Re: Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)


Martin Callinan

Hi Kate,

The standard was produced so anybody could create a tag. I once considered it as a service offering. TagVault was started by Steve Klos, who was convener for the writing of ISO 19770-2, and has positioned itself as a certification authority, but that does not stop anybody creating tags without going through TagVault.

I was not meaning to suggest we go down the same route as SWIDs for Open Source, but thought there may be some learnings we can take from the work they have done.

ISO always charges for standards, but their standards have a lot of credibility and a lot of work goes into having a standard recognised.

In the UK there is an organisation called the British Standards Institute (https://www.bsigroup.com/en-GB/our-services/certification/how-to-get-certified/) where they support groups creating standards which can then be moved up to ISO to evolve into an ISO ratified standard. I thought as OpenChain matures it may be logical to aim for ISO certification.

Kind Regards,

Martin

From: Kate Stewart [mailto:kstewart@...]
Sent: 11 August 2017 16:22
To: Martin Callinan <martin.callinan@...>
Cc: Foster, Jeremiah <JFoster@...>; mballhausen@...; stcroppe@...; john@...; openchain@...
Subject: Re: [OpenChain] Verification/Providing Artifacts (was: Onboarding work team - CALL FOR MATERIALS)

Hi Martin,

On Wed, Aug 9, 2017 at 12:44 PM, Martin Callinan <martin.callinan@...> wrote:

It is interesting to see Software Asset Management being referenced. I have been involved in SAM since the late 90's. I was part of a non-profit called Investors in Software that formed to drive standards in managing software (at the time proprietary), which led to the publication of ISO/IEC 19770-1, Standard for Software Asset Management, which is a process standard: https://www.iso.org/standard/56000.html

There is also ISO/IEC 19770-2, Software ID Tagging Standard, which is an XML tag definition to tag software that needs to be licensed (https://www.iso.org/standard/53670.html), which in a way is similar to SPDX.

The challenge with using SWIDs is you have to pay for access to the specification (https://www.iso.org/standard/65666.html). SWIDs also don't have a good human readable equivalent, as you'll need to use a tool to read one.

Also, as I understand it (please correct me), in order to get an SWID tag assigned, you need to join an organization (TagVault) and pay a fee. Which isn't necessarily viable for open source upstream projects and hence supply chains with open source component dependencies.

Thanks, Kate
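Since the thread describes a SWID tag only as an XML tag definition that needs a tool to read, here is an added example (not from this thread, and not code from TagVault, ISO or OpenChain) showing the shape of a minimal ISO/IEC 19770-2:2015 tag and reading it back into a plain-text summary with nothing but the Python standard library. The tag is constructed for illustration: `example-lib`, `example.org`, the license link and the all-zero hash are placeholders, and the parser is my own, not a reference implementation.

```python
import xml.etree.ElementTree as ET

# Namespace of the ISO/IEC 19770-2:2015 SoftwareIdentity schema.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
# XML Encryption SHA-256 identifier that SWID uses for per-file hash attributes.
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample tag for a fictional library; every value below is a placeholder.
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
    name="example-lib" version="1.2.3" versionScheme="semver"
    tagId="example.org/example-lib-1.2.3" tagVersion="1">
  <Entity name="Example Org" regid="example.org" role="tagCreator softwareCreator"/>
  <Link rel="license" href="https://spdx.org/licenses/MIT.html"/>
  <Payload>
    <Directory name="lib">
      <File name="libexample.so" size="1024" SHA256:hash="{'0' * 64}"/>
    </Directory>
  </Payload>
</SoftwareIdentity>
"""


def _walk_files(elem, prefix):
    """Yield (path, size, sha256) for every File under elem, joining Directory names."""
    for child in elem:
        local = child.tag.rsplit("}", 1)[-1]  # strip the namespace part of the tag
        if local == "Directory":
            yield from _walk_files(child, prefix + [child.get("name", "")])
        elif local == "File":
            yield ("/".join(prefix + [child.get("name", "")]),
                   child.get("size"),
                   child.get(f"{{{SHA256_NS}}}hash"))


def summarize_swid(xml_text):
    """Parse a SWID tag and return the fields a human reviewer usually wants."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a SWID 2015 SoftwareIdentity document")
    ns = {"swid": SWID_NS}
    # Entities carry who created the tag and who produced the software (role list).
    entities = [
        {"name": e.get("name"), "regid": e.get("regid"), "roles": e.get("role", "").split()}
        for e in root.findall("swid:Entity", ns)
    ]
    license_links = [
        link.get("href") for link in root.findall("swid:Link", ns) if link.get("rel") == "license"
    ]
    payload = root.find("swid:Payload", ns)
    files = []
    if payload is not None:
        files = [{"path": p, "size": s, "sha256": h} for p, s, h in _walk_files(payload, [])]
    return {
        "name": root.get("name"),
        "version": root.get("version"),
        "tag_id": root.get("tagId"),
        "entities": entities,
        "license_links": license_links,
        "files": files,
    }


def render_summary(summary):
    """Format the summary as plain text, one line per fact."""
    lines = [f"{summary['name']} {summary['version']} (tagId {summary['tag_id']})"]
    for e in summary["entities"]:
        lines.append(f"  entity: {e['name']} [{e['regid']}] roles={','.join(e['roles'])}")
    for href in summary["license_links"]:
        lines.append(f"  license: {href}")
    for f in summary["files"]:
        lines.append(f"  file: {f['path']} size={f['size']} sha256={f['sha256']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(summarize_swid(SAMPLE_TAG)))
```

The parser deliberately reads only the fields that matter for a supply-chain check (identity, who vouches for the tag, license link, and per-file hashes), so the same function can be pointed at a real tag to compare its file hashes against what was actually shipped.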

 
