Date   

Re: SPDX Goes ISO

Phil Odence
 

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

 

From: spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...>
Date: Tuesday, September 14, 2021 at 10:31 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm:    tel:+386.41.849.552
www:    https://urldefense.com/v3/__https://matija.suklje.name__;!!A4F2R9G_pg!JDcVm_7nX5ihf6dF-lq5bEdOjwvrwPFEsQEyBY11L-icpBRYY7c2OV2t2w8ajmFojgc$
xmpp:   matija.suklje@...
sip:    matija_suklje@...







Re: SPDX Goes ISO

Matija Šuklje
 

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...


Re: SPDX Goes ISO

Kate Stewart
 

The content that went into the standard is the same as what is
in our github repo today, and a pretty version is at:  https://spdx.github.io/spdx-spec/.
The sources for the 2.2.1 are at: https://github.com/spdx/spdx-spec that fed into the review
process.   There's some editorial changes we incorporated into the ISO spec after the review, but nothing substantive, and we're working on a plan right now to capture those in SPDX 2.2.2 release.

Net: the ISO version of the specification has some specific formatting requirements 
that ISO requests us to follow (document structure, table numbering, etc.), but the
actual fields are publicly available either at the web link or the github repo directly.

SPDX is a living standard that is evolving with open participation in the SPDX tech
mailing list and calls.   Issues and pull requests are encouraged and welcome as we continue
to evolve to SPDX 3.0.   Once we solidify on the next set of changes, we may decide to submit to ISO, but it's being worked on in the github repo first.

Kate


On Mon, Sep 13, 2021 at 1:34 PM Michael Richardson <mcr@...> wrote:

It now costs CHF198 to buy.  This is the ISO way, and I think it's literally criminal.
As in: violates UN Charter of Human Rights.

If it doesn't wind up on the Publically Available Standards list, then I
think it's just been killed as a specification.
No open source person is going to buy the document.









Re: SPDX Goes ISO

Phil Odence
 

I believe that is correct. It seems an odd systems, but as I understand it, it’s not unusual to have free and paid for versions of specs with the same content. Openchain is, I believe, and example of same.

 

From: spdx@... <spdx@...> on behalf of William Bartholomew via lists.spdx.org <iamwillbar=github.com@...>
Date: Monday, September 13, 2021 at 2:43 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

I’ll defer to Phil or Kate for an official answer, but my understanding is that SPDX will continue to publish the specification directly from the SPDX project to the community, but certain versions will be also published as ISO standards (the first being 2.2.1 which is materially the same as what’s published on the SPDX site today).

 

William

 

On 9/13/21, 11:34 AM, "spdx@..." <spdx@...> wrote:

 

It now costs CHF198 to buy.  This is the ISO way, and I think it's literally criminal.

As in: violates UN Charter of Human Rights.

 

If it doesn't wind up on the Publically Available Standards list, then I

think it's just been killed as a specification.

No open source person is going to buy the document.

 

 

 

 

 

 

 

 

 


Re: SPDX Goes ISO

William Bartholomew
 

I’ll defer to Phil or Kate for an official answer, but my understanding is that SPDX will continue to publish the specification directly from the SPDX project to the community, but certain versions will be also published as ISO standards (the first being 2.2.1 which is materially the same as what’s published on the SPDX site today).

 

William

 

On 9/13/21, 11:34 AM, "spdx@..." <spdx@...> wrote:

 

It now costs CHF198 to buy.  This is the ISO way, and I think it's literally criminal.

As in: violates UN Charter of Human Rights.

 

If it doesn't wind up on the Publically Available Standards list, then I

think it's just been killed as a specification.

No open source person is going to buy the document.

 

 

 

 

 

 

 

 


Re: SPDX Goes ISO

Michael Richardson
 

It now costs CHF198 to buy. This is the ISO way, and I think it's literally criminal.
As in: violates UN Charter of Human Rights.

If it doesn't wind up on the Publically Available Standards list, then I
think it's just been killed as a specification.
No open source person is going to buy the document.


Re: SPDX Goes ISO

Henk Birkholz
 

"I guess it will..." does not sound very reassuring, to be honest 🤠

So will it definitely become an "ISO Publicly Available Standard" and is that just a question of time?

