Steve, SBOM’s are created to serve a purpose, for example some SBOM’s are used for license management, some are used for dependency tracking and the one I’m most familiar with is an SBOM

Hi all, One of the suggestions in today’s call for the OpenChain Telco SIG, where we’re discussing proposals for an SBOM standard for the Telecommunications industry, was: > SBOMs

Small correction: Thurs is Dec 1. From:spdx@... <spdx@...> on behalf of Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> Date: Wednesday, November 30, 2022 at 10:16 AM To: SPDX-general

This month we’ll have a couple special presentations. Gary will give a debrief on Wednesday’s docfest. Alexios will walk is through the GitHub 3.0 directories so everyone knows how to

This survey was a great start to gather feedback about SBOM, but it would be good to get some questions about AI sBOM, they need additional information collected

Dear SPDX Community, The SEMERU research lab from William and Mary is conducting an online survey to understand issues, needs, and opportunities related to software supply chain management through

[this is also available as https://gist.github.com/zvr/c852b4a560ac2c67885c473034cd4a93] # FOSDEM 2023 - SBOM devroom info and CfP ## Overview [FOSDEM] is one of the world's premier

EMEA folks- US had not changed clocks yet, so the meeting time at 11EDT is an hour off from normal for you. We will have a special presentation from Thomas Steenbergen about how we have been

With the colossal caveat that I am only a **consumer of** Unicode's deliverables, I could speak briefly to the concern at point #3: This is certainly inconvenient, but the Unicode site does host quite

Dear all, I'm wondering why https://spdx.org/licenses/Unicode-TOU.html is (still) part of the license list. Could it be deprecated? 1. First of all, the current text of the "Unicode® Copyright and

Dear all The OpenChain Telco Work Group has a meeting today at 17:00 CEST (15:00 UTC). This meeting will be of special interest to anyone working on matters related to SBOMs, as the work group is

This month’s presentation will be one of the every popular reports on a Google Summer of Code project: Project Title: NTIA Conformance Checker – Josh Lin Project Abstract: This project

REA is pleased to announce the general availability of SAG-PM Version 1.2 with support for SPDX V 2.3 and CycloneDX V 1.4. This release satisfies the requirements outlined on OMB memo M-22-18

Dear SPDX community, As mentioned on a couple of the general calls some time ago, the Steering Committee has been working on a Change Proposal template and process to facilitate communication,

It’s September! Apologies for the late reminder. I just never hit send yesterday. Note that the minutes from August meeting are at the bottome of this email. This month, there will be no

Hi, Just made thesbom-composer tool public. It’s been only run with sboms that I generated, so would be very happy to hear your feedback and do any following updates if necessary. Joe, it

Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?

Hi, I’m currently working on a composer tool that supports merging. Shortly to be open-sourced. Best, Ivana --- Ivana Atanasova Open Source Engineer VMware Open Source Program

I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any java programmers out there who would like to volunteer a solution is welcome to create

Cosign also has a format for doing this: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md (Different from the attestation i just sent)