Specify relationship between standardName and standardCompliance
bact opened this issue · 0 comments
Background
In SPDX 3.0, we have two properties related to standards:
- Core/standardName
  - Summary: The name of a relevant standard that may apply to an artifact.
  - Description: Various standards may be relevant to useful to capture for specific artifacts.
- AI/standardCompliance
  - Summary: Captures a standard that is being complied with.
  - Description: A free-form text that captures a standard that the AI software complies with. This includes both published and unpublished standards, such as those developed by ISO, IEEE, and ETSI. The standard may, but is not necessarily required to, satisfy a legal or regulatory requirement.
What can be improved
There are at least two things we can improve here:
- Amend the summary/description to explicitly specify the difference between the two properties and how they can work together
- Consider revising the description and making standardCompliance more generic, allowing it to be used in a non-AI context (in a non-breaking way for SPDX 3.x)
  - Moving the property to the Core Profile will change the IRI and is a breaking change, but amending the description will not.
Proposals
- Keep both and use them in different ways (that can complement each other). Currently, in the AI BOM whitepaper (to be released), @bennetkl distinguished the two in this way:
  - standardName: standards adhered to but for which compliance was not obtained
  - standardCompliance: standards for which compliance was obtained (for example, from a third-party attestation or certification)
- Drop/deprecate standardCompliance. Modify the model description of standardCompliance to say that this property is deprecated and standardName is preferred. From this commit comment, 027a1fa, it looks like standardName was created with AI and Dataset Profiles in mind in the beginning.
See also
- #387 proposes additional fields related to standards
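The first proposal above only works if consumers of an SPDX document can tell the two properties apart mechanically. The following is an added example, written for this discussion and not code from the SPDX project or the whitepaper, that applies the whitepaper's distinction from the consumer side: it reads a single AI package element, reports every standard in the "compliance obtained" or "adhered to, compliance not obtained" bucket, and surfaces standards that appear under both properties so a reviewer can decide whether the duplicate is intentional. The property names standardName and standardCompliance come from the issue; the prefixed JSON key ai_standardCompliance, the type value ai_AIPackage, the spdxId and the sample standard lists are assumptions and constructed sample data, not taken from the issue.

```python
"""Consumer-side reading of standardName vs. standardCompliance.

Added example for the SPDX issue discussion; not part of the SPDX spec or
any SPDX tool. Key names beyond "standardName" are assumptions about the
JSON-LD serialization.
"""
from typing import Any, Dict, List, Optional

# Constructed sample element (not from the issue). "ISO/IEC 42001" is listed
# under both properties on purpose so the overlap check has something to find.
SAMPLE_AI_PACKAGE: Dict[str, Any] = {
    "type": "ai_AIPackage",                               # assumed type name
    "spdxId": "https://example.invalid/spdx/ai-package-1",  # constructed id
    "name": "example-model",
    "standardName": ["ISO/IEC 42001", "ISO/IEC 23894"],
    "ai_standardCompliance": ["ISO/IEC 42001", "IEEE 7001"],  # assumed key
}

ADHERED = "adhered to, compliance not obtained"   # standardName only
ATTESTED = "compliance obtained"                  # standardCompliance


def _as_list(value: Optional[Any]) -> List[str]:
    """Accept a missing value, a single string, or a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def classify_standards(element: Dict[str, Any],
                       compliance_key: str = "ai_standardCompliance") -> Dict[str, str]:
    """Map each named standard to its status under the whitepaper's reading.

    A standard under the compliance property counts as attested; a standard
    only under standardName counts as adhered to without obtained compliance.
    When a standard appears under both, the attested status wins here and
    the overlap is reported separately by overlapping_standards().
    """
    named = _as_list(element.get("standardName"))
    complied = _as_list(element.get(compliance_key))
    status: Dict[str, str] = {}
    for std in complied:
        status[std] = ATTESTED
    for std in named:
        status.setdefault(std, ADHERED)
    return status


def overlapping_standards(element: Dict[str, Any],
                          compliance_key: str = "ai_standardCompliance") -> List[str]:
    """Standards listed under both properties; worth a second look."""
    named = set(_as_list(element.get("standardName")))
    complied = set(_as_list(element.get(compliance_key)))
    return sorted(named & complied)


def unattested_standards(element: Dict[str, Any],
                         compliance_key: str = "ai_standardCompliance") -> List[str]:
    """Standards the producer claims to follow without attested compliance."""
    status = classify_standards(element, compliance_key)
    return sorted(s for s, st in status.items() if st == ADHERED)


if __name__ == "__main__":
    for std, st in sorted(classify_standards(SAMPLE_AI_PACKAGE).items()):
        print(f"{std}: {st}")
    print("listed under both properties:", overlapping_standards(SAMPLE_AI_PACKAGE))
    print("claimed without attestation:", unattested_standards(SAMPLE_AI_PACKAGE))
```

Running the block on the constructed element reports IEEE 7001 and ISO/IEC 42001 as compliance obtained, ISO/IEC 23894 as adhered to without obtained compliance, and ISO/IEC 42001 as the one standard listed under both properties. If the second proposal (deprecating standardCompliance) is taken instead, the compliance bucket simply stays empty and every standard lands in the adhered-to bucket, which is exactly the loss of information the first proposal argues against.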