Skip to Main Content
The Apache Software Foundation
Apache 20th Anniversary Logo

ECMA Relations

This was extracted (@ 2025-06-25 23:10) from a list of minutes which have been approved by the Board.

Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting. ASF Members may have access to a private draft of these still-unapproved minutes.

WARNING: these pages may omit some original contents of the minutes.
This is due to changes in the layout of the source minutes over the years. Fixes are being worked on.

21 May 2025 [Piotr Karwasz]

The ECMA TC 54 (Software Transparency) committee is currently working on three
standards, due to be published at the end of 2025, and updates to the
CycloneDX standard:

1. Transparency Exchange API[1]: The standard will specify a common HTTP API
 to query security-related documents (SBOMs, vulnerability disclosures,
 attestations, end-of-life dates, etc.) from a software vendor.

 A beta1 of TEA was released on May 9th. The standard is still not stable
 with frequent changes to the specification. When it will become stable,
 around September, it would interesting to integrate it into ATR.

 [1] https://github.com/CycloneDX/transparency-exchange-api

2. Package URL: The standard aims at assigning an identifier to each software
 package and replace the CPE standard that is used in vulnerability
 disclosures.

 The standard is mature and will not introduce any breaking changes. The CVE
 Project is considering PURL as a replacement for CPE and
 `collectionURL/packageName` identifiers currently used to designate
  affected packages.

 PURLs are used to designate the "convenience binaries" that the ASF
 publishes to ecosystem-specific repositories, but there is also a
 proposal[2] to create a PURL type for the source and binary archives
 publishes on `downloads.apache.org`.

 [2] https://github.com/package-url/purl-spec/issues/305

3. Common Lifecycle Enumeration: The purpose of the standard is to provide
 end-of-life and other lifecycle information for software releases in a
 uniform way. Currently there is only a draft of the standard available at
 [3].

 The types of events considered by CLE are mostly targeted at commercial
 companies. Some input from the ASF might be required to include the
 lifecycle events of OSS projects. Since I am unable to attend CLE meetings,
 I will ask for volunteers among ASF members.

 Since lifecycle information (EOL dates) are very hard to find, even in
 human-readable form, it might be useful to ask PMCs to include a webpage
 that lists the support status of all the published software releases.

 [3] https://github.com/Ecma-TC54/tg3/pull/3

4. Related to CLE, an OSS Sustainability WG[4] was created inside CycloneDX.
 Its purpose is to mark projects that lack active maintenance, like projects
 in the Attic or the dormant subprojects of TLPs.

 I am not actively participating in the meetings of this group.

 [4]: https://cyclonedx.org/participate/working-groups/

16 Apr 2025 [Piotr Karwasz]

A report was expected, but not received

19 Mar 2025 [Piotr P. Karwasz]

A report was expected, but not received