THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Minutes/2019-12-03

From SPDX Wiki
Jump to: navigation, search

December 3, 2019

Attendees

  • Gary O’Neall
  • Alexios Zavras
  • Kate Stewart
  • Jim Hutchinson
  • Steve Winslow
  • Matthew Crawford
  • William Bartholomew
  • Alan Tse
  • Mark Atwood
  • Rose Judge
  • Nisha Kumar
  • Philippe Ombredanne
  • Thomas Steenbergen
  • Brad Edmondston

Other Initiatives Discussion

  • Nisha attended Kubecon and remarked on seeing lots of interest in SBOM's in the container space, but folks not sure where to engage.
  • Multiple efforts underway, OCI, CNCF/InToto, CDF Security Sig/OMG SBOM working group, NTIA - each has own perspective

3.0 Model

  • Proposed update from William
  • Came out of feedback from OMG workgroup, which looked at approach from Framing group from NTIA (see www.ntia.gov/SBOM)
  • Feedback on current model:
    • Exclusively focused on licensing and IP
    • Not very approachable
  • Different profiles for the different usages (e.g. IP, Security)
  • Feedback: Change “Intellection Property” to “Licensing” for profile name
  • Tooling – do we need to support all profiles?
    • SPDX focused on syntax
    • Producers and consumers have policies on what profiles are supported
  • Discussion on Relationship – issue has already been added
  • Discussion on FilesAnalyzed – William will add an issue to track

SPDX Document License

  • We didn’t have a quorum to discuss completely
  • Steve and Jilyane are researching the reasons for the mandatory DataLicense: CC0-1.0 declaration currently in use
  • Request that those who would like it changed to document the reasons
  • Philippe suggested that for some use cases where there is a contract in place between the supplier and consumer, the license for the SPDX document be in the license and not the document itself
  • Steve will open an issue to track

Joint Legal/Tech calls

  • Settle on start of new year, Steve to put out a calendar invite.