THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Minutes/2020-03-31

From SPDX Wiki
< Technical Team‎ | Minutes
Revision as of 18:34, 20 April 2020 by Goneall (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

March 31, 2020

Attendees

  • Santiago Torres Arias
  • Gary O’Neall
  • Jack Manbeck
  • Jim Hutchinson
  • Peter Shin
  • Alexios Zavras
  • Andrea Denisse Gomez (new)
  • Nisha Kumar
  • Steve Winsolw
  • William Bartholmew
  • Kate Stewart
  • Vicfred Petrelli
  • Jiyun Kang

3.0

  • Santiago provide overview of linking profile being proposed for 3.0

Recording of the presentation can be found at https://zoom.us/rec/share/-90lL_Lo03hOfLPv2QbZAa8kH5j4X6a8hihKqaBczEpJTJHaMzbGpfUcPBpgfz7y

  • 8 locations in abstract supply chain can be compromised
  • Looking for people to participate in work group on this.
  • Nisha: what's the difference between relationships vs. links?
    • Looking for these artifacts come from build stage.
  • Alexios: Multiple inputs/outputs - love this idea of documenting what is happening, very much in favor of having this information. Only objection with name "linking profile" - points to something else.
    • Santiago receptive for changing the name if we can find a better idea.
  • Gary: The way I'm thinking about it is relationships are static - the state how the artifacts are related at the time the SPDX document is created. Links are more dynamic, they describe an action taken which probably creates a relationship - including the who and how in addition to the "what" of the relationship.
  • Nisha Kumar: Post build state vs build time state?
  • Steve Winslow:
  • I think that's right, Gary. A relationship just describes "this thing is this way", e.g. "Package A depends on Package B". A Link goes further to assert who does what, e.g. "I added Package B as a dependency for Package A, I got B's source code and built it"
  • Peter Shin: Which words do you use to describe "link" in the in-toto process? Do you use the word, "link" or multiple words?
  • Gary - very interested in participating in these discussions, and interested to do some object modeling here. Linking relating to relationships.
  • - Santiago interested in making this an SPDX native concept. Possibly extend relationships.
  • Explicit Interest in making this a focus of 3.0 from: Santiago, WIlliam, Gary, Rose, Nitsha, Alexios, Kate, Steve
    • Decision to work on spdx-tech mail list. Then possibly dedicate some weekly call.

2.2 issues