Create a TODO Guide to improve content - topic: Collaboration w SPDX/ACT on supply chain health practice standards
I act as an SME not only for our first-party developers but also for the products we source, which are a majority third-party open components, to attempt to assess the risk of copyright concerns or security exposure.
I have framed this as a "USDA" for open source where we can have objective practices that don't eliminate risk, but indicate safe practices that result in a form of accountable badging.
This ideally simplifies the supplier-side attestation without requiring intrusive analysis, but also provides significant incentives to use projects appropriately, invest upstream in hygiene activities, and generally know what they are selling, since they will be accountable.
1000%, there is a lot of risk for manipulation here in which measures get codified, but with repeated supply chain attacks I think it is making companies ignore the risk rather than acknowledge it and demand more from the suppliers.

> And we showed w CII that we could find some success in setting standards.
Goal
Create a TODO Guide to improve content - topic: Collaboration w SPDX/ACT on supply chain health practice standards
Description
This was ideated in #19 and todogroup/todogroup.org#143
Action Items