From SPDX Wiki
March 31, 2020
- Santiago Torres Arias
- Gary O’Neall
- Jack Manbeck
- Jim Hutchinson
- Peter Shin
- Alexios Zavras
- Andrea Denisse Gomez (new)
- Nisha Kumar
- Steve Winslow
- William Bartholomew
- Kate Stewart
- Vicfred Petrelli
- Jiyun Kang
- Santiago provided an overview of the linking profile being proposed for 3.0
Recording of the presentation can be found at https://zoom.us/rec/share/-90lL_Lo03hOfLPv2QbZAa8kH5j4X6a8hihKqaBczEpJTJHaMzbGpfUcPBpgfz7y
- 8 locations in the abstract supply chain can be compromised
- Looking for people to participate in a work group on this.
- Nisha: what's the difference between relationships and links?
- Looking for these artifacts to come from the build stage.
- Alexios: Multiple inputs/outputs - love this idea of documenting what is happening, very much in favor of having this information. Only objection is with the name "linking profile" - it points to something else.
- Santiago is receptive to changing the name if we can find a better one.
- Gary: The way I'm thinking about it is relationships are static - they state how the artifacts are related at the time the SPDX document is created. Links are more dynamic, they describe an action taken which probably creates a relationship - including the who and how in addition to the "what" of the relationship.
- Nisha Kumar: Post build state vs build time state?
- Steve Winslow: I think that's right, Gary. A relationship just describes "this thing is this way", e.g. "Package A depends on Package B". A Link goes further to assert who does what, e.g. "I added Package B as a dependency for Package A, I got B's source code and built it"
- Peter Shin: Which words do you use to describe "link" in the in-toto process? Do you use the word "link" or multiple words?
- Gary - very interested in participating in these discussions, and interested to do some object modeling here. Linking relates to relationships.
- Santiago is interested in making this an SPDX-native concept. Possibly extend relationships.
- Explicit interest in making this a focus of 3.0 from: Santiago, William, Gary, Rose, Nisha, Alexios, Kate, Steve
- Decision to work on the spdx-tech mailing list. Then possibly dedicate a weekly call.
- Other issues recorded in GitHub