THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Minutes/2019-12-03"

From SPDX Wiki
Jump to: navigation, search
(Attendees: add 2 attendees missed in original list.)
(Add some comments from start, and couple of tweaks.)
 
Line 15: Line 15:
 
* Thomas Steenbergen
 
* Thomas Steenbergen
 
* Brad Edmondston
 
* Brad Edmondston
 +
 +
==Other Initiatives Discussion==
 +
* Nisha attended Kubecon and remarked on seeing lots of interest in SBOM's in the container space, but folks not sure where to engage.
 +
* Multiple efforts underway,  OCI,  CNCF/InToto,  CDF Security Sig/OMG SBOM working group,  NTIA - each has own perspective
  
 
==3.0 Model==
 
==3.0 Model==
 
* Proposed update from William
 
* Proposed update from William
* Came out of feedback from OMG group
+
* Came out of feedback from OMG workgroup,  which looked at approach from Framing group from NTIA (see www.ntia.gov/SBOM)
 
* Feedback on current model:
 
* Feedback on current model:
 
** Exclusively focused on licensing and IP
 
** Exclusively focused on licensing and IP
Line 36: Line 40:
 
* Philippe suggested that for some use cases where there is a contract in place between the supplier and consumer, the license for the SPDX document be in the license and not the document itself
 
* Philippe suggested that for some use cases where there is a contract in place between the supplier and consumer, the license for the SPDX document be in the license and not the document itself
 
* Steve will open an issue to track
 
* Steve will open an issue to track
 +
 +
==Joint Legal/Tech calls==
 +
* Settle on start of new year,  Steve to put out a calendar invite.
  
 
  [[Category:Technical|Minutes]]
 
  [[Category:Technical|Minutes]]
 
[[Category:Minutes]]
 
[[Category:Minutes]]

Latest revision as of 19:44, 3 December 2019

December 3, 2019

Attendees

  • Gary O’Neall
  • Alexios Zavras
  • Kate Stewart
  • Jim Hutchinson
  • Steve Winslow
  • Matthew Crawford
  • William Bartholomew
  • Alan Tse
  • Mark Atwood
  • Rose Judge
  • Nisha Kumar
  • Philippe Ombredanne
  • Thomas Steenbergen
  • Brad Edmondston

Other Initiatives Discussion

  • Nisha attended Kubecon and remarked on seeing lots of interest in SBOM's in the container space, but folks not sure where to engage.
  • Multiple efforts underway, OCI, CNCF/InToto, CDF Security Sig/OMG SBOM working group, NTIA - each has own perspective

3.0 Model

  • Proposed update from William
  • Came out of feedback from OMG workgroup, which looked at approach from Framing group from NTIA (see www.ntia.gov/SBOM)
  • Feedback on current model:
    • Exclusively focused on licensing and IP
    • Not very approachable
  • Different profiles for the different usages (e.g. IP, Security)
  • Feedback: Change “Intellection Property” to “Licensing” for profile name
  • Tooling – do we need to support all profiles?
    • SPDX focused on syntax
    • Producers and consumers have policies on what profiles are supported
  • Discussion on Relationship – issue has already been added
  • Discussion on FilesAnalyzed – William will add an issue to track

SPDX Document License

  • We didn’t have a quorum to discuss completely
  • Steve and Jilyane are researching the reasons for the mandatory DataLicense: CC0-1.0 declaration currently in use
  • Request that those who would like it changed to document the reasons
  • Philippe suggested that for some use cases where there is a contract in place between the supplier and consumer, the license for the SPDX document be in the license and not the document itself
  • Steve will open an issue to track

Joint Legal/Tech calls

  • Settle on start of new year, Steve to put out a calendar invite.