SPDX Thursday General Meeting Reminder

Phil Odence

Happy New Year, all. I hope you have a meeting on your calendar for Thursday. In case there is an issue, the conference info is included below.


No special presentation this month.


Also please note that last meeting’s minutes are not yet “pulled” into GitHub, so I have included at the bottom.



Meeting Time: Thurs, Jan5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the meeting:

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 

If also dialing-in through a room phone, join without connecting to audio: 


Etherpad for minutes:



Administrative Agenda


Minutes Approval: At the bottom of this email


Steering Committee Update - Phil


Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling


Legal Team Report – Jilayne/Paul/Steve


Outreach/Website Team Report – Jack/Sebastian/Alexios


#SPDX General Meeting Minutes - Dec 1, 2022


  • Lead by Phil Odence
  • Minutes from last meeting approved

Attendance: 16

Steering Committee Update - Phil

  • Lots of discussion of participation
  • Certainly could use help on
  • Tech- drafting 3.0
  • Legal- license review
  • Outreach- website
  • Stay tuned for SPDX for Security article

Special Presentations

  • Contribution to SPDX 3.0 Specification - Alexios
  • Preliminary feedback from DocFest - Gary

Tech Team Report - Gary, William, Kate

  • SPDX 2.3
  • SPDX 3.0
    • Core Profile - William/Gary/Kate
      • Worked through bulk of outstanding punchlist, now just focusing on identity/agent clarifications.
      • Established workflow to collect profile contributions (see talk from Alexios above)
    • Licensing Profile - Steve/Alexios
      • Profile contributions to SPDX 3.0 unblocked.
    • Security Profile - Thomas/Jeff
      • In addition to linking to VEX documents, team is evaluating minimal VEX elements to embed in SPDX to convey security info in a simplified manner
      • Documenting Security Use Cases in 3.0
      • Planning 3 hour workshops on 12/15 & 12/21 to move preliminary security profile information into the model.
    • Build Profile - Brandon/Nisha
      • Draft relationship and build element completed (https://github.com/spdx/spdx-3-build-profile)
      • Created examples to validate two use cases, one github actions and YOCTO (including nested build)
      • Dependency on identity/agent 3.0 model discussion.
      • Working on presentation about Build and Safety for OCS Japan event.
    • Usage Profile - Ito/Ninjouji/Asaba/Kobota
      • Basic set of fields established but some possible overlap with Build Profile, to be discussed next week.
      • Planning for presentation at SPDX Minifest at OCS Japan
    • AI & Dataset Profile - Gopi/Karen/Kate
  • Working on examples using Dataset profile, to look for coverage.
  • Have worked though 3 Datasets, so far no adjustments needed, looking to get more examples from OpenDataology group.
  • Will start to work through AI application examples in December, and upstream dataset profile
  • Standford Cybersecurity talk mention of our work at: https://youtu.be/ZGnQGfzhwjI
  • Prep for SPDX Minifest at OCS Japan
    • Functional Safety - Nicole/Kate
      • Diagraming of all safety artifacts in progress
      • Some possible new relationships under consideration to be added.

Legal Team Update - Jilayne/Steve/Paul

  • 3.19 released yesterday
    • focused on documentation, made good improvements (more to do)
    • some process discussions still in the works
    • reworked FAQs, now in the repo so easier to update, welcome suggestions / additions via PRs
  • 3.20 - lots of submissions ready for review
    • most coming from Fedora adopting SPDX IDs
    • previously, SPDX had based several additions off of Fedora's "good" licenses
    • many are things that aren't just in Fedora -- e.g. Warner from FreeBSD has been weighing in; many are old licenses
  • Process of how to review licenses -- aiming to make more accessible to people
    • may have a training session for the community
    • watch the spdx-legal mailing list for updates

Outreach Team Update - Sebastian/Alexios/Jack

  • Working on messaging around SPDX and security -- making clearer and simpler for others to reuse as well
  • Started to collect presentations about SPDX, or about SBOMs generally that mention SPDX -- will look to publish somewhere collectively - https://github.com/spdx/outreach


  • Alex Rybak (Revenera)
  • Alexios Zavras
  • Bob Martin
  • Bryan Cowan (Fortress)
  • Gale McCommons (Comcast)
  • Gary O'Neall
  • Jilayne Lovejoy
  • Karen Bennet
  • Marc-Etienne Vargenau
  • Mary Hardy (Microsoft)
  • Maximilian Huber
  • Michael Herzog
  • Paul Madick
  • Phil Odence (Black Duck Audits, Synopsys)
  • Ritesh Sonawane
  • Steve Winslow


Join spdx@lists.spdx.org to automatically receive all group messages.