Hi, Just made the sbom-composer tool public. It’s been only run with sboms that I generated, so would be very happy to hear your feedback and do any following updates if necessary. Joe, it does the me

#spdx

Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?

#spdx

Hi, I’m currently working on a composer tool that supports merging. Shortly to be open-sourced. Best, Ivana --- Ivana Atanasova Open Source Engineer VMware Open Source Program Office From: spdx@lists.

#spdx

I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any java programmers out there who would like to volunteer a solution is welcome to create a pu

#spdx

Cosign also has a format for doing this: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md (Different from the attestation i just sent)

#spdx

I've been signing and uploading them with sigstore as an intoto predicate, but not using the intoto specified spdx schema but instead pointing to a URI. Since sigstore has a limit on attestation size

#spdx

May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here. A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I

#spdx

Sandeep, I know it is not a guideline. But we generally use sigstore/cosign to sign SBOMs. In a near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and po

#spdx

Sandeep, I’m not aware of any specific guidelines for signing SBOM’s (SPDX and CycloneDX). REA’s signs SBOM’s using PGP as this seems to be the easiest method to sign stand-alone text files, including

#spdx

Hi All, Is there any guidelines to sign SPDX file ? Regards Sandeep

#spdx

Hi All, Is there any tool to merge two spdx file ? Regards Sandeep

#spdx

Special Presentation this month by Matthew Crawford from Arm: Title A new era for SPDX at Arm, are we ready for change? Let me walk you through the journey of open source software compliance at Arm, f

I hope you are all ready for the upcoming pains in the next few years. Transitioning Fedora to SPDX is not going to be a happy time for a little while, since there's a huge impedance mismatch between

Nice. This certainly makes it easy to map from Fedora to SPDX IDs! SPDX license identifiers have emerged as a standard Woo hoo! From: Spdx-legal@... <Spdx-legal@...> on behalf of

Jilayne, this is awesome news -- thanks for passing it along! Looking forward to us working with the Fedora community to support them adding SPDX license IDs across the distro. Steve

Hot off the press! Link to blog post of this here: https://communityblog.fedoraproject.org/important-changes-to-software-license-information-in-fedora-packages-spdx-and-more/ Thanks for the support on

Greetings all, The SPDX spec version 2.3 is now available for review at https://spdx.github.io/spdx-spec/v2.3-RC1/. A summary of the changes can be found in the SPEC Annex I. If you identify any issue

Hi all, Again, this conversation belongs on the SPDX-legal mailing list, not the SPDX-general list. I tried to remedy this early on, but somehow SPDX-legal got dropped and it went back to SPDX-general

Yes that’s it. I think AND alone could be (and might widely be) misconstrued as to what state is actually being represented. One solution is for people and tools to correctly understand the SPDX tags

SPDX is a compliance tool. It's designed to help people comply with their obligations. It doesn't cover every possible eventuality, and this situation falls outside the spec. IMHO. Having said that, o