snaggen@programming.dev
on 08 Nov 2023 19:13
nextcollapse
I must say I am a bit confused. They are open source, and some previous blog post said they are certifying upstream. Yet, they sell quality managed licenses. So, what are these licenses and why are they needed?
snaggen@programming.dev
on 08 Nov 2023 19:28
collapse
Ok, after reading some comments on other places, I think I get it now. While you are free to use their open sourced tool chain, which is what they have certified, you still doesn’t fulfilling the legal requirements unless you buy the certified tool chain. Just because it is open source, doesn’t legally guarantee that is what’s certified.
So, you pay to get the legal status of the certification. Did I understand this somewhat correct?
autokludge@programming.dev
on 08 Nov 2023 20:16
nextcollapse
I’m a layman in this case but sounds about right. Sounds similar to material certificates for steel etc in construction. You could technically have steel for a project that is up to spec but without a material cert it may as well be ballast.
5C5C5C@programming.dev
on 09 Nov 2023 15:32
collapse
When it comes to certifying your own software, the evidence is the key thing needed by the certifying bodies.
If I’m someone who wants to get my Rust software safety certified, it’s not enough for me to tell the certifier “I compiled my software with this compiler from a project called Ferocene and they have a blog post saying that they’re safety certified. Give me a certification please.”
Instead you need to show the certifier all the evidence that went into the safety case that achieved certification for Ferocene and then make a case that the evidence is relevant to your own safety case. This evidence from Ferocene is what you pay them for.
ActuallyRuben@actuallyruben.nl
on 09 Nov 2023 16:21
collapse
Interesting, I did not expect them to meet SIL4 standards, that’s not an easy achievement.
threaded - newest
I must say I am a bit confused. They are open source, and some previous blog post said they are certifying upstream. Yet, they sell quality managed licenses. So, what are these licenses and why are they needed?
Ok, after reading some comments on other places, I think I get it now. While you are free to use their open sourced tool chain, which is what they have certified, you still doesn’t fulfilling the legal requirements unless you buy the certified tool chain. Just because it is open source, doesn’t legally guarantee that is what’s certified.
So, you pay to get the legal status of the certification. Did I understand this somewhat correct?
I’m a layman in this case but sounds about right. Sounds similar to material certificates for steel etc in construction. You could technically have steel for a project that is up to spec but without a material cert it may as well be ballast.
When it comes to certifying your own software, the evidence is the key thing needed by the certifying bodies.
If I’m someone who wants to get my Rust software safety certified, it’s not enough for me to tell the certifier “I compiled my software with this compiler from a project called Ferocene and they have a blog post saying that they’re safety certified. Give me a certification please.”
Instead you need to show the certifier all the evidence that went into the safety case that achieved certification for Ferocene and then make a case that the evidence is relevant to your own safety case. This evidence from Ferocene is what you pay them for.
Interesting, I did not expect them to meet SIL4 standards, that’s not an easy achievement.