Technical Team/Minutes/2020-05-05

From SPDX Wiki
Jump to: navigation, search

May 5, 2020


  • Alexios Zavras
  • Nisha Kumar
  • Steve Winslow
  • Kate Stewart
  • William Bartholomew
  • Gary O’Neall
  • Sean Goggins
  • Jim Hutchison
  • Karsten Klein
  • Vicky Brasseur
  • Rose Judge
  • Thomas Steenbergen
  • Takashi Ninjouji
  • Santiago Torres


  • 4 projects selected
  • Looking for mentoring possibility for one of the students who should have been selected but wasn’t
  • Currently in community bonding
  • Active coding about a month away, will start having the students join the call at that time
  • Discussion on the approach for repos:
    • Up to student and mentor – Gary can create a repo in SPDX, can use a branch in an existing SPDX repo, or can use the student’s repo and transfer to SPDX at the end of the project
  • Question on Gitter
    • We’ll use the public SPDX channel for most communications

SPDX 2.2

  • Release done over the weekend
  • development/v2.2.1 branch created and made the default branch
  • Thanks to the many contributors and reviewers – especially Alexios, Steve, Thomas, William, Kate and Gary
  • Rendering for the v2 draft has some problems – William is looking into

SPDX 2.2.1

  • Focused on the ISO standard
  • Conversion to the standard as first phase and move to word for submission as a second phase


  • See slides for the overview presented by Nisha
  • Issue with download URL not being a URL
  • Issue with the size – 7MB for the example shown
  • Issue with difference in representation in the layer descriptions and in the flattened image
    • Name are based on the SHA checksum, not a natural filename
  • Is it possible to define an SPDX document for each layer
    • Yes – external document refs can be used
    • Discussion on tooling support
  • Discussion on different relationship types for the manifest.json and config.json
  • How do we account for content addressable “Packages”?
  • What does an external reference look like for deployments?
  • Can we compose/decompose SPDX documents?
  • Can we provide pipeline context?
  • General agreement that the relationships between docs and pipeline is related to the linking proposal Santiago is working on