That’s great, Dick. A very important direction for us IMO. From:spdx@... <spdx@...> on behalf of Dick Brooks <dick@...> Date: Friday, October 15, 2021 at 9:49 AM To: spdx@... <spdx@...> Subject:

Thanks, Phil. Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn. Thanks, Dick

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to

Phil, I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required

A couple of special items for this month’s meeting: Quick status of updated SPDX governance Short presentation by VM (Vicky) Brasseur, Director, Senior Strategy Advisor at Wipro. Her company has

Thanks, Phil – I’m very much looking forward to the configurable profiles capability. Thanks, Dick Brooks Never trust software, always verify and report!

Yes, understood. Thanks, Dick. For that use case, the President was more concerned with a cyber attack that a license violation. This is the point of evolving SPDX to be “configurable” with

Die 14. 09. 21 et hora 17:52 Phil Odence via lists.spdx.org scripsit: I know. I’m just excited by the prospect of synergies and more use of SPDX in the wild! I can already see how the wider

Phil, Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX. From:spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...> Date:

Congratulations! This is indeed a massive step for the software world, and hopefully not just in terms of license compliance! hip hip hurrah! Matija --

The content that went into the standard is the same as what is in our github repo today, and a pretty version is at: https://spdx.github.io/spdx-spec/. The sources for the 2.2.1 are at:

I believe that is correct. It seems an odd systems, but as I understand it, it’s not unusual to have free and paid for versions of specs with the same content. Openchain is, I believe, and example

I’ll defer to Phil or Kate for an official answer, but my understanding is that SPDX will continue to publish the specification directly from the SPDX project to the community, but certain versions

It now costs CHF198 to buy. This is the ISO way, and I think it's literally criminal. As in: violates UN Charter of Human Rights. If it doesn't wind up on the Publically Available Standards list,

"I guess it will..." does not sound very reassuring, to be honest 🤠 So will it definitely become an "ISO Publicly Available Standard" and is that just a question of time? Viele Grü0e, Henk

I guess it will… The OpenChain one took a couple of months to appear, though, so I don’t know how quickly this gets updated. -- zvr

This is wonderful news! Congrats to Kate and everyone else who had a hand in this! Hopefully this means wider adoption and growth for the future! Zachary Fetters Freelance graphic/web

Since the standard was not developed by ISO itself, will the standard be publicly available athttps://standards.iso.org/ittf/PubliclyAvailableStandards/ ? I think it should. Do we know?