Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)


Kate Stewart
 

Hi Martin,

On Wed, Aug 9, 2017 at 12:44 PM, Martin Callinan <martin.callinan@sourcecodecontrol.co> wrote:
It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90s. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1, the Standard for Software Asset Management, which is a process standard:
https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2, the Software ID Tagging Standard, which is an XML tag definition to tag software that needs to be licensed: https://www.iso.org/standard/53670.html. In a way it is similar to SPDX.

The challenge with using SWIDs is you have to pay for access to the specification:
https://www.iso.org/standard/65666.html
SWIDs also don't have a good human-readable equivalent, as you'll need to use a tool to read one.

Also, as I understand it (please correct me), in order to get a SWID tag assigned, you need to join an organization (TagVault) and pay a fee, which isn't necessarily viable for open source upstream projects and hence for supply chains with open source component dependencies.

Thanks, Kate
 
