Technical Team/Minutes/2019-10-08

October 8, 2019

Attendees

• Gary O’Neall
• Alexios Zavras
• Philippe Ombredanne
• Kate Stewart
• William Bartholomew
• Jeff McAffer
• Nisha Kumar
• Steve Winslow
• Jim Hutchinson

Recording

Recording for this call can be found at https://zoom.us/recording/share/YXxkHjw6MWhafhBxxyyABE14Yh3Ihoewjqv4nxiUzEGwIumekTziMw

SPDX for sBOM

• Google doc available at https://docs.google.com/document/d/1XfNrDmlVdnUzvtrPsylJZFfz1LLDoqnm_vi_PguSzy8/edit
• Short time to market for SPDX 3.0 would be key
• Large spec – formidable to the uninitiated
• Very focused on licensing
• Introduce profiles – base profile is minimal
• Licensing specifics are moved to a licensing profile
• Modify documentation to allow staged adoption
• Steve suggested joint call with legal and tech teams
  • Would include a discussion on the requirement of the NOASSERTION fields
  • Schedule joint call for next Tuesday
• Any entity that represents a person or organization should have more structure
  • Concern about privacy – esp. European regulations
• Agreement on unifying the terminology for the license information in file and declared license for package
  • Discussion Declared, Discovered and Concluded
• Everyone on the call agreed to this approach

License Mapping

• Mapping repo added to SPDX
• Issue with discussions: https://github.com/spdx/package-licenses-mapping/issues/1
• Mapping will be 3 columns:
  • Package manager (e.g. maven)
  • License string
  • SPDX license expression

Upcoming SPDX tech call

• 15 Oct: Joint SPDX tech/legal call