Open Supplychain Information Modeling TC

  • 1.  licenses

    Posted 10-18-2024 18:45

    At some point we will start fleshing out the actual information model. I propose we use the SPDX license list as the basis for that portion of the information model. To my knowledge, all existing SBOM formats use this list as their basis so it's uncontroversial but I would like to get agreement before spending time actually making the information model. So I drafted an FAQ to capture the agreement (presuming we'll agree).

    I, Duncan Sparrell, move that PR #52 (an FAQ on where the license list comes from) be approved, and request that if seconded via this list, and no objections are received via this list within one week (i.e. by 25-Oct-2024 7 PM Eastern), the motion automatically carry and the maintainers may merge the PRs at their convenience.



    ------------------------------
    Duncan Sparrell
    Chief Cyber Curmudgeion
    sFractal Consulting LLC
    Oakton VA
    703-828-8646
    ------------------------------


  • 2.  RE: licenses

    Posted 10-21-2024 12:37
    Please would you add somewhere in the PR the license which governs and allows the inclusion of this data?

    I don't expect it's disallowed or controversial but if we're incorporating the external work of others I think it'd be great as a practice to be explicit about the licenses permitting that.

    On Fri, Oct 18, 2024 at 4:45 PM Duncan Sparrell via OASIS <Mail@mail.groups.oasis-open.org> wrote:
    At some point we will start fleshing out the actual information model. I propose we use the SPDX license list as the basis for that portion of the... -posted to the "OASIS Open Supplychain Information Modeling (OSIM) TC" community






  • 3.  RE: licenses

    Posted 10-21-2024 13:24
    The OWASP SPDX spec is CC-BY-3.0. I think this wins even when using the ISO spec since for the license list, ISO uses the URL to the OWASP list. So that's what I'll use unless anybody says otherwise.

    iPhone, iTypo, iApologize





  • 4.  RE: licenses

    Posted 10-21-2024 15:15

    SPDX itself, of which the license list is a part, is licensed under the "Community Specification License 1.0", identified as SPDX License ID: CC-BY-4.0.

     






  • 5.  RE: licenses

    Posted 10-26-2024 20:32

    Hi Duncan,

    SPDX license list is Linux Foundation - not OWASP - but it is CC-BY-3.0.

    Bob

    Robert (Bob) Martin
    Sr. Software and Supply Chain Assurance Principal Eng.
    Cross Cutting Solutions and Innovation Dept
    Cyber Solutions Innovation Center
    MITRE Labs, MITRE Corporation
    781-271-3001 (o) / 781-424-4095 (c)
    On 10/21/24 1:34 PM, Duncan Sparrell via OASIS wrote:
    The OWASP SPDX spec is CC-BY-3.0. I think this wins even when using the ISO spec since for the license list, ISO uses the URL to the Owasp list.... -posted to the "OASIS Open Supplychain Information Modeling (OSIM) TC" community





  • 6.  RE: licenses

    Posted 10-26-2024 22:52
    Duh! That was just a brain fart. I knew that. I mushed it was LF SPDX and even OWASP CycloneDX used it. My brain outran my fingers.

    iPhone, iTypo, iApologize

    Duncan Sparrell
    sFractal Consulting, LLC
    I welcome VSRE emails. Learn more at http://vsre.info/






  • 7.  RE: licenses

    Posted 10-21-2024 13:30
    Good point. I'll figure out how to word. I'm not sure if it's the OSI license or the OWASP license. OSI adopted the OWASP spec via PAS. 

    Anybody else on list know?

    iPhone, iTypo, iApologize





  • 8.  RE: licenses

    Posted 10-21-2024 13:42
    Consider the motion withdrawn. I'll resubmit once I make the changes. 

    iPhone, iTypo, iApologize