Technical Team/Minutes/2020-05-26

From SPDX Wiki
Jump to: navigation, search

May 26, 2020


  • Rex Jaeschke
  • Kate Stewart
  • William Bartholomew
  • Gary O’Neall
  • Nisha Kumar
  • Steve Winslow
  • John Mudge
  • Takashi Ninjouji
  • Peter Shin
  • Rose Judge
  • Thomas Steenbergen
  • Jim Hutchison
  • GogginsS
  • Santiago Torres
  • Vicky Brasseur
  • Rishabh Bhatnagar


Document namespaces and download URL’s using PUURL – issue

SPDX 2.2

SPDX 2.2.1

  • Update from Rex
    • Steady progress
    • a few issues still open
    • John updating template so that there is no requirement for formatting
  • Discussion on proposal to add footnotes for XML
    • Agreed to remove the tables for the examples rather than go to footnotes
    • Still an issue with conciseness of the examples
    • Agree to keep the metadata as tables


SPDX 3.0 Security Profile

  • Thomas provided an overview of the proposal:
  • Proposal to focus scope on Vulnerability information
    • Create separate proposals for Virus information and other areas of security
    • William and Gary agreed with proposal, no objections
  • Do we need a data provider identity?
    • Tradeoff of complexity vs additional data
    • having a data provider may be useful for other profiles
    • useful at the vulnerability level
    • potentially useful at the document level
    • need an identity object
    • can be a field for vulnerability
    • can also be used as in a relationship
  • Do we want to include a remediation field?
    • Proposal to include a “first patched version” field
    • Proposal to use the description field to capture the remediation suggestion
    • Steve suggested we stick to the facts – similar to legal profile
    • Consensus to not include a remediation field (other than the first patched version field which will be included)
  • Discussion on filtering
  • Do we want to include any formatting for the description (e.g. HTML)?
  • Identifier Aliasing
    • Agreed to use ExternalRef approach under the security category
  • What do we do with packages that don’t maintain standard version
    • The fields that refer to version is a string – added many possible format
  • Aligning with CycloneDX
    • Agreed that we want to have common terms etc.
    • Briefly reviewed differences
      • ExternalRef is on area of difference
      • Description vs. summary is another area
        • Suggestion to change SPDX to use description for the summary and details

Next Week’s Agenda

  • How do we specify the profiles in use for 3.0
  • Legal update – suggest this would be a joint legal/tech call