SPDX Goes ISO


Phil Odence
 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 


Steve Winslow
 

A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

Steve


On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Dick Brooks
 

A truly amazing achievement – well done and congratulations to Kate and the entire SPDX and Linux Foundation community that made this happen.

 

So much looking forward to advancing SPDX interoperability via the DocFest event.

 

Thanks,

 

Dick Brooks

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx@... <spdx@...> On Behalf Of Steve Winslow
Sent: Thursday, September 9, 2021 11:15 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


 

Seconded!

This is tremendously important for the governance ecosystem.

Regards

Shane 

On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:


A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

Steve

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   
<image003.jpg>
   
<image004.jpg>
   
<image005.jpg>

 



--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Phil Odence
 

We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 



On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Richard Purdie
 

On Thu, 2021-09-09 at 15:02 +0000, Phil Odence via lists.spdx.org wrote:
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.
 
Many people have worked hard over the last decade to get us to this point. Big
credit goes to my Steering Committee colleagues who have all been instrumental.
And we should recognize that this was all Kate’s brainchild. I believe it was
Fall of 2009 when she started informally socializing the idea of a standard SBOM
format at Linux Foundation events. Not too long thereafter, in the then single
weekly meeting, early participants began debating whether it should be SPDE,
ultimately deciding “X” at the end would be catchier. And now it’s officially
caught.
 
Here’s the LF press release:
http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
This is great news, very happy to see it and kudos to everyone involved.

People may also be interested to know that we just merged SPDX SBOM generation
into OpenEmbedded-Core, just before our feature freeze for our October release
(3.4).

This means that Yocto Project will have SPDX and hence ISO compliant SBOM
generation out the box from then and hence on our next LTS planned for April.

http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=f1a34a63e44dc444ed213c48bfeab9da1196bfc8
(and following patches)

Cheers,

Richard


 

Please do 🙂

On Sep 10, 2021, at 19:45, Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:



We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 



On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Dick Brooks
 

I just realized that the DocFest will be demonstrating interoperability of an ISO standard SBOM.

Great timing getting the ISO standard status before the 9/16 DocFest. Very cool!

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, September 10, 2021 6:45 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 

 

On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ ?

 

I think it should.

 

Do we know?

 

Marc-Etienne

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, September 9, 2021 5:03 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Goes ISO

 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 


Zachary Fetters
 

This is wonderful news! Congrats to Kate and everyone else who had a hand in this! Hopefully this means wider adoption and growth for the future!

Zachary Fetters
Freelance graphic/web designer.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Thursday, September 9th, 2021 at 11:02 AM, Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



Alexios Zavras
 

I guess it will…

The OpenChain one took a couple of months to appear, though, so I don’t know how quickly this gets updated.

 

-- zvr

 

From: spdx@... <spdx@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Friday, 10 September, 2021 16:40
To: spdx@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: Re: [spdx] SPDX Goes ISO

 

Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ ?

 

I think it should.

 

Do we know?

 

Marc-Etienne

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, September 9, 2021 5:03 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Goes ISO

 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Henk Birkholz
 

"I guess it will..." does not sound very reassuring, to be honest 🤠

So will it definitely become an "ISO Publicly Available Standard" and is that just a question of time?

Viele Grü0e,

Henk

On 13.09.21 09:23, Alexios Zavras wrote:
I guess it will…
The OpenChain one took a couple of months to appear, though, so I don’t know how quickly this gets updated.
-- zvr
*From:* spdx@lists.spdx.org <spdx@lists.spdx.org> *On Behalf Of *Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
*Sent:* Friday, 10 September, 2021 16:40
*To:* spdx@lists.spdx.org
*Cc:* Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@nokia.com>
*Subject:* Re: [spdx] SPDX Goes ISO
Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ <https://standards.iso.org/ittf/PubliclyAvailableStandards/> ?
I think it should.
Do we know?
Marc-Etienne
*From:*spdx@lists.spdx.org <mailto:spdx@lists.spdx.org> <spdx@lists.spdx.org <mailto:spdx@lists.spdx.org>> *On Behalf Of *Phil Odence via lists.spdx.org
*Sent:* Thursday, September 9, 2021 5:03 PM
*To:* SPDX-general <spdx@lists.spdx.org <mailto:spdx@lists.spdx.org>>
*Subject:* [spdx] SPDX Goes ISO
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021 <https://urldefense.com/v3/__https:/www.iso.org/standard/81870.html__;!!A4F2R9G_pg!IzcEk2nRZUdfzZmQ8bT_tVgInVURy_PWptKdAupJoT8av2upo-tStlSbY_4GqlpA$>.
Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.
Here’s the LF press release: http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials <https://urldefense.com/v3/__http:/www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials__;!!A4F2R9G_pg!IzcEk2nRZUdfzZmQ8bT_tVgInVURy_PWptKdAupJoT8av2upo-tStlSbY89Cvfim$>
Best regards,
Phil
**
*L. Philip Odence*
General Manager, Black Duck Audit Business
Synopsys Software Integrity Group, Burlington, MA
M (781) 258-9502 | phil.odence@synopsys.com <mailto:phil.odence@synopsys.com>
https://www.synopsys.com/audits <https://www.synopsys.com/audits>
SIG-emailsig-2020
signature_653089988<https://www.linkedin.com/showcase/sw_integrity/>signature_1312878970<https://twitter.com/SW_Integrity>signature_1721301777<https://www.youtube.com/channel/UC0I_hKR1E-Ty0roBUEQN4Ww>signature_106429426<https://www.facebook.com/SynopsysSoftwareIntegrity>
Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de>
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Michael Richardson
 

It now costs CHF198 to buy. This is the ISO way, and I think it's literally criminal.
As in: violates UN Charter of Human Rights.

