From SPDX Wiki
- Attendance: 22
- Lead by Phil Odence
- Minutes of June meeting Approved
SPDX Governance - Phil
Status of governance changes
- Still working through a using the prepackaged JDF docs with LF lawyers
- Lots there due to general nature
- It will have to go through the specified process for discussion and voting
- More scrutiny
- Standards requirement- Companies supporting, logos
- OMG CISQ 3T joining SPDX
- ISO direction – Need more
- Executive Order
- Working with other standards, i.e. SWID and CycloneDX
* Specific concerns that came up
- Community Spec License vs. CCBY
- Patent license to address concerns that have arisen from companies we want to support
- Also, tangentially related SBOM gen tool showed up in repo
- Need criteria for including
- Community Spec License vs. CCBY
- A question came up about discussion of governance on the Gen Mailing list
- We try to limit traffic on the list so one can use to monitor activity without being overwhelmed
- There will be a chance for discussion of a governance proposal once process goes in motion
- Contact Phil with inputs
- We’ll look into a separate list
Outreach Team Report - Sebastian/Jack
- SPDX website rework - license for content CC-BY-4.0
- Looking to rebuild website as static site.
- Code and license - more flex over precise styling and functionality.
- Prototype of site in next few weeks.
- Technical slides - present about SPDX in own organizations.
- Reviewed collateral, audience focus for collateral that will meet audience needs.
- More explanation of “why”. Point to specification when get to details.
- IRC channel
- Sebastian set up #spdx on libera.chat
- previous channels on OFTC, Freenode; hadn’t taken off
- libera.chat has 11 people in it currently
- “cloaking” - hides IP address in some cases, replaces with badge for organization you’re associated with; Sebastian can provide “SPDX cloak”
- Matrix bridge - feature of libera.chat, enables joining via Matrix
- Meeting date and time: 1500 UTC on Wednesdays will be new meeting time, on 14th of July
Legal Team Report - Jilayne/Paul/Steve
- Several new folks participating
- Ariel and Candice from ClearlyDefined have been digging into the Python stack of licenses
- License List 3.14 release - targeting end of July
Tech Team Report - Kate/Gary/Others
- GSoC - JSON support in Golang; will seek to get GSoC student to present at a future General Meeting
- New participants interacting with tools, and seeing pull requests.
- NTIA Plugfest
- new tools emerging from communities
- SPDX was most common format in use
- Can’t get down to SPDX field to field
- SPDX Plugfest?
- Desire to have Japan SPDX Plugfest
- One for north america
- Anchore has a tool supporting SPDX output if you need more 3.0 examples we can on it. (github.com/anchore/syft). We have 2.2 now but can fairly quickly iterate for some 3.0 support.
- ISO/IEC PRF 5962 - Information Technology — SPDX® Specification V2.2.1- moved to PRF status Publication date : 2021-08
- OCI registry overview and how SPDX could interact with containers.
- Specification 3.0 Work
- Looking for more 3.0 examples in serialization
- Lacking critical mass for some decisions - vacations
- Moving through punch list on core model.
- Vulnerability - waiting for core. Snyk put up a nice post.
- Feedback in progress.
- Serialization needs to become clearer.
- More examples are needed.
- Follow up VEX and CSAF
- Licensing profile - pretty similar to 2.2 already.
- Once formatting for how template can be expressed.
- Open Question - why spdx.dev vs. spdx.org; license list dynamically generated spdx.org - Drupal → Wordpress. How to keep License list still populate to website.
- Keep license list URL stable.
- Wikipedia page on SPDX is pretty stale.
- Needs to be updated. Outreach will take it.
- Phil Odence, Black Duck/Synopsys
- Philippe Emmanuel Douziech, CAST
- Bob Martin, Mitre
- Joshua Marpet, RM-ISAO
- David Edelsohn, IBM
- Sebastian Crane
- Marc Etienne Vargenau, Nokia
- Zach Hill, Anchore
- Steve Winslow, LF
- Kate Stewart, Linux Foundation
- William Cox, Synopsys
- Jack Manbeck, TI
- Alexios Zavras, Intel
- Warner Losh, FreeBSD
- Alfredo Espinosa
- Jilayne Lovejoy, Red Hat
- Chris Lusk
- Andrew Jorganson, AWS
- Thomas Steenbergen, HERE
- Brian Fox, Sonotype
- Michael Herzog- nexB