Re: SPDX Goes ISO
Thanks, Phil – I’m very much looking forward to the configurable profiles capability.
Thanks,
Dick Brooks
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Sent: Tuesday, September 14, 2021 1:16 PM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO
Yes, understood. Thanks, Dick. For that use case, the President was more concerned with a cyber attack that a license violation. This is the point of evolving SPDX to be “configurable” with profiles to meet different use cases.
From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Tuesday, September 14, 2021 at 12:44 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO
Phil,
Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber risk, i.e. C-SCRM, whereas license management is a Legal/Financial risk.
The use of SBOM for license legal risk management is indeed a good practice, but it is not required to satisfy NTIA minimal SBOM requirements for EO 14028.
Thanks,
Dick Brooks
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.
From: spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...>
Date: Tuesday, September 14, 2021 at 10:31 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO
Congratulations!
This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!
hip hip hurrah!
Matija
--
gsm: tel:+386.41.849.552
www: https://urldefense.com/v3/__https://matija.suklje.name__;!!A4F2R9G_pg!JDcVm_7nX5ihf6dF-lq5bEdOjwvrwPFEsQEyBY11L-icpBRYY7c2OV2t2w8ajmFojgc$
xmpp: matija.suklje@...
sip: matija_suklje@...