https://wiki.spdx.org/index.php?title=General_Meeting/Minutes/2021-02-04&feed=atom&action=history General Meeting/Minutes/2021-02-04 - Revision history 2024-03-29T09:04:23Z Revision history for this page on the wiki MediaWiki 1.23.13 https://wiki.spdx.org/index.php?title=General_Meeting/Minutes/2021-02-04&diff=4895&oldid=prev Podence: Created page with "* Attendance: 26 * Lead by Phil Odence * Minutes of Dec meeting Approved == 3T-SBOM - Kay/Bob == * Basis ** To standardize, tools need to talk to each other ** Developed 9..." 2021-03-02T13:12:04Z
<p><b>New page</b></p><div>* Attendance: 26<br />
* Lead by Phil Odence<br />
* Minutes of Dec meeting Approved<br />
<br />
<br />
== 3T-SBOM - Kay/Bob ==<br />
<br />
* Basis<br />
** To standardize, tools need to talk to each other<br />
** Developed 9 use cases<br />
** Started up in 2019; several groups involved<br />
** Provenance/Pedigree distinction<br />
** Started w/NTIA fields as basis<br />
** Developed model very similar to SPDX<br />
** Started w/ software but can be broader<br />
* Merging Efforts<br />
** Common goals/members; working for some time<br />
** So, made sense to merge<br />
** Harmonized meetings<br />
*** Profile groups meeting separately from Tech meeting<br />
*** All a little fluid<br />
** Longer Term thoughts<br />
*** Licensing and contribution agreements for spec<br />
*** User scenarios, broader scope<br />
**** May need to update naming scheme<br />
**** Broader scope may require expanded governance and funding<br />
* Questions<br />
** Funding discs<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
<br />
* Spec - Kate<br />
** Overview<br />
*** SPDX 2.2 being refactored into upcoming 3.0 effort, with Core and separate topical Profiles<br />
*** Has been happening in parallel with 3T SBOM efforts<br />
** Core - William<br />
*** Area with most overlap with 3T efforts<br />
*** Have been working on identifying areas of differences between the two, gradually converging<br />
*** Last month was focused on identifying remaining differences and working through them, determining how critical they are<br />
*** Remaining differences are centered on (1) naming things and (2) external references<br />
*** Also working through tooling and how to document the core standard<br />
*** Close to done on what the model will look like, want to turn next to actually writing it up in a format that is suitable for use cases – transition from modeling to authoring of spec text<br />
** Licensing - Steve<br />
*** Described background of licensing fields combined with “core” in 2.2 and prior spec versions<br />
*** Splitting out licensing-related fields into a separate optional profile<br />
*** Previously discussed and brainstorming in a shared Google Doc<br />
*** Was previously planning to wait on migrating into GitHub until spec format was finalized; sounds like that will still be some time until finalized<br />
*** Will work on migrating Google Doc brainstorming outcomes into GitHub in MarkDown or plain text<br />
** Defects – Thomas<br />
*** Includes “vulnerabilities”<br />
*** Worked with William on documenting an example<br />
*** Still working on remediation-related fields<br />
*** Hoping to have more concrete examples, and to restart the security discussions before the end of this month<br />
** Linking – Nisha<br />
*** Mockups: https://github.com/SantiagoTorres/spdx-linking-mockups<br />
*** “Linking” – how different software components are related to each other, and to separate components in the broader ecosystem<br />
*** Profile aims to capture, if using e.g. a container or a CNAB (Cloud Native Application Bundle), meant to surface those connections<br />
*** Focused on cloud native use case, but could also be used in e.g. the embedded world, for something like an embedded OS utilizing multiple components<br />
**** Kay – other scenarios thinking about: e.g. IoT devices, wanting to list out both software and hardware components<br />
**** Santiago – working on similar for in-toto, to authenticate components<br />
*** Currently stuck on sorting out the overlap between the Linking profile and the Integrity profile. Current thinking, integrity signatures should be handled via “relationships” between elements<br />
** Integrity – Santiago<br />
*** Slides: [TO BE FILLED IN]<br />
*** There are a lot of outstanding questions, still being sorted through<br />
*** Milestone structure: Document integrity >> Document Authentication >> Document & supply chain policy >> Linkage & supply chain integrity<br />
*** Discussed roles of each stage and current status of milestones<br />
** Usage and Other Emerging – Kate<br />
*** Spearheaded by team in Japan<br />
*** Looking at carrying e.g. contract info along in SPDX documents<br />
*** Also looking at Pedigree / Provenance profiles, for fields to carry build information<br />
* Tools and Google Summer of Code (GSoC) - Gary<br />
** GSoC: Applications open for projects, Gary is applying now, will update next month<br />
** Will post link to project page<br />
** Looking at different tooling for supporting spec process<br />
<br />
== Legal Team Report - Paul/Jilayne/Steve ==<br />
<br />
* 3.12 release, pushed back to Feb. 19/20, may push further back depending on issue status<br />
* Ran into some issues with CI/build system, thank you to Gary and William for helping to resolve<br />
* Jilayne – description of what the legal team works on<br />
** License list for those not familiar with it: https://spdx.org/licenses<br />
<br />
== Outreach Team Report - Aveek ==<br />
<br />
* Recurring meeting with several community members about how to welcome new folks to the community<br />
* Discussing initial tools, assigning initial issues to newcomers<br />
<br />
<br />
== Attendees ==<br />
<br />
* Phil Odence, Black Duck/Synopsys<br />
* David Martin, Mitre<br />
* Kay Williams, Microsoft<br />
* Steve Winslow, LF<br />
* Jilayne Lovejoy<br />
* Paul Madick, Jenzabar<br />
* Kate Stewart, Linux Foundation<br />
* Gary O’Neall, SourceAuditor<br />
* Aveek Basu, NextMark Printers<br />
* Sean Geary, Revenera<br />
* William Cox, Synopsys<br />
* Maximilian Huber, TNG<br />
* Emmanuel Tournier, Black Duck/Synopsys<br />
* Thomas Steenbergen, HERE<br />
* Alfredo Espinosa<br />
* Nishad Thalhath<br />
* David Edelsohn<br />
* Philippe Emmanuel Douziech<br />
* William Bartholomew, GitHub<br />
* Alexios Zavras, Intel<br />
* Santiago<br />
* Henk Birkholz<br />
* Ariel Patano<br />
* Jorge Rodriguez-Moreno<br />
* Nisha Kumar, VMware<br />
* Michael Herzog, nexB<br />
<br />
<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Podence