There are no new documents, it's all about following the LoRaWAN specification. If you buy any LoRaWAN compliant device, you should either be able to set the addresses yourself, or it should use over-the-air activation (OTAA). Device Addresses indicate the network operator the device belongs to, so if you bought a device with a fixed address, it is also fixed to that operator. You can find the list here: https://www.thethingsnetwork.org/wiki/LoRaWAN/Address-Space
There are a couple of "red flags" for non-compliant, incompatible, unsafe or "crappy" devices, which basically boils down to:
If anything other than the DevEUI is fixed, it's probably bad (fixed meaning that you as a developer can't change it)
- Fixed Device Address (DevAddr) - this means your device is locked to a specific operator
- Fixed Security Keys (NwkSKey, AppSKey, AppKey) - this is obviously insecure
- Fixed Single Channel/Frequency - that's really bad for the network, don't use only one frequency unless you really know what you're doing
- Fixed SF12 data rate - that's really bad for the network and energy consumption of your device. The LoRa Alliance requires network operators to block devices that are fixed to SF12
When shopping, try to find devices that are LoraWAN Certified. Always prefer devices that allow you to change the address and security keys.