SPDX Thurs General Meeting Reminder
EMEA folks - US had not changed clocks yet, so the meeting time at 11 EDT is an hour off from normal for you.
We will have a special presentation from Thomas Steenbergen about how we have been
By Phil Odence · #1595

Re: Unicode
With the colossal caveat that I am only a **consumer of** Unicode's deliverables, I could speak briefly to the concern at point #3:
This is certainly inconvenient, but the Unicode site does host quite
By Nathan Willis · #1594

Unicode
Dear all,
I'm wondering why https://spdx.org/licenses/Unicode-TOU.html is (still)
part of the license list. Could it be deprecated?
1. First of all, the current text of the "Unicode® Copyright and
By Till Jaeger · #1593

IMPORTANT REMINDER: Telco Work Group meeting today - Telco SBOM Spec in Drafting
Dear all
The OpenChain Telco Work Group has a meeting today at 17:00 CEST (15:00 UTC).
This meeting will be of special interest to anyone working on matters related to SBOMs, as the work group is
By Shane Coughlan · #1592

SPDX Thurs General Meeting Reminder
This month’s presentation will be one of the ever popular reports on a Google Summer of Code project:
Project Title: NTIA Conformance Checker – Josh Lin
Project Abstract: This project
By Phil Odence · #1591

General release of SAG-PM Version 1.2 with support for SPDX Version 2.3
REA is pleased to announce the general availability of SAG-PM Version 1.2 with support for SPDX V 2.3 and CycloneDX V 1.4.
This release satisfies the requirements outlined in OMB memo M-22-18
By Dick Brooks · #1590

New Change Proposal process
Dear SPDX community,
As mentioned on a couple of the general calls some time ago, the Steering Committee has been working on a Change Proposal template and process to facilitate communication,
By J Lovejoy · #1589

SPDX Thurs (today) General Meeting Reminder
It’s September! Apologies for the late reminder. I just never hit send yesterday.
Note that the minutes from the August meeting are at the bottom of this email.
This month, there will be no
By Phil Odence · #1588

Re: SPDX Merging
#spdx
Hi,
Just made the sbom-composer tool public. It’s only been run with SBOMs that I generated, so would be very happy to hear your feedback and do any following updates if necessary.
Joe, it
By Ivana Atanasova · #1587

Re: SPDX Merging
#spdx
Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?
By Joe Bussell · #1586

Re: SPDX Merging
#spdx
Hi,
I’m currently working on a composer tool that supports merging. Shortly to be open-sourced.
Best,
Ivana
---
Ivana Atanasova
Open Source Engineer
VMware Open Source Program
By Ivana Atanasova · #1585

Re: SPDX Merging
#spdx
I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any Java programmers out there who would like to volunteer a solution are welcome to create
By Gary O'Neall · #1584

Re: SPDX Signing
#spdx
Cosign also has a format for doing this: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md
(Different from the attestation I just sent)
By Brandon Lum · #1583

Re: SPDX Signing
#spdx
I've been signing and uploading them with sigstore as an in-toto predicate, but not using the in-toto specified SPDX schema but instead pointing to a URI. Since sigstore has a limit on attestation size
By Brandon Lum · #1582

Re: SPDX Signing
#spdx
May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here.
A recent* Open Source Summit session gave an example of signing SBOMs using sigstore,
By Steve Kilbane · #1581

Re: SPDX Signing
#spdx
Sandeep,
I know it is not a guideline. But we generally use sigstore/cosign to sign SBOMs. In the near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and
By hectorf@... · #1580

Re: SPDX Signing
#spdx
Sandeep,
I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).
REA signs SBOMs using PGP as this seems to be the easiest method to sign stand-alone text
By Dick Brooks · #1579

SPDX Signing
#spdx
Hi All,
Are there any guidelines to sign an SPDX file?
Regards
Sandeep
By Patil, Sandeep · #1578

SPDX Merging
#spdx
Hi All,
Is there any tool to merge two SPDX files?
Regards
Sandeep
By Patil, Sandeep · #1577

SPDX Thurs General Meeting Reminder
Special Presentation this month by Matthew Crawford from Arm:
Title
A new era for SPDX at Arm, are we ready for change?
Let me walk you through the journey of open source software compliance at
By Phil Odence · #1576