THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
General Meeting/Minutes/2019-01-03
From SPDX Wiki
- Attendance: 15
- Lead by Phil Odence
- Minutes of Dec meeting approved
Contents
Guest Presentation, JC Herz
- Background
- Years of working with companies and DOD in open source
- The Issues/concerns
- License issues- SPDX handles well
- Concerns about security close on the heels
- Compliance is an additional step- Jumping through the hoops to document
- SEVA Software Evidence Archive
- Elements
- Serves S-BOM function
- Augments with content that needs to travel with software
- Therefore allowing compliance work to be automated
- Freeing up valuable resources to do what they are supposed to do
- Can apply to a single component or a full application, so SEVA doesn’t distinguish
- Format Issue
- Customers required XML, beyond SEVA JSON
- To be useable by a highly secure facility, data has to be hardened for which XML is better suited
- Can be constrained and format can be verified (and extended)
- Elements
- SPDX and SEVA Overlap
- License Info
- For the most part SPDX handles beautifully
- Government also needs to distinguish government open source
- A little more information about state of software (e.g. pre-release)
- For the most part SPDX handles beautifully
- Security extra needs
- Some concern about spurious vulnerabilities
- Answer is to extend a BoM to include patch info, etc
- End of life indicator
- They take SPDX familiar thing and provide some extensibility
- How to name “supplier”?
- Working with Kate
- OSS organization for example
- A bank’s black list
- Vulnerabilities
- Key requirement for vulnerabilities info in SBOM, although just a link might make more sense
- Reason is “audit” function. What you knew when. So needs a time stamp.
- Bureaucratic are not going to change in favor of something that makes more sense for developers
- Concerns that this will get worse over time
- Key requirement for vulnerabilities info in SBOM, although just a link might make more sense
- License Info
- Other Side - Logistics
- Moving and shipping of SW/chain of custody- Where did it come from exactly
- Not something OSS community has had to worry about
- Bad mirror issue, for example.
- Signed? Timestamp? Delivery date and time for software.
- Something like FedEx analogy
- Package URL helps identify
- Moving and shipping of SW/chain of custody- Where did it come from exactly
- Q&A
- What can SPDX group do?
- JC thinks that they should open source SEVA
- Could contribute to LinuxF perhaps
- Understand and need to balance needs of OSS consumers and dev communities
- Don’t want to burden them
- Automate
- Challenge- How to distinguish enterprise quality OSS vs. pet projects
- JC thinks that they should open source SEVA
- What can SPDX group do?
Tech Team Report - Kate/Gary
- Tools
- Starting to plan for GSoC submissions with Gary/Kate
- Steve has been trained on releasing License list, so Gary now has backup
- Steve has been working on some new tools for summarizing the SPDX_license_ids based on a new SPDX go library - currently its just supporting TV, but he hopes to add in the other formats
- Specification
- Gary & James have been working through SeVA XML and working through how it can be added.
Legal Team Report - Jilayne
- License List
- V3.4 out before Christmas
- Big success to not have to scramble through holidays
- Release notes in the GitHub repo
- Instructions for requesting now live in Repo as well
- Leverage GSOC work has been automated.
- New frontier- Getting open hardware licenses on list
- Expanding definition of what goes on the list
- V3.4 out before Christmas
Outreach Team Report
- None this month
Attendees
- Phil Odence, Black Duck/Synopsys
- Kate Stewart, Linux Foundation
- Jilayne Lovejoy
- Steve Winslow, LF
- Alexios Zavras, Intel
- Luis Villa, Tidelift
- Jams Neushal, Neushul Solutions
- Matthew Crawford, ARM
- Kevin Nelson, Optim Tech UHG
- Dennis Clark, NexB
- Thomas Steenbergen, HERE
- Bradlee Edmondson, Harvard
- Gary O’Neall, SourceAuditor
- Nicholas Toussaint, Orange
- JC Herz, Ionchannel