https://github.com/spdx/meetings/blob/master/general/2022-02-03.md

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

SPDX General Meeting Minutes - Feb 3, 2022

Administrative

• Attendance: 33
• Lead by Phil Odence
• Minutes from last meeting approved

Steve Hendrick w/report on SBOM readiness

• Press release about the report
• Report itself
• Showing a selected set of slides from the report
• In all his years as an industry analyst, he never heard of SBOMs. Now though, it's about to become a massive market.
• Was careful to not be too LF biased by surveying a broad end user community.
• Anticipate a 60+ percent growth of orgs using SBOMs…if the tooling exists to support that growth. He hasn't yet looked at the tools that are out there.
• Not a lot of visibility for this from the vendors & tooling providers. Analysts also haven't yet done a market forecast for this, either.
• Discussion on formats that wasn't included in the report. Won't summarise here as it's not really public.

Tech Team Report - Gary/Kate/Thomas

Spec

Defects

• Thomas sent out Doodle poll to figure out date for next team call
• Multiple options on how to include vulnerabilities: include, separate, and link
• Working on one document

Core 3.0

• Good progress on building concensus on when to use properties or relationships (packages containing files for example). Follow along in spdx-3.0-model repo.

2.3 Release

• Follow up from Docfest on some clarifications that emerged from comparisons.
• Anything that we need to help people adopt SPDX for presidential order. Dick points out CMC issued an RFI that incorporates SBOM: https://sam.gov/opp/fe53a2be20094034b178e260f29cd0ad/view
• For licensing-related fields that are currently mandatory but can have noassertion, looking at permitting them to be made as optional for 2.3, presuming NOASSERTION if field is omitted.

Tools

DocFest (Rose)

• Held on 1/27, 24 attendee, identified - 6 topics - made it through all 6
• Thanks to analysis team for helping to understand the differences!

GSOC

• GSOC Summer of Code - Alexios will be lead.
• Please feel free to contribute

Tooling Release

• Rohit working on merge for Online tools.
• Working with CycloneDX team to have tools that interoperate.
• FOSDEM coming up this weekend - Software Composition and Dependency devroom, https://fosdem.org/2022/schedule/track/software_composition_and_dependency_management/

Legal Team Report - Jilayne/Paul/Steve

License List

• Will release 3.16 this weekend.
• Good discussion on Fedora use of identifiers, and use between communities.
• Historically added about 80 licenses to license list in 2014, based on Fedora's own list of licenses
• Similar to discussion previously with Warner about use in FreeBSD
• Will provide updates to General team on Fedora and FreeBSD as it proceeds

Outreach Team Report - Sebastian

• (getting update from email)

Attendees

• VM Brasseur
• Brad Goldring, GTC Law Group
• Christina Chen
• Thomas Steenbergen
• Steve Hendrick
• Jilayne Lovejoy
• Dick Brooks
• Kate Stewart
• Alex Rybak
• Alexios Zavras
• Gary O'Neall
• Christine Chen
• David Edelsohn
• Edgar
• Jacob Wilson
• Jesse Porter, Qualcomm
• Karan Marjara
• Lena Smart
• Marc Etienne Vargenau
• Matthew Neal Miller, Red Hat Product Security
• Michael Herzog
• Paul Madick
• Pete Allor, Red Hat Product Security
• Phil Odence
• Steve Winslow
• William Cox
• Andrew Jorgensen
• Alfredo Espinosa
• Rose Judge
• Ria Schalnat
• Joe Bussell
• Joshua Dubin
• Michael Herzog