Sebastian Schuberth
> Is this something that could be fixed upstream in ScanCode instead?

I don't think so. ScanCode already does report Copyright statements without holders (if that's how they're declared in...
> @fviernau Are you planning to continue fixing this PR? We probably cannot upgrade unless also the CycloneDX Java library upgrades.
Also having a look at https://github.com/open-pdf-sign/open-pdf-sign might be useful.
> Please let me know if the ORT project takes as a dependency any of the semantic-copycat libs.

Thanks, will do!

> The components evolve quickly and despite my best efforts,...
> Consider adding support for the PDM package manager.

Actually, [now](https://snarky.ca/why-it-took-4-years-to-get-a-lock-files-specification/) that Python has an official [lock file format specification](https://packaging.python.org/en/latest/specifications/pylock-toml/), and "[PDM](https://pdm-project.org/en/latest/usage/lockfile/) has already been updated to allow users to...
BTW, OpenSSF folks like @joshbressers also draft an SOM QA document over [here](https://docs.google.com/document/d/1teHmlRKvL50GwidZFrfCwpHI9Mhm5dUJsG5KduBC_tI/edit?usp=sharing).
Some commit message hints:
- Please don't add any emoticons.
- Properly end sentences with a dot.
- Add the `Signed-off-by` to the commit message, not only to the PR...
The fixup commit still needs to be squashed into the first one.
@bennati, @tsteenbe, how should we proceed with this?
> This looks like a runtime problem unrelated to the Docker image so that shouldn't keep us from wrapping this up.

Indeed. That looks more like an issue with a...