THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
General Meeting/Minutes/2021-02-04
From SPDX Wiki
- Attendance: 26
- Lead by Phil Odence
- Minutes of Dec meeting Approved
Contents
3T-SBOM - Kay/Bob
- Basis
- To standardize, tools need to talk to each other
- Developed 9 use cases
- Started up in 2019; several groups involved
- Provenance/Pedigree distinction
- Started w/NTIA fields as basis
- Developed model very similar to SPDX
- Started w/ software but can be broader
- Merging Efforts
- Common goals/members; working for some time
- So, made sense to merge
- Harmonized meetings
- Profile groups meeting separately from Tech meeting
- All a little fluid
- Longer Term thoughts
- Licensing and contribution agreements for spec
- User scenarios, broader scope
- May need to update naming scheme
- Broader scope may require expanded governance and funding
- Questions
- Funding discs
Tech Team Report - Kate/Gary/Others
- Spec - Kate
- Overview
- SPDX 2.2 being refactored into upcoming 3.0 effort, with Core and separate topical Profiles
- Has been happening in parallel with 3T SBOM efforts
- Core - William
- Area with most overlap with 3T efforts
- Have been working on identifying areas of differences between the two, gradually converging
- Last month was focused on identifying remaining differences and working through them, determining how critical they are
- Remaining differences are centered on (1) naming things and (2) external references
- Also working through tooling and how to document the core standard
- Close to done on what the model will look like, want to turn next to actually writing it up in a format that is suitable for use cases – transition from modeling to authoring of spec text
- Licensing - Steve
- Described background of licensing fields combined with “core” in 2.2 and prior spec versions
- Splitting out licensing-related fields into a separate optional profile
- Previously discussed and brainstorming in a shared Google Doc
- Was previously planning to wait on migrating into GitHub until spec format was finalized; sounds like that will still be some time until finalized
- Will work on migrating Google Doc brainstorming outcomes into GitHub in MarkDown or plain text
- Defects – Thomas
- Includes “vulnerabilities”
- Worked with William on documenting an example
- Still working on remediation-related fields
- Hoping to have more concrete examples, and to restart the security discussions before the end of this month
- Linking – Nisha
- Mockups: https://github.com/SantiagoTorres/spdx-linking-mockups
- “Linking” – how different software components are related to each other, and to separate components in the broader ecosystem
- Profile aims to capture, if using e.g. a container or a CNAB (Cloud Native Application Bundle), meant to surface those connections
- Focused on cloud native use case, but could also be used in e.g. the embedded world, for something like an embedded OS utilizing multiple components
- Kay – other scenarios thinking about: e.g. IoT devices, wanting to list out both software and hardware components
- Santiago – working on similar for in-toto, to authenticate components
- Currently stuck on sorting out the overlap between the Linking profile and the Integrity profile. Current thinking, integrity signatures should be handled via “relationships” between elements
- Integrity – Santiago
- Slides: [TO BE FILLED IN]
- There are a lot of outstanding questions, still being sorted through
- Milestone structure: Document integrity >> Document Authentication >> Document & supply chain policy >> Linkage & supply chain integrity
- Discussed roles of each stage and current status of milestones
- Usage and Other Emerging – Kate
- Spearheaded by team in Japan
- Looking at carrying e.g. contract info along in SPDX documents
- Also looking at Pedigree / Provenance profiles, for fields to carry build information
- Overview
- Tools and Google Summer of Code (GSoC) - Gary
- GSoC: Applications open for projects, Gary is applying now, will update next month
- Will post link to project page
- Looking at different tooling for supporting spec process
Legal Team Report - Paul/Jilayne/Steve
- 3.12 release, pushed back to Feb. 19/20, may push further back depending on issue status
- Ran into some issues with CI/build system, thank you to Gary and William for helping to resolve
- Jilayne – description of what the legal team works on
- License list for those not familiar with it: https://spdx.org/licenses
Outreach Team Report - Aveek
- Recurring meeting with several community members about how to welcome new folks to the community
- Discussing initial tools, assigning initial issues to newcomers
Attendees
- Phil Odence, Black Duck/Synopsys
- David Martin, Mitre
- Kay Williams, Microsoft
- Steve Winslow, LF
- Jilayne Lovejoy
- Paul Madick, Jenzabar
- Kate Stewart, Linux Foundation
- Gary O’Neall, SourceAuditor
- Aveek Basu, NextMark Printers
- Sean Geary, Revenera
- William Cox, Synopsys
- Maximilian Huber, TNG
- Emmanuel Tournier, Black Duck/Synopsys
- Thomas Steenbergen, HERE
- Alfredo Espinosa
- Nishad Thalhath
- David Edelsohn
- Philippe Emmanuel Douziech
- William Bartholomew, GitHub
- Alexios Zavras, Intel
- Santiago
- Henk Birkholz
- Ariel Patano
- Jorge Rodriguez-Moreno
- Nisha Kumar, VMware
- Michael Herzog- nexB