If it doesn't wind up on the Publically Available Standards list, then I
think it's just been killed as a specification.
No open source person is going to buy the document.


William Bartholomew
 

I’ll defer to Phil or Kate for an official answer, but my understanding is that SPDX will continue to publish the specification directly from the SPDX project to the community, but certain versions will be also published as ISO standards (the first being 2.2.1 which is materially the same as what’s published on the SPDX site today).

 

William

 

On 9/13/21, 11:34 AM, "spdx@..." <spdx@...> wrote:

 

It now costs CHF198 to buy.  This is the ISO way, and I think it's literally criminal.

As in: violates UN Charter of Human Rights.

 

If it doesn't wind up on the Publically Available Standards list, then I

think it's just been killed as a specification.

No open source person is going to buy the document.

 

 

 

 

 

 

 

 


Phil Odence
 

I believe that is correct. It seems an odd systems, but as I understand it, it’s not unusual to have free and paid for versions of specs with the same content. Openchain is, I believe, and example of same.

 

From: spdx@... <spdx@...> on behalf of William Bartholomew via lists.spdx.org <iamwillbar=github.com@...>
Date: Monday, September 13, 2021 at 2:43 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

I’ll defer to Phil or Kate for an official answer, but my understanding is that SPDX will continue to publish the specification directly from the SPDX project to the community, but certain versions will be also published as ISO standards (the first being 2.2.1 which is materially the same as what’s published on the SPDX site today).

 

William

 

On 9/13/21, 11:34 AM, "spdx@..." <spdx@...> wrote:

 

It now costs CHF198 to buy.  This is the ISO way, and I think it's literally criminal.

As in: violates UN Charter of Human Rights.

 

If it doesn't wind up on the Publically Available Standards list, then I

think it's just been killed as a specification.

No open source person is going to buy the document.

 

 

 

 

 

 

 

 

 


Kate Stewart
 

The content that went into the standard is the same as what is
in our github repo today, and a pretty version is at:  https://spdx.github.io/spdx-spec/.
The sources for the 2.2.1 are at: https://github.com/spdx/spdx-spec that fed into the review
process.   There's some editorial changes we incorporated into the ISO spec after the review, but nothing substantive, and we're working on a plan right now to capture those in SPDX 2.2.2 release.

Net: the ISO version of the specification has some specific formatting requirements 
that ISO requests us to follow (document structure, table numbering, etc.), but the
actual fields are publicly available either at the web link or the github repo directly.

SPDX is a living standard that is evolving with open participation in the SPDX tech
mailing list and calls.   Issues and pull requests are encouraged and welcome as we continue
to evolve to SPDX 3.0.   Once we solidify on the next set of changes, we may decide to submit to ISO, but it's being worked on in the github repo first.

Kate


On Mon, Sep 13, 2021 at 1:34 PM Michael Richardson <mcr@...> wrote:

It now costs CHF198 to buy.  This is the ISO way, and I think it's literally criminal.
As in: violates UN Charter of Human Rights.

If it doesn't wind up on the Publically Available Standards list, then I
think it's just been killed as a specification.
No open source person is going to buy the document.









Matija Šuklje
 

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: matija.suklje@gabbler.org
sip: matija_suklje@ippi.fr


Phil Odence
 

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

 

From: spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...>
Date: Tuesday, September 14, 2021 at 10:31 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm:    tel:+386.41.849.552
www:    https://urldefense.com/v3/__https://matija.suklje.name__;!!A4F2R9G_pg!JDcVm_7nX5ihf6dF-lq5bEdOjwvrwPFEsQEyBY11L-icpBRYY7c2OV2t2w8ajmFojgc$
xmpp:   matija.suklje@...
sip:    matija_suklje@...







Dick Brooks
 

Phil,

 

               Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber risk, i.e. C-SCRM, whereas license management is a Legal/Financial risk.

 

The use of SBOM for license legal risk management is indeed a good practice, but it is not required to satisfy NTIA minimal SBOM requirements for EO 14028.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Tuesday, September 14, 2021 11:53 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

 

From: spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...>
Date: Tuesday, September 14, 2021 at 10:31 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm:    tel:+386.41.849.552
www:    https://urldefense.com/v3/__https://matija.suklje.name__;!!A4F2R9G_pg!JDcVm_7nX5ihf6dF-lq5bEdOjwvrwPFEsQEyBY11L-icpBRYY7c2OV2t2w8ajmFojgc$
xmpp:   matija.suklje@...
sip:    matija_suklje@...






Matija Šuklje
 

Die 14. 09. 21 et hora 17:52 Phil Odence via lists.spdx.org scripsit:
Absolutely not just license compliance. Security too is a
big driver and an important part/direction of SPDX.
I know. I’m just excited by the prospect of synergies and more use of SPDX in
the wild!

I can already see how the wider community would start working together on
joint SPDX documents, fixing issues together, nesting/referring existing SPDX
documents for subcomponents in the SPDX documents of the wider codebase
instead of re-scanning the whole thing over and over again …ah, may the dreams
finally become true! :)


cheers,
Matija
--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: matija.suklje@gabbler.org
sip: matija_suklje@ippi.fr