Re: Plans for the UK workgroup

Hi Steve!

On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
• At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.
I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream.

Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?

• Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?
This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.

• SBOM distribution methods – especially when the software distribution is embedded.
I recognise that these are not UK-specific, but figure that need not be a barrier.
Some case studies here sound super useful.

Andrew, what do you think?

Regards

Shane
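As an added illustration of the kind of check the SPDX-License-Identifier PRs above would make possible (this is example code, not anything from the workgroup or the thread), the script below audits a source tree for short-form SPDX headers and reports files that lack one or that carry a license outside a chosen allow-list. The project tree, the allow-list and the five-line header window are constructed assumptions for the demo.

```python
import re
import tempfile
from pathlib import Path

HEADER_LINES = 5  # SPDX short-form identifiers are expected near the top of a file
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(.+)")

def find_spdx_expression(text):
    """Return the SPDX license expression from the first lines of a file, or None."""
    for line in text.splitlines()[:HEADER_LINES]:
        m = SPDX_RE.search(line)
        if m:
            # Drop a closing block-comment marker (C "*/", HTML "-->") left on the line
            expr = re.sub(r"(\*/|-->)\s*$", "", m.group(1)).strip()
            return expr or None
    return None

def expression_ids(expr):
    """Split 'MIT OR (Apache-2.0 WITH LLVM-exception)' into its bare identifiers."""
    parts = re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", expr)
    return {p.strip() for p in parts if p.strip()}

def audit_tree(root, allowed, suffixes=(".c", ".h", ".py", ".sh")):
    """Map each source file (relative path) to 'ok', 'missing' or 'unexpected:<ids>'."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue  # only audit files that should carry a header
        expr = find_spdx_expression(path.read_text(errors="replace"))
        if expr is None:
            status = "missing"
        else:
            unexpected = sorted(expression_ids(expr) - set(allowed))
            status = "ok" if not unexpected else "unexpected:" + ",".join(unexpected)
        report[path.relative_to(root).as_posix()] = status
    return report

def demo():
    """Run the audit over a small constructed project tree (sample data, not a real project)."""
    samples = {
        "src/main.c": "/* SPDX-License-Identifier: MIT */\nint main(void) { return 0; }\n",
        "src/util.py": "#!/usr/bin/env python3\n# SPDX-License-Identifier: Apache-2.0 OR MIT\n",
        "src/vendor.c": "// SPDX-License-Identifier: GPL-3.0-only\n",
        "src/legacy.h": "/* no license header at all */\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return audit_tree(tmp, allowed={"MIT", "Apache-2.0"})
```

Running `demo()` on the constructed tree flags `src/legacy.h` as missing a header and `src/vendor.c` as carrying an identifier outside the allow-list, which is exactly the gap a coordinated header PR would close.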