
Open-Source Compliance Review Process

How Alin Li OÜ reviews its open-source compliance programme: the cadence, the artefacts checked, and the decision flow. This diagram is part of the public ISO/IEC 5230:2020 evidence and matches the procedure recorded in the internal six-document pack.


The cycle in one picture

The diagram below shows two things: when reviews happen during the year, and what happens at each one. The full procedure is recorded in Document 6 (Adherence) of the internal evidence pack.

[Diagram: Alin Li OSS-compliance review process. Two-part diagram. Top: annual cycle with two review dates (2 February and 2 December), showing a 10-month gap and a 2-month wrap-around. Bottom: the steps performed at each scheduled review, with a decision branch leading to either a new pack version or a no-change confirmation.]

The annual review cycle (twice yearly: 2 February and 2 December)
- Review #1: 2 February
- Review #2: 2 December
- 10 months between reviews; 10 months < 18-month max (ISO 5230 Sec. 3.6.2)

What happens at each review (performed by the OSPO Lead on every scheduled date)
- Open the review: OSPO Lead records start date in the Review Log
- Run automated checks: License-check each simulator; regenerate SBOMs
- Spot-check the credits pages: Confirm components, licences and links are accurate
- Anything changed?
  - YES, issue new version: Update pack, bump number, regenerate SBOM and credits
  - NO, confirm current: Append a no-change line to the review log
- Close out and schedule next review: Update conformance.html and re-lodge OpenChain checklist if anything changed

How the cadence stays compliant

ISO/IEC 5230:2020 Section 3.6.2 requires conformance to be re-verified at least every 18 months. Our cadence (2 February and 2 December each year) makes the maximum gap between consecutive reviews approximately 10 months, comfortably within that limit. The 2-month / 10-month asymmetry is deliberate: a short review in early February catches anything that drifted during a quiet December, and a longer working window between February and December lets the simulators evolve normally.

Step-by-step procedure

| Step | Action | Output |
|---|---|---|
| 1. Open | The OSPO Lead opens the review by appending a new line to the Review Log in OSS-REVIEW.md. | Review start recorded. |
| 2. Automated checks | For each in-scope simulator, identify shipped components and regenerate the SBOM. With the current first-party-only posture this is a confirmation step; if a third-party component is ever added, it becomes a deeper licence-classification check. | Updated SBOM per simulator. |
| 3. Spot-check credits | Open each credits/<slug>.html and confirm that the listed components, licences and source links are accurate and complete. | Accurate end-user attribution. |
| 4. Decide | Did anything change since the last review? Two outcomes only. | Decision: issue new version, or confirm current. |
| 5. Close out | Update conformance.html with the new last-reviewed date and next-review date. If the pack version changed, re-lodge the OpenChain online self-certification checklist. | Public statement refreshed; OpenChain entry current. |

Who does it

| Role | Responsibility | Held by |
|---|---|---|
| Programme Owner | Authorises any change of scope or pack version. | Osama Abandeh |
| OSPO Lead | Runs the review steps above, signs the close-out. | Osama Abandeh |
| Technical Reviewer | Reviews any new components, where applicable. | OSPO Lead (delegated as required) |

Records kept

Contact

For questions about the review process: Compliance@alinli.com.