THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

General Meeting/Minutes/2020-04-02

From SPDX Wiki
Jump to: navigation, search
  • Attendance: 19
  • Lead by Phil Odence
  • Minutes of April meeting

Guest Speaker- Allan Friedman, NTIA

  • NTIA’s Multistakeholder SBOM Process
    • Concerns about software supply chain risks have garnered more attention and energy in the OSS community, industry, and governments around the world. One natural starting point is a greater expectation of transparency of software components and dependencies. Any solution must scale up and down the software supply chain, and across the incredibly diverse software ecosystem, from modern CI/CD application development to critical infrastructure and embedded systems. Over the past two years, NTIA has helped a diverse set of stakeholders find a common vision for a "software bill of materials" (SBOM) that has the potential to scale as needed, and serve as a foundation for even more innovation around software supply chain security and quality. The SPDX community has played a key role in this discussion, and emerged as a key standard. This presentation will give an overview of the policy landscape, the progress made, and the work yet to be done around SBOM. 
    • Allan’s slides  https://drive.google.com/open?id=1KOsm6grnSZ5FsSnzTI9ybYT9m84F8Zfe

Tech Team Report - Gary & Kate

  • Spec
    • Wrapping up 2.2 spec
      • NTIA's request for mechanism to illustrate Known unknowns made it in
    • 3.0 Visions
      • William Bartholomew’s talk about profiles was great (recorded)
      • Santiago talk about linking artifacts and signing helped clarify a lot of misconceptions (recorded)
  • Tools
    • Gary’s been working on 2.2 tooling
      • Working on a complete rewrite to the java tools to support multiple formats
    • Google SoC
      • 15 different submissions
      • Google is looking for additional mentors on each project
      • So, we need more mentors; contact Gary

Legal Team Report - Steve


Outreach Team Report - Jack

  • Will be looking for help to update content for Website as per above
  • Documenting comprehensive list of SPDX-related tooling

Cross Functional -

  • None

Attendees

  • Phil Odence, Black Duck/Synopsys
  • Alan Friedman, NTIA
  • Rose Judge, VMware
  • Steve Winslow, LF
  • Kate Stewart, Linux Foundation
  • Alexios Zavras, Intel
  • Jack Manbeck, TI
  • Jim Hutchison, Qualcomm
  • William Bartholomew, GitHub
  • Dave McLoughlin, Flexera
  • Michael Herzog- nexB
  • Alex Rybak, Flexera
  • Gary O’Neall, SourceAuditor
  • Paul Madick
  • Brad Goldring, GTC Law
  • David Wheeler, Linux Foundation
  • Mike Dolan, Linux Foundation
  • Bob Campbell, DXC
  • Mark Atwood, Amazon