Re: Proposed spec for external packages
On 04/08/2015 9:34 AM, Philippe Ombredanne wrote:
On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn
To add to Philippe's comments, and speaking on behalf of a major producer of open source software, the proposal for an "External Security and Asset Management Identifier" seems to be fundamentally flawed. A quick perusal of the tagvault.org website tells me that the spec is not publicly available (i.e. you must buy it for $265 from ANSI), and that the tools used to tag software assets are available only to members of their private club.
IMO, any requirement that open source communities use a closed standard, and proprietary tools to annotate their open source code is dead on arrival.