THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
General Meeting/Minutes/2020-04-02
From SPDX Wiki
- Attendance: 19
- Lead by Phil Odence
- Minutes of April meeting
Contents
Guest Speaker- Allan Friedman, NTIA
- NTIA’s Multistakeholder SBOM Process
- Concerns about software supply chain risks have garnered more attention and energy in the OSS community, industry, and governments around the world. One natural starting point is a greater expectation of transparency of software components and dependencies. Any solution must scale up and down the software supply chain, and across the incredibly diverse software ecosystem, from modern CI/CD application development to critical infrastructure and embedded systems. Over the past two years, NTIA has helped a diverse set of stakeholders find a common vision for a "software bill of materials" (SBOM) that has the potential to scale as needed, and serve as a foundation for even more innovation around software supply chain security and quality. The SPDX community has played a key role in this discussion, and emerged as a key standard. This presentation will give an overview of the policy landscape, the progress made, and the work yet to be done around SBOM.
- Allan’s slides https://drive.google.com/open?id=1KOsm6grnSZ5FsSnzTI9ybYT9m84F8Zfe
Tech Team Report - Kate
- Spec
- Wrapping up 2.2 spec
- Known unknowns made it in
- 3.0 Visions
- William Bartholomew’s talk about profiles was great (and recorded)
- Wrapping up 2.2 spec
- Tools
- Gary’s been working on 2.2 tooling
- Requiring a complete rewrite to the java tools
- Not API compatible
- Google SoC
- 15 different submissions
- Google is looking for additional mentors on each project
- So, we need more mentors; contact Gary
- Gary’s been working on 2.2 tooling
Legal Team Report - Steve
- Finalized updates to license inclusion principles
- Mostly clarifications
- But also to broaden a bit for non-OSS source available licenses
- https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md
- 3.9 list release has been pushed out a bit
- In anticipation of 3.0 working on a licensing profile
- With Tech Team, updating back end of SPDX website to manage move from Drupal to Wordpress
- Maintaining license URLs
- Static pages moving do a different domain.
Outreach Team Report - Jack
- Will be looking for help to update content for Website as per above
- Documenting comprehensive list of SPDX-related tooling
Cross Functional -
- None
Attendees
- Phil Odence, Black Duck/Synopsys
- Alan Friedman, NTIA
- Rose Judge, VMware
- Steve Winslow, LF
- Kate Stewart, Linux Foundation
- Alexios Zavras, Intel
- Jack Manbeck, TI
- Jim Hutchison, Qualcomm
- William Bartholomew, GitHub
- Dave McLoughlin, Flexera
- Michael Herzog- nexB
- Alex Rybak, Flexera
- Gary O’Neall, SourceAuditor
- Paul Madick
- Brad Goldring, GTC Law
- David Wheeler, Linux Foundation
- Mike Dolan, Linux Foundation
- Bob Campbell, DXC
- Mark Atwood, Amazon