Funding the SPDX python library

[joshbressers]

A proposal to fix the SPDX python library was discussed during the OpenSSF summit in Austin Texas. This would be a nice, first, big project for this group to take on. This is poorly documented in this notes document.

This proposal was then brought to this group in the meeting on Aug 2

The TAC discussed the issue on Aug 9 and a vote was approved to fund this project

The issue will now move to the governing board for approval, then we can start to push this project forward.

There are still some TODOs for us to tackle assuming GB approval happens

• Track and document progress of the work. We will want to give regular updates to the WG, SIG, TAC, and GB on how work is progressing
• Hold regular checkin meetings with the contractor
  • Who will attend these? We will need to keep the membership of this meeting very small
• Create public announcements about this effort when it begins. This is a huge milestone for SBOM everywhere as it is the first substantial effort to come from the group
  • This will the first of many such funded efforts. How can we secure future funding that comes from workstream sponsors?
• Ensure the python library has a maintainer for future updates and contributions

[david-a-wheeler]

I'm sure @joshbressers already knows this, but in case others are reading:

In the end, only the OpenSSF Governing Board (GB) can approve OpenSSF funding. That said, the GB always wants to hear a review from the TAC first (which I think is quite sensible). At this point, the OpenSSF TAC recommended approving the funding of this work. This proposal will now be sent in the next day or two to the GB for approval. The GB will make the final decision. That said, since the TAC unanimously approved it, I'd guess the odds are good.

[joshbressers]

The GB has approved this proposal 🎉