THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

General Meeting/Minutes/2021-02-04

From SPDX Wiki
Jump to: navigation, search
  • Attendance: 26
  • Lead by Phil Odence
  • Minutes of Dec meeting Approved


3T-SBOM - Kay/Bob

  • Basis
    • To standardize, tools need to talk to each other
    • Developed 9 use cases
    • Started up in 2019; several groups involved
    • Provenance/Pedigree distinction
    • Started w/NTIA fields as basis
    • Developed model very similar to SPDX
    • Started w/ software but can be broader
  • Merging Efforts
    • Common goals/members; working for some time
    • So, made sense to merge
    • Harmonized meetings
      • Profile groups meeting separately from Tech meeting
      • All a little fluid
    • Longer Term thoughts
      • Licensing and contribution agreements for spec
      • User scenarios, broader scope
        • May need to update naming scheme
        • Broader scope may require expanded governance and funding
  • Questions
    • Funding discs

Tech Team Report - Kate/Gary/Others

  • Spec - Kate
    • Overview
      • SPDX 2.2 being refactored into upcoming 3.0 effort, with Core and separate topical Profiles
      • Has been happening in parallel with 3T SBOM efforts
    • Core - William
      • Area with most overlap with 3T efforts
      • Have been working on identifying areas of differences between the two, gradually converging
      • Last month was focused on identifying remaining differences and working through them, determining how critical they are
      • Remaining differences are centered on (1) naming things and (2) external references
      • Also working through tooling and how to document the core standard
      • Close to done on what the model will look like, want to turn next to actually writing it up in a format that is suitable for use cases – transition from modeling to authoring of spec text
    • Licensing - Steve
      • Described background of licensing fields combined with “core” in 2.2 and prior spec versions
      • Splitting out licensing-related fields into a separate optional profile
      • Previously discussed and brainstorming in a shared Google Doc
      • Was previously planning to wait on migrating into GitHub until spec format was finalized; sounds like that will still be some time until finalized
      • Will work on migrating Google Doc brainstorming outcomes into GitHub in MarkDown or plain text
    • Defects – Thomas
      • Includes “vulnerabilities”
      • Worked with William on documenting an example
      • Still working on remediation-related fields
      • Hoping to have more concrete examples, and to restart the security discussions before the end of this month
    • Linking – Nisha
      • Mockups: https://github.com/SantiagoTorres/spdx-linking-mockups
      • “Linking” – how different software components are related to each other, and to separate components in the broader ecosystem
      • Profile aims to capture, if using e.g. a container or a CNAB (Cloud Native Application Bundle), meant to surface those connections
      • Focused on cloud native use case, but could also be used in e.g. the embedded world, for something like an embedded OS utilizing multiple components
        • Kay – other scenarios thinking about: e.g. IoT devices, wanting to list out both software and hardware components
        • Santiago – working on similar for in-toto, to authenticate components
      • Currently stuck on sorting out the overlap between the Linking profile and the Integrity profile. Current thinking, integrity signatures should be handled via “relationships” between elements
    • Integrity – Santiago
      • Slides: [TO BE FILLED IN]
      • There are a lot of outstanding questions, still being sorted through
      • Milestone structure: Document integrity >> Document Authentication >> Document & supply chain policy >> Linkage & supply chain integrity
      • Discussed roles of each stage and current status of milestones
    • Usage and Other Emerging – Kate
      • Spearheaded by team in Japan
      • Looking at carrying e.g. contract info along in SPDX documents
      • Also looking at Pedigree / Provenance profiles, for fields to carry build information
  • Tools and Google Summer of Code (GSoC) - Gary
    •  GSoC: Applications open for projects, Gary is applying now, will update next month
    • Will post link to project page
    • Looking at different tooling for supporting spec process

 

Legal Team Report - Paul/Jilayne/Steve

 

  • 3.12 release, pushed back to Feb. 19/20, may push further back depending on issue status
  • Ran into some issues with CI/build system, thank you to Gary and William for helping to resolve
  • Jilayne – description of what the legal team works on

 

Outreach Team Report - Aveek

 

  • Recurring meeting with several community members about how to welcome new folks to the community
  • Discussing initial tools, assigning initial issues to newcomers


Attendees

  • Phil Odence, Black Duck/Synopsys
  • David Martin, Mitre
  • Kay Williams, Microsoft
  • Steve Winslow, LF
  • Jilayne Lovejoy
  • Paul Madick, Jenzabar
  • Kate Stewart, Linux Foundation
  • Gary O’Neall, SourceAuditor
  • Aveek Basu, NextMark Printers
  • Sean Geary, Revenera
  • William Cox, Synopsys
  • Maximilian Huber, TNG
  • Emmanuel Tournier, Black Duck/Synopsys
  • Thomas Steenbergen, HERE
  • Alfredo Espinosa
  • Nishad Thalhath
  • David Edelsohn
  • Philippe Emmanuel Douziech
  • William Bartholomew, GitHub
  • Alexios Zavras, Intel
  • Santiago
  • Henk Birkholz
  • Ariel Patano
  • Jorge Rodriguez-Moreno
  • Nisha Kumar, VMware
  • Michael Herzog- nexB