strategic Directives When Evaluating a New Promotional Content E...Achieving IT Strategic Directives When Evaluating a New Promotional Content E...
Achieving IT Strategic Directives When Evaluating a New Promotional Content E...
 
[Slides] Content Marketing Software RFP, by Altimeter Group
[Slides] Content Marketing Software RFP, by Altimeter Group[Slides] Content Marketing Software RFP, by Altimeter Group
[Slides] Content Marketing Software RFP, by Altimeter Group
 
Intro to CMM.pdf
Intro to CMM.pdfIntro to CMM.pdf
Intro to CMM.pdf
 
Agile Testing: Best Practices and Methodology
Agile Testing: Best Practices and Methodology  Agile Testing: Best Practices and Methodology
Agile Testing: Best Practices and Methodology
 

More from Shane Coughlan

OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024Shane Coughlan
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19Shane Coughlan
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleShane Coughlan
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20Shane Coughlan
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06Shane Coughlan
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06Shane Coughlan
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09Shane Coughlan
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxShane Coughlan
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...Shane Coughlan
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesShane Coughlan
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27Shane Coughlan
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30Shane Coughlan
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeShane Coughlan
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxShane Coughlan
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11Shane Coughlan
 

More from Shane Coughlan (20)

OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scale
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptx
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics Slides
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your Code
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11
 

Recently uploaded

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024MulesoftMunichMeetup
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfWSO2
 
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...Neo4j
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfkalichargn70th171
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Flutter Agency
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Conceptsthomashtkim
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Clinic
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringPrakhyath Rai
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...drm1699
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
Rapidoform for Modern Form Building and Insights
Rapidoform for Modern Form Building and InsightsRapidoform for Modern Form Building and Insights
Rapidoform for Modern Form Building and Insightsrapidoform
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksJinanKordab
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Maxim Salnikov
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 

Recently uploaded (20)

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
 
Encryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key ConceptsEncryption Recap: A Refresher on Key Concepts
Encryption Recap: A Refresher on Key Concepts
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
 
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
Rapidoform for Modern Form Building and Insights
Rapidoform for Modern Form Building and InsightsRapidoform for Modern Form Building and Insights
Rapidoform for Modern Form Building and Insights
 
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
 
Abortion Clinic In Springs ](+27832195400*)[ 🏥 Safe Abortion Pills in Springs...
Abortion Clinic In Springs ](+27832195400*)[ 🏥 Safe Abortion Pills in Springs...Abortion Clinic In Springs ](+27832195400*)[ 🏥 Safe Abortion Pills in Springs...
Abortion Clinic In Springs ](+27832195400*)[ 🏥 Safe Abortion Pills in Springs...
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 

