Technical Team/Minutes/2015-07-28

From SPDX Wiki
Jump to: navigation, search

July 28, 2015


  • Gary O'Neall
  • Kate Stewart
  • Matt Germonprez
  • Shankar Korlimarla
  • Bill Schineller
  • Scott Sterling
  • Yev Bronshteyn
  • Mark Gisi

Security Identifier Proposal

  • Proposal at
  • Proposal for an SPDX Item level property to hold a reference to an external database for packages
  • Discussion on how much duplication of other efforts
    • Proposal to only provide a link to the other efforts (using a common ID, e.g. CPE) and not duplicate any of the effort
  • Do we want a special section dedicated to vulnerability information or do we want it broader?
  • Discussion on the two proposals for external systems references
    • General need for referencing external systems
    • Proposal that there should be one solution
    • Concern that the CPE/SWID is different from the repositories and should be a different schema
  • Discussion on tag/value and RDF representations
    • For tag/value - need to be a single string for the package reference
    • RDF can either be a single string reference or could be a more general class model
      • Gary to propose a follow-up after doing some research
  • Proposal for a table with the following columns:
    • prefix
    • URL for database or definition of the external reference
    • Checkbox if the syntax is validated by the SPDX
    • ABNF format if syntax is to be validated
    • Domain - could be checkboxes for each domain covered (e.g. security, asset management)
  • Is this at the item level or at the package level?
    • Other than hardware, all of the external references reference something we would describe as a package in SPDX terms
    • There is an issue when we have a binary file which represents a package and that package is described by an SPDX document - we would like to have a way to reference the external package without requiring the full SPDX package information (which may not be available)
    • There is a proposal for external package references in bugzilla (bug 1298
    • Agree to decide package or item level after the external package reference proposal is discussed next week