https://wiki.spdx.org/api.php?action=feedcontributions&user=Podence&feedformat=atomSPDX Wiki - User contributions [en]2024-03-29T08:35:17ZUser contributionsMediaWiki 1.23.13https://wiki.spdx.org/view/University_ParticipationUniversity Participation2022-09-08T15:35:53Z<p>Podence: </p>
<hr />
<div>>>>>>>>>><br />
*THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx <br />
>>>>>>>>><br />
<br />
<br />
This page outlines participation by universities and students around SPDX. Support for these projects has been provided by the National Science Foundation, the University of Nebraska at Omaha, The Linux Foundation, Texas Instruments, Hewlett Packard, Google, and the entire SPDX community. <br />
<br />
== Google Summer of Code ==<br />
<br />
=== GSOC 2014 ===<br />
<br />
For the first time, the Linux Foundation’s SPDX Workgroup participated in the 2014 Google Summer of Code internship program. The goal was to engage students in open source projects, teach them a bit about open source compliance, and introduce them to open source community members. We had excellent engagement in our first year, with a total of four projects accepted from three different universities. These projects helped advance SPDX by connecting the specification with open source programming languages and open source license scanners, and moved SPDX into communities that can aid and benefit from the distribution of open compliance practices. The specific projects, and the students who worked on them, were:<br />
<br />
'''Python SPDX Parser Library'''<br />
''- Ahmed Hisham Ismail at the German University in Cairo''<br />
<br />
'''GO SPDX Parser Library'''<br />
''- Vlad Velici at the University of Southampton''<br />
<br />
'''SPDX Merge Tool'''<br />
''- Alex Ling at the University of Nebraska Omaha''<br />
<br />
'''FOSSology+SPDX Tooling'''<br />
''- Zachary McFarland at the University of Nebraska Omaha.''<br />
<br />
We would like to thank the Linux Foundation, specifically Till Kamppeter, for their support in the SPDX Google Summer of Code projects. We would also like to thank Google for providing the opportunity for university students to engage in these amazing projects.<br />
<br />
== Conference Participation ==<br />
<br />
===LinuxCon, Linux Collaboration Summit, and the Linux Open Compliance Summit===<br />
<br />
Since 2012, students have been active participants at LinuxCon, the Linux Foundation’s Collaboration Summit, and the Linux Foundation’s Open Compliance Summit. Their participation has included the introduction of students to open source communities, the presentation of university open compliance tooling projects, and the advancement of the SPDX standard with fellow community members.</div>Podencehttps://wiki.spdx.org/view/Business_TeamBusiness Team2022-09-08T15:34:13Z<p>Podence: </p>
<hr />
<div>
<br />
This is the working area for the Outreach (formerly Business) Team. This team has primary responsibility for go-to-market activities of SPDX, including: launch activities for new versions of the SPDX specification; outreach; participation in events; and the SPDX website.<br />
<br />
The Outreach Team meets every other Thursday at 18:00 GMT (10:00AM PT, 11:00 MT, 12:00 CT, 1:00PM ET) starting on 14 January 2016.<br />
<br />
Call this number: (United States): +1-857-216-2871 <br />
User PIN: 38633 <br />
International: visit the URL at http://uberconference.com/SPDXTeam<br />
<br />
<br />
* [[Business_Team/Priorities|Current Priorities and Work in Progress for the Outreach Team]]<br />
* [[Business_Team/Minutes|Meeting Minutes for the Outreach Team]]<br />
* [[Business_Team/Old|Older Items for the Outreach Team]]<br />
* [[SPDX_FAQ|SPDX FAQs]]<br />
<br />
[[Category:Business]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/MinutesGeneral Meeting/Minutes2022-09-08T15:33:40Z<p>Podence: </p>
<hr />
<div>
<br />
<br />
<br />
These are the meeting minutes and decisions for the General Meeting.<br />
<br />
{{#subpages:|format=ul|kidsonly=no|pathstyle=none|sort=desc}}<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/Technical_TeamTechnical Team2022-09-08T15:30:24Z<p>Podence: </p>
<hr />
<div>
<br />
This is the working area for the technical team. This team has primary responsibility for drafting the specification and developing documentation, templates, samples and tools.<br />
<br />
The Technical Team meets weekly on Tuesdays at 16:00 UTC (and best guess for local time – 9:00AM PDT, 10:00 AM MDT, 11:00 AM CDT, 12:00PM EDT, 18:00 CEST).<br />
<br />
* Canada +1 647 558 0588<br />
* Germany +49 30 3080 6188<br />
* Japan +81 3 4578 1488<br />
* US Toll-free 877 369 0926<br />
* Find your local number: https://zoom.us/u/ac9KKJWzJT<br />
<br />
Zoom meeting:<br />
* https://zoom.us/j/663426859<br />
* Meeting ID: 663 426 859<br />
<br />
* [[Technical_Team/SPDX_Upcoming_Meetings|SPDX Upcoming Meeting Agenda]]<br />
* [[Technical_Team/SPDX_Specification_Versions|SPDX Specification Versions]]<br />
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms|SPDX RDF Vocabularies and Terms]]<br />
* [[Technical_Team/Minutes|Meeting Minutes for the Technical Team]]<br />
* [[Technical_Team/Priorities|Current Priorities and Work in Progress for the Technical Team]]<br />
* [[Technical_Team/Old|Older Items for the Technical Team]]<br />
* [[Technical_Team/Field_Names|Field Names]]<br />
* [[Technical_Team/Spreadsheet_Template|Spreadsheet Template]]<br />
<br />
[[Category:Technical]]</div>Podencehttps://wiki.spdx.org/view/Legal_TeamLegal Team2022-09-08T15:30:05Z<p>Podence: </p>
<hr />
<div>
<br />
This is the old working area for the Legal Team and is no longer used, but retained for historical work that was captured here. <br />
<br />
Please see https://spdx.dev/participate/legal/ for current information. <br />
<br />
The SPDX Legal Team supports and provides recommendations to the SPDX working groups regarding licensing issues for the specification itself; maintains the [http://spdx.org/licenses/ SPDX License List]; and promotes the SPDX specification to the legal community at-large.<br />
<br />
* [https://github.com/spdx/meetings/tree/master/legal Meeting Minutes of the Legal Team - June 2020 onward]<br />
* [[Legal_Team/Minutes|Meeting Minutes of the Legal Team - prior to March 2020]]<br />
* [[Legal_Team/Resources|Resources]]<br />
* [[Legal_Team/Decisions|Decisions of the Legal Team]] - summaries of past significant decisions of the SPDX Legal Team<br />
* [[Legal_Team/Archive|Archive]]<br />
<br />
'''Working pages for project in progress:'''<br />
* [[Legal_Team/non-English-licenses|Working page for policy on how to handle non-English licenses and matching]]<br />
<br />
<!-- * [[Legal_Team/Old|Older Items for the Legal Team]] nothing there, so hiding this link --><br />
<!--* [[Legal_Team/Priorities|Current Priorities and Work in Progress for the Legal Team]] link not really useful--><br />
<br />
[[Category:Legal]]</div>Podencehttps://wiki.spdx.org/view/General_MeetingGeneral Meeting2022-09-08T15:28:58Z<p>Podence: </p>
<hr />
<div>
<br />
This is the working area for the General Team. This team has primary responsibility for summarizing the activities of the three working teams and discussing cross-functional issues. The minutes of this monthly meeting provide a good summary of what's going on across the SPDX group, so signing up for the General Meeting mailing list is a good way to stay in touch. <br />
<br />
The General Team meets on the first Thursday of every month at 11:00 US Eastern time (EST or EDT, depending on the season).<br />
Join the meeting:<br />
https://meet.jit.si/SPDXGeneralMeeting<br />
To join by phone instead, tap this: +1.512.647.1431,,1310118349#<br />
Looking for a different dial-in number?<br />
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting<br />
If also dialing-in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true<br />
<br />
* [[General_Meeting/Minutes|Meeting Minutes]]<br />
* [[General_Meeting/Presentation_Materials|Presentation Materials]]<br />
* [[General_Meeting/Old|Older Items]]<br />
<br />
[[Category:General]]</div>Podencehttps://wiki.spdx.org/view/Main_PageMain Page2022-09-08T15:28:33Z<p>Podence: </p>
<hr />
<div>
<br />
<br />
The Software Package Data Exchange® (SPDX®) [https://spdx.org/specifications specification] is a standard format for communicating the components, licenses and copyrights associated with a software package. This wiki site is one of the workspaces for SPDX Teams, along with our [https://github.com/spdx/ organisation on GitHub] and [https://lists.spdx.org/ mailing lists]. Please see [http://spdx.org spdx.org] for general information, the current specification, license list, etc.<br />
<br />
'''Documents'''<br />
* [[Documents|Working with SPDX Documents and the License List]]<br />
* [[SPDXReports | SPDX Reports]]<br />
'''Team Work Areas'''<br />
* [[General Meeting]]<br />
* [[Outreach Team | Outreach Team]]<br />
* [[Legal Team]]<br />
* [[Technical Team]]<br />
** [[Canonicalisation Committee]]<br />
* [[Old|Older Information]]<br />
'''Other'''<br />
* [[Business_Team/Tool_Link_Request | Tool Link Request and Process]]<br />
* [[GSOC | Google Summer of Code]]<br />
<br /> <br />
This is a media wiki. See [[Getting started with the SPDX wiki]]. Note that you need an account on the wiki to edit. See the Getting started page to request one.</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-12-02General Meeting/Minutes/2021-12-022021-12-07T15:25:46Z<p>Podence: </p>
<hr />
<div>* Attendance: 33<br />
* Led by Phil Odence<br />
* Minutes from last approved<br />
<br />
* Phil will make the company membership announcement before the end of the week<br />
* We will be moving General Meeting minutes to GitHub and crowdsourcing them during meetings.<br />
<br />
== Microsoft and SPDX - Adrian/Steve ==<br />
<br />
* Microsoft standardizing on SPDX [Adrian Giglio]<br />
** Why SPDX?<br />
*** On ISO standard path<br />
*** Already participating<br />
*** Great group<br />
** Why build their own tool?<br />
*** Already had tooling<br />
*** Easy to move to SPDX<br />
*** Needed certainty to meet NTIA standards<br />
*** Utilize MS Detection<br />
*** Needed a great range of environments<br />
*** Support for very large, complex build systems; layered builds<br />
** The Tool<br />
*** Built on .Net and available for Windows/Linux/Mac<br />
*** Available as build step in Azure<br />
*** Plan is to open source<br />
*** Pulls OSS data from a variety of build system formats<br />
** Future<br />
*** Proving by early March, then rolling out across Microsoft<br />
*** Exploring different methods of SBOM distribution including web portal<br />
*** Exploring signing with others in the industry<br />
<br />
* MCR Distributing SPDX SBOMs for Microsoft content [Steve Lasker]<br />
** How to distribute secured supply chain components? Specifically SBOMs<br />
** Supply chain artifact challenges:<br />
*** artifacts get promoted across environments, including production assets getting pulled from the Internet into restricted networks<br />
*** private virtual networks within cloud infrastructure<br />
** Solution: Validation artifacts need to travel together with the supply chain objects<br />
*** by default, SBOM might get blocked from being accessed due to "airgapped" / VNet setup<br />
*** instead, create a private registry within each vnet; with shared internal registry hosting all artifacts + SBOMs, then promoted into each vnet<br />
** ORAS: need signatures to be separable, verifiable, able to be validated, prior to bringing artifact / binary into the environment<br />
*** Microsoft built this for Azure Container Registry, but customers share with other registries and other infrastructure; registries should be a broader standard => OCI Artifacts, ORAS Artifacts<br />
*** Signatures and SPDX SBOMs get attached to the graph<br />
*** ACR support for ORAS Artifacts today => customers can store SPDX SBOMs today: https://aka.ms/acr/supply-chain-artifacts<br />
** Opportunity: having SPDX document travel alongside the target artifact; CLI that can natively push / pull / validate SPDX SBOMs to Registries<br />
** What does the SPDX community want to see in an SBOM?<br />
*** recording EULA text?<br />
*** something validated at the time the content is used? => needs to be accessible along with the artifact itself<br />
<br />
* Questions/Comments<br />
** Dick: what about having vulnerability disclosures together as a part of the distributed info?<br />
*** Appreciate that the SPDX structure enables describing all the pieces of what went into a software build in the first place => static information at a point in time<br />
*** Scan results are things that you learn about over time => e.g. might learn later about a problem that was discovered after it was shipped<br />
*** Scan results will continue to be additive, whereas the SBOM itself doesn't change<br />
*** Dick: some vendors are running scans and producing NVD reports together with vendor's findings; making that info available together with the SBOM. During customer risk assessments, they can see beforehand if a CVE is reported => if shows up in the disclosure, that helps address the risk.<br />
*** Scan results, etc., could be attached to the other documents that are included in the registry<br />
*** Eventually, looking to have a web-browsable portal to easily access these documents. But, the automation is the interesting part.<br />
** Just this morning, this was announced to be becoming part of an OCI working group; previously getting proven within the ORAS project<br />
** Sebastian: Ostree (Fedora): https://fedoraproject.org/wiki/Changes/OstreeNativeContainer<br />
** Signature format: shipped in Notary v2, but working on expanding via conversations with the broader community. Needs to be able to be validated broadly.<br />
** Dick: NIST workshop that took place this week: ability to distribute SDLC evidence and policy data. Will that be part of this?<br />
*** Viewing this as plumbing / core infrastructure, in a generic way; new types will emerge for what types of artifacts are used to be deployed / promoted on this infrastructure<br />
*** Because it's generic / abstracted, any new type can be hosted on this infrastructure<br />
<br />
<br />
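The "validation artifacts travel with the supply chain object" pattern discussed above, as an added example that is not code from Microsoft, ORAS, Notary or the SPDX project: a small Python admission gate that, before an artifact is allowed into an environment, first verifies a detached signature over the exact SPDX JSON bytes that shipped with it and only then parses the SBOM and checks that its SHA256 package checksum matches the artifact that arrived alongside. The artifact bytes, document namespace, tool name and signing key are constructed placeholders, and HMAC-SHA256 stands in for a real asymmetric signature such as the Notary v2 signatures mentioned in the notes; the point is the order of checks and the binding between SBOM and artifact, not the primitive.<br />

```python
import hashlib
import hmac
import json

# Constructed sample inputs; not real Microsoft, ORAS or SPDX project data.
ARTIFACT = b"\x7fELF-constructed-sample-layer-bytes-v1.2.3"
SIGNING_KEY = b"demo-shared-secret-stand-in-for-real-key-material"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sbom(artifact: bytes, name: str, version: str) -> dict:
    """Build a minimal SPDX 2.2 JSON document that describes `artifact`.

    Field names follow the SPDX 2.2 JSON schema; namespace, creator and
    timestamp are placeholders (assumption).
    """
    pkg_id = "SPDXRef-Package-" + name
    return {
        "spdxVersion": "SPDX-2.2",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{name}-{version}",
        "documentNamespace": f"https://example.invalid/spdx/{name}-{version}",
        "creationInfo": {"created": "2021-12-02T00:00:00Z",
                         "creators": ["Tool: example-sbom-gen"]},
        "documentDescribes": [pkg_id],
        "packages": [{
            "name": name,
            "SPDXID": pkg_id,
            "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": "NOASSERTION",
            # This checksum is what binds the SBOM to one concrete artifact.
            "checksums": [{"algorithm": "SHA256",
                           "checksumValue": sha256_hex(artifact)}],
        }],
    }


def serialize(sbom: dict) -> bytes:
    # Deterministic bytes so the signature covers exactly what is shipped.
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def sign(sbom_bytes: bytes, key: bytes) -> str:
    # HMAC-SHA256 stands in for a detached asymmetric signature (assumption).
    return hmac.new(key, sbom_bytes, hashlib.sha256).hexdigest()


def signature_valid(sbom_bytes: bytes, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(sbom_bytes, key), sig)


def binding_problems(sbom: dict, artifact: bytes) -> list:
    """Return why `sbom` fails to bind to `artifact`; empty means it binds."""
    problems = []
    if not str(sbom.get("spdxVersion", "")).startswith("SPDX-2."):
        problems.append("unsupported or missing spdxVersion")
    # Packages the document claims to describe: documentDescribes, or an
    # explicit DESCRIBES relationship from the document element.
    described = set(sbom.get("documentDescribes", []))
    for rel in sbom.get("relationships", []):
        if (rel.get("relationshipType") == "DESCRIBES"
                and rel.get("spdxElementId") == sbom.get("SPDXID")):
            described.add(rel.get("relatedSpdxElement"))
    pkgs = [p for p in sbom.get("packages", []) if p.get("SPDXID") in described]
    if not pkgs:
        problems.append("document describes no package")
    actual = sha256_hex(artifact)
    for pkg in pkgs:
        declared = [c["checksumValue"].lower() for c in pkg.get("checksums", [])
                    if c.get("algorithm") == "SHA256"]
        if not declared:
            problems.append(f"{pkg.get('SPDXID')}: no SHA256 checksum")
        elif actual not in declared:
            problems.append(f"{pkg.get('SPDXID')}: SHA256 mismatch, "
                            "SBOM does not describe this artifact")
    return problems


def admit(artifact: bytes, sbom_bytes: bytes, sig: str, key: bytes):
    """Decide whether `artifact` may enter the environment.

    Order matters: verify the signature over the raw SBOM bytes before
    parsing them, so unauthenticated JSON is never interpreted, then check
    that the SBOM actually describes the bytes that arrived with it.
    """
    if not signature_valid(sbom_bytes, sig, key):
        return False, ["SBOM signature invalid"]
    try:
        sbom = json.loads(sbom_bytes)
    except ValueError as exc:
        return False, [f"SBOM is not valid JSON: {exc}"]
    problems = binding_problems(sbom, artifact)
    return not problems, problems


if __name__ == "__main__":
    sbom_bytes = serialize(make_sbom(ARTIFACT, "sample-layer", "1.2.3"))
    sig = sign(sbom_bytes, SIGNING_KEY)
    print(admit(ARTIFACT, sbom_bytes, sig, SIGNING_KEY))          # admitted
    print(admit(ARTIFACT + b"\x00", sbom_bytes, sig, SIGNING_KEY))  # mismatch
```

In a registry-backed deployment the three inputs would be the artifact blob, the SBOM blob attached to it in the registry graph, and the signature blob attached alongside; the gate is the same, and a scan result or vulnerability disclosure published later would be a separate attached document checked by its own policy, which is why the SBOM itself can stay immutable.<br />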
== Tech Team Report – Kate/Gary/Others ==<br />
* Tools<br />
** New release of SPDX Java Tools available at https://github.com/spdx/tools-java/releases/tag/v1.0.3<br />
* Specification<br />
** Focused on the Core modeling<br />
** Made progress on collections, packages, and document definitions and relationships<br />
** Significant testing of the model with different use cases and serialization considerations<br />
<br />
<br />
== Legal Team Report - Jilayne/Pau/Steve ==<br />
* License List version 3.15 was released and published to https://spdx.org/licenses on Nov. 14<br />
* Shortened month for meetings due to Thanksgiving holiday in US<br />
* Warner Losh presented to the team about FreeBSD's use of SPDX short-form license identifiers: https://docs.google.com/presentation/d/1mRWj7DCiicK57BqD4XzUMSZs51TpUUIYIgI-UcB8XDw/edit#slide=id.p<br />
<br />
== Outreach Team Report - ==<br />
* No update, but Sebastian sent an email to the General Meeting list with notes on behalf of the team.<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Adrian Digli, Microsoft<br />
* Steve Lasker, Microsoft<br />
* Sebastian Crane<br />
* Steve Winslow, Boston Technology Law<br />
* Dick Brooks, REA<br />
* Rich Steenwyk, GE Healthcare<br />
* Annie <br />
* Brad Goldring, GTC<br />
* Jeff Schutt, Cisco<br />
* David Edelsohn, IBM<br />
* Jilayne Lovejoy, Red Hat<br />
* Aveek Basu, NextMark Printers<br />
* Marc Gisi, Windriver<br />
* Gary O’Neall, SourceAuditor<br />
* Philippe Ombrédanne- nexB<br />
* Alex Rybek<br />
* Brend Smits, Philips<br />
* Christopher Lusk, Lenovo<br />
* Christopher Phillips<br />
* Fellow Jitser<br />
* Mashid<br />
* Kendra Morton<br />
* Marco<br />
* Majira<br />
* Michael Herzog- nexB<br />
* Mike Nemmers<br />
* Molly Menoni<br />
* Paul Madick, Jenzabar<br />
* Rose Judge, VMWare<br />
* Vicky Brasseur, Wipro<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-12-02General Meeting/Minutes/2021-12-022021-12-07T15:25:03Z<p>Podence: Created page with "* Attendance: 33 * Lead by Phil Odence * Minutes from last approved * Phil will company membership announcement before end of week * We will be move General Meeting minutes t..."</p>
Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04General Meeting/Minutes/2021-11-042021-11-11T20:57:59Z<p>Podence: Created page with "* Attendance: 25 * Lead by Phil Odence * Minutes from last approved * Company membership mechanics will be rolled out within a couple weeks. == GSOC - Ujjwal == * JSON Su..."</p>
<hr />
<div>* Attendance: 25<br />
* Led by Phil Odence<br />
* Minutes from last approved<br />
<br />
* Company membership mechanics will be rolled out within a couple weeks.<br />
<br />
<br />
== GSOC - Ujjwal ==<br />
<br />
* JSON Support for Golang libraries<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Tools <br />
** no update<br />
* Specification<br />
** Spec version compatible with ISO, now available<br />
* Version 3<br />
<br />
* Most of the work is focused on the core model. We’re making progress but still have a ways to go to settle on a good core that the other profiles will be built on.<br />
* A new repo has been setup for the SPDX 3.0 spec since it will have a different way of generating the examples and spec and will also be under the new license as part of the new governance we put in place<br />
* We expect more activities on the profiles next month, especially security<br />
* Interest in the spec and tools continues to increase – we’re seeing some good signs of adoption from companies, other open source projects, and individuals (if you need more detail – SW360 is engaged in some issues conversations on the tools, the SPDX 2.1 spec issues has some new contributor)<br />
<br />
== Legal team update - Jilayne/Pau/Steve ==<br />
* FreeBSD will be adopting SPDX tags<br />
* Fedora is exploring as well<br />
* Conversations about adding better instructions on using Git to contribute to license repo<br />
<br />
== Outreach team - Sebastian ==<br />
* Processes<br />
** Transitioned to monthly meeting<br />
** Different ways of working in between under discussion<br />
* Wikipedia page updates<br />
** Adding history<br />
* Adding logos of companies and projects that are using<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Ujjwall Agarwal<br />
* Alexios Zavras, Intel<br />
* Eric Billingsley, Calculi<br />
* Jeff Schutt, Cisco<br />
* Sebastian Crane<br />
* Bob Martin, Mitre<br />
* Steve Winslow, Boston Technology Law<br />
* Christopher Lusk, Lenovo<br />
* David Edelsohn, IBM<br />
* Jilayne Lovejoy, Red Hat<br />
* Tony Aiuto<br />
* Karan Marjara, AWS<br />
* Joshua Marpet, RM-ISAO<br />
* Paul Madick, Jenzabar<br />
* Adrian Diglio, Microsoft<br />
* Alfredo Espinosa<br />
* Brad Goldring<br />
* Edgar<br />
* Joe<br />
* Vicky Brasseur, Wipro<br />
* Warner Losh, FreeBSD<br />
* Fellow Jitser<br />
* Aasim, Microsoft<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07General Meeting/Minutes/2021-10-072021-10-15T11:48:37Z<p>Podence: </p>
<hr />
<div>* Attendance: 27<br />
* Led by Phil Odence<br />
<br />
<br />
== Special Topics- Phil / Vicky ==<br />
<br />
* Governance Update<br />
** New governance is in place<br />
** Will be announcing mechanism for signing up Member Companies<br />
** With that will announce the mechanism for nominating Steering Committee members<br />
<br />
* Wipro<br />
** Vicky discussed Wipro’s view of benefits and reasons for joining<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Tools <br />
** no update<br />
* Specification<br />
** Spec version compatible with ISO, now available<br />
* Version 3<br />
** Working on how to establish the repos<br />
* Question about SPDX Lite<br />
** That would be the minimum mandatory fields<br />
<br />
== Legal team update - Jilayne ==<br />
* New license request volume slowed down this month<br />
* Doing some general catchup with members of the legal team<br />
* Due for a new release at the end of the month<br />
* Update on collaboration with OSI and FSF<br />
* Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI<br />
* Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses<br />
* Recently, getting good response from FSF and OSI - especially from OSI<br />
* OSI has a machine readable format that is being actively worked on<br />
* In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates<br />
* Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive<br />
<br />
== Outreach team - Sebastian ==<br />
* Recent Docfest was a success, brought in several tool vendors to compare results<br />
* Updated Wikipedia page progressing slowly<br />
** Lead section updated - this is what you see when you do a Google search<br />
* Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable<br />
* Website is being updated<br />
** A section will be added to showcase company usage of SPDX<br />
* Updating the meeting time so that more people can attend<br />
** Times are shown in UTC. Note: will change next month<br />
** new time will be the off weeks at the same time as legal<br />
* going to meetings every other week from once a week. Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.<br />
* Joshua reported the SPDX official podcasts started<br />
** Once a month<br />
** Outreach team will meet every other month<br />
** Will interview many community members<br />
** Will follow-up with Vicki and others in the general meeting<br />
* Kate - presented keynote at open source summit<br />
** well received, good interest<br />
* Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Alexios Zavras, Intel<br />
* Andrew Jorgenson, AWS<br />
* Kate Stewart, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Bill Jaeger<br />
* Bob Martin, Mitre<br />
* Eric Billingsley, Calculi<br />
* Chrissini de Castro<br />
* Michael Mehlberg, Dark Sky Technology<br />
* Maximilian Huber, TNG<br />
* Sebastian Crane<br />
* William Cox, Synopsys<br />
* Vicky Brasseur, Wipro<br />
* Matthew Crawford, ARM<br />
* Marc Gisi, Windriver<br />
* Pierre Tardy<br />
* Joshua Marpet, RM-ISAO<br />
* Brad Goldring, GTC Law Group<br />
* Paul Madick, Jenzabar<br />
* Jilayne Lovejoy, Red Hat<br />
* Christopher Lusk<br />
* Clement Poulain<br />
* Joshua Dubin, Verizon<br />
* Takashi Ninjouji<br />
* Jeff Schutt, Cisco<br />
* Robert Boyd, Calculi<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07General Meeting/Minutes/2021-10-072021-10-15T11:43:56Z<p>Podence: </p>
<hr />
<div>* Attendance: 26<br />
* Lead by Phil Odence<br />
<br />
<br />
== Special Topics- Phil / Vicky ==<br />
<br />
* Governance Update<br />
** New governance is in place<br />
** Will be announcing mechanism for signing up Member Companies<br />
** With that will announce the mechanism for nominating Steering Committee members<br />
<br />
* Wipro<br />
** Vicky discussed Wipro’s view of benefits and reasons for joining<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Tools <br />
** no update<br />
* Specification<br />
** Spec version compatible with ISO, now available<br />
* Version 3<br />
** Working on how to establish the repos<br />
* Question about SPDX Lite<br />
** That would be the minimum mandatory fields<br />
<br />
== Legal team update - Jilayne ==<br />
* New license request volume slowed down this month<br />
* Doing some general catchup with members of the legal team<br />
* Due for a new release at the end of the month<br />
* Update on collaboration with OSI and FSF<br />
* Gary is working on 3-year-old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI<br />
* Data is in the isFsfFree column and the OSI-approved columns for the SPDX listed licenses<br />
* Recently getting a good response from FSF and OSI - especially from OSI<br />
* OSI has a machine readable format that is being actively worked on<br />
* In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates<br />
* Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive<br />
<br />
== Outreach team - Sebastian ==<br />
* Recent Docfest was a success, brought in several tool vendors to compare results<br />
* Updated Wikipedia page progressing slowly<br />
** Lead section updated - this is what you see when you do a Google search<br />
* Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast, making it much more readable<br />
* Website is being updated<br />
** A section will be added to showcase company usage of SPDX<br />
* Updating meeting time to be more widely available<br />
** Times are shown in UTC. Note: will change next month<br />
** New time will be on the off weeks, at the same time as the legal team<br />
* Moving to meetings every other week instead of once a week. Vicky pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.<br />
* Joshua reported the SPDX official podcasts have started<br />
** Once a month<br />
** Outreach team will meet every other month<br />
** Will interview many community members<br />
** Will follow up with Vicky and others in the general meeting<br />
* Kate presented a keynote at Open Source Summit<br />
** Well received, good interest<br />
* Sebastian and Gary report increasing interest in SBOM tooling - we're seeing some good momentum<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Alexios Zavras, Intel<br />
* Andrew Jorgenson, AWS<br />
* Kate Stewart, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Bill Jaeger<br />
* Bob Martin, Mitre<br />
* Eric Billingsley, Calculi<br />
* Chrissini de Castro<br />
* Michael Mehlberg, Dark Sky Technology<br />
* Maximilian Huber, TNG<br />
* Sebastian Crane<br />
* William Cox, Synopsys<br />
* Vicky Brasseur, Wipro<br />
* Matthew Crawford, ARM<br />
* Marc Gisi, Windriver<br />
* Pierre Tardy<br />
* Joshua Marpet, RM-ISAO<br />
* Brad Goldring, GTC Law Group<br />
* Paul Madick, Jenzabar<br />
* Jilayne Lovejoy, Red Hat<br />
* Christopher Lusk<br />
* Clement Poulain<br />
* Joshua Dubin, Verizon<br />
* Takashi Ninjouji<br />
* Jeff Schutt, Cisco<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07General Meeting/Minutes/2021-10-072021-10-08T14:22:20Z<p>Podence: </p>
<hr />
<div>* Attendance: 25<br />
* Led by Phil Odence<br />
<br />
<br />
== Special Topics - Phil / Vicky ==<br />
<br />
* Governance Update<br />
** New governance is in place<br />
** Will be announcing mechanism for signing up Member Companies<br />
** With that will announce the mechanism for nominating Steering Committee members<br />
<br />
* Wipro<br />
** Vicky discussed Wipro’s view of benefits and reasons for joining<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Tools <br />
** no update<br />
* Specification<br />
** Spec version compatible with ISO, now available<br />
* Version 3<br />
** Working on how to establish the repos<br />
* Question about SPDX Lite<br />
** That would be the minimum mandatory fields<br />
<br />
== Legal team update - Jilayne ==<br />
* New license request volume slowed down this month<br />
* Doing some general catchup with members of the legal team<br />
* Due for a new release at the end of the month<br />
* Update on collaboration with OSI and FSF<br />
* Gary is working on 3-year-old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI<br />
* Data is in the isFsfFree column and the OSI-approved columns for the SPDX listed licenses<br />
* Recently getting a good response from FSF and OSI - especially from OSI<br />
* OSI has a machine readable format that is being actively worked on<br />
* In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates<br />
* Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive<br />
<br />
== Outreach team - Sebastian ==<br />
* Recent Docfest was a success, brought in several tool vendors to compare results<br />
* Updated Wikipedia page progressing slowly<br />
** Lead section updated - this is what you see when you do a Google search<br />
* Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast, making it much more readable<br />
* Website is being updated<br />
** A section will be added to showcase company usage of SPDX<br />
* Updating meeting time to be more widely available<br />
** Times are shown in UTC. Note: will change next month<br />
** New time will be on the off weeks, at the same time as the legal team<br />
* Moving to meetings every other week instead of once a week. Vicky pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.<br />
* Joshua reported the SPDX official podcasts have started<br />
** Once a month<br />
** Outreach team will meet every other month<br />
** Will interview many community members<br />
** Will follow up with Vicky and others in the general meeting<br />
* Kate presented a keynote at Open Source Summit<br />
** Well received, good interest<br />
* Sebastian and Gary report increasing interest in SBOM tooling - we're seeing some good momentum<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Alexios Zavras, Intel<br />
* Andrew Jorgenson, AWS<br />
* Kate Stewart, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Bill Jaeger<br />
* Bob Martin, Mitre<br />
* Eric Billingsley, Calculi<br />
* Chrissini de Castro<br />
* Michael Mehlberg, Dark Sky Technology<br />
* Maximilian Huber, TNG<br />
* Sebastian Crane<br />
* William Cox, Synopsys<br />
* Vicky Brasseur, Wipro<br />
* Matthew Crawford, ARM<br />
* Marc Gisi, Windriver<br />
* Pierre Tardy<br />
* Joshua Marpet, RM-ISAO<br />
* Brad Goldring, GTC Law Group<br />
* Paul Madick, Jenzabar<br />
* Jilayne Lovejoy, Red Hat<br />
* Christopher Lusk<br />
* Clement Poulain<br />
* Joshua Dubin, Verizon<br />
* Takashi Ninjouji<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07General Meeting/Minutes/2021-10-072021-10-08T12:03:35Z<p>Podence: Created page with "* Attendance: 25 * Lead by Phil Odence == Special Topics- Phil / Vicky == * Governance Update ** New governance is in place ** Will be announcing mechanism for signing up M..."</p>
<hr />
<div>* Attendance: 25<br />
* Led by Phil Odence<br />
<br />
<br />
== Special Topics - Phil / Vicky ==<br />
<br />
* Governance Update<br />
** New governance is in place<br />
** Will be announcing mechanism for signing up Member Companies<br />
** With that will announce the mechanism for nominating Steering Committee members<br />
<br />
* Wipro<br />
** Vicky discussed Wipro’s view of benefits and reasons for joining<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Tools <br />
** no update<br />
* Specification<br />
** Spec version compatible with ISO, now available<br />
* Version 3<br />
** Working on how to establish the repos<br />
* Question about SPDX Lite<br />
** That would be the minimum mandatory fields<br />
<br />
== Legal team update - Jilayne ==<br />
* New license request volume slowed down this month<br />
* Doing some general catchup with members of the legal team<br />
* Due for a new release at the end of the month<br />
* Update on collaboration with OSI and FSF<br />
* Gary is working on 3-year-old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI<br />
* Data is in the isFsfFree column and the OSI-approved columns for the SPDX listed licenses<br />
* Recently getting a good response from FSF and OSI - especially from OSI<br />
* OSI has a machine readable format that is being actively worked on<br />
* In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates<br />
* Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive<br />
<br />
== Outreach team - Sebastian ==<br />
* Recent Docfest was a success, brought in several tool vendors to compare results<br />
* Updated Wikipedia page progressing slowly<br />
** Lead section updated - this is what you see when you do a Google search<br />
* Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast, making it much more readable<br />
* Website is being updated<br />
** A section will be added to showcase company usage of SPDX<br />
* Updating meeting time to be more widely available<br />
** Times are shown in UTC. Note: will change next month<br />
** New time will be on the off weeks, at the same time as the legal team<br />
* Moving to meetings every other week instead of once a week. Vicky pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.<br />
* Joshua reported the SPDX official podcasts have started<br />
** Once a month<br />
** Outreach team will meet every other month<br />
** Will interview many community members<br />
** Will follow up with Vicky and others in the general meeting<br />
* Kate presented a keynote at Open Source Summit<br />
** Well received, good interest<br />
* Sebastian and Gary report increasing interest in SBOM tooling - we're seeing some good momentum<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Alexios Zavras, Intel<br />
* Andrew Jorgenson, AWS<br />
* Kate Stewart, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Bill Jaeger<br />
* Bob Martin, Mitre<br />
* Eric Billingsley, Calculi<br />
* Chrissini de Castro<br />
* Michael Mehlberg, Dark Sky Technology<br />
* Maximilian Huber, TNG<br />
* Sebastian Crane<br />
* William Cox, Synopsys<br />
* Vicky Brasseur, Wipro<br />
* Matthew Crawford, ARM<br />
* Marc Gisi, Windriver<br />
* Pierre Tardy<br />
* Joshua Marpet, RM-ISAO<br />
* Brad Goldring<br />
* Paul Madick, Jenzabar<br />
* Jilayne Lovejoy, Red Hat<br />
* Christopher Lusk<br />
* Clement Poulain<br />
* Joshua Dubin, Verizon<br />
* Takashi Ninjouji<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-09-02General Meeting/Minutes/2021-09-022021-09-07T20:50:06Z<p>Podence: Created page with "* Attendance: 26 * Lead by Phil Odence * GSoC Presentation was postponed == SPDX Governance - Phil == * Intro -Phil ** GOAL of today: Consensus **Background *** About..."</p>
<hr />
<div>* Attendance: 26<br />
* Led by Phil Odence<br />
<br />
* GSoC Presentation was postponed<br />
<br />
== SPDX Governance - Phil ==<br />
<br />
* Intro - Phil<br />
<br />
** GOAL of today: Consensus<br />
<br />
** Background<br />
*** About 8 years ago, we put in place a governance structure for SPDX.<br />
*** Factors<br />
**** ISO standardization - close to announcing<br />
**** Executive Order<br />
**** More participation from community members with standards body experience<br />
**** Working with other standards, e.g. SWID and CycloneDX<br />
<br />
** Goal of Change - retain spirit and ways of working<br />
*** more accurately reflect the current reality and future direction of the project <br />
*** establishing a mechanism for official company membership in the project <br />
*** using contribution processes and a license for the spec that ensure explicit patent license commitments from contributors <br />
*** improving clarity around decision-making processes and establishing an appeals process <br />
*** adopting a code of conduct <br />
<br />
** Solution - Steve to explain further<br />
*** Legal Entity creation - switched from JDF to a much simpler<br />
*** Retained Community Specification model<br />
<br />
* Review of PDF summary - Steve<br />
** Legal Entity<br />
** Membership Agreement<br />
** Community Specs process and license<br />
<br />
* Q&A/Discussion<br />
** Various clarifications<br />
** Code of Conduct<br />
*** Agreed that under new structure it could, if need be, be modified in the future<br />
** Possibility of Dual-licensing Spec<br />
*** Agreed to not address at this time<br />
<br />
* Resolution<br />
** Consensus reached<br />
** ...unless significant concerns were raised on the General Mailing List within a day or so of the meeting's close<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Sebastian Crane<br />
* Joshua Marpet, RM-ISAO<br />
* Mike Nemmers<br />
* William Cox, Synopsys<br />
* Andrew Jorgenson, AWS<br />
* Bob Martin, Mitre<br />
* Philippe Emmanuel Douziech, CAST<br />
* Alexios Zavras, Intel<br />
* Marc Etienne Vargenau, Nokia<br />
* Jilayne Lovejoy, Red Hat<br />
* Steve Winslow, LF<br />
* Mike Dolan, LF<br />
* Mark Atwood, Amazon<br />
* Gary O’Neall, SourceAuditor<br />
* Paul Madick, Jenzabar<br />
* Jeff Schutt, Cisco<br />
* Vicky Brasseur, Wipro<br />
* Warner Losh, FreeBSD<br />
* Zach Hill, Anchore<br />
* Pierre Tardy<br />
* David Edelsohn, IBM<br />
* Maximilian Huber, TNG<br />
* Bill Jaeger<br />
* Michael Mehlberg, Dark Sky Technology<br />
* Henk Birkholz, Fraunhofer<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-07-01General Meeting/Minutes/2021-07-012021-07-06T13:02:25Z<p>Podence: Created page with "* Attendance: 22 * Lead by Phil Odence * Minutes of June meeting Approved == SPDX Governance - Phil == Status of governance changes * Still working through a using the prep..."</p>
<hr />
<div>* Attendance: 22<br />
* Led by Phil Odence<br />
* Minutes of June meeting Approved<br />
<br />
<br />
== SPDX Governance - Phil ==<br />
<br />
Status of governance changes<br />
* Still working through using the prepackaged JDF docs with LF lawyers<br />
** Lots there due to their general nature<br />
** It will have to go through the specified process for discussion and voting<br />
* Why?<br />
** More scrutiny<br />
** Standards requirement - companies supporting, logos<br />
*** OMG CISQ 3T joining SPDX<br />
*** ISO direction – need more<br />
*** Executive Order<br />
*** Working with other standards, e.g. SWID and CycloneDX<br />
* Specific concerns that came up<br />
** Community Spec License vs. CC-BY<br />
*** Patent license to address concerns that have arisen from companies we want to support<br />
** Also, tangentially related: an SBOM generation tool showed up in the repo<br />
*** Need criteria for inclusion<br />
* A question came up about discussion of governance on the General Mailing List<br />
** We try to limit traffic on the list so one can use it to monitor activity without being overwhelmed<br />
** There will be a chance for discussion of a governance proposal once process goes in motion<br />
** Contact Phil with inputs<br />
** We’ll look into a separate list<br />
<br />
== Outreach Team Report - Sebastian/Jack ==<br />
<br />
* Rebooted<br />
* SPDX website rework - license for content CC-BY-4.0<br />
** Looking to rebuild website as static site.<br />
** Code and license - more flexibility over precise styling and functionality.<br />
** Prototype of site in next few weeks.<br />
* Technical slides - for presenting SPDX in one's own organization.<br />
** Reviewed collateral; audience focus, so the collateral meets audience needs.<br />
** More explanation of “why”. Point to the specification when getting to details.<br />
* IRC channel <br />
** Sebastian set up #spdx on libera.chat<br />
** previous channels on OFTC, Freenode; hadn’t taken off<br />
** libera.chat has 11 people in it currently<br />
** “cloaking” - hides IP address in some cases, replaces with badge for organization you’re associated with; Sebastian can provide “SPDX cloak”<br />
* Matrix bridge - feature of libera.chat, enables joining via Matrix<br />
* Meeting date and time: 1500 UTC on Wednesdays will be the new meeting time, from 14 July<br />
<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* Several new folks participating<br />
* Ariel and Candice from ClearlyDefined have been digging into the Python stack of licenses<br />
* License List 3.14 release - targeting end of July<br />
<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Tools <br />
** GSoC - JSON support in Golang; will seek to get GSoC student to present at a future General Meeting<br />
** New participants interacting with tools, and seeing pull requests.<br />
** NTIA Plugfest <br />
*** new tools emerging from communities <br />
*** SPDX was most common format in use<br />
*** Can’t get down to SPDX field-to-field<br />
** SPDX Plugfest?<br />
*** Desire to have a Japan SPDX Plugfest<br />
*** One for North America<br />
** Anchore has a tool supporting SPDX output (github.com/anchore/syft); if you need more 3.0 examples we can work on it. We have 2.2 now but can fairly quickly iterate for some 3.0 support.<br />
* Specification<br />
** ISO/IEC PRF 5962 - Information Technology — SPDX® Specification V2.2.1 - moved to PRF status; publication date: 2021-08<br />
** OCI registry overview and how SPDX could interact with containers. <br />
** Specification 3.0 Work <br />
*** Looking for more 3.0 examples in serialization<br />
*** Lacking critical mass for some decisions - vacations<br />
**** Moving through punch list on core model.<br />
*** Vulnerability - waiting for core. Snyk put up a nice post. <br />
**** Feedback in progress. <br />
**** Serialization needs to become clearer.<br />
**** More examples are needed. <br />
**** Follow up VEX and CSAF<br />
*** Licensing profile - pretty similar to 2.2 already.<br />
**** Once formatting for how template can be expressed.<br />
<br />
<br />
== Other Topics ==<br />
<br />
* Open question - why spdx.dev vs. spdx.org; the license list is dynamically generated on spdx.org - Drupal → WordPress. How to keep the license list populating the website.<br />
* Keep license list URL stable. <br />
* Wikipedia page on SPDX is pretty stale. <br />
** Needs to be updated. Outreach will take it. <br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Philippe Emmanuel Douziech, CAST<br />
* Bob Martin, Mitre<br />
* Joshua Marpet, RM-ISAO<br />
* David Edelsohn, IBM<br />
* Sebastian Crane<br />
* Marc Etienne Vargenau, Nokia<br />
* Zach Hill, Anchore<br />
* Steve Winslow, LF<br />
* Kate Stewart, Linux Foundation<br />
* William Cox, Synopsys<br />
* Jack Manbeck, TI<br />
* Alexios Zavras, Intel<br />
* Warner Losh, FreeBSD<br />
* Alfredo Espinosa<br />
* Jilayne Lovejoy, Red Hat<br />
* Chris Lusk<br />
* Andrew Jorgenson, AWS<br />
* Thomas Steenbergen, HERE<br />
* Ronda<br />
* Brian Fox, Sonatype<br />
* Michael Herzog, nexB<br />
<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-06-03General Meeting/Minutes/2021-06-032021-06-04T13:46:12Z<p>Podence: </p>
<hr />
<div>* Attendance: 17<br />
* Led by Phil Odence<br />
* Minutes of May meeting Approved<br />
<br />
<br />
== SPDX Governance Review - Phil ==<br />
<br />
* Background: About 8 years ago, we put in place a governance structure for SPDX. It was a good effort at the time and has served us, but it’s never really been stressed. Factors are in play today that suggest the need for a legally tighter structure:<br />
** OMG CISQ 3T joining SPDX<br />
** ISO direction<br />
** Executive Order<br />
** Working with other standards, i.e. SWID and CycloneDX<br />
* The Linux Foundation has a pre-packaged governance solution for standards bodies, called the Joint Development Foundation, a “consortium in a box,” as they refer to it. It’s a free, fast way to set up a highly configurable legal entity and structure designed for specification development. With support from LF attorneys who have been involved in a number of such projects for the LF, the Core Team is exploring this option and it looks like it will suit our needs.<br />
* There are many ways to configure it, and we are going down the path of the simplest possible configuration. Essentially, we can tailor the documents so as to continue to operate as we have. The most significant change would be to change the license for the spec to the Community Specification License. This is a license purpose-built for specifications. Like the existing CC license, it grants a broad copyright license to the spec itself. Additionally, it requires contributors to grant licenses to any patents that might cover implementations of the spec. This would address user concerns about the possibility of an SPDX contributor seeking to enforce patents they might hold that cover the spec.<br />
* This is really to give you a heads up of something coming in the future. The current governance mechanism defines a mechanism and timetable for such a change that involves a formal announcement and a general meeting to try to reach consensus. That clock is not starting now; just want you to be aware that it’s coming.<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Tools - Gary<br />
** Python project is progressing<br />
** Exec Order will bring with it some funding for cleaning up tooling gaps<br />
** New project<br />
*** Generating SBOM to work with CI/CD pipelines<br />
*** Written in Go<br />
*** Yocto keen to use<br />
** NTIA Plugfest is upcoming<br />
* Spec – Kate<br />
** Work<br />
** Core:<br />
*** William Bartholomew and others working to show initial serializations, migration issues<br />
*** rough format using Markdown as source of truth<br />
*** GSoC project to translate into schemas<br />
** Vulnerabilities:<br />
*** Thomas has given initial presentation, gathering feedback, meetings to be called to discuss<br />
** Usage - Moving forward<br />
** Licensing – Steve:<br />
*** in process, expect to have updated draft by end of July<br />
*** major open piece is documenting / specifying the license expression model classes<br />
** Linkage – Nisha experimenting, looking at e.g. containers<br />
** Build – Bob, David Edelsohn<br />
<br />
* Sebastian: Meeting times – out of date, time incorrect for General Meeting<br />
** Sync to a particular time – Eastern US or UTC?<br />
** and just list that time on the wiki, with link to a time/date converter<br />
** Steve to sync with Phil to confirm on regular invite time<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* 3.13 released in May<br />
** issue with version numbers for tagged releases<br />
** thank you to Gary for helping address this while on vacation<br />
* 3.14 in process now, to be released end of July<br />
<br />
<br />
== Outreach Team Report - Jack ==<br />
<br />
* Next meeting June 7<br />
* Calendar invite at https://lists.spdx.org/g/Spdx-tech/message/4059<br />
** use this and not old info on the wiki<br />
<br />
== Other Topics ==<br />
<br />
* IRC channel for SPDX – Sebastian / Philippe<br />
** One channel on Freenode, another on OFTC; libera.chat also existing<br />
** Switching to libera.chat<br />
** Sebastian to register and share with general list<br />
* GSoC students also tend to use gitter.im (also accessible via IRC / Matrix)<br />
* channel name to be #spdx<br />
* After registered and shared with general list, will also add to website<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Sebastian Crane<br />
* Steve Winslow, LF<br />
* Kate Stewart, Linux Foundation<br />
* William Cox, Synopsys<br />
* Marc Etienne Vargenau, Nokia<br />
* Mikihito Matsuura, Tokyo University<br />
* Bob Martin, Mitre<br />
* Philippe Emmanuel Douziech, CAST<br />
* Joshua Marpet, MGM Growth<br />
* Tiberius Hefflin, Intel<br />
* Jilayne Lovejoy, Red Hat<br />
* Warner Losh<br />
* Aveek Basu, NextMark Printers<br />
* Sharon Burke<br />
* Gary O’Neall, SourceAuditor<br />
<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]<br />
<br />
<br />
</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-06-03General Meeting/Minutes/2021-06-032021-06-04T13:13:14Z<p>Podence: Created page with "* Attendance: 17 * Lead by Phil Odence * Minutes of May meeting Approved == SPDX Governance Review - Phil == * Background: About 8 years ago, we put in place a governance s..."</p>
<hr />
<div>* Attendance: 17<br />
* Led by Phil Odence<br />
* Minutes of May meeting Approved<br />
<br />
<br />
== SPDX Governance Review - Phil ==<br />
<br />
* Background: About 8 years ago, we put in place a governance structure for SPDX. It was a good effort at the time and has served us, but it’s never really been stressed. Factors are in play today that suggest the need for a legally tighter structure:<br />
** OMG CISQ 3T joining SPDX<br />
** ISO direction<br />
** Executive Order<br />
** Working with other standards, i.e. SWID and CycloneDX<br />
* The Linux Foundation has a pre-packaged governance solution for standards bodies, called the Joint Development Foundation, a “consortium in a box,” as they refer to it. It’s a free, fast way to set up a highly configurable legal entity and structure designed for specification development. With support from LF attorneys who have been involved in a number of such projects for the LF, the Core Team is exploring this option and it looks like it will suit our needs.<br />
* There are many ways to configure it, and we are going down the path of the simplest possible configuration. Essentially, we can tailor the documents so as to continue to operate as we have. The most significant change would be to change the license for the spec to the Community Specification License. This is a license purpose-built for specifications. Like the existing CC license, it grants a broad copyright license to the spec itself. Additionally, it requires contributors to grant licenses to any patents that might cover implementations of the spec. This would address user concerns about the possibility of an SPDX contributor seeking to enforce patents they might hold that cover the spec.<br />
* This is really to give you a heads up of something coming in the future. The current governance mechanism defines a mechanism and timetable for such a change that involves a formal announcement and a general meeting to try to reach consensus. That clock is not starting now; just want you to be aware that it’s coming.<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Tools - Gary<br />
** Python project is progressing<br />
** Exec Order will bring with it some funding for cleaning up tooling gaps<br />
** New project<br />
*** Generating SBOM to work with CI/CD pipelines<br />
*** Written in Go<br />
*** Yocto keen to use<br />
** NTIA Plugfest is upcoming<br />
* Spec – Kate<br />
** Work<br />
** Core:<br />
*** William Bartholomew and others working to show initial serializations, migration issues<br />
*** rough format using Markdown as source of truth<br />
*** GSoC project to translate into schemas<br />
** Vulnerabilities:<br />
*** Thomas has given initial presentation, gathering feedback, meetings to be called to discuss<br />
** Usage - Moving forward<br />
** Licensing – Steve:<br />
*** in process, expect to have updated draft by end of July<br />
*** major open piece is documenting / specifying the license expression model classes<br />
** Linkage – Nisha experimenting, looking at e.g. containers<br />
** Build – Bob, David Edelsohn<br />
<br />
* Sebastian: Meeting times – out of date, time incorrect for General Meeting<br />
** Sync to a particular time – Eastern US or UTC?<br />
** and just list that time on the wiki, with link to a time/date converter<br />
** Steve to sync with Phil to confirm on regular invite time<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* 3.13 released in May<br />
** issue with version numbers for tagged releases<br />
** thank you to Gary for helping address this while on vacation<br />
* 3.14 in process now, to be released end of July<br />
<br />
<br />
== Outreach Team Report - Kate ==<br />
<br />
* Next meeting June 7<br />
* Calendar invite at https://lists.spdx.org/g/Spdx-tech/message/4059<br />
** use this and not old info on the wiki<br />
<br />
== Other Topics ==<br />
<br />
* IRC channel for SPDX – Sebastian / Philippe<br />
** One channel on Freenode, another on OFTC; libera.chat also existing<br />
** Switching to libera.chat<br />
** Sebastian to register and share with general list<br />
* GSoC students also tend to use gitter.im (also accessible via IRC / Matrix)<br />
* channel name to be #spdx<br />
* After registered and shared with general list, will also add to website<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Sebastian Crane<br />
* Steve Winslow, LF<br />
* Kate Stewart, Linux Foundation<br />
* William Cox, Synopsys<br />
* Marc Etienne Vargenau, Nokia<br />
* Mikihito Matsuura, Tokyo University<br />
* Bob Martin, Mitre<br />
* Philippe Emmanuel Douziech, CAST<br />
* Joshua Marpet, MGM Growth<br />
* Tiberius Hefflin, Intel<br />
* Jilayne Lovejoy, Red Hat<br />
* Warner Losh<br />
* Aveek Basu, NextMark Printers<br />
* Sharon Burke<br />
* Gary O’Neall, SourceAuditor<br />
<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]<br />
<br />
<br />
</div>Podencehttps://wiki.spdx.org/view/General_MeetingGeneral Meeting2021-06-04T12:56:33Z<p>Podence: </p>
<hr />
<div>This is the working area for the General Team. This team has primary responsibility for summarizing the activities of the three working teams and discussing cross-functional issues. The minutes of this monthly meeting provide a good summary of what's going on across the SPDX group, so signing up for the General Meeting mailing list is a good way to stay in touch. <br />
<br />
The General Team meets on the first Thursday of every month at 11:00 US Eastern (EST or EDT, depending on the season).<br />
Join the meeting:<br />
https://meet.jit.si/SPDXGeneralMeeting<br />
To join by phone instead, tap this: +1.512.647.1431,,1310118349#<br />
Looking for a different dial-in number?<br />
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting<br />
If also dialing-in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true<br />
<br />
* [[General_Meeting/Minutes|Meeting Minutes]]<br />
* [[General_Meeting/Presentation_Materials|Presentation Materials]]<br />
* [[General_Meeting/Old|Older Items]]<br />
<br />
[[Category:General]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-05-06General Meeting/Minutes/2021-05-062021-05-07T18:11:46Z<p>Podence: Created page with "* Attendance: 18 * Lead by Phil Odence * Minutes of Apri meeting Approved * Plan was to switch to Zoom * Considering using Jitsu == SPDX License Name Space at Amazon - Mark..."</p>
<hr />
<div>* Attendance: 18<br />
* Led by Phil Odence<br />
* Minutes of April meeting Approved<br />
<br />
* Plan was to switch to Zoom<br />
* Considering using Jitsi<br />
<br />
<br />
== SPDX License Name Space at Amazon - Mark ==<br />
<br />
* https://docs.google.com/presentation/d/1uCAJW79hzqLAPhXfAn4maCRk9TZUhLJDAPEOBlgUFTw/edit?usp=sharing<br />
<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Spec – Kate<br />
** Specification conversations continuing to move forward<br />
** Rough template for categories of topics (what had previously been called “profiles”)<br />
** Core Model - Gary<br />
*** No Update<br />
** Licensing<br />
*** filed PR with initial draft for discussion of template format, etc.; will update to newer template; previously discussed much of its substance last year<br />
** Integrity – Kay<br />
*** working with in-toto community, framework for end-to-end supply chain security; collaborating with them to see if the specs can be aligned<br />
** Defects / Security – Thomas not here today<br />
*** pushed first draft of fields for (1) vulnerabilities, and (2) defects => impact on packages, false positives, etc.<br />
**** https://github.com/spdx/spdx-spec/pull/510 <br />
*** Meetings next week to look at other security specs, their use cases, whether they can / how they should be incorporated<br />
** Linking – Nisha not here today<br />
*** Kate discussing with Nisha / Rose<br />
** Usage – Yoshiyuki Ito <br />
*** No update<br />
** Pedigree / Build / Creation – Kate<br />
*** No Update<br />
* GSoC- Alexios<br />
** Got 5 slots; can run up to 5 projects<br />
** Likely to accept 5 proposals:<br />
*** 2 for improving Golang tooling libraries (one RDF writing, one JSON reading/writing)<br />
*** 1 for transitioning / updating online SPDX tools<br />
*** 1 for spec processing tools<br />
*** 1 for improved license matcher, taking matching guidelines into account (unplanned submission)<br />
<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* Working on 3.13; planning to push it out over the weekend<br />
* Have been trying to clean up old issues<br />
* Some updates on documentation in the repo<br />
* New participants recently – some discussions on recent calls have included reviewing past history; may want to put together more historical documentation of past context, etc.<br />
* Some interest from Debian – interest in getting a Debian-free tickbox into the license list<br />
* License submissions – starting to take a harder line on participation from people submitting license requests without sticking with them. For this release, started asking people to create the PRs themselves – a few of the submitters at least responded and indicated they would do so<br />
* Still relying on the calls too much; having people commenting in issues out-of-band would be very helpful<br />
<br />
<br />
== Outreach Team Report - Kate ==<br />
<br />
* Continuing to see interest in SPDX across different communities<br />
* Zephyr – auto-generation<br />
* Possible interest in re-starting Outreach team meetings – Sebastian interested, Aveek also<br />
* Kate will reach out to Jack and either ask him to restart or else Kate will restart<br />
<br />
<br />
== Other Topics ==<br />
<br />
* Sebastian – interest from Arch Linux in using SPDX<br />
** Some work being done on the Arch packaging system, interest in using SPDX licenses<br />
* Jitsi<br />
** Jilayne - Jitsi – this has gone well, plan to update to this for future General calls<br />
** Legal and Tech teams can update if/when they choose<br />
** Europe, UK, etc. seems to be working<br />
** Bob – recommend putting passwords on it<br />
** Steve – discuss whether to put one on. Possible but appears to prevent dial-ins afterwards.<br />
*** Steve will look into options<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Mark Atwood, Amazon<br />
* Matthew Crawford, ARM<br />
* Bob Martin, Mitre<br />
* Philippe Emmanuel Douziech, CAST<br />
* Jilayne Lovejoy, Red Hat<br />
* Maximilian Huber, TNG<br />
* Alexios Zavras, Intel<br />
* Kay Williams, Microsoft<br />
* David Edelsohn, IBM<br />
* Thomas Steenbergen, HERE<br />
* Jeff Schutt, Cisco<br />
* Kate Stewart, Linux Foundation<br />
* Michael Herzog, nexB<br />
* Sebastian Crane<br />
* Steve Winslow, LF<br />
* Marc Etienne Vargenau, Nokia<br />
* Jonas Smedegaard, self<br />
<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-04-01General Meeting/Minutes/2021-04-012021-04-06T19:39:18Z<p>Podence: </p>
<hr />
<div>* Attendance: 22<br />
* Led by Phil Odence<br />
* Minutes of Feb meeting Approved<br />
<br />
* Plan was to switch to Zoom<br />
* Considering using Jitsi<br />
<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Spec – Kate<br />
** Core Model - Gary<br />
*** Lots of time on how to manage multiple profiles <br />
*** How to make it easier for tools<br />
*** Priority is on consumer/producers of docs<br />
**** Specifically, how to handle multiple profiles<br />
** Licensing<br />
*** Pull request for early first cut<br />
*** Incomplete (intentionally) for feedback<br />
*** Take a look: https://github.com/spdx/spdx-spec/pull/503<br />
*** Comments welcome<br />
** Integrity – Kay<br />
*** Doing prototyping<br />
*** Binary signing<br />
*** PGP, X.509 and small IoT devices targeted<br />
*** Demoed two weeks ago<br />
** Defects / Security – Thomas not here today<br />
*** no update<br />
** Linking – Nisha not here today<br />
*** no update<br />
** Usage – Yoshiyuki Ito <br />
*** There was a meeting<br />
*** Working on ideas<br />
** Pedigree / Build / Creation – Kate<br />
*** Looking for participants<br />
<br />
* Namespace<br />
** Kate raised question of anyone using namespace registration<br />
** Two organizations are using it<br />
*** https://tools.spdx.org/app/license_namespace_requests/<br />
*** Example: LicenseRef-.com.amazon.-AmznSL-1.0<br />
** Mark will present next month<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* 3.12 License List now live<br />
* Adding some informal roles on the team, e.g. New License Steward <br />
* Discussions of automation opportunities <br />
* Kicking off 3.13 release; likely a small release at the end of April<br />
* https://spdx.dev/faq/#licenses<br />
<br />
== Outreach Team Report ==<br />
* No Report<br />
<br />
== A Few More Items ==<br />
* Sebastian volunteered to review the FAQ<br />
* Google Summer of Code (GSoC)<br />
** Kate mentioned that SPDX has been accepted to the Google Summer of Code program and to please let any students know who might be interested.<br />
** Aveek mentioned that student submissions end on 4/15 and that some students need some help with the submission<br />
** Gary indicated that the preferred method for communication concerning GSoC is on gitter.<br />
<br />
== Attendees ==<br />
* Phil Odence, Black Duck/Synopsys<br />
* Philippe Emmanuel Douziech, CAST<br />
* William Cox, Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Steve Winslow, LF<br />
* Sebastian Crane<br />
* Gary O’Neall, SourceAuditor<br />
* David Edelsohn, IBM<br />
* Kay Williams, Microsoft<br />
* Aveek Basu, NextMark Printers<br />
* Paul Madick, Jenzabar<br />
* Rose Judge, VMware<br />
* Bob Martin, Mitre<br />
* Michael Herzog, nexB<br />
* Karsten Klein<br />
* Wayne Beaton, Eclipse<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Jeff Schutt<br />
* Marc Etienne Vargenau, Nokia<br />
* Jilayne Lovejoy, Red Hat<br />
* Mark Atwood, Amazon<br />
* Jim Hutchison, Qualcomm<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-04-01General Meeting/Minutes/2021-04-012021-04-02T13:29:03Z<p>Podence: </p>
<hr />
<div>* Attendance: 22<br />
* Led by Phil Odence<br />
* Minutes of Feb meeting Approved<br />
<br />
* Plan was to switch to Zoom<br />
* Considering using Jitsi<br />
<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Spec – Kate<br />
** Core Model - Gary<br />
*** Lots of time on how to manage multiple profiles <br />
*** How to make it easier for tools<br />
*** Priority is on consumer/producers of docs<br />
**** Specifically, how to handle multiple profiles<br />
** Licensing<br />
*** Pull request for early first cut<br />
*** Incomplete (intentionally) for feedback<br />
*** Take a look: https://github.com/spdx/spdx-spec/pull/503<br />
*** Comments welcome<br />
** Integrity – Kay<br />
*** Doing prototyping<br />
*** Binary signing<br />
*** PGP, X.509 and small IoT devices targeted<br />
*** Demoed two weeks ago<br />
** Defects / Security – Thomas not here today<br />
*** no update<br />
** Linking – Nisha not here today<br />
*** no update<br />
** Usage – Yoshiyuki Ito <br />
*** There was a meeting<br />
*** Working on ideas<br />
** Pedigree / Build / Creation – Kate<br />
*** Looking for participants<br />
<br />
* Namespace<br />
** Kate raised question of anyone using namespace registration<br />
** Two organizations are using it<br />
*** https://tools.spdx.org/app/license_namespace_requests/<br />
*** Example: LicenseRef-.com.amazon.-AmznSL-1.0<br />
** Mark will present next month<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* 3.12 License List now live<br />
* Adding some informal roles on the team, e.g. New License Steward <br />
* Discussions of automation opportunities <br />
* Kicking off 3.13 release; likely a small release at the end of April<br />
* https://spdx.dev/faq/#licenses<br />
<br />
== Outreach Team Report ==<br />
* No Report<br />
<br />
== A Few More Items ==<br />
* Sebastian volunteered to review the FAQ<br />
* Google Summer of Code (GSoC)<br />
** Kate mentioned that SPDX has been accepted to the Google Summer of Code program and to please let any students know who might be interested.<br />
** Aveek mentioned that student submissions end on 4/15 and that some students need some help with the submission<br />
** Gary indicated that the preferred method for communication concerning GSoC is on gitter.<br />
<br />
== Attendees ==<br />
* Phil Odence, Black Duck/Synopsys<br />
* Philippe Emmanuel Douziech, CAST<br />
* William Cox, Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Steve Winslow, LF<br />
* Sebastian Crane<br />
* Gary O’Neall, SourceAuditor<br />
* David Edelsohn, IBM<br />
* Kay Williams, Microsoft<br />
* Aveek Basu, NextMark Printers<br />
* Paul Madick, Jenzabar<br />
* Rose Judge, VMware<br />
* Bob Martin, Mitre<br />
* Michael Herzog, nexB<br />
* Karsten Klein<br />
* Wayne Beaton, Eclipse<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Jeff Schutt<br />
* Marc Etienne Vargenau, Nokia<br />
* Jilayne Lovejoy, Red Hat<br />
* Mark Atwood, Amazon<br />
* Jim Hutchison, Qualcomm<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-04-01General Meeting/Minutes/2021-04-012021-04-02T13:28:33Z<p>Podence: </p>
<hr />
<div>* Attendance: 22<br />
* Led by Phil Odence<br />
* Minutes of Feb meeting Approved<br />
<br />
* Plan was to switch to Zoom<br />
* Considering using Jitsi<br />
<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Spec – Kate<br />
** Core Model - Gary<br />
*** Lots of time on how to manage multiple profiles <br />
*** How to make it easier for tools<br />
*** Priority is on consumer/producers of docs<br />
**** Specifically, how to handle multiple profiles<br />
** Licensing<br />
*** Pull request for early first cut<br />
*** Incomplete (intentionally) for feedback<br />
*** Take a look: https://github.com/spdx/spdx-spec/pull/503<br />
*** Comments welcome<br />
** Integrity – Kay<br />
*** Doing prototyping<br />
*** Binary signing<br />
*** PGP, X.509 and small IoT devices targeted<br />
*** Demoed two weeks ago<br />
** Defects / Security – Thomas not here today<br />
*** no update<br />
** Linking – Nisha not here today<br />
*** no update<br />
** Usage – Yoshiyuki Ito <br />
*** There was a meeting<br />
*** Working on ideas<br />
** Pedigree / Build / Creation – Kate<br />
*** Looking for participants<br />
<br />
* Namespace<br />
** Kate raised question of anyone using namespace registration<br />
** Two organizations are using it<br />
*** https://tools.spdx.org/app/license_namespace_requests/<br />
*** Example: LicenseRef-.com.amazon.-AmznSL-1.0<br />
** Mark will present next month<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* 3.12 License List now live<br />
* Adding some informal roles on the team, e.g. New License Steward <br />
* Discussions of automation opportunities <br />
* Kicking off 3.13 release; likely a small release at the end of April<br />
* https://spdx.dev/faq/#licenses<br />
<br />
== Outreach Team Report ==<br />
* No Report<br />
<br />
== A Few More Items ==<br />
* Sebastian volunteered to review the FAQ<br />
* Google Summer of Code (GSoC)<br />
** Kate mentioned that SPDX has been accepted to the Google Summer of Code program and to please let any students know who might be interested.<br />
** Aveek mentioned that student submissions end on 4/15 and that some students need some help with the submission<br />
** Gary indicated that the preferred method for communication concerning GSoC is on gitter.<br />
<br />
== Attendees ==<br />
* Phil Odence, Black Duck/Synopsys<br />
* Philippe Emmanuel Douziech, CAST<br />
* William Cox, Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Steve Winslow, LF<br />
* Sebastian Crane<br />
* Gary O’Neall, SourceAuditor<br />
* David Edelsohn, IBM<br />
* Kay Williams, Microsoft<br />
* Aveek Basu, NextMark Printers<br />
* Paul Madick, Jenzabar<br />
* Rose Judge, VMware<br />
* Bob Martin, Mitre<br />
* Michael Herzog, nexB<br />
* Karsten Klein<br />
* Wayne Beaton, Eclipse<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Jeff Schutt<br />
* Marc Etienne Vargenau, Nokia<br />
* Jilayne Lovejoy, Red Hat<br />
* Mark Atwood, Amazon<br />
* Jim Hutchison, Qualcomm<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-04-01General Meeting/Minutes/2021-04-012021-04-02T13:24:45Z<p>Podence: </p>
<hr />
<div>* Attendance: 22<br />
* Led by Phil Odence<br />
* Minutes of Feb meeting Approved<br />
<br />
* Plan was to switch to Zoom<br />
* Considering using Jitsi<br />
<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Spec – Kate<br />
** Core Model - Gary<br />
*** Lots of time on how to manage multiple profiles <br />
*** How to make it easier for tools<br />
*** Priority is on consumer/producers of docs<br />
**** Specifically, how to handle multiple profiles<br />
** Licensing<br />
*** Pull request for early first cut<br />
*** Incomplete (intentionally) for feedback<br />
*** Take a look: https://github.com/spdx/spdx-spec/pull/503<br />
*** Comments welcome<br />
** Integrity – Kay<br />
*** Doing prototyping<br />
*** Binary signing<br />
*** PGP, X.509 and small IoT devices targeted<br />
*** Demoed two weeks ago<br />
** Defects / Security – Thomas not here today<br />
*** no update<br />
** Linking – Nisha not here today<br />
*** no update<br />
** Usage – Yoshiyuki Ito <br />
*** There was a meeting<br />
*** Working on ideas<br />
** Pedigree / Build / Creation – Kate<br />
*** Looking for participants<br />
<br />
* Namespace<br />
** Kate raised question of anyone using namespace registration<br />
** Two organizations are using it<br />
*** https://tools.spdx.org/app/license_namespace_requests/<br />
*** Example: LicenseRef-.com.amazon.-AmznSL-1.0<br />
** Mark will present next month<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* 3.12 License List now live<br />
* Adding some informal roles on the team, e.g. New License Steward <br />
* Discussions of automation opportunities <br />
* Kicking off 3.13 release; likely a small release at the end of April<br />
* https://spdx.dev/faq/#licenses<br />
<br />
== Outreach Team Report ==<br />
* No Report<br />
<br />
== A Few More Items ==<br />
* Sebastian volunteered to review the FAQ<br />
* Google Summer of Code (GSoC)<br />
** Kate mentioned that SPDX has been accepted to the Google Summer of Code program and to please let any students know who might be interested.<br />
** Aveek mentioned that student submissions end on 4/15 and that some students need some help with the submission<br />
** Gary indicated that the preferred method for communication concerning GSoC is on gitter.<br />
<br />
== Attendees ==<br />
* Phil Odence, Black Duck/Synopsys<br />
* Philippe Emmanuel Douziech, CAST<br />
* William Cox, Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Steve Winslow, LF<br />
* Sebastian Crane<br />
* Gary O’Neall, SourceAuditor<br />
* David Edelsohn, IBM<br />
* Kay Williams, Microsoft<br />
* Aveek Basu, NextMark Printers<br />
* Paul Madick, Jenzabar<br />
* Rose Judge, VMware<br />
* Bob Martin, Mitre<br />
* Michael Herzog, nexB<br />
* Karsten Klein<br />
* Wayne Beaton, Eclipse<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Jeff Schutt<br />
* Marc Etienne Vargenau, Nokia<br />
* Jilayne Lovejoy, Red Hat<br />
* Mark Atwood, Amazon<br />
* Jim Hutchison, Qualcomm<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-04-01General Meeting/Minutes/2021-04-012021-04-01T15:42:30Z<p>Podence: Created page with "* Attendance: 22 * Lead by Phil Odence * Minutes of Feb meeting Approved * Plan was to switch to Zoom * Considering using Jitsu == Tech Team Report - Kate/Gary/Others ==..."</p>
<hr />
<div>* Attendance: 22<br />
* Led by Phil Odence<br />
* Minutes of Feb meeting Approved<br />
<br />
* Plan was to switch to Zoom<br />
* Considering using Jitsi<br />
<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Spec – Kate<br />
** Core Model - Gary<br />
*** Lots of time on how to manage multiple profiles <br />
*** How to make it easier for tools<br />
*** Priority is on consumer/producers of docs<br />
**** Specifically, how to handle multiple profiles<br />
** Licensing<br />
*** Pull request for early first cut<br />
*** Incomplete (intentionally) for feedback<br />
*** Take a look: https://github.com/spdx/spdx-spec/pull/503<br />
*** Comments welcome<br />
** Integrity – Kay<br />
*** Doing prototyping<br />
*** Binary signing<br />
*** PGP, X.509 and small IoT devices targeted<br />
*** Demoed two weeks ago<br />
** Defects / Security – Thomas not here today<br />
*** no update<br />
** Linking – Nisha not here today<br />
*** no update<br />
** Usage – Yoshiyuki Ito <br />
*** There was a meeting<br />
*** Working on ideas<br />
** Pedigree / Build / Creation – Kate<br />
*** Looking for participants<br />
<br />
* Namespace<br />
** Kate raised question of anyone using namespace registration<br />
** Two organizations are using it<br />
*** https://tools.spdx.org/app/license_namespace_requests/<br />
*** Example: LicenseRef-.com.amazon.-AmznSL-1.0<br />
** Mark will present next month<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* 3.12 License List now live<br />
* Adding some informal roles on the team, e.g. New License Steward <br />
* Discussions of automation opportunities <br />
* Kicking off 3.13 release; likely a small release at the end of April<br />
* https://spdx.dev/faq/#licenses<br />
<br />
== Outreach Team Report ==<br />
<br />
* No Report<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Philippe Emmanuel Douziech, CAST<br />
* William Cox, Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Steve Winslow, LF<br />
* Sebastian Crane<br />
* Gary O’Neall, SourceAuditor<br />
* David Edelsohn, IBM<br />
* Kay Williams, Microsoft<br />
* Aveek Basu, NextMark Printers<br />
* Paul Madick, Jenzabar<br />
* Rose Judge, VMware<br />
* Bob Martin, Mitre<br />
* Michael Herzog, nexB<br />
* Karsten Klein<br />
* Wayne Beaton, Eclipse<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Jeff Schutt<br />
* Marc Etienne Vargenau, Nokia<br />
* Jilayne Lovejoy, Red Hat<br />
* Mark Atwood, Amazon<br />
* Jim Hutchison, Qualcomm<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-03-04General Meeting/Minutes/2021-03-042021-04-01T12:18:55Z<p>Podence: </p>
<hr />
<div>* Attendance: 18<br />
* Led by Phil Odence<br />
* Minutes of Feb meeting Approved<br />
<br />
* Housekeeping<br />
** Zoom - Will be migrating to Zoom for these meetings; working with LF<br />
** Phil will need to cut out early; Steve will take over notes<br />
<br />
== SPDX BOM for CMake Project ==<br />
<br />
* Background<br />
** Presented previously at FOSDEM<br />
** Used Zephyr, lightweight RTOS<br />
** Goal: generate an SPDX file in parallel with the CMake build<br />
*** including relationships<br />
*** fully automated<br />
*** no pulling from external sources (license data, for example)<br />
*** make it Zephyr-agnostic, so it could be reusable<br />
* POC<br />
** On GitHub<br />
** Used the file-based API of CMake<br />
*** to tell CMake to dump JSON meta-data files for each artifact<br />
*** and then build<br />
** Created SPDX<br />
*** Pull from <br />
**** Sources directory<br />
**** Artifacts directory<br />
**** Pull SPDX short form license names from files<br />
**** Create relationships <br />
*** Output is two files<br />
**** Sources<br />
**** Build artifacts<br />
**** with links between<br />
* Findings<br />
** Some limitations to the CMake API data, missing some info that CMake seems to “know”<br />
** Some invalid IDs<br />
** Graphviz was helpful in visualizing the relationships represented in the JSON files<br />
* Next Steps<br />
** Takeaways: the concept basically works; start small and can be improved<br />
** Working with the Zephyr community<br />
*** may have made it overly agnostic<br />
*** could tailor it to the Zephyr build system<br />
*** but generalized version is a great starting point<br />
** Michael Herzog: developed TraceCode as a tool to similarly look at details during the build process; more generalized, but extremely hard to use for anything sizeable b/c creates so much data<br />
** Also looked at Yocto as a way to gather this information<br />
** Kate: Richard Purdie interested in this also from the Yocto side – perhaps get together a working group focused on this. Yocto also doing work around reproducible builds, and has been adopting SPDX identifiers.<br />
<br />
** Kay: thoughts on a “Build” profile for SPDX 3.0 to incorporate build-time data about e.g. the call used to start the compilation, the environment / compilation settings, etc. We should get various compiler people talking about how to align practices for this<br />
** Kate: agreed, let’s get a working group together on this<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* Gary and William got the license list CI system moved from Travis to GitHub Actions – thank you!<br />
* 3.12 – aiming to release this weekend; will tie up remaining issues in call after this meeting<br />
* Jilayne and Steve looking at getting some bigger projects going<br />
* Invite to all to jump into the conversations in issue threads - https://github.com/spdx/license-list-XML/issues<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Model and Process update – Gary<br />
** William leading discussions on Base profile model – reconciling feedback<br />
** Template for how to draft and write the profile specifications<br />
* Google Summer of Code – Gary<br />
** Should be hearing back shortly whether SPDX was accepted for 2021<br />
<br />
* Spec – Kate<br />
** Defects / Security – Thomas<br />
*** currently revising what was discussed on prior meetings<br />
*** worked with William on expressing vulnerabilities<br />
*** also looking at: whether / how to express mitigation measures<br />
** Linking – Nisha<br />
*** Sounds like people do want a Linking / Linkage profile<br />
*** Currently described in the spec as an “External Map” from 3T discussions, but not sure what this means – looking for more details<br />
** Integrity – Kay<br />
*** Working on creating POC for taking an SBOM, serializing it to binary, signing it using the COSI (?) standard<br />
*** could be signed in other ways, but using this for POC b/c small format and usable for small devices<br />
*** expect to have this the week after next<br />
*** spec for document integrity – “here’s how you sign SBOMs” – after having that as an example, plan to start reviewing with broader group<br />
*** may be a month before ready to discuss on a tech team call<br />
** Usage – Yoshiyuki Ito<br />
*** discussing what info to include in usage profile<br />
*** looking at using external map to refer to external information sources<br />
** Pedigree / Build / Creation – Kate<br />
*** can start those meetings happening, flesh out ideas<br />
*** reach out to in-toto folks to align with them<br />
<br />
* SPDX 2.2.1 – Kate:<br />
** ISO balloting has finished on the specification, via JDF<br />
** Approved from balloting, so should be getting an ISO number in the next few months<br />
** May have some tweaks to the 2.2.1 repo coming in, based on comments from ISO reviewers<br />
<br />
<br />
== Outreach Team Report ==<br />
<br />
* No Report<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Steve Winslow, LF<br />
* Michael Herzog, nexB<br />
* Gary O’Neall, SourceAuditor<br />
* David Edelsohn<br />
* Jeff Schutt<br />
* Rose Judge, VMware<br />
* Nisha Kumar, VMware<br />
* Jilayne Lovejoy, Red Hat<br />
* Kate Stewart, Linux Foundation<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Jorge Rodriguez-Moreno<br />
* Alfredo Espinosa<br />
* Kay Williams, Microsoft<br />
* Paul Madick, Jenzabar<br />
* William Cox, Synopsys<br />
* Bob Martin, Mitre<br />
* Thomas Steenbergen, HERE<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-03-04General Meeting/Minutes/2021-03-042021-04-01T11:20:26Z<p>Podence: Created page with "* Attendance: 18 * Lead by Phil Odence * Minutes of Feb meeting Approved *Housekeeping ** Zoom - Will be migrating to Zoom for these meetings; working with LF ** Phil will ne..."</p>
<hr />
<div>* Attendance: 18<br />
* Led by Phil Odence<br />
* Minutes of Feb meeting Approved<br />
<br />
* Housekeeping<br />
** Zoom - Will be migrating to Zoom for these meetings; working with LF<br />
** Phil will need to cut out early; Steve will take over notes<br />
<br />
== SPDX BOM for CMake Project ==<br />
<br />
* Background<br />
** Presented previously at FOSDEM<br />
** Used Zephyr, lightweight RTOS<br />
** Goal: generate an SPDX file in parallel with the CMake build<br />
*** including relationships<br />
*** fully automated<br />
*** no pulling from external sources (license data, for example)<br />
*** make it Zephyr-agnostic, so it could be reusable<br />
* POC<br />
** On GitHub<br />
** Used the file-based API of CMake<br />
*** to tell CMake to dump JSON meta-data files for each artifact<br />
*** and then build<br />
** Created SPDX<br />
*** Pull from <br />
**** Sources directory<br />
**** Artifacts directory<br />
**** Pull SPDX short form license names from files<br />
**** Create relationships <br />
*** Output is two files<br />
**** Sources<br />
**** Build artifacts<br />
**** with links between<br />
* Findings<br />
** Some limitations to the CMake API data, missing some info that CMake seems to “know”<br />
** Some invalid IDs<br />
** Graphviz was helpful in visualizing the relationships represented in the JSON files<br />
* Next Steps<br />
** Takeaways: the concept basically works; start small and can be improved<br />
** Working with the Zephyr community<br />
*** may have made it overly agnostic<br />
*** could tailor it to the Zephyr build system<br />
*** but generalized version is a great starting point<br />
** Michael Herzog: developed TraceCode as a tool to similarly look at details during the build process; more generalized, but extremely hard to use for anything sizeable b/c creates so much data<br />
** Also looked at Yocto as a way to gather this information<br />
** Kate: Richard Purdie interested in this also from the Yocto side – perhaps get together a working group focused on this. Yocto also doing work around reproducible builds, and has been adopting SPDX identifiers.<br />
<br />
** Kay: thoughts on a “Build” profile for SPDX 3.0 to incorporate build-time data about e.g. the call used to start the compilation, the environment / compilation settings, etc. We should get various compiler people talking about how to align practices for this<br />
** Kate: agreed, let’s get a working group together on this<br />
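A worked version of the pipeline summarised in the CMake SBOM notes above (both copies of these minutes describe the same proof of concept), added here as an example; it is not the presenter's proof of concept and not SPDX project code. It reads SPDX-License-Identifier tags from the files themselves rather than from external license data, records file checksums, and emits two SPDX 2.2 tag-value documents, one for sources and one for build artifacts, linked by an ExternalDocumentRef and GENERATED_FROM relationships. The in-memory source tree, the artifact-to-sources map (a stand-in for what the CMake file-based API reply would supply), the document namespaces and the tool name are all constructed assumptions.<br />

```python
"""Added example, not the presenter's proof of concept: emit two linked SPDX
2.2 tag-value documents (sources and build artifacts) from a source tree and
an artifact -> sources map, using only data found in the files themselves."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a checked-out source tree (path -> contents).
SOURCES: Dict[str, bytes] = {
    "src/main.c": b"// SPDX-License-Identifier: Apache-2.0\nint main(void) { return 0; }\n",
    "src/util.c": b"/* SPDX-License-Identifier: MIT */\nint util(void) { return 1; }\n",
    "src/vendor.c": b"int vendor(void) { return 2; }\n",  # carries no license tag
}
# Constructed stand-in for the artifact -> inputs information that the CMake
# file-based API reply would provide: artifact path -> (bytes, source paths).
ARTIFACTS: Dict[str, Tuple[bytes, List[str]]] = {
    "build/app.elf": (b"\x7fELF-constructed-bytes", ["src/main.c", "src/util.c", "src/vendor.c"]),
}
# Assumed document namespaces and tool name (any unique URIs will do).
SRC_NS = "https://example.invalid/spdx/sources"
BIN_NS = "https://example.invalid/spdx/artifacts"
TOOL = "Tool: cmake-sbom-example-0.1"
TAG_RE = re.compile(rb"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-() ]+)")


def license_in_file(data: bytes) -> str:
    """Short-form license id read from the file's own header; NONE if absent."""
    m = TAG_RE.search(data)
    return m.group(1).decode().strip() if m else "NONE"


def spdx_id(path: str) -> str:
    """SPDXID grammar allows only [A-Za-z0-9.-]; map everything else to '-'."""
    return "SPDXRef-File-" + re.sub(r"[^A-Za-z0-9.-]", "-", path)


def file_block(path: str, data: bytes) -> List[str]:
    return [
        f"FileName: ./{path}",
        f"SPDXID: {spdx_id(path)}",
        f"FileChecksum: SHA1: {hashlib.sha1(data).hexdigest()}",
        f"FileChecksum: SHA256: {hashlib.sha256(data).hexdigest()}",
        "LicenseConcluded: NOASSERTION",
        f"LicenseInfoInFile: {license_in_file(data)}",
        "FileCopyrightText: NOASSERTION",
        "",
    ]


def header(name: str, namespace: str) -> List[str]:
    return [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {name}",
        f"DocumentNamespace: {namespace}",
        f"Creator: {TOOL}",
        "Created: 2021-03-04T00:00:00Z",  # fixed so the output is reproducible
    ]


def sources_document() -> str:
    lines = header("sources", SRC_NS) + [""]
    for path, data in sorted(SOURCES.items()):
        lines += file_block(path, data)
    return "\n".join(lines)


def artifacts_document(sources_doc: str) -> str:
    """Second document; its ExternalDocumentRef carries the SHA1 of the
    sources document, so a consumer can tell if that document was swapped."""
    src_sha1 = hashlib.sha1(sources_doc.encode()).hexdigest()
    lines = header("build-artifacts", BIN_NS)
    lines.append(f"ExternalDocumentRef: DocumentRef-sources {SRC_NS} SHA1: {src_sha1}")
    lines.append("")
    for path, (data, inputs) in sorted(ARTIFACTS.items()):
        lines += file_block(path, data)
        for src in inputs:  # cross-document relationship: artifact <- source
            lines.append(f"Relationship: {spdx_id(path)} GENERATED_FROM "
                         f"DocumentRef-sources:{spdx_id(src)}")
        lines.append("")
    return "\n".join(lines)


def relationships(doc: str) -> List[Tuple[str, str, str]]:
    """Consumer side: parse Relationship lines back into (subject, type, object)."""
    out = []
    for line in doc.splitlines():
        if line.startswith("Relationship:"):
            subject, rel, obj = line.split(":", 1)[1].split()
            out.append((subject, rel, obj))
    return out


if __name__ == "__main__":
    src = sources_document()
    print(src)
    print(artifacts_document(src))
```

Running the module prints both documents. The SHA1 in the ExternalDocumentRef binds the artifacts document to one exact sources document, so a consumer should verify that hash before trusting the cross-document GENERATED_FROM relationships; a file with no tag is recorded as LicenseInfoInFile: NONE rather than silently assigned a license, which is the "no external sources" constraint from the notes made visible in the output.<br />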
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* Gary and William got the license list CI system moved from Travis to GitHub Actions – thank you!<br />
* 3.12 – aiming to release this weekend; will tie up remaining issues in call after this meeting<br />
* Jilayne and Steve looking at getting some bigger projects going<br />
* Invite to all to jump into the conversations in issue threads - https://github.com/spdx/license-list-XML/issues<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Model and Process update – Gary<br />
** William leading discussions on Base profile model – reconciling feedback<br />
** Template for how to draft and write the profile specifications<br />
* Google Summer of Code – Gary<br />
** Should be hearing back shortly whether SPDX was accepted for 2021<br />
<br />
* Spec – Kate<br />
** Defects / Security – Thomas<br />
*** currently revising what was discussed on prior meetings<br />
*** worked with William on expressing vulnerabilities<br />
*** also looking at: whether / how to express mitigation measures<br />
** Linking – Nisha<br />
*** Sounds like people do want a Linking / Linkage profile<br />
*** Currently described in the spec as an “External Map” from 3T discussions, but not sure what this means – looking for more details<br />
** Integrity – Kay<br />
*** Working on creating POC for taking an SBOM, serializing it to binary, signing it using the COSI (?) standard<br />
*** could be signed in other ways, but using this for POC b/c small format and usable for small devices<br />
*** expect to have this the week after next<br />
*** spec for document integrity – “here’s how you sign SBOMs” – after having that as an example, plan to start reviewing with broader group<br />
*** may be a month before ready to discuss on a tech team call<br />
** Usage – Yoshiyuki Ito<br />
*** discussing what info to include in usage profile<br />
*** looking at using external map to refer to external information sources<br />
** Pedigree / Build / Creation – Kate<br />
*** can start those meetings happening, flesh out ideas<br />
*** reach out to in-toto folks to align with them<br />
<br />
* SPDX 2.2.1 – Kate:<br />
** ISO balloting has finished on the specification, via JDF<br />
** Approved from balloting, so should be getting an ISO number in the next few months<br />
** May have some tweaks to the 2.2.1 repo coming in, based on comments from ISO reviewers<br />
<br />
<br />
== Outreach Team Report ==<br />
<br />
* No Report<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Steve Winslow, LF<br />
* Michael Herzog, nexB<br />
* Gary O’Neall, SourceAuditor<br />
* David Edelsohn<br />
* Jeff Schutt<br />
* Rose Judge, VMware<br />
* Nisha Kumar, VMware<br />
* Jilayne Lovejoy, Red Hat<br />
* Kate Stewart, Linux Foundation<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Jorge Rodriguez-Moreno<br />
* Alfredo Espinosa<br />
* Kay Williams, Microsoft<br />
* Paul Madick, Jenzabar<br />
* William Cox, Synopsys<br />
* David Martin, Mitre<br />
* Thomas Steenbergen, HERE<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-02-04General Meeting/Minutes/2021-02-042021-03-02T13:12:04Z<p>Podence: Created page with "* Attendance: 26 * Lead by Phil Odence * Minutes of Dec meeting Approved == 3T-SBOM - Kay/Bob == * Basis ** To standardize, tools need to talk to each other ** Developed 9..."</p>
<hr />
<div>* Attendance: 26<br />
* Led by Phil Odence<br />
* Minutes of Dec meeting Approved<br />
<br />
<br />
== 3T-SBOM - Kay/Bob ==<br />
<br />
* Basis<br />
** To standardize, tools need to talk to each other<br />
** Developed 9 use cases<br />
** Started up in 2019; several groups involved<br />
** Provenance/Pedigree distinction <br />
** Started w/NTIA fields as basis<br />
** Developed model very similar to SPDX<br />
** Started w/ software but can be broader<br />
* Merging Efforts<br />
** Common goals/members; working for some time<br />
** So, made sense to merge<br />
** Harmonized meetings<br />
*** Profile groups meeting separately from Tech meeting<br />
*** All a little fluid<br />
** Longer Term thoughts<br />
*** Licensing and contribution agreements for spec<br />
*** User scenarios, broader scope<br />
**** May need to update naming scheme<br />
**** Broader scope may require expanded governance and funding<br />
* Questions<br />
** Funding discussions<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Spec - Kate<br />
** Overview<br />
*** SPDX 2.2 being refactored into upcoming 3.0 effort, with Core and separate topical Profiles<br />
*** Has been happening in parallel with 3T SBOM efforts<br />
** Core - William<br />
*** Area with most overlap with 3T efforts<br />
*** Have been working on identifying areas of differences between the two, gradually converging<br />
*** Last month was focused on identifying remaining differences and working through them, determining how critical they are<br />
*** Remaining differences are centered on (1) naming things and (2) external references<br />
*** Also working through tooling and how to document the core standard<br />
*** Close to done on what the model will look like, want to turn next to actually writing it up in a format that is suitable for use cases – transition from modeling to authoring of spec text<br />
** Licensing - Steve<br />
*** Described background of licensing fields combined with “core” in 2.2 and prior spec versions<br />
*** Splitting out licensing-related fields into a separate optional profile<br />
*** Previously discussed and brainstorming in a shared Google Doc<br />
*** Was previously planning to wait on migrating into GitHub until spec format was finalized; sounds like that will still be some time until finalized<br />
*** Will work on migrating Google Doc brainstorming outcomes into GitHub in MarkDown or plain text<br />
** Defects – Thomas<br />
*** Includes “vulnerabilities”<br />
*** Worked with William on documenting an example<br />
*** Still working on remediation-related fields<br />
*** Hoping to have more concrete examples, and to restart the security discussions before the end of this month<br />
** Linking – Nisha<br />
*** Mockups: https://github.com/SantiagoTorres/spdx-linking-mockups<br />
*** “Linking” – how different software components are related to each other, and to separate components in the broader ecosystem<br />
*** Profile aims to surface those connections when using e.g. a container or a CNAB (Cloud Native Application Bundle)<br />
*** Focused on cloud native use case, but could also be used in e.g. the embedded world, for something like an embedded OS utilizing multiple components<br />
**** Kay – other scenarios thinking about: e.g. IoT devices, wanting to list out both software and hardware components<br />
**** Santiago – working on similar for in-toto, to authenticate components<br />
*** Currently stuck on sorting out the overlap between the Linking profile and the Integrity profile. Current thinking, integrity signatures should be handled via “relationships” between elements<br />
** Integrity – Santiago<br />
*** Slides: [TO BE FILLED IN]<br />
*** There are a lot of outstanding questions, still being sorted through<br />
*** Milestone structure: Document integrity >> Document Authentication >> Document & supply chain policy >> Linkage & supply chain integrity<br />
*** Discussed roles of each stage and current status of milestones<br />
** Usage and Other Emerging – Kate<br />
*** Spearheaded by team in Japan<br />
*** Looking at carrying e.g. contract info along in SPDX documents<br />
*** Also looking at Pedigree / Provenance profiles, for fields to carry build information<br />
* Tools and Google Summer of Code (GSoC) - Gary<br />
** GSoC: Applications open for projects, Gary is applying now, will update next month<br />
** Will post link to project page<br />
** Looking at different tooling for supporting spec process<br />
<br />
== Legal Team Report - Paul/Jilayne/Steve ==<br />
<br />
* 3.12 release, pushed back to Feb. 19/20, may push further back depending on issue status<br />
* Ran into some issues with CI/build system, thank you to Gary and William for helping to resolve<br />
* Jilayne – description of what the legal team works on<br />
** License list for those not familiar with it: https://spdx.org/licenses<br />
<br />
== Outreach Team Report - Aveek ==<br />
<br />
* Recurring meeting with several community members about how to welcome new folks to the community<br />
* Discussing initial tools, assigning initial issues to newcomers<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* David Martin, Mitre<br />
* Kay Williams, Microsoft<br />
* Steve Winslow, LF<br />
* Jilayne Lovejoy<br />
* Paul Madick, Jenzabar<br />
* Kate Stewart, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Aveek Basu, NextMark Printers<br />
* Sean Geary, Revenera<br />
* William Cox, Synopsys<br />
* Maximilian Huber, TNG<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Thomas Steenbergen, HERE<br />
* Alfredo Espinosa<br />
* Nishad Thalhath<br />
* David Edelsohn<br />
* Philippe Emmanuel Douziech<br />
* William Bartholomew, GitHub<br />
* Alexios Zavras, Intel<br />
* Santiago<br />
* Henk Birkholz<br />
* Ariel Patano<br />
* Jorge Rodriguez-Moreno<br />
* Nisha Kumar, VMware<br />
* Michael Herzog, nexB<br />
<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-12-03General Meeting/Minutes/2020-12-032020-12-04T17:11:52Z<p>Podence: Created page with "* Attendance: 11 * Lead by Phil Odence * Minutes of Nov meeting Approved == Tech Team Report - Gary == * Spec ** Nov, busy month ** Mostly working on Base Model *** Working..."</p>
<hr />
<div>* Attendance: 11<br />
* Led by Phil Odence<br />
* Minutes of Nov meeting Approved<br />
<br />
<br />
== Tech Team Report - Gary ==<br />
<br />
* Spec<br />
** Nov, busy month<br />
** Mostly working on Base Model<br />
*** Working on Relationships <br />
**** Between, for example, files, packages, etc<br />
**** Exploring verification methods, digital signatures, etc<br />
**** Supporting Contains<br />
*** This should clear the way to get more work done on the other profiles<br />
**** Process work too<br />
**** Hoping enough is in place after next meeting to remove blockers<br />
* Tools<br />
** New release of online tools is up<br />
*** Quite significant<br />
*** Much new functionality<br />
*** As such, there will likely be issues<br />
**** Report in GitHub or emailing Gary<br />
**** There was a character encoding issue that was quickly resolved<br />
** New license list generator has improved the license list (LL)<br />
** Good work/improvements on Go libraries<br />
*** THANKS, Rishabh<br />
<br />
== Legal Team Report - Paul/Jilayne/Steve ==<br />
<br />
* Main Nov work 3.11 License release<br />
** A little smaller than the previous release was<br />
* 3.12 discussions starting today <br />
** Aiming for end of Jan<br />
** Dealing with a little backlog of new requests<br />
** Could use help, as usual<br />
* Documentation/Website<br />
** Core team has been overhauling<br />
** Updating License List page<br />
*** Including moving to GitHub<br />
<br />
== Outreach Team Report ==<br />
<br />
* Aveek’s ideas for increasing SPDX Participation<br />
** Started discussing last meeting<br />
* Rough plan<br />
** Approach student communities at different schools<br />
** Give assignments to students or onboarding<br />
*** e.g. Open Printing has a generic, easy, but comprehensive assignment defined<br />
*** May need different ones for different technologies<br />
** Single point of contact to guide students<br />
*** Perhaps students from previous years<br />
** Identify basic issues to assign<br />
** Encourage participation in GSOC and LFMP<br />
** Encourage previous students to mentor<br />
** Organize Virtual Meetups<br />
** From student groups in schools<br />
* Also has the idea of talking to other projects about benefits<br />
** Will start with Open Printing<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* David Wheeler, Linux Foundation<br />
* Rishabh Bhatnagar, St Francis Inst Tech<br />
* Aveek Basu, NextMark Printers<br />
* Steve Winslow, LF<br />
* Jilayne Lovejoy, Canonical<br />
* Mark Atwood, Amazon<br />
* Paul Madick<br />
* Mike Dolan, Linux Foundation<br />
* Jim Hutchison, Qualcomm<br />
* Rose Judge, VMware<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-11-05General Meeting/Minutes/2020-11-052020-12-02T12:15:34Z<p>Podence: Created page with "* Attendance: 16 * Lead by Steve Winslow == Presentation: William Bartholomew == * Discussed efforts working with 3T-SBOM group to align approaches and modeling * Walked thr..."</p>
<hr />
<div>* Attendance: 16<br />
* Led by Steve Winslow<br />
<br />
== Presentation: William Bartholomew ==<br />
<br />
* Discussed efforts working with 3T-SBOM group to align approaches and modeling<br />
* Walked through key points of changes to base profile<br />
** Relationships being promoted to “object” level<br />
** Artifact; external references<br />
** Extensibility, potential for other authenticity measures than just hashes (e.g. public keys)<br />
* Briefly discussed other profiles<br />
<br />
== Legal Team Report – Steve / Jilayne ==<br />
<br />
* 3.11 release update<br />
** originally scheduled for Oct. 31<br />
** most of 3.11 cycle was focused on SPDX 3.0 licensing profile discussions<br />
** shifted release to approx. Nov. 25<br />
* call for participants to review license submissions / provide comments on “yes/no, should this be added” out-of-band from biweekly calls<br />
<br />
== Tech Team Report – Kate ==<br />
<br />
* Work proceeding on SPDX 3.0<br />
* Linking profile: focus on aligning with container-based ecosystems, work by Nisha and Santiago<br />
* Other profiles proceeding as well<br />
* Tooling: Online Tools recently updated<br />
<br />
== Other matters ==<br />
<br />
* Comments from Aveek re: ways to provide better on-ramps into the SPDX community for newcomers<br />
** Availability of Gitter as a real-time chat option; possibly explore other options<br />
** May discuss on next month’s General meeting<br />
<br />
== Additional Notes from KATE ==<br />
Here are the notes I took, since Steve was kind enough to host.<br />
<br />
Attendees: Steve Winslow, Kate Stewart, Mark Baushke, Rishabh Bhatnagar, Aveek, Jilayne Lovejoy, Emmanuel Tournier, William Bartholomew, Alexios Zavras, Mike Dolan, Paul Madick, Mark Atwood, Michael Herzog, David Wheeler<br />
<br />
William went through and did a review of SPDX 3.0 Base Profile highlighting the differences.<br />
<br />
Artifacts - are promoting a specific External Reference (likely PURL) to be used<br />
Document - Now has a set of profiles that <br />
<br />
Complies with a profile - expect that mandatory are supported.<br />
If not have profile - can use the field, but not expected to meet the full requirements. <br />
<br />
Next step is converting this into the written text. <br />
Move into the other areas as well. <br />
<br />
Now’s the time to chime in on the SPDX 3.0 specification if you have <br />
<br />
Mark Baushke - problem on how to express the overall license. Userland and Kernel based licensing in one package. Use Case interested in - Fast packet forwarding - kernel module with GPL2, and userland. …. show how to represent. <br />
<br />
Legal Team - 3.11 release - pushing it out until Nov 25th, today one more meeting. <br />
11 new license requests have been submitted in September. <br />
Help requested: commenting on licenses in GitHub comments / XML files. <br />
<br />
Web site <br />
Refresh is ongoing. Feedback and suggestions are welcome. <br />
Mission discussed last month has now been incorporated<br />
<br />
Technical Team - <br />
SPDX 3.0 in progress<br />
Online tools - yaml conversions coming. <br />
<br />
Aveek - Observing SPDX - Community building and bringing new people into group. <br />
Group chat/slack? — use gitter, start discussing there as well. <br />
Need to improve our launching platform.<br />
Slack group? - with mentoring and advocates how to start off. <br />
<br />
Aveek has volunteered to provide his findings to help us grow the community next month as a guest speaker.<br />
<br />
Possibly Steve, Jilayne & Paul can provide overview of SPDX 3.0 License Profile in January?</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-10-01General Meeting/Minutes/2020-10-012020-10-01T15:31:02Z<p>Podence: Created page with "* Attendance: 8 * Lead by Phil Odence * Minutes of Sept meeting Approved == Webpage Update- Phil == * No objections to new copy for website == Tech Team Report - Steve sta..."</p>
<hr />
<div>* Attendance: 8<br />
* Led by Phil Odence<br />
* Minutes of Sept meeting Approved<br />
<br />
== Webpage Update- Phil ==<br />
<br />
* No objections to new copy for website<br />
<br />
== Tech Team Report - Steve standing in ==<br />
<br />
* Spec<br />
** DCO bot has been turned on for the spec<br />
** 2.2.1<br />
*** ISO requested more information<br />
*** Developed and submitted<br />
** 3.0<br />
*** WilliamB has set up new branch<br />
*** Still working on main profile<br />
*** Minor mods for OMG/NTIA<br />
*** Japan user group has provided inputs<br />
*** Vulnerabilities Profile<br />
**** Working with 3TS group<br />
*** Linkage Profile<br />
**** Name still up in the air<br />
**** Something about linking docs and vetting provenance<br />
*** Build Profile<br />
**** Kate working on looking at different build systems<br />
* Tools<br />
** Google SoC<br />
*** All students passed. Congrats!<br />
**** Rishabh has stayed involved and done some great work<br />
*** Community Bridge<br />
**** 2 projects going<br />
*** Tools.spdx.org<br />
**** Funding is $2100 / $2400<br />
**** All tools being transitioned<br />
**** Test instance in place http://52.32.53.255/<br />
***** Please Poke!<br />
<br />
== Legal Team Report - Paul/Jilayne/Steve ==<br />
<br />
* Licensing Profile<br />
** This has been the recent focus of the team<br />
** Simplify/Clarify what’s been in place<br />
** Working doc for initial draft: https://docs.google.com/document/d/1k_2tSlFXvW_SbW-I1DcSEoCNBMQJd4FEFIQr6KCJuyU/edit#<br />
** Base + Licensing is targeted at the historical use case for SPDX<br />
** Next step will be to clean up the initial draft for further discussion<br />
* License List<br />
** Little change due to focus on Licensing Profile<br />
** Building up a little backlog<br />
* Minutes for the Legal Team are kept here going forward:<br />
** https://github.com/spdx/meetings<br />
<br />
== Outreach Team Report ==<br />
<br />
* No Update<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Paul Madick<br />
* Rishabh Bhatnagar, St Francis Inst Tech<br />
* Aveek, NextMark Printers<br />
* Steve Winslow, LF<br />
* Jilayne Lovejoy, Canonical<br />
* Michael Herzog, nexB<br />
* Mike Dolan, Linux Foundation<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-09-03General Meeting/Minutes/2020-09-032020-09-04T11:15:48Z<p>Podence: Created page with "* Attendance: 11 * Lead by Paul Madick * Minutes of Sept. meeting == Tech Team Report - Kate == * Spec ** 3.0 discussions occurring now including joint discussions with le..."</p>
<hr />
<div>* Attendance: 11<br />
* Led by Paul Madick<br />
* Minutes of Sept. meeting<br />
<br />
<br />
== Tech Team Report - Kate ==<br />
<br />
* Spec<br />
** 3.0 discussions occurring now, including joint discussions with the legal team; in good shape<br />
** Shout out to Steve Winslow, who has put up examples; others encouraged to participate<br />
* ISO<br />
** paperwork has been submitted and we are expecting a vote by end of year<br />
* Special Use Cases<br />
** work continuing with medical center<br />
<br />
* GSoC<br />
** All projects are progressing quite well and wrapping up <br />
** Thank you to all participants (Mentors and Mentees)<br />
<br />
<br />
== Legal Team Report - Steve ==<br />
<br />
* License List<br />
** released 3.10 license list in August<br />
** starting on 3.11<br />
* Lot of everyday work continuing<br />
* Spec<br />
** working with Tech team on license profile as break out from other profiles like security profile<br />
<br />
== Outreach Team Report - Jack ==<br />
<br />
* Going through web site to give it a facelift in three phases<br />
** phase one: content verification<br />
** phase two: small improvements to communicate better<br />
** phase three: additional content to help folks start up with SPDX<br />
* Aveek has gone through website as a new member of SPDX<br />
** from printer side (NextMark) and working on GSoC<br />
** Aveek speaking with Kate and Jack on some things that might be helpful regarding website<br />
* Vicki volunteered to coordinate some help with the website but requested direction on what Jack would be looking for.<br />
<br />
== Cross Functional ==<br />
<br />
* <br />
<br />
<br />
== Attendees ==<br />
<br />
* Jack Manbeck, TI<br />
* Brad Goldring, GTC Law<br />
* Nisha Kumar, VMware<br />
* David Wheeler, Linux Foundation<br />
* Steve Winslow, LF<br />
* Jim Hutchison, Qualcomm<br />
* Aveek Basu, NextMark Printers<br />
* Kate Stewart, Linux Foundation<br />
* Vicki B.<br />
* Rishabh Bhatnagar, St. Francis Institute of Technology<br />
* Paul Madick<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-08-06General Meeting/Minutes/2020-08-062020-08-06T15:35:49Z<p>Podence: Created page with "* Attendance: 14 * Lead by Phil Odence * Minutes of Aug meeting == Presentation - GSoC Smith Tanjong Agbor == * Validating License Cross References == Tech Team Report - K..."</p>
<hr />
<div>* Attendance: 14<br />
* Led by Phil Odence<br />
* Minutes of Aug meeting<br />
<br />
== Presentation - GSoC Smith Tanjong Agbor ==<br />
<br />
* Validating License Cross References<br />
<br />
== Tech Team Report - Kate / Gary ==<br />
<br />
* Spec<br />
** 2.1 is in good shape<br />
*** Ready to submit to ISO<br />
*** Many big thanks to Steve, Jack, Rex and others for great work<br />
*** Should be an ISO Spec in 4-5 months<br />
** Also looking at 3.0 for ISO<br />
* Tools<br />
** Community Bridge funding project <br />
*** We are through phase 1 (funding for this year)<br />
*** On track for phase 2 next year<br />
** Should have new infrastructure up in the next month or two<br />
*** Including real URL<br />
*** and SSL for security<br />
* GSoC<br />
** All projects are progressing quite well<br />
*** All students have passed 2nd evaluation<br />
** Aveek started this for SPDX (in addition to LF) and it’s been great for us<br />
*** We get more slots as a consequence<br />
<br />
== Legal Team Report - Paul/Steve ==<br />
<br />
* License List<br />
** Monday we released 3.10 license list<br />
*** 20 new ones<br />
** Joint meeting upcoming with the tech team to look at 3.0<br />
<br />
== Outreach Team Report ==<br />
<br />
* No Update<br />
<br />
== Cross Functional ==<br />
<br />
* <br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* David Wheeler, Linux Foundation<br />
* Mark Baushke, Juniper<br />
* Kate Stewart, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Paul Madick<br />
* Michael Herzog, nexB<br />
* Steve Winslow, LF<br />
* Matije Suklje, Liferay<br />
* Aveek, NextMark Printers<br />
* Alexios Zavras, Intel<br />
* Michael Richardson<br />
* Mike Dolan, Linux Foundation<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-06-04General Meeting/Minutes/2020-06-042020-06-12T13:21:05Z<p>Podence: Created page with "* Attendance: 17 * Lead by Phil Odence * Minutes of May meeting == Presentation - Health Care PoC & NTiA, Ed Heierman, Abbott Labs == * Discussed medical device manufacturer..."</p>
<hr />
<div>* Attendance: 17<br />
* Led by Phil Odence<br />
* Minutes of May meeting<br />
<br />
== Presentation - Health Care PoC & NTiA, Ed Heierman, Abbott Labs ==<br />
<br />
* Discussed medical device manufacturers’ development of proof-of-concept SBOMs using SPDX<br />
* Demonstrated tag-value SPDX file, and tooling to generate through Excel spreadsheets as well as an open online tool<br />
** the latter is also able to import existing SPDX files<br />
* He will make slides available.<br />
<br />
<br />
== Tech Team Report - Kate / Gary ==<br />
<br />
* GSoC<br />
** Coding period just started<br />
** Also doing funding for one student through CommunityBridge Mentorships, will start in July<br />
* Tools<br />
** Java tooling updated to released 2.2 spec<br />
** Python – partial implementation, still in progress<br />
* Spec<br />
** v2.2 published<br />
** now focusing on refactoring into specific profiles for v3.0 – security; revised licensing profile<br />
** also transforming v2.2 spec into format for submission to ISO<br />
** if looking at repo, will be seeing churn from section renumbering, table formats, etc. to align with ISO guidelines – will be v2.2.1<br />
** will use transformed version as basis for v3.0<br />
** active areas: security, licensing, base, integrity, usage rules (lifecycle of software, etc.)<br />
** Tuesday weekly calls as well as out-of-band calls<br />
** SPDX Japan calls – once a month, happening second Monday of each month – 8PM Eastern, for now reach out to Kate for invite (will document on website)<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* License List<br />
** v3.9 released in May<br />
** Announcement: https://spdx.dev/license-list-v3-9-released/<br />
** Continuing with v3.10 work, good involvement from new participants<br />
<br />
== Outreach Team Report – Steve (Jack unable to attend) ==<br />
<br />
* Website<br />
** static website migrated from Drupal to WordPress, now at https://spdx.dev<br />
** old license list URLs remain the same under https://spdx.org/licenses<br />
** redirects should be seamless from old to new URLs (and vice versa)<br />
** now turning to updating old content on the static pages, etc.<br />
** any issues, suggestions, feedback can be emailed to Jack, Kate and Steve, or submitted at https://github.com/spdx/spdx-website/issues<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Ed Heierman, Abbott Labs<br />
* Kate Stewart, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Steve Winslow, LF<br />
* Alexios Zavras, Intel<br />
* Takashi Ninjouji, Toshiba<br />
* Peter Shin, Canvass Labs<br />
* Jilayne Lovejoy, Canonical<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* David Wheeler, Linux Foundation<br />
* Mike Dolan, Linux Foundation<br />
* Mark Atwood, Amazon<br />
* Jeremiah Foster, Purism<br />
* Mark Baushke, Juniper<br />
* McCoy Smith, LexPan<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-05-07General Meeting/Minutes/2020-05-072020-05-07T21:27:18Z<p>Podence: </p>
<hr />
<div>* Attendance: 19<br />
* Led by Phil Odence<br />
* Minutes of April meeting<br />
<br />
== Presentation - SPDX 2.2 Overview, Kate ==<br />
<br />
* Great job<br />
* https://docs.google.com/presentation/d/1JGVS6vzGwueTDCBHWUNy9ItEFHZ5BwFZoUZsl7Ccxsw/edit#slide=id.p87<br />
<br />
== Tech Team Report - Kate / Gary ==<br />
<br />
* Spec<br />
** See above<br />
* Tools<br />
** Just released java tools updating to 2.2<br />
*** Will be separate tool for new formats and will be migrating that way in the next month or two<br />
*** Leaner, faster, more modern<br />
*** Python libs support new JSON today<br />
** Maintaining full forward/backward compatibility<br />
* GSoC<br />
** Students will be joining<br />
** They are getting oriented now<br />
** Will start coding in a month<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* License List<br />
** Release postponed to Mid-May so as not to clash with 2.2<br />
** Another week of work on tagging remaining requests<br />
<br />
== Outreach Team Report - Jack ==<br />
<br />
* Twitter<br />
** SPDX Tools is now a Twitter handle<br />
<br />
== Cross Functional - Steve ==<br />
<br />
* Website<br />
** Existing website is on Drupal<br />
** All LF stuff moving to Wordpress<br />
*** Some issues with auto generated pages on Wordpress<br />
*** Critical to maintain URLs<br />
*** Solution: License and RDF will stay at their current locations<br />
*** New site will be spdx.dev<br />
**** Full redirects will be in place<br />
**** So no issues for users with migration<br />
*** Content has been largely maintained<br />
**** Some cleanup of formatting and organization<br />
*** Plan to improve content over time.<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Mark Atwood, Amazon<br />
* Steve Winslow, LF<br />
* Kate Stewart, Linux Foundation<br />
* Alexios Zavras, Intel<br />
* David Wheeler, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Matthew Crawford, ARM<br />
* Jack Manbeck, TI<br />
* Bradlee Edmondson, Harvard<br />
* Hal Hearst, Synopsys<br />
* Anisha Srivastava, Student<br />
* Takashi Ninjouji, Toshiba<br />
* Paul Madick<br />
* Brad Goldring, GTC Law<br />
* William Bartholomew, GitHub<br />
* Jilayne Lovejoy, Canonical<br />
* Matije Suklje, Liferay<br />
* Philippe Ombrédanne, nexB<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-05-07General Meeting/Minutes/2020-05-072020-05-07T21:13:22Z<p>Podence: Created page with "* Attendance: 19 * Lead by Phil Odence * Minutes of April meeting == Presentation - SPDX 2.2 Overview, Kate == * Great job * https://docs.google.com/presentation/d/1JGVS6vz..."</p>
<hr />
<div>* Attendance: 19<br />
* Led by Phil Odence<br />
* Minutes of April meeting<br />
<br />
== Presentation - SPDX 2.2 Overview, Kate ==<br />
<br />
* Great job<br />
* https://docs.google.com/presentation/d/1JGVS6vzGwueTDCBHWUNy9ItEFHZ5BwFZoUZsl7Ccxsw/edit#slide=id.p87<br />
<br />
== Tech Team Report - Kate / Gary ==<br />
<br />
* Spec<br />
** See above<br />
* Tools<br />
** Just released java tools updating to 2.2<br />
*** Will be separate tool for new formats and will be migrating that way in the next month or two<br />
*** Leaner, faster, more modern<br />
*** Python libs support new JSON today<br />
** Maintaining full forward/backward compatibility<br />
* GSoC<br />
** Students will be joining<br />
** They are getting oriented now<br />
** Will start coding in a month<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* License List<br />
** Release postponed to Mid-May so as not to clash with 2.2<br />
** Another week of work on tagging remaining requests<br />
<br />
== Outreach Team Report - Jack ==<br />
<br />
* Twitter<br />
** SPDX Tools is now a Twitter handle<br />
<br />
== Cross Functional - Steve ==<br />
<br />
* Website<br />
** Existing website is on Drupal<br />
** All LF stuff moving to Wordpress<br />
*** Some issues with auto generated pages on Wordpress<br />
*** Critical to maintain URLs<br />
*** Solution: License and RDF will stay at their current locations<br />
*** New site will be spdx.dev<br />
**** Full redirects will be in place<br />
**** So no issues for users with migration<br />
*** Content has been largely maintained<br />
**** Some cleanup of formatting and organization<br />
*** Plan to improve content over time.<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Mark Atwood, Amazon<br />
* Steve Winslow, LF<br />
* Kate Stewart, Linux Foundation<br />
* Alexios Zavras, Intel<br />
* David Wheeler, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Matthew Crawford, ARM<br />
* Jack Manbeck, TI<br />
* Bradlee Edmondson, Harvard<br />
* Hal Hearst, Synopsys<br />
* Anisha Srivastava, Student<br />
* Takashi Ninjouji, Toshiba<br />
* Paul Madick<br />
* Brad Goldring, GTC Law<br />
* William Bartholomew, GitHub<br />
* Jilayne Lovejoy, Canonical<br />
* Matije Suklje, Liferay<br />
* Philippe Ombrédanne, nexB<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-04-02General Meeting/Minutes/2020-04-022020-04-03T11:25:09Z<p>Podence: Created page with "* Attendance: 19 * Lead by Phil Odence * Minutes of April meeting == Guest Speaker- Allan Friedman, NTIA == * NTIA’s Multistakeholder SBOM Process ** Concerns about softw..."</p>
<hr />
<div>* Attendance: 19<br />
* Led by Phil Odence<br />
* Minutes of April meeting<br />
<br />
== Guest Speaker- Allan Friedman, NTIA ==<br />
<br />
* NTIA’s Multistakeholder SBOM Process<br />
** Concerns about software supply chain risks have garnered more attention and energy in the OSS community, industry, and governments around the world. One natural starting point is a greater expectation of transparency of software components and dependencies. Any solution must scale up and down the software supply chain, and across the incredibly diverse software ecosystem, from modern CI/CD application development to critical infrastructure and embedded systems. Over the past two years, NTIA has helped a diverse set of stakeholders find a common vision for a "software bill of materials" (SBOM) that has the potential to scale as needed, and serve as a foundation for even more innovation around software supply chain security and quality. The SPDX community has played a key role in this discussion, and emerged as a key standard. This presentation will give an overview of the policy landscape, the progress made, and the work yet to be done around SBOM. <br />
** Allan’s slides https://drive.google.com/open?id=1KOsm6grnSZ5FsSnzTI9ybYT9m84F8Zfe<br />
<br />
== Tech Team Report - Kate ==<br />
<br />
* Spec<br />
** Wrapping up 2.2 spec <br />
*** Known unknowns made it in<br />
** 3.0 Visions<br />
*** William Bartholomew’s talk about profiles was great (and recorded)<br />
* Tools<br />
** Gary’s been working on 2.2 tooling<br />
*** Requiring a complete rewrite to the java tools<br />
*** Not API compatible<br />
** Google SoC<br />
*** 15 different submissions<br />
*** Google is looking for additional mentors on each project<br />
*** So, we need more mentors; contact Gary<br />
<br />
== Legal Team Report - Steve ==<br />
<br />
* Finalized updates to license inclusion principles<br />
** Mostly clarifications<br />
** But also to broaden a bit for non-OSS source available licenses<br />
** https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md<br />
* 3.9 list release has been pushed out a bit<br />
** Were waiting for above<br />
** https://github.com/spdx/license-list-XML/issues?q=is%3Aopen+is%3Aissue+milestone%3A%223.9+release%22<br />
* In anticipation of 3.0 working on a licensing profile<br />
* With Tech Team, updating back end of SPDX website to manage move from Drupal to Wordpress<br />
** Maintaining license URLs<br />
** Static pages moving to a different domain.<br />
<br />
<br />
== Outreach Team Report - Jack ==<br />
<br />
* Will be looking for help to update content for Website as per above<br />
* Documenting comprehensive list of SPDX-related tooling<br />
<br />
== Cross Functional - ==<br />
<br />
* None<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Allan Friedman, NTIA<br />
* Rose Judge, VMware<br />
* Steve Winslow, LF<br />
* Kate Stewart, Linux Foundation<br />
* Alexios Zavras, Intel<br />
* Jack Manbeck, TI<br />
* Jim Hutchison, Qualcomm<br />
* William Bartholomew, GitHub<br />
* Dave McLoughlin, Flexera<br />
* Michael Herzog, nexB<br />
* Alex Rybak, Flexera<br />
* Gary O’Neall, SourceAuditor<br />
* Paul Madick<br />
* Brad Goldring, GTC Law<br />
* David Wheeler, Linux Foundation<br />
* Mike Dolan, Linux Foundation<br />
* Bob Campbell, DXC<br />
* Mark Atwood, Amazon<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2020-02-06 | General Meeting/Minutes/2020-02-06 | 2020-02-06T16:18:18Z<p>Podence: Created page with "* Attendance: 8 * Lead by Phil Odence * Minutes of Dec meeting == Tech Team Report - Kate == * Spec ** Working on closing open pull requests in 2.2 *** Should be frozen th..."</p>
<hr />
<div>* Attendance: 8<br />
* Lead by Phil Odence<br />
* Minutes of Dec meeting<br />
<br />
<br />
== Tech Team Report - Kate ==<br />
<br />
* Spec<br />
<br />
** Working on closing open pull requests in 2.2<br />
*** Should be frozen this month<br />
*** At which point we will commence a review period<br />
*** Goal is to get 2.2 out to catch up with the tools<br />
* Tools<br />
** GSOC starting up again<br />
*** Gary, Kate and Philippe are driving<br />
*** Could use some projects; add to wiki page<br />
** That will free up for focus on next rev<br />
*** Main feature is generalized profiles for different SBoM types<br />
** Europe meet up<br />
*** Suggestions came back to legal team<br />
<br />
== Legal Team Report - Steve ==<br />
<br />
* Finalizing additions for 3.8 release<br />
** Should be out this weekend<br />
* Expanding license inclusion guidelines<br />
** In practical directions<br />
** Team is aligned conceptually<br />
** Need to get words down on paper<br />
** Aiming to have in place to use as filter for 3.9 list<br />
* Reviewing license expression syntax as well<br />
<br />
== Outreach Team Report ==<br />
<br />
* Closed out the survey<br />
<br />
== Cross Functional - ==<br />
<br />
* None<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Steve Winslow, LF<br />
* Kate Stewart, Linux Foundation<br />
* Jilayne Lovejoy, Canonical<br />
* Jack Manbeck, TI<br />
* Jim Hutchison, Qualcomm<br />
* Kevin Nelson, UHG<br />
* Nisha Kumar, VMware<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-12-05 | General Meeting/Minutes/2019-12-05 | 2019-12-05T16:29:08Z<p>Podence: Created page with "* Attendance: 10 * Lead by Phil Odence * Minutes of Nov meeting- Lightly attended, no minutes kept == Tech Team Report - Kate/Gary == * SPDX 2.2 ** moving on pull requests..."</p>
<hr />
<div>* Attendance: 10<br />
* Lead by Phil Odence<br />
* Minutes of Nov meeting- Lightly attended, no minutes kept<br />
<br />
<br />
== Tech Team Report - Kate/Gary ==<br />
<br />
* SPDX 2.2 <br />
** moving on pull requests being merged/included.<br />
** Tools for generating Multiple formats being tested (help welcome). <br />
* SPDX 3.0 <br />
** Identifying a common base (based on some of NTIA framing work) with specific profiles (licensing, security, pedigree, provenance, export) <br />
** SPDX 2.2 would be a base+licensing profile. <br />
* Related Groups<br />
* OMG is including part of the SPDX models; people regard it as a point to add security information.<br />
* NTIA phase 1 documents are published at https://www.ntia.gov/sbom (SPDX is a recognized format there).<br />
* NTIA phase 2 workgroups are forming, and there will be one on "formats & tooling” (which will feature SPDX tools ;-) ) those interested in participating in discussions on tooling and how to use tools are welcome to subscribe at: https://lists.linuxfoundation.org/mailman/listinfo/ntia-sbom-formats<br />
<br />
* Tools<br />
** nothing beyond above, mostly testing new formats<br />
<br />
== Legal Team Report - Paul/Steve ==<br />
<br />
* Fairly quiet this Q, lighter participation<br />
** 3.8 release will be light on new licenses<br />
* Reviewing and updating license inclusion guidelines<br />
** Should end up with broader inclusion at some level<br />
*** particularly for non-OSS licenses that include making source available<br />
** Good legal/tech team collaboration on 3.0<br />
*** One key topic is the license for the docs<br />
**** Currently CC0<br />
**** This has raised some concerns<br />
**** Dredging up historic rationale<br />
<br />
<br />
== Outreach Team Report ==<br />
<br />
* Survey reminder went out.<br />
** End of year down line. <br />
* Pushing Jan meeting to 1/9. <br />
<br />
== Cross Functional - ==<br />
<br />
* None<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Steve Winslow, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Mark Atwood, Amazon<br />
* Paul Madick<br />
* Alexios Zavras, Intel<br />
* Dave McLoughlin, Flexera<br />
* Rose Judge, VMware<br />
* Michael Herzog, nexB<br />
* Philippe Ombrédanne, nexB<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-09-05 | General Meeting/Minutes/2019-09-05 | 2019-09-05T18:52:24Z<p>Podence: Created page with "* Attendance: 17 * Lead by Phil Odence * Minutes of Aug meeting approved == Special Presentations - Hiro Fukuchi, Sony == * SPDX- Lite ** Open Chain Japan Work Group *** M..."</p>
<hr />
<div>* Attendance: 17<br />
* Lead by Phil Odence<br />
* Minutes of Aug meeting approved <br />
<br />
<br />
== Special Presentations - Hiro Fukuchi, Sony ==<br />
<br />
* SPDX- Lite<br />
** Open Chain Japan Work Group<br />
*** Member companies- Toyota, Denso, Panasonic, Pioneer, Sony, Fujitsu, Olympus, Renesas<br />
** Common Problem- Can’t get OSS information from suppliers (HW vendors, ODMs, SOC, partners… in Asia (China/Taiwan) and Japan)<br />
*** They don’t have complete information<br />
*** Don’t have the tools to generate and evaluate<br />
** SPDX Lite is part of guidelines<br />
*** Fits in at a fairly high level of maturity<br />
**** OpenChain - “Making Process”<br />
**** SPDX (and OSS tooling) - “Improving Process”<br />
**** Most suppliers are at low levels of maturity<br />
*** Looking not to fork, but to expand usage of SPDX Lite<br />
** Lite Description<br />
*** Subset of SPDX<br />
*** Minimum requirement<br />
*** Can be manually generated<br />
*** Proved in actual business use<br />
** Scenarios<br />
*** 1 Unskilled suppliers<br />
**** Useful at a lower level of maturity than SPDX requires<br />
*** 2 Non-engineering Staff<br />
**** More understandable by Legal and Procurement staff.<br />
*** Skilled suppliers would still use full SPDX<br />
**** OpenChain compliant suppliers would be sophisticated enough<br />
** Question: Is SPDX Lite fully SPDX compliant<br />
*** Yes, all mandatory fields are included in SPDX Lite plus some of the optional fields may be included.<br />
<br />
== Tech Team Report - Gary ==<br />
<br />
* Spec<br />
** Being worked in a GitHub repo<br />
*** Set up for pull requests for 2.2<br />
*** Anyone who has ideas or proposed changes, please submit as a pull request<br />
*** One in place is SPDX Lite<br />
**** Proposal is as an Appendix<br />
**** Thought is a profile for a specific use case<br />
**** Could be first of a number of profiles<br />
* Tools<br />
** Successful conclusion to GSoC<br />
*** All passed<br />
*** A number of new libraries including Python, Golang<br />
*** Mentors and students were great<br />
*** Record number of projects<br />
** Challenge now is integrating and putting into production<br />
*** All legal team tools have been submitted as pull requests<br />
**** Should be up and running in a month or so.<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* Legal Team License Submittal Demo (GSoC)<br />
** Video and minutes available<br />
** Need to update contribution instructions<br />
* Team call today<br />
* License List<br />
** 3.7 release at end of month<br />
*** Fewer licenses in this release than in some recent ones<br />
** Recent discussions have been more high level on principles than specific licenses<br />
<br />
<br />
== Outreach Team Report - Jack ==<br />
<br />
* Survey<br />
** Has been out for a few months<br />
** 37 responses so far<br />
** Will make one more pass<br />
** Looking at presenting at Gen Meeting in Nov<br />
* Philippe has been talking to the Python community about using SPDX License IDs and expressions in Python package manifests<br />
** Could be a model for other communities<br />
*** …some of which have been using formally or informally<br />
*** Potentially high leverage<br />
*** Rust and Go are using them sporadically<br />
<br />
== Cross Functional - ==<br />
<br />
* None<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Steve Winslow, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Jack Manbeck, TI<br />
* Nicolas Toussaint, Orange<br />
* Mark Atwood, Amazon<br />
* Jilayne Lovejoy, Canonical<br />
* Hiro Fukuchi, Sony<br />
* Shinsuke Kato, Panasonic<br />
* Philippe Ombrédanne, nexB<br />
* Michael Herzog, nexB<br />
* Patrice-Emmanuel Schmitz, Trasys International, European Commission<br />
* Richard Fontana, Red Hat<br />
* Mark Baushke, Juniper<br />
* Paul Madick, Dimension Data<br />
* Nisha Kumar, VMWare<br />
* David Marr, Qualcomm<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-08-01 | General Meeting/Minutes/2019-08-01 | 2019-08-01T15:50:54Z<p>Podence: Created page with "* Attendance: 11 * Lead by Phil Odence * Minutes of July meeting approved == Special Presentations - Umang Taneja, Tanjong Smith, GSoC == * Umang ** License submittal work..."</p>
<hr />
<div>* Attendance: 11<br />
* Lead by Phil Odence<br />
* Minutes of July meeting approved <br />
<br />
<br />
== Special Presentations - Umang Taneja, Tanjong Smith, GSoC ==<br />
<br />
* Umang<br />
** License submittal workflow automation<br />
*** Aim is to enhance user experience<br />
*** Compare submitted text against existing licenses to see if there’s duplication or close match<br />
*** Problems he’s trying to address<br />
**** What if the license is on the list, proposed, rejected…or a close match to one of those<br />
**** Current XML formatting- word-wrap doesn’t match license<br />
*** Also creating/documenting an API<br />
** Tasks:<br />
*** Create API- use without logging in, so can be accessed by other tools<br />
*** Create License Matcher- looks for exact and close matches<br />
**** Returns all matches and close matches<br />
*** Compare with not accepted as well as rejected licenses. <br />
**** Reports appropriately according to match<br />
**** Relies on user input regarding whether to go ahead with submittal<br />
*** Improve formatting of generated license<br />
** Screenshots available at: https://docs.google.com/document/d/1NMcLZVXxBV2PZobPJh1OugbCfC2d8kbAOX4m4TauEYk/edit?usp=sharing <br />
** Some discussion of how the workflow should work with close matches<br />
** Aiming for demo in future Legal Team meeting<br />
<br />
* Tanjong<br />
** License namespace<br />
*** A way to name valid licenses outside of the License List<br />
*** Created namespace and UI<br />
*** Also a mechanism for turning into a license request<br />
*** Took feedback from the joint/legal team meeting<br />
<br />
== Tech Team Report - Kate/Gary ==<br />
<br />
* Spec<br />
** Progress on Appendix for including other fields in the source like the license ID<br />
*** Keeping scope at file level<br />
*** Tags with SPDX prefix<br />
*** Allows to make it easier for tools to pick up.<br />
** Source file analysis<br />
*** Philip demoed<br />
*** Heavy testing mode<br />
* Tools<br />
** GSoC<br />
*** Continues to go very well<br />
*** All students passed second evaluation<br />
** Looking for feedback from community:<br />
*** License matching algorithm approaches<br />
**** Some encoded rules<br />
**** Some depended on XML markup<br />
**** Should we encode in XML or handle programmatically? (Discuss with Gary)<br />
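The following is an added example, not Umang’s GSoC matcher or any Legal Team tooling: one way to do the "exact or close match" step programmatically, the alternative the Tech Team question above weighs against encoding matching rules in the XML. The normalization is a simplified reading of the SPDX matching guidelines (drop copyright-notice lines and list bullets, unify quotes and dashes, fold case and whitespace) and the similarity score is difflib’s word-level ratio; the catalog of accepted/rejected texts, their ids, and the three submissions are all constructed for the example.<br />

```python
"""Match a submitted license text against known texts (exact or close).
Added example; the catalog and submissions below are constructed."""
import re
from difflib import SequenceMatcher
from typing import Dict, List

QUOTE_DASH_MAP = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'",
                                "\u2019": "'", "\u2013": "-", "\u2014": "-"})
COPYRIGHT_LINE_RE = re.compile(r"^(copyright\b|\(c\)|\u00a9)", re.I)
BULLET_RE = re.compile(r"^(\d+[.)]|[-*\u2022])\s+")


def normalize(text: str) -> str:
    """Simplified SPDX matching-guideline normalization: drop copyright notice
    lines and list bullets, unify quotes/dashes, fold case and whitespace."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if COPYRIGHT_LINE_RE.match(line):
            continue
        kept.append(BULLET_RE.sub("", line))
    joined = " ".join(kept).lower().translate(QUOTE_DASH_MAP)
    return re.sub(r"\s+", " ", joined).strip()


def similarity(a: str, b: str) -> float:
    """Word-level similarity in [0, 1]; 1.0 means identical after normalization."""
    return SequenceMatcher(None, normalize(a).split(), normalize(b).split()).ratio()


def match_submission(text: str, catalog: List[Dict[str, str]],
                     close: float = 0.8) -> List[Dict[str, object]]:
    """Rank catalog entries: 'exact' when normalized texts are identical,
    'close' when similarity >= close. Exact hits sort first, then by ratio."""
    norm, hits = normalize(text), []
    for entry in catalog:
        if normalize(entry["text"]) == norm:
            kind, ratio = "exact", 1.0
        else:
            ratio = similarity(text, entry["text"])
            kind = "close" if ratio >= close else None
        if kind:
            hits.append({"id": entry["id"], "status": entry["status"],
                         "kind": kind, "ratio": round(ratio, 3)})
    hits.sort(key=lambda h: (h["kind"] != "exact", -h["ratio"]))
    return hits


def decide(hits: List[Dict[str, object]]) -> str:
    """Next step in the submittal workflow, given the ranked hits."""
    if not hits:
        return "no match: continue with a new license request"
    top = hits[0]
    if top["kind"] == "exact":
        return f"duplicate of {top['status']} license {top['id']}: do not resubmit"
    return (f"close match to {top['status']} license {top['id']}: "
            "ask the submitter whether the difference is intended")


# Constructed catalog (abbreviated, invented texts; not real License List entries).
PERMISSIVE = (
    "Permission is hereby granted, free of charge, to any person obtaining a copy "
    "of this software and associated documentation files (the \"Software\"), to deal "
    "in the Software without restriction, subject to the following conditions:\n"
    "The above copyright notice and this permission notice shall be included in all "
    "copies or substantial portions of the Software.\n"
    "THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND."
)
NO_COMMERCIAL = PERMISSIVE + "\nThe Software may not be used for any commercial purpose."
BSDISH = (
    "Redistribution and use in source and binary forms, with or without modification, "
    "are permitted provided that the following conditions are met:\n"
    "1. Redistributions of source code must retain the above copyright notice.\n"
    "2. Redistributions in binary form must reproduce the above copyright notice."
)
CATALOG = [
    {"id": "Example-Permissive", "status": "accepted", "text": PERMISSIVE},
    {"id": "Example-NoCommercial", "status": "rejected", "text": NO_COMMERCIAL},
    {"id": "Example-BSDish", "status": "accepted", "text": BSDISH},
]

# Constructed submissions: re-wrapped, with a copyright line and curly quotes.
SUBMITTED_EXACT = (
    "Copyright (c) 2019 Example Co\n\n"
    "Permission is hereby granted, free of charge, to any person\n"
    "obtaining a copy of this software and associated documentation\n"
    "files (the \u201cSoftware\u201d), to deal in the Software without restriction,\n"
    "subject to the following conditions:\n\n"
    "The above copyright notice and this permission notice shall be\n"
    "included in all copies or substantial portions of the Software.\n\n"
    "THE SOFTWARE IS PROVIDED \u201cAS IS\u201d, WITHOUT WARRANTY OF ANY KIND.\n"
)
SUBMITTED_NO_COMMERCIAL = "\u00a9 2019 Example Co\n" + NO_COMMERCIAL
SUBMITTED_NEW = "Anyone may use this program for any purpose without fee."

if __name__ == "__main__":
    for name, text in [("exact", SUBMITTED_EXACT), ("no-commercial", SUBMITTED_NO_COMMERCIAL),
                       ("new", SUBMITTED_NEW)]:
        hits = match_submission(text, CATALOG)
        print(name, hits, "->", decide(hits))
```

The second submission is the interesting case for the workflow: it is an exact duplicate of a rejected text and, at the same time, a close match to an accepted one, so the tool has to report both and leave the go/no-go to the submitter rather than silently picking the accepted id.<br />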
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* License List<br />
** 3.6 version went out last month<br />
** Working issues in 3.7<br />
*** Good input/support from Tech Team<br />
** Recent meetings have been joint with Tech Team<br />
*** Very helpful at this point<br />
<br />
<br />
== Outreach Team Report - Kate ==<br />
<br />
* Shane has readied the survey<br />
<br />
== Cross Functional - ==<br />
<br />
* None<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Matthew Crawford, ARM<br />
* Umang Taneja, GSoC<br />
* Tanjong Smith, GSoC<br />
* Steve Winslow, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Kate Stewart, Linux Foundation<br />
* Paul Madick, Dimension Data<br />
* Mark Atwood, Amazon<br />
* Jilayne Lovejoy, Canonical<br />
* Jack Manbeck, TI<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-07-11 | General Meeting/Minutes/2019-07-11 | 2019-07-11T15:54:48Z<p>Podence: Created page with "* Attendance: 14 * Lead by Phil Odence * Minutes of June meeting approved == Special Presentations - Xavier Figouoa/ Philip Ekong Obie, GSoC == * Python Library- Adding su..."</p>
<hr />
<div>* Attendance: 14<br />
* Lead by Phil Odence<br />
* Minutes of June meeting approved <br />
<br />
<br />
== Special Presentations - Xavier Figouoa/ Philip Ekong Obie, GSoC ==<br />
<br />
* Python Library- Adding support for more formats<br />
* Generating SPDX docs from IDs in code<br />
<br />
== Tech Team Report - Kate/Gary ==<br />
<br />
* Spec<br />
** All known issues are addressed in 2.2<br />
** Under discussion: <br />
*** Idea of a short format for copyrights, à la license IDs, from FSFE<br />
**** Would be added as an appendix (like license IDs)<br />
**** Could use a joint tech/legal teams call<br />
*** Exploring branching strategy<br />
*** Pared down version, defining minimal subset (from Japan work group)<br />
**** Still SPDX compliant as it will utilize mandatory fields<br />
**** Part of the spec<br />
**** Important to communicate that; it’s not a fork<br />
* Tools<br />
** GSoC<br />
*** 8 projects total (a record)<br />
*** Great progress, all passed first evaluations <br />
** Flurry of tooling work with the new license list<br />
*** Better matching/copyright matching<br />
*** License format improvements<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
<br />
* License List<br />
** 3.6 version went live yesterday<br />
*** 10 new licenses and exceptions<br />
*** Other mark up and doc updates<br />
** Attention now turning to 3.7<br />
** Other topics of discussion already covered.<br />
* Namespace Project<br />
** Need to make clear the difference between LL and NS registry<br />
** NS is an option for rejected licenses<br />
** Could be a stop before being accepted<br />
<br />
<br />
== Outreach Team Report - Kate ==<br />
<br />
* Shane has readied the survey<br />
** Based on input from Phil, Jack, Kate, Gary<br />
** Will go to the General Meeting mailing list<br />
<br />
== Cross Functional - ==<br />
<br />
* Will designate one Tech Call per month to include Legal Team<br />
** Third one of the month<br />
** Starting next week<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Jilayne Lovejoy, Canonical<br />
* Steve Winslow, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Kate Stewart, Linux Foundation<br />
* Philippe Ombrédanne, nexB<br />
* Alexios Zavras, Intel<br />
* Michael Herzog, nexB<br />
* David Ryan<br />
* Dave McLoughlin, Rogue Wave<br />
* Paul Madick, Dimension Data<br />
* Mark Atwood, Amazon<br />
* Xavier Figouoa<br />
* Philip Ekong Obie<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-06-06 | General Meeting/Minutes/2019-06-06 | 2019-06-21T14:39:20Z<p>Podence: Created page with "* Attendance: 12 (attendance list at bottom) * Lead by Paul Madick * Minutes of May meeting approved == Tech Team Report - Gary == * Spec No issues remaining to latest spe..."</p>
<hr />
<div>* Attendance: 12 (attendance list at bottom)<br />
* Lead by Paul Madick<br />
* Minutes of May meeting approved <br />
<br />
<br />
== Tech Team Report - Gary ==<br />
<br />
* Spec: No issues remaining on the latest spec; 8 GSoC students approved and working. Looking forward to new tools this summer. Lots of new projects adopting SPDX, and the Linux kernel clean-up of licensing is still in progress (about 2/3 through). Making great progress.<br />
* Tools<br />
<br />
<br />
== Legal Team Report - Jilayne/Paul ==<br />
<br />
* License List<br />
** GSoC student on last call. Great information. Legal Meeting minutes have the description; take a look if you are interested or would like to provide input.<br />
** Reworking the license inclusion guidelines and moving them into the GitHub repository in the documentation folder. Please weigh in if you are interested in more licenses. Still looking for more volunteers to move license submissions into license approvals.<br />
* A big welcome to the new co-lead of the legal team, Steve Winslow, and a big thank you to Karen for her years of stewardship as she steps away from the co-lead position.<br />
<br />
<br />
== Outreach Team Report - Jack Manbeck ==<br />
<br />
* Not a lot going on now, but working on a survey. Intention is to send the survey to companies to see where they are at in using/implementing SPDX. Maybe include some community in survey, but not sure yet.<br />
<br />
== General Items ==<br />
<br />
* Conversation: are we meeting for the summer LF event in SD? Not currently, but Kate will look into getting a meeting room for ½ day, etc. Jack, Paul, Kate, Steve and others are potentially available to attend at least one day in SD.<br />
<br />
<br />
== Attendees ==<br />
* Alexios Zavras, Intel<br />
* JC Herz, Ion Channel<br />
* Dave McLoughlin<br />
* Paul Madick, Dimension Data<br />
* Jilayne Lovejoy<br />
* Steve Winslow, LF<br />
* Kate Stewart, Linux Foundation<br />
* Philippe Ombrédanne, nexB<br />
* Jack Manbeck<br />
* Mike Herzog<br />
* Mark Atwood<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-05-02 | General Meeting/Minutes/2019-05-02 | 2019-06-05T13:04:45Z<p>Podence: Created page with "* Attendance: 15 * Lead by Phil Odence * Minutes of April meeting approved == Special Presentation - Aaron/Jilayne == * FINOS Presentation on new handbook: https://github...."</p>
<hr />
<div>* Attendance: 15<br />
* Lead by Phil Odence<br />
* Minutes of April meeting approved <br />
<br />
<br />
== Special Presentation - Aaron/Jilayne ==<br />
<br />
* FINOS Presentation on new handbook: https://github.com/finos-osr/OSLC-handbook <br />
** Discussion on including License Exceptions in the handbook<br />
*** Gary to contribute to issue on license exceptions, proposal for how to write the exception YAML so it can be included in tooling for license expressions<br />
** Suggestion to coordinate with reuse.software<br />
** Suggestion to reach out to OASDL<br />
<br />
== Tech Team Report - Gary ==<br />
<br />
* GSoC: all 8 slots granted, projects will be announced on May 6<br />
* Jack got the PDF generation working for the spec, we will be transitioning to the github based spec process (thanks Jack!)<br />
* 2.1.1 based on Thomas' Github work and Jack's PDF work will be out for review soon - 2 week review<br />
* Tool bake-off and SPDX generation comparison proposed for October at OSS Europe in France<br />
** Anyone interested in participating should contact Gary or Kate<br />
<br />
== Legal Team Report - Jilayne/Paul ==<br />
<br />
* License List<br />
** Callout for help, request for more contributors and participants in the calls<br />
** Agenda for today<br />
*** Improving the documentation - make it easier to find key information (like inclusion principles), especially for people contributing first time/requesting a new license<br />
*** Discussion scheduled for today’s call regarding the inclusion principles, e.g., OSI approved but if OSI rejects, do we reject? <br />
**** We do reject non-open source licenses today, but do we want to include licenses commonly found in the wild?<br />
<br />
<br />
== Outreach Team Report ==<br />
<br />
* None<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Denver Gingerich, SFC<br />
* Aaron Williamson, FINOS<br />
* Jilayne Lovejoy<br />
* Steve Winslow, LF<br />
* Gary O’Neall, SourceAuditor<br />
* Kate Stewart, Linux Foundation<br />
* Alexios Zavras, Intel<br />
* John Horan, next<br />
* JC Herz, Ion Channel<br />
* Dave McLoughlin<br />
* Paul Madick, Dimension Data<br />
* Philippe Ombrédanne, nexB<br />
* Mark Atwood, Amazon<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-04-04 | General Meeting/Minutes/2019-04-04 | 2019-04-04T15:51:48Z<p>Podence: Created page with "* Attendance: 18 * Lead by Phil Odence * Minutes of March meeting approved == Special Presentation - Gary/Steve == * SPDX: Bridging the Compliance Tool Gap * https://even..."</p>
<hr />
<div>* Attendance: 18<br />
* Lead by Phil Odence<br />
* Minutes of March meeting approved <br />
<br />
<br />
<br />
== Special Presentation - Gary/Steve ==<br />
<br />
* SPDX: Bridging the Compliance Tool Gap<br />
* https://events.linuxfoundation.org/wp-content/uploads/2018/07/SPDX-Bridging-the-Compliance-Tooling-Gap.pdf <br />
<br />
== Tech Team Report - Gary ==<br />
<br />
* Spec<br />
** Starting to put out 2.1.1 in pdf form<br />
*** Kudos to Jack<br />
** Starting in on 2.2<br />
* Tools<br />
** GSoC<br />
*** Very active<br />
*** Lots of students and mentors<br />
*** Good project<br />
<br />
== Legal Team Report - Jilayne/Paul ==<br />
<br />
* License List<br />
** 3.5 Release out! <br />
*** 7 new licenses and exceptions<br />
*** including 3 open hardware licenses<br />
**** More open hw planned for 3.6<br />
<br />
<br />
== Outreach Team Report - Jack Manbeck ==<br />
<br />
* Rethinking a bit and redefining <br />
* Survey is next step<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Steve Winslow, LF<br />
* Nisha Kumar, VMWare<br />
* Dave Huseby, LF<br />
* Alexios Zavras, Intel<br />
* Nicolas Toussaint, Orange<br />
* Mark Atwood, Amazon<br />
* Kate Stewart, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Jilayne Lovejoy<br />
* Philippe Ombrédanne, nexB<br />
* JC Herz, Ion Channel<br />
* Andrew Sinclair, Canonical<br />
* Paul Madick, Dimension Data<br />
* Jack Manbeck, TI<br />
* Michael Herzog, nexB<br />
* Mark Baushke, Juniper<br />
* Stephanie, Qualcomm<br />
* Uwe, Qualcomm<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-03-07 | General Meeting/Minutes/2019-03-07 | 2019-03-07T16:14:21Z<p>Podence: Created page with "* Attendance: 5 * Lead by Phil Odence * Minutes of Feb meeting approved == Tech Team Report - Gary == * Tools ** Google Summer of Code *** Accepted again *** Lots of activ..."</p>
<hr />
<div>* Attendance: 5<br />
* Lead by Phil Odence<br />
* Minutes of Feb meeting approved <br />
<br />
<br />
== Tech Team Report - Gary ==<br />
<br />
* Tools<br />
** Google Summer of Code<br />
*** Accepted again<br />
*** Lots of activity from students<br />
*** Plenty of ideas<br />
* Spec<br />
** Jack jumped in to help with publishing from GitHub <br />
** Started up APAC SPDX call<br />
*** Lots of interest from Automotive<br />
*** Discussion of “SPDX Lite”<br />
**** “Files analyzed” field set to zero changes many required fields to optional<br />
** Will be monthly<br />
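Added example, not SPDX project code or any of the tooling mentioned in these minutes: a mandatory-field checker for a tag-value document that applies the FilesAnalyzed rule the “SPDX Lite” discussion above turns on. With FilesAnalyzed set to false, PackageVerificationCode and PackageLicenseInfoFromFiles stop being required (and the verification code must then be omitted), while every other package-level mandatory field still is; that is what lets a supplier produce a valid, hand-written document without scanning files. The field lists are my reading of the 2.2 spec’s tables and the two sample documents (names, namespace, checksum) are constructed, so verify both against the spec before relying on the output.<br />

```python
"""Mandatory-field check for an SPDX 2.2 tag-value document, applying the
FilesAnalyzed rule. Added example, not SPDX project code."""
from typing import Dict, List, Tuple

# Mandatory fields per section as I read the 2.2 spec; verify against the spec.
DOC_REQUIRED = ["SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                "DocumentNamespace", "Creator", "Created"]
PKG_REQUIRED = ["PackageName", "SPDXID", "PackageDownloadLocation",
                "PackageLicenseConcluded", "PackageLicenseDeclared",
                "PackageCopyrightText"]
PKG_REQUIRED_IF_ANALYZED = ["PackageVerificationCode", "PackageLicenseInfoFromFiles"]
FILE_REQUIRED = ["FileName", "SPDXID", "FileChecksum", "LicenseConcluded",
                 "LicenseInfoInFile", "FileCopyrightText"]
Section = Tuple[str, Dict[str, List[str]]]


def parse_tag_value(text: str) -> List[Section]:
    """Split a tag-value document into (kind, fields) sections; PackageName and
    FileName open new sections and <text>...</text> values may span lines."""
    sections: List[Section]
    sections = [("document", {})]
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {i}: expected 'Tag: value'")
        tag, value = tag.strip(), value.strip()
        if value.startswith("<text>"):  # gather continuation lines up to </text>
            value = value[len("<text>"):]
            while "</text>" not in value and i < len(lines):
                value, i = value + "\n" + lines[i], i + 1
            if "</text>" not in value:
                raise ValueError(f"line {i}: unterminated <text>")
            value = value.split("</text>", 1)[0].strip()
        if tag in ("PackageName", "FileName"):
            sections.append(("package" if tag == "PackageName" else "file", {}))
        sections[-1][1].setdefault(tag, []).append(value)
    return sections


def check_mandatory(text: str) -> List[str]:
    """Return problems found; an empty list means every section is complete."""
    problems = []
    for kind, fields in parse_tag_value(text):
        label = (fields.get("PackageName") or fields.get("FileName") or ["document"])[0]
        if kind == "document":
            required = DOC_REQUIRED
        elif kind == "file":
            required = FILE_REQUIRED
            sums = fields.get("FileChecksum", [])
            if sums and not any(v.startswith("SHA1:") for v in sums):
                problems.append(f"file {label}: FileChecksum must include a SHA1 value")
        else:  # package: FilesAnalyzed defaults to true when absent
            analyzed = fields.get("FilesAnalyzed", ["true"])[0].lower() == "true"
            required = PKG_REQUIRED + (PKG_REQUIRED_IF_ANALYZED if analyzed else [])
            if not analyzed and "PackageVerificationCode" in fields:
                problems.append(f"package {label}: PackageVerificationCode must be "
                                "omitted when FilesAnalyzed is false")
        for tag in required:
            if not any(fields.get(tag, [])):
                problems.append(f"{kind} {label}: missing mandatory {tag}")
    return problems


# Constructed sample documents (names, namespace and checksum are invented).
HEADER = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: libexample-sbom
DocumentNamespace: https://example.com/spdx/libexample-0.1
Creator: Organization: Example Supplier
Created: 2019-09-05T00:00:00Z
"""
# Lite-style: the supplier did not analyze files, so no verification code is due.
LITE_DOC = HEADER + """\
PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright (c) 2019 Example Supplier</text>
"""
# Full-analysis style (FilesAnalyzed defaults to true) with fields left out.
FULL_DOC = HEADER + """\
PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageDownloadLocation: git+https://example.com/libexample.git
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright (c) 2019
Example Supplier</text>
FileName: ./src/example.c
SPDXID: SPDXRef-File-example-c
FileChecksum: SHA1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
LicenseConcluded: MIT
LicenseInfoInFile: MIT
"""

if __name__ == "__main__":
    print("lite:", check_mandatory(LITE_DOC) or "ok")
    print("full:", check_mandatory(FULL_DOC))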
<br />
<br />
== Legal Team Report - Paul ==<br />
<br />
* License List<br />
** Working through new licenses, normal stuff<br />
<br />
<br />
== Outreach Team Report ==<br />
<br />
* No update.<br />
<br />
== Cross Function ==<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Steve Winslow, LF<br />
* Mark Atwood, Amazon<br />
* Paul Madick, Dimension Data<br />
* Gary O’Neall, SourceAuditor<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-02-07 | General Meeting/Minutes/2019-02-07 | 2019-02-07T16:59:58Z<p>Podence: Created page with "* Attendance: 10 * Lead by Phil Odence * Minutes of Jan meeting approved == Tech Team Report - Kate/Gary == * Tools ** SoC in again *** Variety of proposals on Wiki *** We..."</p>
<hr />
<div>* Attendance: 10<br />
* Lead by Phil Odence<br />
* Minutes of Jan meeting approved <br />
<br />
<br />
== Tech Team Report - Kate/Gary ==<br />
<br />
* Tools<br />
** SoC in again<br />
*** Variety of proposals on Wiki<br />
*** We’ll hear back end of Feb<br />
** Steve W <br />
*** created a tool to scan the kernel looking for SPDX<br />
*** Contributed Go libraries<br />
*** Go Steve<br />
* Specification<br />
** Discussing Mark’s idea for alternative namespaces<br />
*** Spec can handle<br />
*** What guidance do we provide?<br />
** Starting to take pull requests into 2.2 spec<br />
*** Focus for next few months<br />
* Started an Asia-friendly tech call<br />
<br />
== Legal Team Report - Jilayne ==<br />
<br />
* License List<br />
** New process and links posted<br />
*** Published policy says advocates need to stay engaged or requests may drop off the radar<br />
*** GitHub process seems like a great way to handle requests<br />
** Need work outside the call <br />
<br />
<br />
== Outreach Team Report - Jack ==<br />
<br />
* LinuxCon Aussie Presentation<br />
** Included stat: 1/3 of files in the kernel have SPDX in them<br />
** Great momentum<br />
* Panel at FOSDEM on OSS Compliance tooling<br />
** Alexios attended<br />
*** Lots of proposals on tools, so organizers turned it into a panel w/ Bradley K moderating<br />
*** Theme was the need for interoperability<br />
** Video will be published<br />
** Alexios also mentioned that at recent copyleft conference, SPDX came up in every talk<br />
* Website<br />
** Looking into status of move to Wordpress with LF<br />
** Request a new license page has been directed to GitHub repo<br />
* Need an Outreach reboot<br />
<br />
== Cross Functions ==<br />
<br />
* Alternate name space<br />
** Basics<br />
*** Many companies have source available non-OSS licenses<br />
*** Would be good for companies to be able to have standard local names<br />
** Proposal is to use DNS<br />
*** Addresses issues with flat, first come first served<br />
*** DNS will be around for a long time<br />
*** Allows companies to self-assign<br />
*** Internationalized by default<br />
*** Immediately readable<br />
*** Leading dot clearly differentiates from SPDX standard names<br />
*** Challenges<br />
**** Doesn’t carry text<br />
**** Companies’ names may change through M&A and may lose domains in the process<br />
**** How to ensure that a company doesn’t change license text <br />
** Sentiment is in favor of<br />
*** Retain “LicenseRef” prefix<br />
*** Standardize on place to log license data<br />
*** In a one-license SPDX doc<br />
*** Mark will mock up with one of the Amazon licenses, collaborating with Kate<br />
<br />
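An added example, not SPDX project code and not the kernel scanner or Go libraries Steve is credited with above: a small scanner that pulls SPDX-License-Identifier tags out of file headers (the tag the kernel clean-up relies on), validates the operator and parenthesis structure of each license expression, and buckets every identifier as a License List id, an exception, a plain LicenseRef-, or a DNS-namespaced LicenseRef- of the kind the alternate-namespace proposal above describes. The leading-dot layout `LicenseRef-.example.com-Name`, the tiny allow-list standing in for the License List, and the sample files are all assumptions made for the example, as is the simplification that the namespace ends at the first hyphen.<br />

```python
"""Scan source files for SPDX-License-Identifier tags and classify the
identifiers found. Added example, not SPDX project code."""
import re
from collections import Counter
from typing import Dict, List, Optional

TAG_RE = re.compile(r"SPDX-License-Identifier:\s*([^\n]+?)\s*(?:\*/|-->|$)")
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")
IDSTRING_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # SPDX 2.x idstring alphabet
DNS_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Tiny stand-ins for the SPDX License List and exception list (assumption).
KNOWN_LIST_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only", "BSD-3-Clause"}
KNOWN_EXCEPTIONS = {"Linux-syscall-note", "Classpath-exception-2.0"}


def extract_expression(text: str) -> Optional[str]:
    """Return the expression from a tag in the first lines of a file, or None."""
    for line in text.splitlines()[:5]:  # header only, as the kernel does it
        m = TAG_RE.search(line)
        if m:
            return m.group(1)
    return None


def parse_expression(expr: str) -> List[str]:
    """Check operator/parenthesis structure; return identifiers in order."""
    if re.search(r"[^A-Za-z0-9.+()\s-]", expr):
        raise ValueError(f"illegal character in {expr!r}")
    depth, expect_operand, ids = 0, True, []
    for tok in TOKEN_RE.findall(expr):
        if tok not in (")", "AND", "OR", "WITH"):  # '(' or an identifier
            if not expect_operand:
                raise ValueError(f"missing operator before {tok} in {expr!r}")
            if tok == "(":
                depth += 1
            else:
                ids.append(tok)
                expect_operand = False
        else:  # ')' or an operator: both need a completed operand on the left
            if expect_operand or (tok == ")" and depth == 0):
                raise ValueError(f"unexpected {tok} in {expr!r}")
            if tok == ")":
                depth -= 1
            else:
                expect_operand = True
    if depth != 0 or expect_operand:
        raise ValueError(f"incomplete expression {expr!r}")
    return ids


def classify(ident: str) -> Dict[str, str]:
    """Bucket an identifier; LicenseRef-.<dns-name>-<local-name> is the proposed
    DNS namespace form from the minutes, not a spec rule (assumption)."""
    if ident in KNOWN_EXCEPTIONS:
        return {"kind": "exception"}
    if ident.startswith("LicenseRef-"):
        rest = ident[len("LicenseRef-"):]
        if not rest.startswith("."):
            return {"kind": "licenseref" if IDSTRING_RE.match(rest) else "invalid"}
        # Toy limitation: the namespace ends at the first '-' (no hyphenated labels).
        ns, sep, local = rest[1:].partition("-")
        labels = ns.split(".")
        if (sep and local and len(labels) >= 2 and IDSTRING_RE.match(local)
                and all(DNS_LABEL_RE.match(lb) for lb in labels)):
            return {"kind": "namespaced-licenseref", "namespace": ns.lower(), "local": local}
        return {"kind": "invalid"}
    if ident.rstrip("+") in KNOWN_LIST_IDS:  # tolerate the old 'GPL-2.0+' suffix
        return {"kind": "list"}
    return {"kind": "unknown"}


def scan(files: Dict[str, str]) -> Dict[str, object]:
    """Summarize a tree: tag coverage, identifier kinds, namespaces, parse errors."""
    rep = {"tagged": 0, "untagged": 0, "kinds": Counter(), "namespaces": Counter(), "errors": {}}
    for path, text in sorted(files.items()):
        expr = extract_expression(text)
        if expr is None:
            rep["untagged"] += 1
            continue
        rep["tagged"] += 1
        try:
            idents = parse_expression(expr)
        except ValueError as exc:
            rep["errors"][path] = str(exc)
            continue
        for ident in idents:
            info = classify(ident)
            rep["kinds"][info["kind"]] += 1
            if info["kind"] == "namespaced-licenseref":
                rep["namespaces"][info["namespace"]] += 1
    return rep


# Constructed sample tree; paths and contents are invented for the example.
SAMPLE_FILES = {
    "kernel/sched/core.c": "// SPDX-License-Identifier: GPL-2.0-only\n#include <linux/sched.h>\n",
    "include/uapi/linux/foo.h": "/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */\n",
    "tools/lib/bpf/x.c": "// SPDX-License-Identifier: (LGPL-2.1-only OR BSD-3-Clause)\n",
    "vendor/eval/blob.c": "// SPDX-License-Identifier: LicenseRef-.example.com-EvalOnly\n",
    "scripts/broken.py": "# SPDX-License-Identifier: MIT AND\n",
    "Documentation/notes.txt": "no tag here\n",
}
if __name__ == "__main__":
    print(scan(SAMPLE_FILES))
```

Two things the output makes visible that a plain grep for the tag does not: an expression can be present yet malformed (`scripts/broken.py` is counted as tagged but lands in `errors` rather than in any license bucket), and a namespaced LicenseRef- only tells you which domain claims the name, which is exactly the "doesn’t carry text" challenge listed above; a consumer still has to fetch and pin the license text from wherever that namespace publishes it.<br />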
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Mark Atwood, Amazon<br />
* Jilayne Lovejoy<br />
* Gary O’Neall, SourceAuditor<br />
* Dennis Clark, nexB<br />
* Alexios Zavras, Intel<br />
* Jack Manbeck, TI<br />
* Mark Baushke, Juniper<br />
* David Ryan<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence | https://wiki.spdx.org/view/General_Meeting/Minutes/2019-01-03 | General Meeting/Minutes/2019-01-03 | 2019-01-03T16:50:18Z<p>Podence: Created page with "* Attendance: 15 * Lead by Phil Odence * Minutes of Dec meeting approved == Guest Presentation, JC Herz == * Background ** Years of working with companies and DOD in open..."</p>
<hr />
<div>* Attendance: 15<br />
* Lead by Phil Odence<br />
* Minutes of Dec meeting approved <br />
<br />
<br />
== Guest Presentation, JC Herz ==<br />
<br />
* Background<br />
** Years of working with companies and DOD in open source<br />
* The Issues/concerns<br />
** License issues- SPDX handles well<br />
** Concerns about security close on the heels<br />
** Compliance is an additional step- Jumping through the hoops to document<br />
* SEVA Software Evidence Archive<br />
** Elements<br />
*** Serves S-BOM function<br />
*** Augments with content that needs to travel with software<br />
*** Therefore allowing compliance work to be automated<br />
*** Freeing up valuable resources to do what they are supposed to do<br />
*** Can apply to a single component or a full application, so SEVA doesn’t distinguish<br />
** Format Issue<br />
*** Customers required XML, beyond SEVA JSON<br />
*** To be useable by a highly secure facility, data has to be hardened for which XML is better suited<br />
*** Can be constrained and format can be verified (and extended)<br />
* SPDX and SEVA Overlap<br />
** License Info<br />
*** For the most part SPDX handles beautifully<br />
**** Government also needs to distinguish government open source<br />
**** A little more information about state of software (e.g. pre-release)<br />
** Security extra needs<br />
*** Some concern about spurious vulnerabilities<br />
*** Answer is to extend a BoM to include patch info, etc<br />
*** End of life indicator<br />
*** They take SPDX familiar thing and provide some extensibility<br />
** How to name “supplier”?<br />
*** Working with Kate <br />
*** OSS organization for example<br />
*** A bank’s black list<br />
** Vulnerabilities<br />
*** Key requirement for vulnerabilities info in SBOM, although just a link might make more sense<br />
**** Reason is the “audit” function: what you knew when, so it needs a timestamp.<br />
**** Bureaucracies are not going to change in favor of something that makes more sense for developers<br />
**** Concerns that this will get worse over time<br />
* Other Side - Logistics<br />
** Moving and shipping of SW/chain of custody- Where did it come from exactly<br />
*** Not something OSS community has had to worry about<br />
*** Bad mirror issue, for example.<br />
** Signed? Timestamp? Delivery date and time for software.<br />
*** Something like FedEx analogy<br />
** Package URL helps identify<br />
* Q&A<br />
** What can SPDX group do?<br />
*** JC thinks that they should open source SEVA<br />
**** Could contribute to LinuxF perhaps<br />
*** Understand and need to balance needs of OSS consumers and dev communities<br />
**** Don’t want to burden them<br />
**** Automate<br />
*** Challenge- How to distinguish enterprise quality OSS vs. pet projects<br />
<br />
<br />
== Tech Team Report - Kate/Gary ==<br />
<br />
* Tools<br />
** Starting to plan for GSoC submissions with Gary/Kate<br />
** Steve has been trained on releasing License list, so Gary now has backup<br />
** Steve has been working on some new tools for summarizing the SPDX_license_ids based on a new SPDX Go library - currently it's just supporting TV, but he hopes to add in the other formats<br />
* Specification<br />
** Gary &amp; James have been working through the SEVA XML and how it can be added.<br />
<br />
== Legal Team Report - Jilayne ==<br />
<br />
* License List<br />
** V3.4 out before Christmas<br />
*** Big success to not have to scramble through holidays<br />
*** Release notes in the GitHub repo<br />
** Instructions for requesting now live in Repo as well<br />
*** Leveraging the GSOC work, this has been automated.<br />
** New frontier- Getting open hardware licenses on list<br />
*** Expanding definition of what goes on the list<br />
<br />
<br />
== Outreach Team Report ==<br />
<br />
* None this month<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Jilayne Lovejoy<br />
* Steve Winslow, LF<br />
* Alexios Zavras, Intel<br />
* Luis Villa, Tidelift<br />
* James Neushul, Neushul Solutions<br />
* Matthew Crawford, ARM<br />
* Kevin Nelson, Optim Tech UHG<br />
* Dennis Clark, NexB<br />
* Thomas Steenbergen, HERE<br />
* Bradlee Edmondson, Harvard<br />
* Gary O’Neall, SourceAuditor<br />
* Nicholas Toussaint, Orange<br />
* JC Herz, Ionchannel<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2018-11-01General Meeting/Minutes/2018-11-012018-11-01T15:50:24Z<p>Podence: Created page with "* Attendance: 6 * Lead by Phil Odence * Minutes of Oct meeting approved == Tech Team Report - Kate/Gary == * Spec ** Ceva discussions *** Looking at fields that we might i..."</p>
<hr />
<div>* Attendance: 6<br />
* Led by Phil Odence<br />
* Minutes of Oct meeting approved <br />
<br />
<br />
== Tech Team Report - Kate/Gary ==<br />
<br />
* Spec<br />
** SEVA discussions<br />
*** Looking at fields that we might incorporate<br />
**** Security<br />
**** Evidence<br />
*** Idea is to bring in as a separate section<br />
*** Good Progress<br />
** Some discussions with NTIA Group as well<br />
*** SWID<br />
** May start using the security mailing list soon<br />
* Tooling<br />
** Multiple formats<br />
*** Challenges solved<br />
*** XML, JSON, YAML, Tag value, RDF<br />
** Attention back to updating tooling with spec<br />
** Some concern about file sizes with certain packages/formats<br />
*** May simply be an issue of LOTS of files<br />
** Generating License List <br />
*** Didn’t work perfectly<br />
*** Giving another run<br />
** Updating tooling for license submittal/editing<br />
*** A few bugs need to be worked around<br />
<br />
<br />
== Legal Team Report - Jilayne ==<br />
<br />
* There’s a fair backlog of issues to work through<br />
** Ongoing process<br />
* 3.1 is out<br />
** Started new practice of release notes<br />
* Tooling and new request system has to be nailed down<br />
** People are going through multiple paths/processes<br />
** Need to standardize<br />
** Tooling is close<br />
*** Need a few more text fields<br />
*** All submissions seem to come from Gary<br />
* License inclusion guidelines<br />
** Inbound request regarding open hardware licenses<br />
** Already included open data license<br />
** May need to revisit inclusion guidelines<br />
* OSI discussion about naming issues with SPDX<br />
** Need to find opportunity for better collaboration <br />
<br />
<br />
== Outreach Team Report - All ==<br />
<br />
* Seems to be a lot more use of SPDX in the wild than we are aware of<br />
** How do we run down and catalog?<br />
** Wonder if it’s time for another poll<br />
*** Last poll results: https://spdx.org/sites/cpstandard/files/pages/files/spdx_survey_results_may_2013.zip <br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Andrew Katz, Orcro<br />
* Jilayne Lovejoy<br />
* Steve Winslow, LF<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podencehttps://wiki.spdx.org/view/General_Meeting/Minutes/2018-10-04General Meeting/Minutes/2018-10-042018-10-04T15:35:28Z<p>Podence: </p>
<hr />
<div>* Attendance: 8<br />
* Led by Phil Odence<br />
* Minutes of Sept meeting approved <br />
<br />
<br />
== Tech Team Report - Kate/Gary ==<br />
<br />
* Spec<br />
** Focus on multiple formats<br />
*** How to deal with XML, JSON, YAML<br />
*** Proposal to link to Software Heritage identifiers<br />
**** SW heritage- presentation came out recently on how code should be ID’ed in repos<br />
**** Seems to make sense to extend references to point to<br />
**** General agreement on last tech call<br />
* Tooling<br />
** Got integrated online tools up<br />
*** License submittal<br />
*** XML editor<br />
*** Beta quality, ready to go. http://spdxtools.sourceauditor.com<br />
* GSOC has worked very well<br />
** Should thank Google<br />
*** Post on Website<br />
*** Could use some social media<br />
*** Topic for Outreach <br />
** May want to point projects to FSFEurope software reuse site which advocates SPDX https://reuse.software/ <br />
*** Would be a good credibility builder<br />
*** The link is on the site, but not easy to find<br />
* Other Groups<br />
** NTIA- Government group defining a BoM standard<br />
** Prototype work in health care<br />
*** Fingers crossed that they will use SPDX<br />
** SWID<br />
*** Active discussion<br />
*** Mapping fields between SPDX and SWID<br />
** Other groups may be able to use our use cases<br />
*** They are wrestling with what is a component<br />
*** Also, how a company can keep their own supplementary license list<br />
**** Can do via an SPDX doc that is just licenses and make an external reference to it<br />
*** Steve W will help out<br />
<br />
== Legal Team Report - Jilayne ==<br />
<br />
* New license backlog<br />
** Trying to clear out for next release<br />
** Looking forward to new tooling<br />
** Could use testing help<br />
** Need some Python help on the tools<br />
*** Mostly fixing up formatting stuff<br />
<br />
== Outreach Team Report - Jack ==<br />
<br />
* Little activity<br />
* Regrouping<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Matthew Crawford, ARM<br />
* Jilayne Lovejoy<br />
* Jack Manbeck, TI<br />
* Steve Winslow, LF<br />
* Mark Atwood, Amazon<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence