Technical Team/Minutes/2019-12-03
December 3, 2019
Attendees
- Gary O’Neall
- Alexios Zavras
- Kate Stewart
- Jim Hutchinson
- Steve Winslow
- Matthew Crawford
- William Bartholomew
- Alan Tse
- Mark Atwood
- Rose Judge
- Nisha Kumar
- Philippe Ombredanne
- Thomas Steenbergen
- Brad Edmondston
Other Initiatives Discussion
- Nisha attended KubeCon and remarked on seeing lots of interest in SBOMs in the container space, but people are not sure where to engage.
- Multiple efforts are underway (OCI, CNCF/in-toto, CDF Security SIG/OMG SBOM working group, NTIA), each with its own perspective.
3.0 Model
- Proposed update from William
- Came out of feedback from the OMG working group, which looked at the approach taken by the NTIA Framing working group (see www.ntia.gov/SBOM)
- Feedback on current model:
- Exclusively focused on licensing and IP
- Not very approachable
- Different profiles for the different usages (e.g. IP, Security)
- Feedback: Change “Intellectual Property” to “Licensing” for the profile name
- Tooling – do we need to support all profiles?
- SPDX is focused on syntax
- Producers and consumers have their own policies on which profiles are supported
- Discussion on Relationship – an issue has already been filed
- Discussion on FilesAnalyzed – William will file an issue to track it
SPDX Document License
- We didn’t have a quorum to discuss this fully
- Steve and Jilayne are researching the reasons for the mandatory DataLicense: CC0-1.0 declaration currently in use
- Request that those who would like it changed document their reasons
- Philippe suggested that, for use cases where there is a contract in place between the supplier and the consumer, the license for the SPDX document be governed by that contract rather than declared in the document itself
- Steve will open an issue to track
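As an added illustration of the declaration under discussion (this is example code written for these minutes, not an SPDX project tool), the check below parses the document-creation header of an SPDX 2.x tag-value file and reports whether the mandatory fields, including DataLicense: CC0-1.0, are present with the required values. The sample documents are constructed; the mandatory tag list follows the SPDX 2.x document-creation section, and `<text>...</text>` multi-line values are deliberately not handled because none occur in the header fields checked here.

```python
"""Check the mandatory document-creation header of an SPDX 2.x tag-value
document, including the DataLicense: CC0-1.0 declaration.

Added example for the minutes; not SPDX project code. Sample documents
below are constructed for illustration.
"""
import re

# Mandatory document-level tags in SPDX 2.x. A value of None means
# "any non-empty value is accepted"; a string means the value must
# match exactly. Creator is the only one that may repeat.
MANDATORY_TAGS = {
    "SPDXVersion": None,
    "DataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "DocumentName": None,
    "DocumentNamespace": None,
    "Creator": None,
    "Created": None,
}
REPEATABLE = {"Creator"}

# Tags that begin a package/file/snippet/license section; the document
# header ends at the first of these.
SECTION_START = {"PackageName", "FileName", "SnippetSPDXID", "LicenseID"}

TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")


def parse_header_tags(text):
    """Return {tag: [values]} for the tags before the first section start.
    Blank lines and '#' comments are skipped. Assumption for this example:
    header values are single-line (no <text>...</text> blocks)."""
    tags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag in SECTION_START:
            break
        tags.setdefault(tag, []).append(value)
    return tags


def check_document_header(text):
    """Return a list of problem strings; an empty list means every
    mandatory header tag is present with an acceptable value."""
    tags = parse_header_tags(text)
    problems = []
    for tag, expected in MANDATORY_TAGS.items():
        values = tags.get(tag, [])
        if not values:
            problems.append(f"missing mandatory tag {tag}")
            continue
        if tag not in REPEATABLE and len(values) > 1:
            problems.append(f"tag {tag} appears {len(values)} times, expected once")
        value = values[0]
        if expected is not None and value != expected:
            problems.append(f"{tag} is {value!r}, expected {expected!r}")
        elif expected is None and not value:
            problems.append(f"{tag} has an empty value")
    return problems


# Constructed sample: a compliant header followed by one package section.
GOOD_DOC = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: https://example.com/spdx/example-sbom-1.0
Creator: Tool: example-generator-0.1
Creator: Organization: Example Corp
Created: 2019-12-03T17:00:00Z

PackageName: example
SPDXID: SPDXRef-Package-example
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
"""

# Constructed variants: the declaration omitted, and a different license.
MISSING_DATALICENSE_DOC = GOOD_DOC.replace("DataLicense: CC0-1.0\n", "")
WRONG_DATALICENSE_DOC = GOOD_DOC.replace("DataLicense: CC0-1.0", "DataLicense: CC-BY-4.0")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC),
                      ("missing", MISSING_DATALICENSE_DOC),
                      ("wrong", WRONG_DATALICENSE_DOC)):
        print(name, check_document_header(doc) or "OK")
```

The header parse stops at the first package or file tag so that the package-level SPDXID is not mistaken for a duplicate of SPDXRef-DOCUMENT; a consumer enforcing a policy other than CC0-1.0 (for example, a contract-governed license as Philippe suggested) would change only the expected value in MANDATORY_TAGS.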
Joint Legal/Tech calls
- Will settle on a schedule at the start of the new year; Steve will send out a calendar invite.