Viele Grü0e,

Henk

On 13.09.21 09:23, Alexios Zavras wrote:
I guess it will…
The OpenChain one took a couple of months to appear, though, so I don’t know how quickly this gets updated.
-- zvr
*From:* spdx@... <spdx@...> *On Behalf Of *Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
*Sent:* Friday, 10 September, 2021 16:40
*To:* spdx@...
*Cc:* Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
*Subject:* Re: [spdx] SPDX Goes ISO
Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ <https://standards.iso.org/ittf/PubliclyAvailableStandards/> ?
I think it should.
Do we know?
Marc-Etienne
*From:*spdx@... <mailto:spdx@...> <spdx@... <mailto:spdx@...>> *On Behalf Of *Phil Odence via lists.spdx.org
*Sent:* Thursday, September 9, 2021 5:03 PM
*To:* SPDX-general <spdx@... <mailto:spdx@...>>
*Subject:* [spdx] SPDX Goes ISO
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021 <https://urldefense.com/v3/__https:/www.iso.org/standard/81870.html__;!!A4F2R9G_pg!IzcEk2nRZUdfzZmQ8bT_tVgInVURy_PWptKdAupJoT8av2upo-tStlSbY_4GqlpA$>.
Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.
Here’s the LF press release: http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials <https://urldefense.com/v3/__http:/www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials__;!!A4F2R9G_pg!IzcEk2nRZUdfzZmQ8bT_tVgInVURy_PWptKdAupJoT8av2upo-tStlSbY89Cvfim$>
Best regards,
Phil
**
*L. Philip Odence*
General Manager, Black Duck Audit Business
Synopsys Software Integrity Group, Burlington, MA
M (781) 258-9502 | phil.odence@... <mailto:phil.odence@...>
https://www.synopsys.com/audits <https://www.synopsys.com/audits>
SIG-emailsig-2020
signature_653089988<https://www.linkedin.com/showcase/sw_integrity/>signature_1312878970<https://twitter.com/SW_Integrity>signature_1721301777<https://www.youtube.com/channel/UC0I_hKR1E-Ty0roBUEQN4Ww>signature_106429426<https://www.facebook.com/SynopsysSoftwareIntegrity>
Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de>
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Re: SPDX Goes ISO

Alexios Zavras
 

I guess it will…

The OpenChain one took a couple of months to appear, though, so I don’t know how quickly this gets updated.

 

-- zvr

 

From: spdx@... <spdx@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Friday, 10 September, 2021 16:40
To: spdx@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: Re: [spdx] SPDX Goes ISO

 

Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ ?

 

I think it should.

 

Do we know?

 

Marc-Etienne

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, September 9, 2021 5:03 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Goes ISO

 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Re: SPDX Goes ISO

Zachary Fetters
 

This is wonderful news! Congrats to Kate and everyone else who had a hand in this! Hopefully this means wider adoption and growth for the future!

Zachary Fetters
Freelance graphic/web designer.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Thursday, September 9th, 2021 at 11:02 AM, Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



Re: SPDX Goes ISO

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ ?

 

I think it should.

 

Do we know?

 

Marc-Etienne

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, September 9, 2021 5:03 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Goes ISO

 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 


Re: SPDX Goes ISO

Dick Brooks
 

I just realized that the DocFest will be demonstrating interoperability of an ISO standard SBOM.

Great timing getting the ISO standard status before the 9/16 DocFest. Very cool!

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, September 10, 2021 6:45 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 

 

On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

 

Please do 🙂

On Sep 10, 2021, at 19:45, Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:



We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 



On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

Richard Purdie
 

On Thu, 2021-09-09 at 15:02 +0000, Phil Odence via lists.spdx.org wrote:
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.
 
Many people have worked hard over the last decade to get us to this point. Big
credit goes to my Steering Committee colleagues who have all been instrumental.
And we should recognize that this was all Kate’s brainchild. I believe it was
Fall of 2009 when she started informally socializing the idea of a standard SBOM
format at Linux Foundation events. Not too long thereafter, in the then single
weekly meeting, early participants began debating whether it should be SPDE,
ultimately deciding “X” at the end would be catchier. And now it’s officially
caught.
 
Here’s the LF press release:
http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
This is great news, very happy to see it and kudos to everyone involved.

People may also be interested to know that we just merged SPDX SBOM generation
into OpenEmbedded-Core, just before our feature freeze for our October release
(3.4).

