THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Minutes/2019-12-03"
Latest revision as of 19:44, 3 December 2019
December 3, 2019
Attendees
- Gary O’Neall
- Alexios Zavras
- Kate Stewart
- Jim Hutchinson
- Steve Winslow
- Matthew Crawford
- William Bartholomew
- Alan Tse
- Mark Atwood
- Rose Judge
- Nisha Kumar
- Philippe Ombredanne
- Thomas Steenbergen
- Brad Edmondston
Other Initiatives Discussion
- Nisha attended Kubecon and remarked on seeing lots of interest in SBOMs in the container space, but folks are not sure where to engage.
- Multiple efforts underway: OCI, CNCF/InToto, CDF Security SIG/OMG SBOM working group, NTIA. Each has its own perspective.
3.0 Model
- Proposed update from William
- Came out of feedback from the OMG workgroup, which looked at the approach of the NTIA Framing group (see www.ntia.gov/SBOM)
- Feedback on current model:
  - Exclusively focused on licensing and IP
  - Not very approachable
- Different profiles for the different usages (e.g. IP, Security)
- Feedback: Change "Intellectual Property" to "Licensing" for the profile name
- Tooling: do we need to support all profiles?
  - SPDX is focused on syntax
  - Producers and consumers have policies on which profiles are supported
- Discussion on Relationship: an issue has already been added
- Discussion on FilesAnalyzed: William will add an issue to track
SPDX Document License
- We did not have a quorum to discuss this completely
- Steve and Jilayne are researching the reasons for the mandatory DataLicense: CC0-1.0 declaration currently in use
- Request that those who would like it changed document their reasons
- Philippe suggested that for some use cases where there is a contract in place between the supplier and consumer, the license for the SPDX document be in the license and not in the document itself
- Steve will open an issue to track this
Joint Legal/Tech calls
- Settled on the start of the new year; Steve to put out a calendar invite.