During July we had two excellent calls covering the next generations of our license compliance and security assurance specifications.
The first call took place on the 11th of July and allowed North American and European contributors to gather:
The second call took place on the 18th of July and allowed North American and Asian contributors to gather:
Two GitHub issues were central to the discussion:
Align “Terms and Definitions” in Section 2 with Licensing Spec 3.0
Adjust SBOM definition to align with Licensing Spec 3.0
Initially scoped to focus on the Security Assurance specification, the conversations led to improved material for the License Compliance specification as well.
The discussion then proceeded on a related topic:
What is a quality or complete SBOM for licensing or security use cases?
This issue is actively soliciting comments. It is significantly influenced by the forthcoming Telco Spec:
There is a next step to review what the SPDX Lite proposal from the OpenChain Japan community covers:
(See slides 25 and 26)
They have already submitted SPDX Lite for the forthcoming SPDX 3.0 specification via this pull request at the SPDX Project:
Of course, both the next generation License Compliance specification and the next generation Security Assurance specification also have pre-existing open issues for review: