In the February 2nd, 2023 call, we reviewed the open pull requests on GitHub. All pull requests except one have been merged, with some modifications. The remaining pull request is about when the SBOM should be created. This needs further discussion. See section 3.7. Please review the current document and provide your comments.
Some topics that need review and input:
- The list of mandatory elements in section 3.4
- Section 3.7 SBOM Build information
- Section 3.13 SBOM Verification
- What level of detail do we mandate (package, file, snippet)?
Several “Verification and reference material” and “Rationale” sections are still empty.
The words “shall” and “should” are used. They must be defined.
Also, we need a good name for the specification. Currently in the document we have:
- OpenChain Telecommunications Group SBOM Specification
- OpenChain Telco SBOM specification
- Telco Standard SBOM
- telco standard SBOM
- Telco Group SBOM specification
- Telco SBOM specification
- Telco Profile of SPDX
Marc-Etienne, Telco SIG Chair