Re: Plans for the UK workgroup

Andrew K

Hi Shane

I concur completely.

@steve, it would be great to have a quick chat to co-ordinate ideas. How about a call next week? And then we can come back to the list with some slightly more structured thoughts and a plan. @shane (and indeed anyone else on the list) - let me know if you would like to participate in that initial chat.

(And apologies for top-posting. My mail client is still misbehaving).

All the best


On 25/10/2022, 14:37, "uk-wg@... on behalf of Shane Coughlan" <uk-wg@... on behalf of scoughlan@...> wrote:

Hi Steve!

> On Oct 20, 2022, at 17:17, Steve Kilbane <stephen.kilbane@...> wrote:
> • At the OpenChain day at the Open Source Summit in Dublin, Andrew asked whether the community could provide reference implementations of compliance as examples. My garbled notes of the day were just a single line of text for this, but I’m interpreting it as (for example) simple projects on GitHub with the associated metadata or config files to tie in with tooling, and resulting outcomes. Or perhaps appropriate SPDX declarations in source files. I dunno – I figure “community could provide examples” is sufficient to warrant some discussion.

I think this is an excellent topic. The bridge between the ideas and standards versus seeing how to implement them is a real challenge. If we could show projects with tooling integration or SPDX prep already done, it shows people how to get started on the topic of final upstream.

Perhaps this UK WG is where we could first display a case study or two, and discuss how relevant that can be for the supply chain?

> • Would it make sense to have a community-led project to improve the compliance stance of popular open-source projects? By this, I mean coordinating the submission of PRs to projects, where the PR (for example) adds SPDX-License identifiers, or makes the project conform to REUSE guidelines or adds configurations for OSS tooling for scanning, or whatever else makes sense that would make it easier to clear the project in a compliance toolchain later?

This is something sorely needed and underdeveloped throughout the market. If the UK WG could do a few items like this and explain how it was done, perhaps we could encourage other WGs and bodies around the world to lend a hand. I like it.

> • SBOM distribution methods – especially when the software distribution is embedded.
> I recognise that these are not UK-specific, but figure that need not be a barrier.

Some case studies here sound super useful.

Andrew, what do you think?
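As an added illustration of the kind of check such PRs make possible (example code written for this page, not from the mailing list, OpenChain or the REUSE project): a small Python script that scans a source tree for the `SPDX-FileCopyrightText:` and `SPDX-License-Identifier:` header lines the REUSE specification asks for, and reports files that lack either tag or use an identifier it does not recognise. The set of accepted license identifiers, the file names and their contents are all constructed for the demo; a real check would validate against the full SPDX license list.

```python
"""Check source files for the SPDX header tags the REUSE specification expects.

Added illustrative code, not part of the mailing-list thread, OpenChain or
the REUSE project. It looks for the two header lines REUSE
(https://reuse.software) asks for in each file:

    SPDX-FileCopyrightText: <year> <holder>
    SPDX-License-Identifier: <SPDX expression>

and reports which files are missing either tag. Identifier validation is
reduced to a small constructed set; a real check would consult the full
SPDX license list.
"""
import re
import tempfile
from pathlib import Path

# Constructed subset of SPDX identifiers, for demonstration only.
KNOWN_LICENSE_IDS = {"MIT", "Apache-2.0", "GPL-2.0-or-later", "BSD-3-Clause", "CC0-1.0"}

HEADER_LINES = 10  # REUSE tags are expected near the top of a file
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*(?P<expr>.+?)\s*(?:\*/|-->)?\s*$")
COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(?P<text>.+?)\s*(?:\*/|-->)?\s*$")


def license_ids(expr):
    """Split an SPDX expression such as 'MIT OR Apache-2.0' into bare identifiers."""
    return {tok for tok in re.split(r"\s+(?:AND|OR|WITH)\s+|[()]", expr) if tok}


def check_file(path):
    """Return a dict describing the REUSE header status of one file."""
    path = Path(path)
    result = {"path": str(path), "name": path.name,
              "copyright": None, "license": None, "unknown_ids": []}
    with open(path, encoding="utf-8", errors="replace") as fh:
        # Only inspect the first HEADER_LINES lines, as REUSE tooling does.
        for _, line in zip(range(HEADER_LINES), fh):
            m = COPYRIGHT_RE.search(line)
            if m:
                result["copyright"] = m.group("text")
            m = LICENSE_RE.search(line)
            if m:
                result["license"] = m.group("expr")
    if result["license"]:
        result["unknown_ids"] = sorted(license_ids(result["license"]) - KNOWN_LICENSE_IDS)
    result["compliant"] = bool(result["copyright"] and result["license"]
                               and not result["unknown_ids"])
    return result


def check_tree(root, suffixes=(".py", ".c", ".h", ".js")):
    """Walk a source tree and return per-file results plus a summary."""
    files = [p for p in sorted(Path(root).rglob("*")) if p.suffix in suffixes]
    results = [check_file(p) for p in files]
    missing = [r["path"] for r in results if not r["compliant"]]
    return {"files": results, "noncompliant": missing, "total": len(results)}


# Constructed sample tree so the script runs offline.
SAMPLE_FILES = {
    "src/good.py": "# SPDX-FileCopyrightText: 2022 Example Contributors\n"
                   "# SPDX-License-Identifier: MIT\n\nprint('ok')\n",
    "src/dual.c": "/* SPDX-FileCopyrightText: 2022 Example Contributors */\n"
                  "/* SPDX-License-Identifier: MIT OR Apache-2.0 */\nint x;\n",
    "src/nolicense.py": "# SPDX-FileCopyrightText: 2022 Example Contributors\n"
                        "print('no license tag')\n",
    "src/badid.js": "// SPDX-FileCopyrightText: 2022 Example Contributors\n"
                    "// SPDX-License-Identifier: Not-A-Real-License\n",
    "src/bare.h": "int y;\n",
}


def build_sample_tree():
    """Write the constructed files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="reuse-demo-")
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def demo():
    """Run the check over the constructed tree and return the summary dict."""
    root = build_sample_tree()
    summary = check_tree(root)
    for r in summary["files"]:
        status = "OK     " if r["compliant"] else "MISSING"
        print(f"{status} {r['name']}  license={r['license']} unknown={r['unknown_ids']}")
    print(f"{len(summary['noncompliant'])} of {summary['total']} files need attention")
    return summary


if __name__ == "__main__":
    demo()
```

Run as-is it reports three of the five constructed files (no license tag, unrecognised identifier, no tags at all) as needing attention; pointing `check_tree()` at a real checkout gives the list of files a REUSE-style PR would need to touch.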


