THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Minutes/2015-07-28

From SPDX Wiki
< Technical Team‎ | Minutes
Revision as of 18:14, 28 July 2015 by Goneall (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

July 28, 2015

Attendees

  • Gary O'Neall
  • Kate Stewart
  • Matt Germonprez
  • (UNO)
  • Bill Schineller
  • Scott Sterling
  • Yev Bronshteyn
  • Mark Gisi

Security Identifier Proposal

  • Proposal at https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit#
  • Proposal for an SPDX Item level property to hold a reference to an external database for packages
  • Discussion on how much duplication of other efforts
    • Proposal to only provide a link to the other efforts (using a common ID, e.g. CPE) and not duplicate any of the effort
  • Do we want a special section dedicated to vulnerability information or do we want it broader?
  • Discussion on the two proposals for external systems references
    • General need for referencing external systems
    • Proposal that there should be one solution
    • Concern that the CPE/SWID is different from the repositories and should be a different schema
  • Discussion on tag/value and RDF representations
    • For tag/value - need to be a single string for the package reference
    • RDF can either be a single string reference or could be a more general class model
      • Gary to propose a follow-up after doing some research
  • Proposal for a table with the following columns:
    • prefix
    • URL for database or definition of the external reference
    • Checkbox if the syntax is validated by the SPDX
    • ABNF format if syntax is to be validated
    • Domain - could be checkboxes for each domain covered (e.g. security, asset management)
  • Is this at the item level or at the package level?
    • Other than hardware, all of the external references reference something we would describe as a package in SPDX terms
    • There is an issue when we have a binary file which represents a package and that package is described by an SPDX document - we would like to have a way to reference the external package without requiring the full SPDX package information (which may not be available)
    • There is a proposal for external package references in bugzilla (bug 1298 https://bugs.linuxfoundation.org/show_bug.cgi?id=1298)
    • Agree to decide package or item level after the external package reference proposal is discussed next week