Re: Jan 3 SPDX General Meeting Reminder

Phil Odence
 

Apologies for the extra email, but someone kindly pointed out an error on my part. The correct time for the General Meeting is 16:00 UTC.

Meeting Time: Thurs, Jan 3, 8am PT / 10 am CT / 11am ET / 16:00 UTC. 

 

From: "podence@..." <podence@...>
Date: Wednesday, January 2, 2019 at 8:17 AM
To: "spdx@..." <spdx@...>
Cc: JC Herz <jc.herz@...>
Subject: FW: Jan 3 SPDX General Meeting Reminder

 

Re-reminding now that most folks are back from the holidays.

 

From: "podence@..." <podence@...>
Date: Thursday, December 20, 2018 at 10:04 AM
To: "spdx@..." <spdx@...>
Cc: JC Herz <jc.herz@...>
Subject: Jan 3 SPDX General Meeting Reminder

 

Hello, all. Wishing the best to you for the holidays. As many will have time off between now and the New Year.

 

A new direction from SPDX is to expand into handling security information in addition to license and copyrights. JCC Herz will be talking about this in in the Jan 3 meeting. JC is the COO of Ion Channel, a software supply chain assurance and software logistics platform. JC co-wrote open source acquisition policy for the Defense Department in the mid-2000’s to curtail vendor-driven FUD about OSS, and has worked in large-scale enterprises to accelerate and enable verification, audit and continuous assurance of OSS for mission critical applications. 

 

Here's what she’ll be talking about-

“Evolving SPDX for Open Source Security: Lessons Learned from the Software Evidence Archive (SEVA)”

In the early days of enterprise OSS use, corporate concern tended to stem from licensing status, and SPDX operationalizes and automates risk management in that domain. As concerns around OSS have shifted towards security and supply chain risk, there are enterprise workflows for security approval, audit and compliance that require more and different details to augment transitive dependencies and licensing - some of which are not immediately obvious to developer communities outside the bureaucracies where these workflows exist. In the development of the SEVA (Software Evidence Archive), Ion Channel needed to augment the content of a standard SBOM with security, audit and compliance fields to satisfy the security, audit and compliance requirements of large IT bureaucracies in an an automated fashion. Because of large and escalating regulatory requirements for security, audit and compliance, these workflows are not going away. To that end, Ion Channel seeks to support SPDX with an open source XML implementation that includes these fields, so that large regulated customers can more easily adopt, maintain and update OSS applications and components. 

 

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Jan 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-12-06

 

Guest Speaker  – JC Herz

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 

L. Philip Odence
General Manager, Black Duck On-Demand
Synopsys Software Integrity Group
800 District Avenue, Suite 101, Burlington, MA 01803-5061
Note new work #: W: +1.781.313.6801; M: +1.781.258.9502

www.blackducksoftware.com  

 

 

Join spdx@lists.spdx.org to automatically receive all group messages.