nisha

> > Initially, I had looked at content descriptors to describe things and their relationships. > > I do this all over the place, and it's a good pattern. The...

> > Can you list the 3 requirements? - We want to store artifacts that are related to a container image (signatures, SBoM, supplemental artifacts, etc) - We want to...

Yes, I think those two statements are contradictory :). The TOB at this time cannot resolve conflicts without interfering in some way with the goings on of the individual projects....

Please choose your preferred name for the manifest field and API name from the list below: |Image|Distribution|Votes| |--------|---------------|--------| |refers|referrers| @sudo-bmitch @btklein | |affects|affectors|| |connects|connectors|| |qualifies|qualifiers|@nishakm| |attribute|attributes|| |relates_to|relationships|@vsoch @afflom | |subject...

😅 Sorry everyone. Just comment here on which ones you like and I will count the thumbs up from others.

@afflom you can totally vote!

I've removed duplicate votes since more have come out. Seems like `subject/referrers` has won out. Any disputes on the vote?

Tabling until we can figure out if tern can aggregate SPDX documents produced by other tools.

@makefu This project was created to address this issue: https://github.com/spdx/package-licenses-mapping. It's going to take a little while to create the mappings to all known licenses. PRs welcome :)

@rnjudge what do you think?