ISO_IEC_5230_2020E.pdf

Information technology OpenChain Specification ISO/IEC 2020INTERNATIONAL STANDARDISO/IEC5230Reference numberISO/IEC 5230:2020(E)First edition2020-12 ISO/IEC 5230:2020(E)ii ISO/IEC 2020 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2020All rights reserved.Unless otherwise specified,or required in the context of its implementation,no part of this publication may be reproduced or utilized otherwise in any form or by any means,electronic or mechanical,including photocopying,or posting on the internet or an intranet,without prior written permission.Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCP 401 Ch.de Blandonnet 8CH-1214 Vernier,GenevaPhone:+41 22 749 01 11Email:copyrightiso.orgWebsite:www.iso.orgPublished in SwitzerlandISO/IEC 5230:2020(E)ISO/IEC 2020 All rights reserved iii Contents Foreword.iv Introduction.v 1 Scope.1 2 Terms and definitions.1 3 Requirements.2 3.1 Program foundation.2 3.1.1 Policy.2 3.1.2 Competence.2 3.1.3 Awareness.3 3.1.4 Program scope.3 3.1.5 License obligations.4 3.2 Relevant tasks defined and supported.4 3.2.1 Access.4 3.2.2 Effectively resourced.4 3.3 Open source content review and approval.5 3.3.1 Bill of materials.5 3.3.2 License compliance.6 3.4 Compliance artifact creation and delivery.6 3.4.1 Compliance artifacts.6 3.5 Understanding open source community engagements.7 3.5.1 Contributions.7 3.6 Adherence to the specification requirements.7 3.6.1 Conformance.7 3.6.2 Duration.7 Annex A(informative)Language translations of this specification.9 ISO/IEC 5230:2020(E)iv ISO/IEC 2020 All rights reserved Foreword ISO(the International Organization for Standardization)and IEC(the International Electrotechnical Commission)form the specialized system for worldwide standardization.National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity.ISO and IEC technical committees collaborate in fields of mutual interest.Other international organizations,governmental and non-governmental,in liaison with ISO and IEC,also take part in the work.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives,Part 1.In particular,the different approval criteria needed for the different types of document should be noted(see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights.ISO and IEC shall not be held responsible for identifying any or all such patent rights.Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received(see www.iso.org/patents)or the IEC list of patent declarations received(see http:/patents.iec.ch).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation of the voluntary nature of standards,the meaning of ISO specific terms and expressions related to conformity assessment,as well as information about ISOs adherence to the World Trade Organization(WTO)principles in the Technical Barriers to Trade(TBT),see www.iso.org/iso/foreword.html.This document was prepared by the Joint Development Foundation(as OpenChain Specification)and drafted in accordance with its editorial rules.It was adopted,under the JTC 1 PAS procedure,by Joint Technical Committee ISO/IEC JTC 1,Information technology.Any feedback or questions on this document should be directed to the users national standards body.A complete listing of these bodies can be found at www.iso.org/members.html.ISO/IEC 5230:2020(E)ISO/IEC 2020 All rights reserved v Introduction This document defines the key requirements of a quality open source license compliance program.The objective is to provide a benchmark that builds trust between organizations exchanging software solutions comprised of open source software.Specification conformance provides assurance that a program has been designed to produce the required compliance artifacts(i.e.,legal notices,source code and so forth)for each software solution.This document focuses on the“what”and“why”aspects of a program rather than the“how”and“when”.This ensures flexibility for different organizations of different sizes in different markets to choose specific policy and process content that fits their size,goals and scope.For instance,an OpenChain conformant program may address a single product line or the entire organization.This introduction provides the context for all potential users.Clause 2 defines key terms used throughout this document.Clause 3 defines the requirements that a program must satisfy to achieve conformance.A requirement consists of one or more verification materials(i.e.,rec