Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Kate Stewart

Hi Martin,

On Wed, Aug 9, 2017 at 12:44 PM, Martin Callinan <> wrote:
It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1, the standard for Software Asset Management, which is a process standard.

There is also ISO/IEC 19770-2, the Software ID Tagging standard, which is an XML tag definition for tagging software that needs to be licensed, and which in a way is similar to SPDX.

The challenge with using SWIDs is that you have to pay for access to the specification. SWIDs also don't have a good human-readable equivalent, as you'll need to use a tool to read one.

Also, as I understand it (please correct me), in order to get an SWID tag assigned, you need to join an organization (tagvault) and pay a fee, which isn't necessarily viable for open source upstream projects and hence supply chains with open source component dependencies.

Thanks, Kate