OpenChain Legal Work Group - 2024-01-17

  • 2. Anti-Trust Policy Notice ● Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. ● Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
  • 3. Agenda 1. Meeting Overview 2. Maturity Model Presentation by Andrew Katz of Orcro 3. Any Other Business 4. End of Meeting
  • 4. Meeting Overview This meeting will provide an overview of maturity models related to assessing competence around open source management. It has a particular focus on a maturity model from Orcro based on ISO/IEC 5230:2020. We will also discuss how OpenChain Project can improve reference material in this area.
  • 5. Maturity Models – Andrew Katz
  • 6. Open Chain Maturity Model Roadmap
  • 7. Capability Maturity Model – What is a CMM? A framework for determining the degree of capability, adaptability and resilience of a business function within an organisation, with the aim of optimising continuous improvement.
  • 8. Maturity Model – High Level Approach Indicative levels of maturity • INITIAL: Minimal knowledge of open source compliance practice and procedure • REPEATABLE: Some steps towards compliance. Some systems in place, but application ad hoc • DEFINED/IMPLEMENTED: Policies, practice and procedure in place, but not necessarily in operation • MANAGED: Policies etc. in place, and in operation, and improved as considered necessary • OPTIMISING: Policies etc. in place, in operation, and actively managed using appropriate metrics and a process of continuous improvement.
  • 9. Maturity Model – High Level Approach 59% 38% 64% 50% 5 4 3 2 1 Measured Maturity Score Target Systems Information People & Organisation Process Optimising Managed Defined / Implemented Repeatable Initial The capabilities of the organisation that have been developed to manage open source software development will be considered against the requirements of the OpenChain Specification v2.1, ISO/IEC 5230:2020. They will be categorised into four types of capability; people and organisational, process, information, and systems. Maturity will be assessed against five levels of completeness as shown. The target level will be specific to each organisation and can be set according to their ambition and view of business risk and priorities for delivery. The gap between target level and measured level presents defines opportunities for improvement and is easily converted to implementation plans,
  • 10. OpenChain Provides a Potential Framework 1. The Specification (ISO 5230:2020) contains the set of characteristics that a quality Open Source development function possess within an organisation. 2. Each OpenChain requirement can be mapped against a business function, and a degree of maturity can be assigned to each business function. 3. We propose a hierarchy. Top level requirements will be applicable across all organisations. 4. Second level requirements can be tailored to the method of implementation chosen by the organisation. 5. It’s compatible with existing best practice in capability maturity modelling across the whole range of an organisation’s business functions, not just software development (or open source software development).
  • 11. ISO Requirements and Processes Governance Strategy and Oversight 1 3.1.1 Policy Appoint policy author, owner, exec sponsor Publish policy Review policy Distribute policy Track awareness of policy Review performance against policy objectives Enablement and Performance Management 3.1.4 Program scope Define programme scope Review appropriateness of programme scope Define risks to be managed Define benefits to be achieved 3.1.2 Competence Identify roles and responsibilities Determine competence required Determine training need Assess competence achieved 3.2.2 Effectively resourced Review programme resourcing and funding Track progress against policy objectives Analyse progress against policy objectives 3.5.1 Contributions Develop policy for contributions (in and outbound) Review and maintain policy Track progress against policy Review performance (risks and benefits) 3.1.3 Awareness Communicate open source and contribution policy Track awareness of policies Communicate implications of non- compliance Track non-compliance events Track awareness of contribution policy Open Chain Delivery 3.6.1 Conformance, 3.6.2 Duration Review OpenChain conformance (18 month) Manage 3rd party certification 3.1.5 License Obligations Identify licenses in use Document license obligations 3.3.2 License Compliance review license compliance across distribution modes Produce contributions guidelines for contributors 3.3.1 Bill of Materials Produce SBOM Review and approve SBOM Maintain version and distribution history Licence analysis Produce records of process followed 3.4.1 Compliance Artifacts Generate artefacts Distribute artifacts Record artifacts 3.2.1 Access Respond to compliance inquiries Track nature of response to inquiries Review performance of inquiry responses
  • 12. Example assessment 3.3.1 Bill of Materials People and Organisation Capability Processes Capabiliity Attributes P&O Maturity Questions Process Attributes Process Maturity Questions Key role holders Development Team Leader Associated roles DevOps Specialist Does a role exist for generating (or maintaining the system which generates) SBOMs? Are role/responsibility holders suitably trained? Do role/responsibility holders have the necessary competencies? Key processes Produce SBOM Review and approve SBOM Maintain version and distribution history Produce records of process followed Does a process exist (automated or not) for generating SBOMs? Does a process exist for reviewing and approving SBOMs? As part of any process involving SBOMs, are suitable records kept? Information Capability Systems Capability Information Attributes Information maturity question Systems Attributes Systems Maturity Questions Key Information Component manifests Correct SBOMs SBOM records & metadata Are component manifests made available for compliance purposes? Are SBOMs generated? Do SBOMs contain sufficient correct data for licence compliance?* Are SBOMs generated in a way which facilitates other risk management or operational processes (e.g. security/vulnerability or export control) Are standards (e.g. SPDX, CycloneDX) used to generate SBOMs Are the standards used to generate SBOMs consistent across the organisation? Key systems Compliance toolchain* Emerging good practice Metadata repository (such as SW360) Does the compliance toolchain have functionality for generating SBOMs? Where issues are identified (e.g., a failing test) is it possible to remedy the issue in-situ? Is compliance metadata stored in a suitable system such as SW360?
  • 13. Full Profile Assessment Rapid view of gaps and priorities Deeper analysis possible by each of the four capability lenses. Supports optimisation of open chain programme