[RFC] List of ORT Users and Consultancy Companies/Individuals

[rettichschnidi]

I am part of the team that is evaluating potential FOSS compliance solutions for my employer. As a developer and FOSS enthusiast, I am lobbying for ORT.

As with many FOSS offerings, when making the case for ORT, I stumbled on two three:

1. Proprietary solutions (Black Duck, Snyk, etc.) are very eager to send their sales representatives, promising the sky. For ORT however, I need to answer our questions (based on the Linux Foundations An Open Guide To Evaluating Software Composition Analysis Tools) myself.

2. To make ORT more attractive to our sourcing/non-dev-decision-makers, it would be very helpful to point at commercial offerings that are willing to help with ORT adoption (and ongoing support).

3. Having a list of users would be great. The bigger their name, the better. Already exists

Questions:

• Regarding 1), would a PR trying to document the answers to the questionnaire linked in 1) be appreciated?
• Regarding 2), any chance we could have a (curated) list of offerings somewhere on the ORT website? Maybe similar to what Zephyr is doing? (also started with a request such as this one)
• Regarding 3), if you are a (potential) user, answer to this issue. Maybe this list then can serve as a starting point for some kind of (curated) list on the website? maybe we can have some nice logos attached to the names? Ideally presented on the webpage instead of "just" in the repository?

Meanwhile, those are commercial offerings of which I am aware of:

• Double Open
  • Company
  • SaaS, but no (general) consulting currently?
• EPAM:
  • Company
  • Consulting?
• Thomas Steenbergen?
  • Freelancer

[sschuberth]

I am lobbying for ORT.

Thank you ❤️

would a PR trying to document the answers to the questionnaire linked in 1) be appreciated?

Absolutely. I believe it would be a great addition to our documentation / website to explain how to use ORT to cover the evaluation criteria from that report.

point at commercial offerings that are willing to help with ORT adoption

To clarify, this is an ask / discussion that came up at the ORT Community Days. Given that similar requests / reservation to use ORT due to a lack of this information came up before, I'm all for supporting our users by pointing out commercial partners / support offerings.

However, I believe we should not just include any entity here that files a PR, but only those how have a proven track record of being knowledgeable in ORT and / or have contributed to ORT, as judged by the ORT TSC / core maintainers.

[willebra]

Listing known users of ORT would not hurt either. Or perhaps those of the users that want to be included in the list. As per the title of the issue.

[sschuberth]

Listing known users of ORT would not hurt either.

See ADOPTERS.md. And @mmurto wanted to work on #7315 😉

[rettichschnidi]

Listing known users of ORT would not hurt either. Or perhaps those of the users that want to be included in the list. As per the title of the issue.

Just updated the text a bit to reflect the title. And incorporated the hint of @sschuberth.

[grnrs]

Just to add on this: I'm currently in a similar position as @rettichschnidi and had similar questions (especially 2 and 3 initially mentioned).
Has something like a Landscape ever been considered for the Automated Compliance Tooling (ACT) project? (cf OpenSSF or CNCF)?

[sschuberth]

Has something like a Landscape ever been considered for the Automated Compliance Tooling (ACT) project?

I don't think so, but personally I regard ACT to be pretty much dead anyway, see e.g. its news page which was last updated in 2020.

Instead, I'd rather refer to the OpenChain Reference Tooling Work Group's Landscape, also see https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape.