Security Spec: Revisit Definitions 2.7 - Open Source

Further discussion was contained here:
OpenChain-Project/License-Compliance-Specification#63

Consolidating to this issue (and closing License Compliance Spec Issue 63) because it seems we will conclude with:
• Our current approach appears workable for the market situation
• The one change should be to harmonize between Licensing and Security to this language:
"software subject to one or more licenses that meet the Open Source Definition published by the Open Source Initiative (see opensource.org/osd) or the Free Software Definition published by the Free Software Foundation (see gnu.org/philosophy/free-sw.html) or similar license"

This would involve adding "or similar license" to the Security Assurance Spec.

Full discussion here:
https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/20