THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Minutes/2019-10-08
From SPDX Wiki
October 8, 2019
Attendees
- Gary O’Neall
- Alexios Zavras
- Philippe Ombredanne
- Kate Stewart
- William Bartholomew
- Jeff McAffer
- Nisha Kumar
- Steve Winslow
- Jim Hutchinson
Recording
Recording for this call can be found at https://zoom.us/recording/share/YXxkHjw6MWhafhBxxyyABE14Yh3Ihoewjqv4nxiUzEGwIumekTziMw
SPDX for sBOM
- Google doc available at https://docs.google.com/document/d/1XfNrDmlVdnUzvtrPsylJZFfz1LLDoqnm_vi_PguSzy8/edit
- Short time to market for SPDX 3.0 would be key
- Large spec – formidable to the uninitiated
- Very focused on licensing
- Introduce profiles – base profile is minimal
- Licensing specifics are moved to a licensing profile
- Modify documentation to allow staged adoption
- Steve suggested joint call with legal and tech teams
- Would include a discussion on the requirement of the NOASSERTION fields
- Schedule joint call for next Tuesday
- Any entity that represents a person or organization should have more structure
- Concern about privacy – esp. European regulations
- Agreement on unifying the terminology for the license information in file and declared license for package
- Discussion Declared, Discovered and Concluded
- Everyone on the call agreed to this approach
License Mapping
- Mapping repo added to SPDX
- Issue with discussions: https://github.com/spdx/package-licenses-mapping/issues/1
- Mapping will be 3 columns:
- Package manager (e.g. maven)
- License string
- SPDX license expression
Upcoming SPDX tech call
- 15 Oct: Joint SPDX tech/legal call