This repository contains a set of rules and tools for
- declaring metadata about packages, such as
- the licenses the package is available under
- the canonical package name and version
- copyright information
- ... and more TBD in the future
- gathering those license declarations into artifacts to ship with code
- applying organization specific compliance constriants against the set of packages used by a target.
- (eventually) producing SBOMs for built artifacts.
WARNING: The code here is still in active initial development and will churn a lot.
If you want to follow along:
Background reading: These is for learning about the problem space, and our approach to solutions. Concrete specifications will always appear in checked in code rather than documents.