Re: SPDX Merging
#spdx
Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?
From: spdx@... <spdx@...> On Behalf Of Gary O'Neall via
By Joe Bussell · #1586

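Joe's suggestion above, worked through as an added example (not SPDX project code and not a tool from this thread): a top-level SPDX 2.3 JSON document that does not copy the subordinate SBOMs but pins each one in externalDocumentRefs by namespace and checksum, and re-describes its packages through the DocumentRef-ID:SPDXRef-ID cross-document form. The two subordinate documents, their example.invalid namespaces, the creator strings and the choice of SHA256 (SPDX 2.x examples usually show SHA1) are all assumptions. The consumer-side check at the end is the security-relevant part: a subordinate that has been swapped or edited after composition no longer matches the pinned checksum and must be excluded from the result chain.

```python
"""Merge SBOMs by composition: a top-level SPDX 2.3 document that points at
subordinate SBOMs through externalDocumentRefs instead of copying them.
Added example; not an SPDX project tool.  Namespaces, creators and the
SHA256 choice are assumptions; subordinate documents are constructed inline."""
import hashlib
import json


def minimal_sbom(pkg_name, namespace, version):
    """Constructed minimal SPDX 2.3 JSON document describing one package."""
    pkg_id = "SPDXRef-Package-" + pkg_name
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": pkg_name + "-sbom",
        "documentNamespace": namespace,
        "creationInfo": {"created": "2022-08-01T00:00:00Z",
                         "creators": ["Tool: example-generator"]},
        "packages": [{"SPDXID": pkg_id, "name": pkg_name,
                      "versionInfo": version, "downloadLocation": "NOASSERTION"}],
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                           "relatedSpdxElement": pkg_id,
                           "relationshipType": "DESCRIBES"}],
    }


# Constructed subordinate SBOMs keyed by the DocumentRef id they will get.
SUBORDINATES = {
    "DocumentRef-app": minimal_sbom("app", "https://example.invalid/spdx/app-1.0", "1.0"),
    "DocumentRef-libfoo": minimal_sbom("libfoo", "https://example.invalid/spdx/libfoo-2.3", "2.3"),
}


def serialize(doc):
    """Bytes exactly as published: the checksum must cover the published form."""
    return json.dumps(doc, sort_keys=True, indent=2).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def compose(subordinates, name, namespace):
    """Build the top-level document.  Each subordinate is pinned by checksum in
    externalDocumentRefs, and every package it DESCRIBES is re-described here
    via the DocumentRef-<id>:SPDXRef-<id> cross-document reference form."""
    ext_refs, rels = [], []
    for ref_id, doc in subordinates.items():
        ext_refs.append({
            "externalDocumentId": ref_id,
            "spdxDocument": doc["documentNamespace"],
            "checksum": {"algorithm": "SHA256",
                         "checksumValue": sha256_hex(serialize(doc))},
        })
        for r in doc["relationships"]:
            if r["relationshipType"] == "DESCRIBES" and r["spdxElementId"] == "SPDXRef-DOCUMENT":
                rels.append({"spdxElementId": "SPDXRef-DOCUMENT",
                             "relatedSpdxElement": "%s:%s" % (ref_id, r["relatedSpdxElement"]),
                             "relationshipType": "DESCRIBES"})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": name,
        "documentNamespace": namespace,
        "creationInfo": {"created": "2022-08-01T00:00:00Z",
                         "creators": ["Tool: example-composer"]},
        "externalDocumentRefs": ext_refs,
        "relationships": rels,
    }


def check_external_refs(composite, fetched):
    """Consumer-side check.  fetched maps externalDocumentId to the raw bytes
    actually retrieved.  Returns the ids that are missing or whose bytes do not
    match the pinned checksum; those must not be trusted as part of the chain."""
    bad = []
    for ref in composite["externalDocumentRefs"]:
        data = fetched.get(ref["externalDocumentId"])
        if data is None or sha256_hex(data) != ref["checksum"]["checksumValue"]:
            bad.append(ref["externalDocumentId"])
    return bad


if __name__ == "__main__":
    top = compose(SUBORDINATES, "product-sbom", "https://example.invalid/spdx/product-1.0")
    print(json.dumps(top, indent=2))
```

Note that the composite only stays meaningful while the subordinate documents are served unchanged at their namespaces; regenerating a subordinate SBOM means regenerating the composite, because its externalDocumentRefs checksum is what ties the three together.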
Re: SPDX Merging
#spdx
Hi,
I’m currently working on a composer tool that supports merging. Shortly to be open-sourced.
Best,
Ivana
---
Ivana Atanasova
Open Source Engineer
VMware Open Source Program
By Ivana Atanasova · #1585

Re: SPDX Merging
#spdx
I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any Java programmers out there who would like to volunteer a solution are welcome to create
By Gary O'Neall · #1584

Re: SPDX Signing
#spdx
Cosign also has a format for doing this: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md
(Different from the attestation i just sent)
By Brandon Lum · #1583

Re: SPDX Signing
#spdx
I've been signing and uploading them with sigstore as an in-toto predicate, but not using the in-toto specified SPDX schema, instead pointing to a URI. Since sigstore has a limit on attestation size
By Brandon Lum · #1582

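The by-reference approach Brandon describes above, as an added example that is neither his code nor sigstore's: an in-toto Statement whose subject is the artifact and whose predicate names the SBOM by URI plus digest, wrapped in a DSSE envelope, with the consumer-side verification that makes the reference safe. The predicate type and layout, the example.invalid URIs, the artifact bytes and the HMAC stand-in for the real signing key are all assumptions (cosign would sign the same DSSE pre-authentication encoding with an actual key or a keyless certificate). The point the verifier enforces: the signature only covers the statement, so the fetched SBOM bytes must be re-hashed and compared to the attested digest before anything in them is trusted, and the statement must actually be about the artifact in hand.

```python
"""Attest an SPDX SBOM by reference (URI + digest) in an in-toto Statement
and verify the binding on the consumer side.  Added example; not Brandon's
or sigstore's code.  Predicate type/layout, URIs, sample bytes and the HMAC
stand-in signer are assumptions; cosign signs the same DSSE PAE with a key."""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
PREDICATE_TYPE = "https://example.invalid/sbom-by-reference/v1"  # assumed custom type

# Constructed inputs: the artifact the SBOM describes, and the SBOM document.
ARTIFACT = b"\x7fELF stand-in for the built binary"
SBOM_BYTES = json.dumps({"spdxVersion": "SPDX-2.3", "name": "app-sbom"}).encode()
SBOM_URI = "https://example.invalid/sboms/app-1.0.spdx.json"  # assumed
SIGNING_KEY = b"demo-hmac-key"  # stand-in for a real signing key


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_statement(artifact_name, artifact, sbom_uri, sbom_bytes):
    """Statement: subject = the artifact; predicate = where the SBOM lives and
    what it must hash to.  The SBOM itself is not embedded (size limits)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"uri": sbom_uri, "mediaType": "application/spdx+json",
                      "digest": {"sha256": sha256_hex(sbom_bytes)}},
    }


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(),
                                    len(payload), payload)


def sign_envelope(statement, key):
    """DSSE envelope.  HMAC-SHA256 stands in for an asymmetric signature here."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope, key, artifact, fetch):
    """Consumer side.  fetch(uri) returns the SBOM bytes.  Returns (ok, reason).
    Order matters: authenticate the statement first, then check it is about
    this artifact, then re-hash what was fetched against the attested digest."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    got = base64.b64decode(envelope["signatures"][0]["sig"])
    if not hmac.compare_digest(expected, got):
        return False, "bad signature"
    stmt = json.loads(payload)
    if stmt["_type"] != STATEMENT_TYPE or stmt["predicateType"] != PREDICATE_TYPE:
        return False, "unexpected statement or predicate type"
    if sha256_hex(artifact) not in {s["digest"].get("sha256") for s in stmt["subject"]}:
        return False, "attestation is not about this artifact"
    pred = stmt["predicate"]
    if sha256_hex(fetch(pred["uri"])) != pred["digest"]["sha256"]:
        return False, "fetched SBOM does not match attested digest"
    return True, "ok"


if __name__ == "__main__":
    env = sign_envelope(build_statement("app", ARTIFACT, SBOM_URI, SBOM_BYTES), SIGNING_KEY)
    print(json.dumps(env, indent=2))
    print(verify_envelope(env, SIGNING_KEY, ARTIFACT, lambda uri: SBOM_BYTES))
```

The URI in the predicate is only a hint about where to look; the digest is the binding. A verifier that fetches the SBOM and skips the digest comparison has gained nothing from the signature, since whoever controls the URL controls what is "attested".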
Re: SPDX Signing
#spdx
May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here.
A recent* Open Source Summit session gave an example of signing SBOMs using sigstore,
By Steve Kilbane · #1581

Re: SPDX Signing
#spdx
Sandeep,
I know it is not a guideline. But we generally use sigstore/cosign to sign SBOMs. In a near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and
By hectorf@... · #1580

Re: SPDX Signing
#spdx
Sandeep,
I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).
REA signs SBOMs using PGP as this seems to be the easiest method to sign stand-alone text
By Dick Brooks · #1579

SPDX Signing
#spdx
Hi All,
Are there any guidelines to sign an SPDX file?
Regards
Sandeep
By Patil, Sandeep · #1578

SPDX Merging
#spdx
Hi All,
Is there any tool to merge two SPDX files?
Regards
Sandeep
By Patil, Sandeep · #1577

SPDX Thurs General Meeting Reminder
Special Presentation this month by Matthew Crawford from Arm:
Title
A new era for SPDX at Arm, are we ready for change?
Let me walk you through the journey of open source software compliance at
By Phil Odence · #1576

Re: [spdx-tech] Important changes to software license information in Fedora packages (SPDX and more!)
I hope you are all ready for the upcoming pains in the next few years. Transitioning Fedora to SPDX is not going to be a happy time for a little while, since there's a huge impedance mismatch between
By Neal Gompa · #1575

Re: [spdx-tech] Important changes to software license information in Fedora packages (SPDX and more!)
Nice. This certainly makes it easy to map from Fedora to SPDX IDs!
SPDX license identifiers have emerged as a standard
Woo hoo!
From: Spdx-legal@... <Spdx-legal@...> on behalf of Steve
By Phil Odence · #1574

Re: [spdx-tech] Important changes to software license information in Fedora packages (SPDX and more!)
Jilayne, this is awesome news -- thanks for passing it along!
Looking forward to us working with the Fedora community to support them adding SPDX license IDs across the distro.
Steve
By Steve Winslow · #1573

Important changes to software license information in Fedora packages (SPDX and more!)
Hot off the press!
Link to blog post of this here: https://communityblog.fedoraproject.org/important-changes-to-software-license-information-in-fedora-packages-spdx-and-more/
By J Lovejoy · #1572

SPDX Spec Version 2.3 Available for Review
Greetings all,
The SPDX spec version 2.3 is now available for review at https://spdx.github.io/spdx-spec/v2.3-RC1/.
A summary of the changes can be found in the SPEC Annex I.
If you
By Gary O'Neall · #1571

Re: Specific SPDX identifier question I didn't see addressed in the specification
Hi all,
Again, this conversation belongs on the SPDX-legal mailing list, not the SPDX-general list. I tried to remedy this early on, but somehow SPDX-legal got dropped and it went back to
By J Lovejoy · #1570

Re: Specific SPDX identifier question I didn't see addressed in the specification
Yes that’s it. I think AND alone could be (and might widely be) misconstrued as to what state is actually being represented.
One solution is for people and tools to correctly understand the
By McCoy Smith · #1569

Re: Specific SPDX identifier question I didn't see addressed in the specification
SPDX is a compliance tool. It's designed to help people comply with their obligations. It doesn't cover every possible eventuality, and this situation falls outside the spec. IMHO.
Having said that,
By Warner Losh · #1568

Re: Specific SPDX identifier question I didn't see addressed in the specification
McCoy,
Your example was about snippets in files, but this also happens one level up:
If there are some files under License-A and some files under License-B, how do you express the license of a
By Alexios Zavras · #1567