Minutes 13 Nov 2025
Host: Paul Albertella
Participants: Daniel Krippner
Agenda
- OSS Supply Chain document
Notes
Daniel asked what to do next with PR 56
Paul suggested writing a preamble setting out the objectives, and then we can review and possibly restructure the text to fit these goals.
Daniel: What are we aiming for as a working group? A coherent set of documents, or some disconnected ramblings?
Igor: My documents do have an end goal - a description of the problem, before attempting to propose a solution.
Daniel: My text could serve a similar purpose: set out the problems for this aspect of the bigger picture.
Igor: Describing the problem, your reasoning about it and rationale for a particular solution, which lets you determine how to verify it.
If the end goal for ‘safety integrity’, as it applies to existing open source, is the equivalent of QM, with the higher levels of integrity required for actual safety functionality attributed to dedicated solutions that have been specified in a more ‘traditional’ way. These might be open source solutions developed with these goals (and process requirements) in mind, or they might be proprietary commercial solutions.
Igor: The key is the evaluation criteria: the standards are an example of how this can be done, but they aren’t the only way. Debate begins when you don’t (or don’t want to) follow the standards. Saying that it can’t be done is misleading: saying that it is hard, and that may mean that it is not feasible for particular organisations or projects.
Paul: I also question the value of applying the standards as written (or as applied by organisations that I’ve worked with) and the decisions that it leads organisations to make.
Igor: If you have a solution that is proven to work, then it should be possible to convince an assessor.
Daniel: We also need to change the narrative around process expectations.
Igor: The trouble with what I’ve seen is people giving themselves a ‘free pass’ on some of the problems, which means that the good work they may have done on some aspect is not sufficient. So when the assessors identify weaknesses, you have to address them.