You may also want to look at the SLSA framework. https://slsa.dev/levels --- Mike Dolan The Linux Foundation Office: +1.330.460.3250 Cell: +1.440.552.5322 mdolan@... ---

Yessssss… It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team! --V -- VM (Vicky) Brasseur Director, Senior

Hi Vicky, There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:

There's been some industry wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of

A taxonomy of this SSC ecosystem. I would like to have one, plz&thx. For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in

Dear Marc-Etienne, Yay! I was indeed just wondering about this earlier today, so thank you very much for the notification :) Best wishes, Sebastian

Hi all, Great news: ISO SPDX standard is now publicly available at: https://standards.iso.org/ittf/PubliclyAvailableStandards/ Best regards, Marc-Etienne

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04 General Meeting/Minutes/2021-11-04 < General Meeting‎ | Minutes · Attendance: 25 · Lead by Phil Odence ·

Came up on the call today. For those interested, here is an overview: https://asia.nikkei.com/Business/China-tech/New-China-data-transfer-rules-to-be-costly-for-foreign-companies Asia SPDX

Apologies for the late reminder. Notes: For Euro folks, time diff is off by an hour as US doesn’t go back to standard time until this weekend We will have a Google Summer of Code presentation

The "public domain" part appears to be the text of the Unlicense, so I'd assume "MIT OR Unlicense". Richard

Hi Pierre, I am moving the general SPDX list to BCC and sending this via the SPDX legal list, as that is the right place for this question! Also not - I have approved your message and copied you here

Hello, I am trying to identify this software in term of license expression https://github.com/nothings/stb It's is claimed to be "public domain or MIT". I don't see any license identifier for public

I’m pretty sure President Biden does too. From:spdx@... <spdx@...> on behalf of Dick Brooks <dick@...> Date: Friday, October 15, 2021 at 10:33 AM To: spdx@... <spdx@...> Subject: Re: [spdx] SPDX

Thanks, Phil. 100% agree with you. Thanks, Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788

That’s great, Dick. A very important direction for us IMO. From:spdx@... <spdx@...> on behalf of Dick Brooks <dick@...> Date: Friday, October 15, 2021 at 9:49 AM To: spdx@... <spdx@...> Subject:

Thanks, Phil. Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn. Thanks, Dick

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to

Phil, I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required