THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

General Meeting/Minutes/2018-08-02

Latest revision as of 01:18, 3 August 2018

  • Attendance: 13
  • Led by Phil Odence
  • Minutes of July meeting approved

Guest Presentation - Supporting Continuous Integration, Ndip Tanyi

  • Idea- Automatically generating SPDX docs as part of CI process
  • Scope
    • Focused on Travis CI, NPM and Python
  • Demo
    • Add an install step and the SPDX build script to the CI build script
    • Plus some statements to push the generated SPDX docs to the repo
  • Future extensions
    • Pushing to GitHub as a commit
    • Other CI systems
  • Has been designed generically enough to be extensible to other languages and environments
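The build step described in the presentation, written out as an added example (this is not the presenter's tool and not SPDX project code): a standard-library-only Python script that walks the checked-out tree, records a SHA1 per file as SPDX 2.1 requires, derives the package verification code (sort the file SHA1 hex strings, concatenate, SHA1 the result), and writes a tag-value document the CI job can then commit or upload. The output directory name "spdx", the tool name "ci-spdx-example", the document namespace URL and the sample tree are assumptions of the example.

```python
"""Generate an SPDX 2.1 tag-value document for a source tree as a CI build step.

Added example for the minutes, not the presenter's tool. Assumptions: output goes
to <root>/spdx/ (and that directory is excluded from the scan), the creator tool
name and the DocumentNamespace URL are placeholders, and licences are NOASSERTION
because no license scanning is done here.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

OUTPUT_DIR = "spdx"  # assumed: where the generated document is written


def sha1_of_file(path):
    """SPDX 2.1 mandates a SHA1 per file; stream the file so large artifacts are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_files(root):
    """Sorted relative paths of regular files, skipping .git and our own output dir."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in (".git", OUTPUT_DIR))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def package_verification_code(sha1_hexes):
    """SPDX 2.1 section 3.9: sort the per-file SHA1 hex strings, concatenate, SHA1.
    Order-independent, so every CI worker computes the same code for the same tree."""
    return hashlib.sha1("".join(sorted(sha1_hexes)).encode("ascii")).hexdigest()


def build_spdx_document(root, pkg_name, pkg_version, created=None):
    """Return the tag-value document text for the tree under root."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    files = collect_files(root)
    checksums = {f: sha1_of_file(os.path.join(root, f)) for f in files}
    pkg_id = "SPDXRef-Package"
    lines = [
        "SPDXVersion: SPDX-2.1",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        "DocumentName: %s-%s" % (pkg_name, pkg_version),
        # assumed namespace; a real job would use a URL it controls plus a unique suffix
        "DocumentNamespace: http://spdx.example.invalid/%s-%s" % (pkg_name, pkg_version),
        "Creator: Tool: ci-spdx-example",  # assumed tool name
        "Created: " + created,
        "",
        "PackageName: " + pkg_name,
        "SPDXID: " + pkg_id,
        "PackageVersion: " + pkg_version,
        "PackageDownloadLocation: NOASSERTION",
        "FilesAnalyzed: true",
        "PackageVerificationCode: " + package_verification_code(checksums.values()),
        "PackageLicenseConcluded: NOASSERTION",
        "PackageLicenseInfoFromFiles: NOASSERTION",
        "PackageLicenseDeclared: NOASSERTION",
        "PackageCopyrightText: NOASSERTION",
        "Relationship: SPDXRef-DOCUMENT DESCRIBES " + pkg_id,
    ]
    for i, f in enumerate(files):
        lines += [
            "",
            "FileName: ./" + f,
            "SPDXID: SPDXRef-File-%d" % i,
            "FileChecksum: SHA1: " + checksums[f],
            "LicenseConcluded: NOASSERTION",
            "LicenseInfoInFile: NOASSERTION",
            "FileCopyrightText: NOASSERTION",
        ]
    return "\n".join(lines) + "\n"


def write_spdx_document(root, pkg_name, pkg_version):
    """The CI step: write <root>/spdx/<name>-<version>.spdx and return its path."""
    out_dir = os.path.join(root, OUTPUT_DIR)
    os.makedirs(out_dir, exist_ok=True)
    path = os.path.join(out_dir, "%s-%s.spdx" % (pkg_name, pkg_version))
    with open(path, "w", encoding="utf-8") as f:
        f.write(build_spdx_document(root, pkg_name, pkg_version))
    return path


def demo_document():
    """Constructed sample tree (not a real project): two files with well-known SHA1s.
    Runs the CI step once, then rebuilds to show the output dir is not re-scanned."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "empty.txt"), "wb") as f:
        f.write(b"")
    with open(os.path.join(root, "abc.txt"), "wb") as f:
        f.write(b"abc")
    write_spdx_document(root, "demo", "0.1.0")
    return build_spdx_document(root, "demo", "0.1.0", created="2018-08-02T00:00:00Z")


if __name__ == "__main__":
    print(demo_document())
```

In a Travis-style job the call would be `python generate_spdx.py . "$PKG_NAME" "$PKG_VERSION"` after the install step, followed by whatever commits or uploads the `spdx/` directory; excluding that directory from the scan matters because otherwise the second run would checksum the previous run's document and the verification code would never be stable.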


Tech Team Report - Kate/Gary

  • Tools: GSoC is wrapping up in the next couple of weeks. Thank you to the students for their hard work and improvements to the project tools!
  • Specification:
    • Working through resolution of the external identifiers of the PURL specification and our External Identifiers. We’re trying to get key discussion participants (Yev, Philippe, Trevor, Gary, Kate) all on the same call.
    • On that note, we’re seeing a lot of interest in Security, and it ties into External Identifiers
  • Security:
    • NTIA held a software transparency workshop 2 weeks ago, and are moving forward with a workgroup to reconcile the formats that are out there. When there are more details on the workgroup, Kate will send out the invitation to participate to the SPDX general and technical lists.
    • The SPDX team will also be spinning up a security working group to focus on improving SPDX to support the SBOM for security issues, so watch out for more information, and if you have security contacts who are interested in participating, please subscribe to https://lists.spdx.org/g/spdx-security . We'll be starting discussions there in the next month.


Legal Team Report - Jilayne/Paul

  • 3.2 is out
  • Some clean up of old issues in process
  • Request that legal folks try out Tushar’s tool
  • Exceptions
    • The term is imperfect as it handles some items that are not “exceptions” per se
      • Patent grants, for example
      • Considering changing the term to be more neutral and inclusive
        • “Modifiers” maybe?
        • Will send an email to a wide audience to get people thinking about it and set up a special meeting


Outreach Team Report - Jack

  • Website
    • Making more sense of the License List and Documents section
  • New time for Outreach calls is 7pm EDT
    • Shane Coughlin, from OpenChain, is getting involved to lead the Outreach to Companies (Japan based)
  • OSS Summit
    • Bake-off is on the Tuesday
    • Morning will be on producing SPDX documents and checking their validity
    • Afternoon session will be on consuming them.
    • 6 tools (3 open source, 3 commercial) will be participating.

Attendees

  • Phil Odence, Black Duck/Synopsys
  • Kate Stewart, Linux Foundation
  • Ndip Tanyi, Alberta University
  • Tushar Mittal, GSoC Student
  • Gary O’Neall, SourceAuditor
  • Yash Nisar, GSoC Student
  • Jack Manbeck, TI
  • Steve Winslow, LF
  • Jilayne Lovejoy, ARM
  • Paul Madick, Dimension Data
  • Mike Dolan, Linux Foundation
  • Matije Suklje, Liferay
  • Mark Atwood, Amazon