https://wiki.spdx.org/index.php?action=history&feed=atom&title=General_Meeting%2FMinutes%2F2019-01-03General Meeting/Minutes/2019-01-03 - Revision history2026-05-07T13:26:13ZRevision history for this page on the wikiMediaWiki 1.23.13https://wiki.spdx.org/index.php?title=General_Meeting/Minutes/2019-01-03&diff=4653&oldid=prevPodence: Created page with "* Attendance: 15 * Lead by Phil Odence * Minutes of Dec meeting approved == Guest Presentation, JC Herz == * Background ** Years of working with companies and DOD in open..."2019-01-03T16:50:18Z<p>Created page with "* Attendance: 15 * Lead by Phil Odence * Minutes of Dec meeting approved == Guest Presentation, JC Herz == * Background ** Years of working with companies and DOD in open..."</p>
<p><b>New page</b></p><div>* Attendance: 15<br />
* Lead by Phil Odence<br />
* Minutes of Dec meeting approved <br />
<br />
<br />
== Guest Presentation, JC Herz ==<br />
<br />
* Background<br />
** Years of working with companies and DOD in open source<br />
* The Issues/concerns<br />
** License issues- SPDX handles well<br />
** Concerns about security close on the heels<br />
** Compliance is an additional step- Jumping through the hoops to document<br />
* SEVA Software Evidence Archive<br />
** Elements<br />
*** Serves S-BOM function<br />
*** Augments with content that needs to travel with software<br />
*** Therefore allowing compliance work to be automated<br />
*** Freeing up valuable resources to do what they are supposed to do<br />
*** Can apply to a single component or a full application, so SEVA doesn’t distinguish<br />
** Format Issue<br />
*** Customers required XML, beyond SEVA JSON<br />
*** To be useable by a highly secure facility, data has to be hardened for which XML is better suited<br />
*** Can be constrained and format can be verified (and extended)<br />
* SPDX and SEVA Overlap<br />
** License Info<br />
*** For the most part SPDX handles beautifully<br />
**** Government also needs to distinguish government open source<br />
**** A little more information about state of software (e.g. pre-release)<br />
** Security extra needs<br />
*** Some concern about spurious vulnerabilities<br />
*** Answer is to extend a BoM to include patch info, etc<br />
*** End of life indicator<br />
*** They take SPDX familiar thing and provide some extensibility<br />
** How to name “supplier”?<br />
*** Working with Kate <br />
*** OSS organization for example<br />
*** A bank’s black list<br />
** Vulnerabilities<br />
*** Key requirement for vulnerabilities info in SBOM, although just a link might make more sense<br />
**** Reason is “audit” function. What you knew when. So needs a time stamp.<br />
**** Bureaucratic are not going to change in favor of something that makes more sense for developers <br />
**** Concerns that this will get worse over time<br />
* Other Side - Logistics<br />
** Moving and shipping of SW/chain of custody- Where did it come from exactly<br />
*** Not something OSS community has had to worry about<br />
*** Bad mirror issue, for example.<br />
** Signed? Timestamp? Delivery date and time for software.<br />
*** Something like FedEx analogy<br />
** Package URL helps identify<br />
* Q&A<br />
** What can SPDX group do?<br />
*** JC thinks that they should open source SEVA<br />
**** Could contribute to LinuxF perhaps<br />
*** Understand and need to balance needs of OSS consumers and dev communities<br />
**** Don’t want to burden them<br />
**** Automate<br />
*** Challenge- How to distinguish enterprise quality OSS vs. pet projects<br />
<br />
<br />
== Tech Team Report - Kate/Gary ==<br />
<br />
* Tools<br />
** Starting to plan for GSoC submissions with Gary/Kate<br />
** Steve has been trained on releasing License list, so Gary now has backup<br />
** Steve has been working on some new tools for summarizing the SPDX_license_ids based on a new SPDX go library - currently its just supporting TV, but he hopes to add in the other formats<br />
* Specification<br />
** Gary & James have been working through SeVA XML and working through how it can be added.<br />
<br />
== Legal Team Report - Jilayne ==<br />
<br />
* License List<br />
** V3.4 out before Christmas<br />
*** Big success to not have to scramble through holidays<br />
*** Release notes in the GitHub repo<br />
** Instructions for requesting now live in Repo as well<br />
*** Leverage GSOC work has been automated.<br />
** New frontier- Getting open hardware licenses on list<br />
*** Expanding definition of what goes on the list<br />
<br />
<br />
== Outreach Team Report ==<br />
<br />
* None this month<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* Kate Stewart, Linux Foundation<br />
* Jilayne Lovejoy<br />
* Steve Winslow, LF<br />
* Alexios Zavras, Intel<br />
* Luis Villa, Tidelift<br />
* Jams Neushal, Neushul Solutions<br />
* Matthew Crawford, ARM<br />
* Kevin Nelson, Optim Tech UHG<br />
* Dennis Clark, NexB<br />
* Thomas Steenbergen, HERE<br />
* Bradlee Edmondson, Harvard<br />
* Gary O’Neall, SourceAuditor<br />
* Nicholas Toussaint, Orange<br />
* JC Herz, Ionchannel<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence