Technical Team/Minutes/2019-12-03

December 3, 2019

Attendees

• Gary O’Neall
• Alexios Zavras
• Kate Stewart
• Jim Hutchinson
• Steve Winslow
• Matthew Crawford
• William Bartholomew
• Alan Tse
• Mark Atwood
• Rose Judge
• Nisha Kumar
• Philippe Ombredanne
• Thomas Steenbergen
• Brad Edmondston

Other Initiatives Discussion

• Nisha attended Kubecon and remarked on seeing lots of interest in SBOM's in the container space, but folks not sure where to engage.
• Multiple efforts underway, OCI, CNCF/InToto, CDF Security Sig/OMG SBOM working group, NTIA - each has own perspective

3.0 Model

• Proposed update from William
• Came out of feedback from OMG workgroup, which looked at approach from Framing group from NTIA (see www.ntia.gov/SBOM)
• Feedback on current model:
  • Exclusively focused on licensing and IP
  • Not very approachable
• Different profiles for the different usages (e.g. IP, Security)
• Feedback: Change “Intellection Property” to “Licensing” for profile name
• Tooling – do we need to support all profiles?
  • SPDX focused on syntax
  • Producers and consumers have policies on what profiles are supported
• Discussion on Relationship – issue has already been added
• Discussion on FilesAnalyzed – William will add an issue to track

SPDX Document License

• We didn’t have a quorum to discuss completely
• Steve and Jilyane are researching the reasons for the mandatory DataLicense: CC0-1.0 declaration currently in use
• Request that those who would like it changed to document the reasons
• Philippe suggested that for some use cases where there is a contract in place between the supplier and consumer, the license for the SPDX document be in the license and not the document itself
• Steve will open an issue to track

Joint Legal/Tech calls

• Settle on start of new year, Steve to put out a calendar invite.