General Meeting/Minutes/2020-04-02

• Attendance: 19
• Lead by Phil Odence
• Minutes of April meeting

Guest Speaker- Allan Friedman, NTIA

• NTIA’s Multistakeholder SBOM Process
  • Concerns about software supply chain risks have garnered more attention and energy in the OSS community, industry, and governments around the world. One natural starting point is a greater expectation of transparency of software components and dependencies. Any solution must scale up and down the software supply chain, and across the incredibly diverse software ecosystem, from modern CI/CD application development to critical infrastructure and embedded systems. Over the past two years, NTIA has helped a diverse set of stakeholders find a common vision for a "software bill of materials" (SBOM) that has the potential to scale as needed, and serve as a foundation for even more innovation around software supply chain security and quality. The SPDX community has played a key role in this discussion, and emerged as a key standard. This presentation will give an overview of the policy landscape, the progress made, and the work yet to be done around SBOM. 
  • Allan’s slides  https://drive.google.com/open?id=1KOsm6grnSZ5FsSnzTI9ybYT9m84F8Zfe

Tech Team Report - Kate

• Spec
  • Wrapping up 2.2 spec
    • Known unknowns made it in
  • 3.0 Visions
    • William Bartholomew’s talk about profiles was great (and recorded)
• Tools
  • Gary’s been working on 2.2 tooling
    • Requiring a complete rewrite to the java tools
    • Not API compatible
  • Google SoC
    • 15 different submissions
    • Google is looking for additional mentors on each project
    • So, we need more mentors; contact Gary

Legal Team Report - Steve

• Finalized updates to license inclusion principles
  • Mostly clarifications
  • But also to broaden a bit for non-OSS source available licenses
  • https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md
• 3.9 list release has been pushed out a bit
  • Were waiting for above
  • https://github.com/spdx/license-list-XML/issues?q=is%3Aopen+is%3Aissue+milestone%3A%223.9+release%22
• In anticipation of 3.0 working on a licensing profile
• With Tech Team, updating back end of SPDX website to manage move from Drupal to Wordpress
  • Maintaining license URLs
  • Static pages moving do a different domain.

Outreach Team Report - Jack

• Will be looking for help to update content for Website as per above
• Documenting comprehensive list of SPDX-related tooling

Cross Functional -

• None

Attendees

• Phil Odence, Black Duck/Synopsys
• Alan Friedman, NTIA
• Rose Judge, VMware
• Steve Winslow, LF
• Kate Stewart, Linux Foundation
• Alexios Zavras, Intel
• Jack Manbeck, TI
• Jim Hutchison, Qualcomm
• William Bartholomew, GitHub
• Dave McLoughlin, Flexera
• Michael Herzog- nexB
• Alex Rybak, Flexera
• Gary O’Neall, SourceAuditor
• Paul Madick
• Brad Goldring, GTC Law
• David Wheeler, Linux Foundation
• Mike Dolan, Linux Foundation
• Bob Campbell, DXC
• Mark Atwood, Amazon