RelationshipType packages
Hi all, how does one express "a release package was packaged by packaging-tool"? I learned that a build tool is a package. Hence, I assume that a "package tool" would probably also be a package. That
By Henk Birkholz

Agent or Identity
I have created Issue #94 https://github.com/spdx/spdx-3-model/issues/94 to describe my rationale for using the name Identity as the type of the createdBy property. The name should be chosen to best al
By David Kemp

New Python tools pre-release
Hi all, this is to inform you that we have a new v0.7.1 pre-release up for the SPDX Python tools. This includes a few minor bugfixes and feature requests we have gotten since the release of v0.7.0. No
By armin.taenzer@...

US National Cybersecurity Strategy is out and it includes SBOM - this is big
Hello Everyone, I know many people have worked hard to see this day! https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-c
By Dick Brooks

SPDX Gradle Plugin donation
Hi All, @Appu Goundan has been working on an awesome Gradle SPDX plugin, similar to https://github.com/spdx/spdx-maven-plugin. We'd like to have that be donated and hosted alongside as an SPDX repo! T
By Brandon Lum

Question on required vs cardinality
3 messages
Hi! I have a quick question about required and cardinality. I was looking at the docs from yesterday's meeting and noticed that for PackageVerification code, the cardinality is 0..1 or 0..0 but requir
By Brandon Lum

IBM has joined the SBOM movement
https://www.linkedin.com/posts/richard-dick-brooks-8078241_owasp-foundation-announces-cyclonedx-project-activity-7036702941843476480-ZcRj?utm_source=share&utm_medium=member_desktop New tools have been
By Dick Brooks

Is tools.spdx.org down?
3 messages
G'day everyone, I just noticed that https://tools.spdx.org/ appears to be down - it times out for both http and ping requests. Is this just me, or is there indeed a server-side problem? Separately, do
By Peter Monks

CISA Director Easterly's speech at CMU yesterday - very supportive of SBOM
Hello Everyone, I’ve written some comments on Director Easterly’s speech yesterday at CMU that contains lots of supportive statements for SBOM. Link to the speech transcript follows my comments and is
By Dick Brooks

Event: SPDX tech team meeting - Tuesday, February 28, 2023
#cal-reminder
Reminder: SPDX tech team meeting When: Tuesday, February 28, 2023 11:00am to 12:30pm (UTC-06:00) America/Chicago Where: https://zoom.us/j/663426859 Organizer: Kate Stewart kstewart@... View Event Desc
By Group Notification

Conversion of (multiple) SPDX 2 fileTypes into SPDX 3 contentType
4 messages
Hi all, in the tech team call yesterday we discussed the plausibility of multiple file types and if any SBOMs exist "in the wild" that actually include files with more than one file type. So, here is
By armin.taenzer@...

clarification around "documentDescribes" field
9 messages
Hi! An issue was opened in tools-golang around the missing "documentDescribes" field, which is part of the JSON schema. For v2.2.1 and above, the field is present, however, in v2.2.0 of the spec, it l
By Brandon Lum

Announcing SPDX 3.0 Serialisation meetings
2 messages
Dear all, I'm today writing to announce the start of a series of meetings focused on defining the 'Why, What and How' of SPDX 3.0 serialisation. As with our other meetings, participation is open t
By Sebastian Crane

SPDX Serialisation Focus Group - weekly meeting
SPDX Serialisation Focus Group - weekly meeting The SPDX Serialisation Focus Group is made up of members of the SPDX community who have an interest in the serialisation of SPDX data. Its mission is t
By Sebastian Crane

Event: SPDX tech team meeting - Tuesday, February 21, 2023
#cal-reminder
Reminder: SPDX tech team meeting When: Tuesday, February 21, 2023 11:00am to 12:30pm (UTC-06:00) America/Chicago Where: https://zoom.us/j/663426859 Organizer: Kate Stewart kstewart@... View Event Desc
By Group Notification

Actor and Identity
6 messages
We agreed today to model Actor as a concrete class above Person, Organization, and SoftwareAgent. And we left the door open to augmenting that model in the future. It would be helpful to have a common
By David Kemp

Package Supplier clarification
8 messages
Hello, I was reading a thread about Package Supplier field clarification from late last year and was hoping to get even further clarification as we add this information to Tern’s SPDX documents. Regar
By Rose Judge

SPDX Canonicalisation Committee - weekly meeting
SPDX Canonicalisation Committee - weekly meeting Dear all, Here is an invitation for our Canonicalisation Committee meetings in 2023. Best wishes, Sebastian SPDX Canonicalisation Committee - weekly me
By Sebastian Crane

FileNames in SPDX File item
8 messages
Colleagues A couple of questions on files specified in a SPDX File item. According to the SPDX spec, the filename for a SPDX file is a relative filename (prefixed by ./). - see https://spdx.github.io/
By Anthony Harrison

IETF SCITT revised use cases document
Hello Everyone, Just a short note to inform you of an updated use cases document from the Internet Engineering Task Force (IETF) Supply Chain Integrity, Transparency and Trust (SCITT) work group. http
By Dick Brooks