Special Presentation and SPDX Thurs General Meeting Reminder


Phil Odence
 

NOTE: I am a little behind and have not posted the minutes from the March meeting in GH. In advance of that, I have included that minutes in roughg form at the bottom of this email.

 

PRESENTATION: Please join us for this presentation to kick off the meeting. Yocto have been very supportive of SPDX and active in incorporating the technology.

 

SPDX in the Yocto Project – Joshua Watt

Abstract:

As Software Bills of Material (SBoMs) become more important in the software industry, the generation of high quality SBoMs from the beginning of the Software Supply Chain has also become more important. The Yocto Project is designed to build up software images from source, and such is a prime candidate to generate these SBoMs at the point where software packages are compiled and assembled into customer images. Joshua will talk about how the Yocto Project is able to do this, and some of the interesting quirks encountered when implementing this feature.

 

Joshua Watt is a Software Engineer for Garmin, where he has been working for the past 13 years. He has been a developer with OpenEmebedded and the Yocto Project for the past 7 years, and is a member of the OpenEmbedded Technical Steering Committee.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, April 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-02-03.md

 

Special Presentation 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian

 

 

 

 

# SPDX General Meeting Minutes - March 3, 2022

 

 

## Administrative

- Attendance: 

Phil Odence, Black Duck Audits/Synopsys

* Patrick Reilly

* Sebastian Crane

* Bob Martin

* Joshua Dubin, Verizon

* Steve Winslow

* Brad Goldring, GTC Law Group

* Joshua Marpet

* Joshua Watt

* Jon Geater, Jitsuin (presenter)

* Alex Rybak

* Jeff Schutt

* Kate Stewart, Linux Foundation

* Maximillian Huber 

* Mark Atwood, Amazon.com

* Philippe-Emmanuel Douziech, CAST GmbH / CISQ

* David Edelsohn

* Paul Madick

* Jilayne Lovejoy, Red Hat

* Ria Schalnat

* Molly Menomi

* Robert Boyd

 

 

- Lead by Phil Odence

- Minutes from last meeting approved.

 

## How RKVST Uses SPDX for Software Transparency by Jon Geater, CTO Jitsuin

### Jitsuin, RVST, Digital Twin Consortium

### The Problem

#### Cyber physical systems- Data is the new oil. Big Opportunity...but requires trusting data

#### Trust can be difficult because everyone is in a supply chain, crossing org boundaries

### Solution approach: Shared asset history w/evidence

#### Including BOM

##### Software and hardware combination (depending on industy)

##### SBOM- super crutial first step

#### Common understanding takes out human time-consuming steps

#### Anyone in the chain should be able to make their own risk assessment

##### Trust is not the same as security

##### Things change/are dynamic...and with software that's frequent

##### So systems need to be able to handle quickly, in real time

### Conclusions

#### What's needed is resilient operation of dynamic systems

#### Important first step is what's in the box

#### ...then vulernablities and what do to about them

#### interoperatiblity of standard formats

### Q&A

 

 

 

## Tech Team Report - Gary/Kate/Thomas

### Spec

#### Defects

Meetings have started up,  join the mailing list for details.

#### Core 3.0

Kate / William - have been making good progress on punch list

#### 2.3 Release

* will be adding in some fields that people have been asking for interoperability with CycloneDX community

* license namespaces - Mark Atwood and Steve Winslow to sync

* SPDX Lite - add Package Supplier to match NTIA minimum definition for SPDX Lite profile

 

 

### Tools

#### GSOC

* Submission in,  project ideas still welcome.

 

 

## Legal Team Report - Jilayne/Paul/Steve

* 3.16 released at beginning of February; continuing with issues / PRs for 3.17

change in meeting cadence - moved to 2nd / 4th Thursday of every month, Steve to update downloadable invites on website

## Outreach Team Report -  Sebastian

* Updates to landscape in process

* FOSDEM talk from Sebastian - recording not yet on FOSDEM website 

  * highlighting key aspects of effective, high-quality SBOMs

  * will be available at https://fosdem.org/2022/schedule/event/security_sbom/ once it's posted

* March 20 - LibrePlanet talk - package management

  * https://libreplanet.org/2022/speakers/#5830

* OpenSSF interest in vulnerabilities website

* Kate and Jack - updates to website

 

 

Join spdx@lists.spdx.org to automatically receive all group messages.