THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Minutes/2020-07-28

From SPDX Wiki
< Technical Team‎ | Minutes
Revision as of 20:17, 28 July 2020 by Goneall (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

July 28, 2020

Attendees

  • Kate Stewart
  • Thomas Steenbergen
  • Rose Judge
  • Nisha Kumar
  • William Bartholomew
  • Steve Winslow
  • Gary O’Neall
  • Jim Hutchison
  • Peter Shin

Topics: SPDX 3.0 Base Profile

SPDX 3.0 Base Profile

  • Continuing discussion from last week on the model
  • relationship Model as it relates to container
    • There will be a large number of external references
    • Potential issue of sharability across different deployment
    • Keep the SBOM with the artifact – so there will be a lot of external document references
  • Snippets simplification proposal
    • Do we relax the guiding principles for using external definitions (e.g. pointer model)?
      • Proposal to relax guiding principle to review existing standards but only adopt those that do not overly complicate the SPDX standard
  • Overview of Template for profiles
    • Discussion on how we represent the mandatory/optional requirements
    • Only change for an existing field is to make the field mandatory
  • Should we allow any arbitrary additional tools?
    • Allows for easy extension
    • Most tools will ignore what they don’t understand
    • Possible issue with allowing proprietary extensions which may not be helpful to the open standard
    • Validation may break
    • Different design principle from 2.0 where extensions are only in annotations and comments
    • Proposal to allow adding new profiles and new fields in point release
      • General agreement
    • Appendix should be added to describe how the fields should be added
  • Model update – replaced string field of PackageName with “FromFile”
    • General agreement the update made sense – but is different from 2.0
    • Agreed on a different name – packageFile
    • Checksum would be in the file and can be removed from the Package as a property
  • Relationship model for containers (continued)
    • Do we support the decomposition of SBOM’s as described by Nisha
      • General agreement and support
      • Suggestion to add external reference location information to find the external documents

Next Week

  • Continue discussion on container SBOM relationships
  • Aug 11 Legal profile