General Meeting/Minutes/2021-07-01

From SPDX Wiki
Revision as of 13:02, 6 July 2021 by Podence (Talk | contribs)

  • Attendance: 22
  • Lead by Phil Odence
  • Minutes of June meeting Approved


SPDX Governance - Phil

Status of governance changes

  • Still working through using the prepackaged JDF docs with LF lawyers
    • Lots there due to general nature
    • It will have to go through the specified process for discussion and voting
  • Why?
    • More scrutiny
      • Standards requirement - companies supporting, logos
      • OMG CISQ 3T joining SPDX
      • ISO direction - need more
      • Executive Order
      • Working with other standards, i.e. SWID and CycloneDX

  • Specific concerns that came up
    • Community Spec License vs. CCBY
      • Patent license to address concerns that have arisen from companies we want to support
    • Also, tangentially related SBOM gen tool showed up in repo
      • Need criteria for including
  • A question came up about discussion of governance on the Gen Mailing list
    • We try to limit traffic on the list so one can use to monitor activity without being overwhelmed
    • There will be a chance for discussion of a governance proposal once process goes in motion
    • Contact Phil with inputs
    • We’ll look into a separate list

Outreach Team Report - Sebastian/Jack


  • Rebooted
  • SPDX website rework - license for content CC-BY-4.0
    • Looking to rebuild website as static site.
    • Code and license - more flex over precise styling and functionality.
    • Prototype of site in next few weeks.
  • Technical slides - present about SPDX in own organizations.
    • Reviewed collateral; focus on collateral that will meet audience needs.
    • More explanation of “why”; point to the specification when getting to details.
  • IRC channel 
    • Sebastian set up #spdx on libera.chat
    • Previous channels on OFTC and Freenode hadn’t taken off
    • libera.chat has 11 people in it currently
    • “cloaking” - hides IP address in some cases, replaces with badge for organization you’re associated with; Sebastian can provide “SPDX cloak”
  • Matrix bridge - feature of libera.chat, enables joining via Matrix
  • Meeting date and time: 1500 UTC on Wednesdays will be the new meeting time, starting 14 July


Legal Team Report - Jilayne/Paul/Steve


  • Several new folks participating
  • Ariel and Candice from ClearlyDefined have been digging into the Python stack of licenses
  • License List 3.14 release - targeting end of July


Tech Team Report - Kate/Gary/Others


  • Tools 
    • GSoC - JSON support in Golang; will seek to get GSoC student to present at a future General Meeting
    • New participants interacting with tools, and seeing pull requests.
    • NTIA Plugfest 
      • new tools emerging from communities 
      • SPDX was most common format in use
      • Can’t get down to SPDX field-to-field
    • SPDX Plugfest?
      • Desire to have Japan SPDX Plugfest
      • One for North America
    • Anchore has a tool supporting SPDX output; if you need more 3.0 examples we can work on it (github.com/anchore/syft). We have 2.2 now but can fairly quickly iterate for some 3.0 support.
  • Specification
    • ISO/IEC PRF 5962 - Information technology — SPDX® Specification V2.2.1 - moved to PRF status; publication date: 2021-08
    • OCI registry overview and how SPDX could interact with containers. 
    • Specification 3.0 Work 
      • Looking for more 3.0 examples in serialization
      • Lacking critical mass for some decisions - vacations
        • Moving through punch list on core model.
      • Vulnerability - waiting for core. Snyk put up a nice post.
        • Feedback in progress.
        • Serialization needs to become clearer.
        • More examples are needed. 
        • Follow up VEX and CSAF
      • Licensing profile - pretty similar to 2.2 already.
        • Once formatting for how the template can be expressed is settled.


Other Topics

  • Open question - why spdx.dev vs. spdx.org; the license list is dynamically generated on spdx.org (Drupal → WordPress). How to keep the license list populating to the website.
  • Keep the license list URL stable.
  • Wikipedia page on SPDX is pretty stale.
    • Needs to be updated. Outreach will take it.

Attendees

  • Phil Odence, Black Duck/Synopsys
  • Philippe Emmanuel Douziech, CAST
  • Bob Martin, Mitre
  • Joshua Marpet, RM-ISAO
  • David Edelsohn, IBM
  • Sebastian Crane
  • Marc Etienne Vargenau, Nokia
  • Zach Hill, Anchore
  • Steve Winslow, LF
  • Kate Stewart, Linux Foundation
  • William Cox, Synopsys
  • Jack Manbeck, TI
  • Alexios Zavras, Intel
  • Warner Losh, FreeBSD
  • Alfredo Espinosa
  • Jilayne Lovejoy, Red Hat
  • Chris Lusk
  • Andrew Jorganson, AWS
  • Thomas Steenbergen, HERE
  • Ronda,
  • Brian Fox, Sonatype
  • Michael Herzog, nexB