https://wiki.spdx.org/index.php?action=history&feed=atom&title=Technical_Team%2FMinutes%2F2020-05-26 2026-05-07T12:33:16Z Revision history for this page on the wiki MediaWiki 1.23.13 https://wiki.spdx.org/index.php?title=Technical_Team/Minutes/2020-05-26&diff=4834&oldid=prev 2020-05-28T13:28:33Z

<p>posted minutes for Gary</p> <p><b>New page</b></p><div>May 26, 2020<br /> == Attendees ==<br /> * Rex Jaeschke<br /> * Kate Stewart<br /> * William Bartholomew<br /> * Gary O’Neall<br /> * Nisha Kumar<br /> * Steve Winslow<br /> * John Mudge<br /> * Takashi Ninjouji<br /> * Peter Shin<br /> * Rose Judge<br /> * Thomas Steenbergen<br /> * Jim Hutchison<br /> * GogginsS<br /> * Santiago Torres<br /> * Vicky Brasseur<br /> * Rishabh Bhatnagar<br /> <br /> Topics:<br /> <br /> Document namespaces and download URL’s using PUURL – issue https://github.com/spdx/spdx-spec/issues/372<br /> <br /> ==SPDX 2.2==<br /> <br /> ==SPDX 2.2.1==<br /> * Update from Rex<br /> ** Steady progress<br /> ** a few issues still open<br /> ** John updating template so that there is no requirement for formatting<br /> * Discussion on proposal to add footnotes for XML<br /> ** Agreed to remove the tables for the examples rather than go to footnotes<br /> ** Still an issue with conciseness of the examples<br /> ** Agree to keep the metadata as tables<br /> <br /> ==GSoC==<br /> <br /> <br /> ==SPDX 3.0 Security Profile==<br /> * Thomas provided an overview of the proposal: https://docs.google.com/document/d/1GyUMEcv4G8ZUGbXB8T_-pkDFxYUAbP0W0Tuts2cpZiw/edit#heading=h.szfwkkflaxx2<br /> * Proposal to focus scope on Vulnerability information<br /> ** Create separate proposals for Virus information and other areas of security<br /> ** William and Gary agreed with proposal, no objections<br /> * Do we need a data provider identity?<br /> ** Tradeoff of complexity vs additional data<br /> ** having a data provider may be useful for other profiles<br /> ** useful at the vulnerability level<br /> ** potentially useful at the document level<br /> ** need an identity object <br /> ** can be a field for vulnerability<br /> ** can also be used as in a relationship<br /> * Do we want to include a remediation field?<br /> ** Proposal to include a “first patched version” field<br /> ** Proposal to use the description field to capture the remediation suggestion<br /> ** Steve suggested we stick to the facts – similar to legal profile<br /> ** Consensus to not include a remediation field (other than the first patched version field which will be included)<br /> * Discussion on filtering<br /> * Do we want to include any formatting for the description (e.g. HTML)?<br /> * Identifier Aliasing<br /> ** Agreed to use ExternalRef approach under the security category<br /> * What do we do with packages that don’t maintain standard version<br /> ** The fields that refer to version is a string – added many possible format<br /> * Aligning with CycloneDX<br /> ** Agreed that we want to have common terms etc.<br /> ** Briefly reviewed differences<br /> *** ExternalRef is on area of difference<br /> *** Description vs. summary is another area<br /> **** Suggestion to change SPDX to use description for the summary and details <br /> <br /> <br /> ==Next Week’s Agenda==<br /> * How do we specify the profiles in use for 3.0<br /> * Legal update – suggest this would be a joint legal/tech call<br /> <br /> [[Category:Technical|Minutes]]</div>

Swinslow