THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Minutes/2020-07-28
From SPDX Wiki
July 28, 2020
Attendees
- Kate Stewart
- Thomas Steenbergen
- Rose Judge
- Nisha Kumar
- William Bartholomew
- Steve Winslow
- Gary O’Neall
- Jim Hutchison
Topics: SPDX 3.0 Base Profile
SPDX 3.0 Base Profile
- Continuing discussion from last week on the model
- relationship Model as it relates to container
- There will be a large number of external references
- Potential issue of sharability across different deployment
- Keep the SBOM with the artifact – so there will be a lot of external document references
- Snippets simplification proposal
- Do we relax the guiding principles for using external definitions (e.g. pointer model)?
- Proposal to relax guiding principle to review existing standards but only adopt those that do not overly complicate the SPDX standard
- Do we relax the guiding principles for using external definitions (e.g. pointer model)?
- Overview of Template for profiles
- Discussion on how we represent the mandatory/optional requirements
- Only change for an existing field is to make the field mandatory
- Should we allow any arbitrary additional tools?
- Allows for easy extension
- Most tools will ignore what they don’t understand
- Possible issue with allowing proprietary extensions which may not be helpful to the open standard
- Validation may break
- Different design principle from 2.0 where extensions are only in annotations and comments
- Proposal to allow adding new profiles and new fields in point release
- General agreement
- Appendix should be added to describe how the fields should be added
- Model update – replaced string field of PackageName with “FromFile”
- General agreement the update made sense – but is different from 2.0
- Agreed on a different name – packageFile
- Checksum would be in the file and can be removed from the Package as a property
- Relationship model for containers (continued)
- Do we support the decomposition of SBOM’s as described by Nisha
- General agreement and support
- Suggestion to add external reference location information to find the external documents
- Do we support the decomposition of SBOM’s as described by Nisha
Next Week
- Continue discussion on container SBOM relationships
- Aug 11 Legal profile