This means that Yocto Project will have SPDX and hence ISO compliant SBOM
generation out the box from then and hence on our next LTS planned for April.

http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=f1a34a63e44dc444ed213c48bfeab9da1196bfc8
(and following patches)

Cheers,

Richard


Re: SPDX Goes ISO

Phil Odence
 

We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 



On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

 

Seconded!

This is tremendously important for the governance ecosystem.

Regards

Shane 

On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:


A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

Steve

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   
<image003.jpg>
   
<image004.jpg>
   
<image005.jpg>

 



--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

Dick Brooks
 

A truly amazing achievement – well done and congratulations to Kate and the entire SPDX and Linux Foundation community that made this happen.

 

So much looking forward to advancing SPDX interoperability via the DocFest event.

 

Thanks,

 

Dick Brooks

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx@... <spdx@...> On Behalf Of Steve Winslow
Sent: Thursday, September 9, 2021 11:15 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

Steve Winslow
 

A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

Steve


On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


SPDX Goes ISO

Phil Odence
 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 


Re: SPDX Sept General Meeting Minutes & Announcement

VM (Vicky) Brasseur
 

Thanks, Phil.

 

Will there be a press release of some sort? And at what point will the project be ready to start accepting member companies?

 

Asking for a friend…

 

--V

 

-- 

VM (Vicky) Brasseur

Director, Senior Strategy Advisor

Open Source Program Office

Wipro Limited

Time Zone: Pacific/West Coast US

 

 

From: <spdx@...> on behalf of "Phil Odence via lists.spdx.org" <phil.odence=synopsys.com@...>
Reply-To: "spdx@..." <spdx@...>
Date: Wednesday, September 8, 2021 at 06:37
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Sept General Meeting Minutes & Announcement

 

CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.
.
 

SPDX Community,

 

Minutes: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-09-02

 

As you are aware, in last week’s meeting we discussed a proposal to change the SPDX workgroup’s governance framework. The discussion was a good one and resulted in consensus. As things were rushed a bit at the end of the meeting and wanting to ensure no one was uncomfortable, we left the door open for concerns to be voiced “within a day or so” on this list. Subsequently there was a brief exchange on the list in support of the proposal as presented. And so, from this point forward, the SPDX is operating under the new framework.

 

For anyone who may have missed, a summary is attached. Additionally, here are links to the website that now specifies the newly adopted framework and a link directly to the repo that contains the details of the governance framework:

·  website: https://spdx.dev/about/governance/

·  GitHub repo: https://github.com/spdx/governance/

 

Thanks to all who participated in the smooth transition to the new framework.

 

Best regards,

Phil

Chair, SPDX Steering Committee

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_454131419   signature_92975526   signature_1517895499   signature_1172968236

 

 

 

 

General Meeting/Minutes/2021-09-02

General Meeting‎ | Minutes

·         Attendance: 26

·         Lead by Phil Odence

·         GSoC Presentation was postponed

SPDX Governance - Phil[edit]

·         Intro -Phil

·          

·         GOAL of today: Consensus  

·          

·         Background

·         About 8 years ago, we put in place a governance structure for SPDX.

·         Factors

·         ISO standardization- near to announcing

·         Executive Order

·         More participation from comm members with standards body experience

·         Working with other standards, i.e. SWID and CycloneDX

·          

·         Goal of Change - retain spirit and ways of working

·         more accurately reflect the current reality and future direction of the project

·         establishing a mechanism for official company membership in the project

·         using contribution processes and a license for the spec that ensure explicit patent license commitments from contributors

·         improving clarity around decision-making processes and establishing an appeals process

·         adopting a code of conduct

·          

·         Solution - Steve to explain further

·         Legal Entity creation- switched from JDF to a much simpler

·         Retained Community Specification model

·         Review of pdf Summary - Steave

·         Legal Entity

·         Membership Agreement

·         Community Specs process and license

·         Q&A/Discussion

·         Various clarifications

·         Code of Conduct

·         Agreed that under new structure it could, if need be, be modified in the future

·         Possibility of Dual-licensing Spec

·         Agreed to not address at this time

·         Resolution

·         Consensus reached

·         ...unless significant concerns were raised on the General Mailing List within a day of so of the meeting's close

