Podence: Created page with "* Attendance: 26 * Lead by Phil Odence * Minutes of Dec meeting Approved == 3T-SBOM - Kay/Bob == * Basis To standardize, tools need to talk to each other Developed 9..."

2021-03-02T13:12:04Z

Created page with "* Attendance: 26 * Lead by Phil Odence * Minutes of Dec meeting Approved == 3T-SBOM - Kay/Bob == * Basis ** To standardize, tools need to talk to each other ** Developed 9..."

New page

* Attendance: 26
* Lead by Phil Odence
* Minutes of Dec meeting Approved

== 3T-SBOM - Kay/Bob ==

* Basis
** To standardize, tools need to talk to each other
** Developed 9 use cases
** Started up in 2019; several groups involved
** Provenance/Pedigree distinction
** Started w/NTIA fields as basis
** Developed model very similar to SPDX
** Started w/ software but can be broader
* Merging Efforts
** Common goals/members; working for some time
** So, made sense to merge
** Harmonized meetings
*** Profile groups meeting separately from Tech meeting
*** All a little fluid
** Longer Term thoughts
*** Licensing and contribution agreements for spec
*** User scenarios, broader scope
**** May need to update naming scheme
**** Broader scope may require expanded governance and funding
* Questions
** Funding discs

== Tech Team Report - Kate/Gary/Others ==

* Spec - Kate
** Overview
*** SPDX 2.2 being refactored into upcoming 3.0 effort, with Core and separate topical Profiles
*** Has been happening in parallel with 3T SBOM efforts
**Core - William
*** Area with most overlap with 3T efforts
*** Have been working on identifying areas of differences between the two, gradually converging
*** Last month was focused on identifying remaining differences and working through them, determining how critical they are
*** Remaining differences are centered on (1) naming things and (2) external references
*** Also working through tooling and how to document the core standard
*** Close to done on what the model will look like, want to turn next to actually writing it up in a format that is suitable for use cases – transition from modeling to authoring of spec text
** Licensing - Steve
*** Described background of licensing fields combined with “core” in 2.2 and prior spec versions
*** Splitting out licensing-related fields into a separate optional profile
*** Previously discussed and brainstorming in a shared Google Doc
*** Was previously planning to wait on migrating into GitHub until spec format was finalized; sounds like that will still be some time until finalized
*** Will work on migrating Google Doc brainstorming outcomes into GitHub in MarkDown or plain text
** Defects – Thomas
*** Includes “vulnerabilities”
*** Worked with William on documenting an example
*** Still working on remediation-related fields
*** Hoping to have more concrete examples, and to restart the security discussions before the end of this month
** Linking – Nisha
*** Mockups: https://github.com/SantiagoTorres/spdx-linking-mockups
*** “Linking” – how different software components are related to each other, and to separate components in the broader ecosystem
*** Profile aims to capture, if using e.g. a container or a CNAB (Cloud Native Application Bundle), meant to surface those connections
*** Focused on cloud native use case, but could also be used in e.g. the embedded world, for something like an embedded OS utilizing multiple components
**** Kay – other scenarios thinking about: e.g. IoT devices, wanting to list out both software and hardware components
**** Santiago – working on similar for in-toto, to authenticate components
*** Currently stuck on sorting out the overlap between the Linking profile and the Integrity profile. Current thinking, integrity signatures should be handled via “relationships” between elements
** Integrity – Santiago
*** Slides: [TO BE FILLED IN]
*** There are a lot of outstanding questions, still being sorted through
*** Milestone structure: Document integrity >> Document Authentication >> Document & supply chain policy >> Linkage & supply chain integrity
*** Discussed roles of each stage and current status of milestones
** Usage and Other Emerging – Kate
*** Spearheaded by team in Japan
*** Looking at carrying e.g. contract info along in SPDX documents
*** Also looking at Pedigree / Provenance profiles, for fields to carry build information
* Tools and Google Summer of Code (GSoC) - Gary
** GSoC: Applications open for projects, Gary is applying now, will update next month
** Will post link to project page
** Looking at different tooling for supporting spec process

== Legal Team Report - Paul/Jilayne/Steve ==

* 3.12 release, pushed back to Feb. 19/20, may push further back depending on issue status
* Ran into some issues with CI/build system, thank you to Gary and William for helping to resolve
* Jilayne – description of what the legal team works on
** License list for those not familiar with it: https://spdx.org/licenses

== Outreach Team Report - Aveek ==

* Recurring meeting with several community members about how to welcome new folks to the community
* Discussing initial tools, assigning initial issues to newcomers

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* David Martin, Mitre
* Kay Williams, Microsoft
* Steve Winslow, LF
* Jilayne Lovejoy
* Paul Madick, Jenzabar
* Kate Stewart, Linux Foundation
* Gary O’Neall, SourceAuditor
* Aveek Basu, NextMark Printers
* Sean Geary, Revenera
* William Cox, Synopsys
* Maximilian Huber, TNG
* Emmanuel Tournier, Black Duck/Synopsys
* Thomas Steenbergen, HERE
* Alfredo Espinosa
* Nishad Thalhath
* David Edelsohn
* Philippe Emmanuel Douziech
* William Bartholomew, GitHub
* Alexios Zavras, Intel
* Santiago
* Henk Birkholz
* Ariel Patano
* Jorge Rodriguez-Moreno
* Nisha Kumar, VMware
* Michael Herzog- nexB

[[Category:General|Minutes]]
[[Category:Minutes]]

General Meeting/Minutes/2021-02-04 - Revision history

Podence: Created page with "* Attendance: 26 * Lead by Phil Odence * Minutes of Dec meeting Approved == 3T-SBOM - Kay/Bob == * Basis ** To standardize, tools need to talk to each other ** Developed 9..."

Podence: Created page with "* Attendance: 26 * Lead by Phil Odence * Minutes of Dec meeting Approved == 3T-SBOM - Kay/Bob == * Basis To standardize, tools need to talk to each other Developed 9..."