Steve Kilbane

So to seed the topic with some ideas….


  1. At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.
  2. Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines, or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?
  3. SBOM distribution methods – especially when the software distribution is embedded.


I recognise that these are not UK-specific, but figure that need not be a barrier.


From: Shane Coughlan
Date: Wednesday, 19 October 2022




Hi Steve

Steve Kilbane wrote:
> The UK OpenChain workgroup had a meeting last week, and there was a lot of great info passed on about what’s been going on in the OpenChain project worldwide over the past few months. There was also some fascinating and thoughtful commentary on the current landscape from Andrew. Perhaps it was the format of the Zoom session, but it seemed to be very much a one-directional session, and it made me wonder what the UK workgroup is up to, right now. Are there specific activities in progress? Are there UK-specific issues under consideration, or that orgs are running into, of which the UK workgroup is aware?
> With the publication of OpenChain as an ISO/IEC standard, there’s been a lot of adoption over the past couple of years, so it’s possible that there are people who are new to the UK mailing list too. If so, like me, they might benefit from a better understanding of what the UK workgroup is up to, presently.
> I think that, towards the end of the session, Andrew and Sami were asking for suggested topics to address, and presumably this mailing list would be the place to make suggestions.

Thank you for this!

I think fostering a round-table discussion format would be an excellent evolution, and the sharing of knowledge from the UK market - and ensuring it goes outward - could be really useful.

How about at the next meeting we focus on having a couple of specific items for workshopping, designed explicitly for interactive discussion?



