Skip to main content

OpenChain Tooling Work Group Meeting #4 – Outcomes, October 2nd 2019

By 2019-10-09News

The minutes are below. The slides discussed during the meeting are also below for reference.

1. News

Oliver gave an overview about “what happened since last meeting”
Two new user stories are available in the Github repo:
             Initial user story –
             Initial user story –

A new version of the one pager slide was circulated on the mailing list. The objective is to have the first release next week.

Upcoming Events:
             Oliver presented an overview of the interesting session from an OSS compliance perspective at Eclipsecon.
             Alexios asked about an overview of the interesting sessions at OSS Summit Europe. Michael J. sent an email with interesting talks at the OSS Summit Europe to the mailing list.

2. Sw360antenna
Lars gave an overview about their work concerning automation and integration of the OSS compliance tools in the CI/CD workflow. He introduced two use cases (please see attached slides):
1. Automatic management of 3rd party dependencies
             This use case applies to “normal” software development, where the OSS component approval is triggered by the integration of the component.
2. Upfront dependency approval
             This use case applies to software development in regulated environments like safety critical systems, where the OSS components which will be integrated must be known upfront. If an unknown component is detected this will cause a policy violation.
             Aaron added that this use case is also common in the financial sector.

Lars mentioned that for having an overview about the licensing situation scancode is used and for the curation, approval and release FOSSology is used.
He gave a nice live demo showing the working implementation of use case 1. Oliver mentioned that this demo covers the following functional blocks of the big picture:
             Dependency resolver
             Source package downloader
             License & Copyright Scanner
             Policy Checker
             Component & application inventory
             FOSS Compliance Bundle generator

The documentation of use case 1 is available on

3. Next Steps
             User stories:
                            Kate mentioned that there is no user story covering the recipients of the compliance artifacts – the persons/organizations receiving the results of the process and results produced by the toolchain. Oliver said that such a user story will be added.

             Next meeting:
                            The next regular Wednesday meeting will be on 6th of Nov. On 10th of Oct there is the face to face meeting in Darmstadt