ClearlyDefined and fostering multi-stakeholder collaboration for accurate licensing metadata at scale

31 Jul 2023 (modified: 01 Aug 2023). InvestinOpen 2023 OI Fund Submission
Funding Area: Critical shared infrastructure
Problem Statement: ClearlyDefined’s goal is to help organizations collaboratively achieve accurate licensing metadata (often part of SBOMs) at scale, at each stage of the supply chain, for every build or release. It does this by letting organizations identify and share any missing or wrongly identified licensing metadata. Currently, ClearlyDefined is championed by Microsoft. The project was donated to the Open Source Initiative (OSI) to serve as a neutral home, where multiple stakeholders can collaborate under an open governance model. Companies like SAP, Bloomberg, and GitHub, as well as projects like the Linux Foundation’s GUAC and ORT (OSS Review Toolkit), have contributed to ClearlyDefined, but much work remains to foster collaboration among these stakeholders under the new open governance model (https://blog.opensource.org/what-is-open-governance-drafting-a-charter-for-an-open-source-project/). Our proposal is to help establish a neutral infrastructure for collaboration among multiple stakeholders, which will be key to driving compliance and security of the open source supply chain.
Proposed Activities: Recently, GitHub worked with ClearlyDefined to add license information for over 17.5 million packages to GitHub’s database, expanding license coverage for packages that appear in the dependency graph, dependency insights, dependency review, and a repository’s software bill of materials (https://github.blog/changelog/2023-07-10-new-license-information-for-17-5-million-packages/). Next steps for the coming months (July-October 2023):
1) run a ClearlyDefined harvester locally (as part of GitHub’s infrastructure);
2) allow contributions of any missing licensing metadata;
3) crowd-source the curation of these contributions;
4) feed curated contributions back to ClearlyDefined and to the original projects.
Starting in November, as part of the Open Infrastructure Fund, the goal is to document this process and extend it to other organizations:
 - November-December 2023: expand the current documentation (https://docs.clearlydefined.io/) with clear instructions on how to implement the process outlined above.
 - January-March 2024: work with other organizations so that each is able to run a ClearlyDefined harvester locally and implement the process above.
 - April-July 2024: further develop the process and establish a neutral infrastructure that makes collaboration among the different stakeholders easier.
Openness: ClearlyDefined is both an open source project and a free service. It provides the following elements:
 - Open source code repository: https://github.com/clearlydefined
 - Open data: https://github.com/clearlydefined/curated-data
 - Technical user documentation: https://docs.clearlydefined.io/
 - Governance structure and processes: current charter (https://docs.clearlydefined.io/charter) and new charter proposal (https://blog.opensource.org/what-is-open-governance-drafting-a-charter-for-an-open-source-project/)
 - Governance activities: https://docs.clearlydefined.io/minutes
 - Web accessibility statement: https://docs.clearlydefined.io/accessibility
 - Transparent pricing and cost expectations: ClearlyDefined is (and always will be) a free service run by the Open Source Initiative.
 - Commitment to equity and inclusion: https://docs.clearlydefined.io/diversity
 - Community engagement: https://docs.clearlydefined.io/get-involved
Challenges: The work to establish a neutral infrastructure at the Open Source Initiative, fostering collaboration among multiple stakeholders, is already well underway: an open governance model has been proposed (https://blog.opensource.org/what-is-open-governance-drafting-a-charter-for-an-open-source-project/), and collaboration is growing between Microsoft, GitHub, SAP, Bloomberg, and open source projects from the Linux Foundation (such as GUAC and ORT). As we add more organizations to this open governance model, the biggest challenge will be the coordination and funding needed to continue the work.
Neglectedness: Currently the ClearlyDefined project is funded by the organizations that make most use of its services, among them Microsoft, GitHub, SAP, and Bloomberg. We hope to receive more funding as we add more organizations to the project. We are also looking at applying for opportunities like the Invest in Open Infrastructure fund, in hopes of diversifying our funding.
Success: Establishing three or more local ClearlyDefined harvesters, and allowing seamless collaboration among them in sync with OSI’s neutral infrastructure, would indicate that the proposed work has been successful. Our hope is that the process will be more clearly defined once these first local harvesters are established, making it much easier to onboard new organizations.
Total Budget: US$ 25,000
Budget File: pdf
Affiliations: Open Source Initiative
LMIE Carveout: Just one contributor working from Brazil (Niccholas Rodriguez Vidal). Others working from North America and Europe.
Team Skills: Stefano Maffulli: Executive Director at the Open Source Initiative. Niccholas Rodriguez Vidal: Community Manager at the Open Source Initiative. Jeff Wilcox: Principal Manager at Microsoft. Emanuelle Martinez: Senior Software Engineer at Microsoft. Lynette Rayle: Senior Software Engineer at GitHub. Roman Iakovlev: Staff Software Engineer at GitHub. Ashley Wolf: Open Source Program Officer Director at GitHub. Qing Tomlinson: Senior Software Engineer at SAP. Brian Duran: Open Source Compliance, Strategic Projects at SAP. Gordon Lee: Project Manager at SAP. Tom Bedford: Senior Software Engineer at Bloomberg. Alyssa Wright: Open Source Program Office Director at Bloomberg. Jeff Mendoza: Software Engineer at Kusari (GUAC project). Thomas Steenbergen: Head of Open Source Program Office at EPAM Systems.
How Did You Hear About This Call: Word of mouth (e.g. conversations and emails from IOI staff, friends, colleagues, etc.)
Submission Number: 184