tl;dr: How about considering updating debian/copyright format to have more compatibility with SPDX format
SBOM is expected to be used widely and several tools support it as a trend now, since US government asks to use it. There are two formats for it, Software Package Data Exchange (SPDX) and CycloneDX. SPDX is led by the Linux foundation project, OpenChain for license compliance. And CycloneDX is developed by the Open Web Application Security Project (OWASP), so it is intended to use track vulnerabilities, IMO. Well, as I said above, several tools support SPDX and CycloneDX now and continue to be expanded, so I consider it'd be better if debian/copyright has more compatibilities with them, especially SPDX. It would be easier to handle debian/copyright data with tools that are outside of Debian. Making appropriate debian/copyright file is hard and boring task, IMHO, but if non-Debian people also can help it, it would be easier to fix it. Any ideas? -- Hideki Yamane <henr...@iijmio-mail.jp>