THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Minutes/2015-07-28"
From SPDX Wiki
< Technical Team | Minutes
(Created page with "July 28, 2015 == Attendees == * Gary O'Neall * Kate Stewart * Matt Germonprez * (UNO) * Bill Schineller * Scott Sterling * Yev Bronshteyn * Mark Gisi ==Security Identifier Pro...") |
|||
Line 4: | Line 4: | ||
* Kate Stewart | * Kate Stewart | ||
* Matt Germonprez | * Matt Germonprez | ||
− | * | + | * Shankar Korlimarla |
* Bill Schineller | * Bill Schineller | ||
* Scott Sterling | * Scott Sterling |
Latest revision as of 18:15, 28 July 2015
July 28, 2015
Attendees
- Gary O'Neall
- Kate Stewart
- Matt Germonprez
- Shankar Korlimarla
- Bill Schineller
- Scott Sterling
- Yev Bronshteyn
- Mark Gisi
Security Identifier Proposal
- Proposal at https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit#
- Proposal for an SPDX Item level property to hold a reference to an external database for packages
- Discussion on how much duplication of other efforts
- Proposal to only provide a link to the other efforts (using a common ID, e.g. CPE) and not duplicate any of the effort
- Do we want a special section dedicated to vulnerability information or do we want it broader?
- Discussion on the two proposals for external systems references
- General need for referencing external systems
- Proposal that there should be one solution
- Concern that the CPE/SWID is different from the repositories and should be a different schema
- Discussion on tag/value and RDF representations
- For tag/value - need to be a single string for the package reference
- RDF can either be a single string reference or could be a more general class model
- Gary to propose a follow-up after doing some research
- Proposal for a table with the following columns:
- prefix
- URL for database or definition of the external reference
- Checkbox if the syntax is validated by the SPDX
- ABNF format if syntax is to be validated
- Domain - could be checkboxes for each domain covered (e.g. security, asset management)
- Is this at the item level or at the package level?
- Other than hardware, all of the external references reference something we would describe as a package in SPDX terms
- There is an issue when we have a binary file which represents a package and that package is described by an SPDX document - we would like to have a way to reference the external package without requiring the full SPDX package information (which may not be available)
- There is a proposal for external package references in bugzilla (bug 1298 https://bugs.linuxfoundation.org/show_bug.cgi?id=1298)
- Agree to decide package or item level after the external package reference proposal is discussed next week