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Sebastian Crane

·         Joshua Marpet, RM-ISAO

·         Mike Nemmers

·         William Cox, Synopsys

·         Andrew Jorgenson, AWS

·         Bob Martin, Mitre

·         Philippe Emmanuel Douziech, CAST

·         Alexios Zavras, Intel

·         Marc Etienne Vargenau, Nokia

·         Jilayne Lovejoy, Red Hat

·         Steve Winslow, LF

·         Mike Dolan, LF

·         Mark Atwood, Amazon

·         Gary O’Neall, SourceAuditor

·         Paul Madick, Jenzabar

·         Jeff Schutt, Cisco

·         Vicky Brasseur, Wipro

·         Warner Losh, FreeBSD

·         Zach Hill, Anchore

·         Pierre Tardy

·         David Edelsohn, IBM

·         Maximilian Huber, TNG

·         Bill Jaeger

·         Michael Mehlberg, Dark Sky Technology

·         Henk Birkholz, Fraunhofe

 

'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'


SPDX Sept General Meeting Minutes & Announcement

Phil Odence
 

SPDX Community,

 

Minutes: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-09-02

 

As you are aware, in last week’s meeting we discussed a proposal to change the SPDX workgroup’s governance framework. The discussion was a good one and resulted in consensus. As things were rushed a bit at the end of the meeting and wanting to ensure no one was uncomfortable, we left the door open for concerns to be voiced “within a day or so” on this list. Subsequently there was a brief exchange on the list in support of the proposal as presented. And so, from this point forward, the SPDX is operating under the new framework.

 

For anyone who may have missed, a summary is attached. Additionally, here are links to the website that now specifies the newly adopted framework and a link directly to the repo that contains the details of the governance framework:

·  website: https://spdx.dev/about/governance/

·  GitHub repo: https://github.com/spdx/governance/

 

Thanks to all who participated in the smooth transition to the new framework.

 

Best regards,

Phil

Chair, SPDX Steering Committee

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_454131419   signature_92975526   signature_1517895499   signature_1172968236

 

 

 

General Meeting/Minutes/2021-09-02

General Meeting‎ | Minutes

·         Attendance: 26

·         Lead by Phil Odence

·         GSoC Presentation was postponed

SPDX Governance - Phil[edit]

·         Intro -Phil

·          

·         GOAL of today: Consensus  

·          

·         Background

·         About 8 years ago, we put in place a governance structure for SPDX.

·         Factors

·         ISO standardization- near to announcing

·         Executive Order

·         More participation from comm members with standards body experience

·         Working with other standards, i.e. SWID and CycloneDX

·          

·         Goal of Change - retain spirit and ways of working

·         more accurately reflect the current reality and future direction of the project

·         establishing a mechanism for official company membership in the project

·         using contribution processes and a license for the spec that ensure explicit patent license commitments from contributors

·         improving clarity around decision-making processes and establishing an appeals process

·         adopting a code of conduct

·          

·         Solution - Steve to explain further

·         Legal Entity creation- switched from JDF to a much simpler

·         Retained Community Specification model

·         Review of pdf Summary - Steave

·         Legal Entity

·         Membership Agreement

·         Community Specs process and license

·         Q&A/Discussion

·         Various clarifications

·         Code of Conduct

·         Agreed that under new structure it could, if need be, be modified in the future

·         Possibility of Dual-licensing Spec

·         Agreed to not address at this time

·         Resolution

·         Consensus reached

·         ...unless significant concerns were raised on the General Mailing List within a day of so of the meeting's close

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Sebastian Crane

·         Joshua Marpet, RM-ISAO

·         Mike Nemmers

·         William Cox, Synopsys

·         Andrew Jorgenson, AWS

·         Bob Martin, Mitre

·         Philippe Emmanuel Douziech, CAST

·         Alexios Zavras, Intel

·         Marc Etienne Vargenau, Nokia

·         Jilayne Lovejoy, Red Hat

·         Steve Winslow, LF

·         Mike Dolan, LF

·         Mark Atwood, Amazon

·         Gary O’Neall, SourceAuditor

·         Paul Madick, Jenzabar

·         Jeff Schutt, Cisco

·         Vicky Brasseur, Wipro

·         Warner Losh, FreeBSD

·         Zach Hill, Anchore

·         Pierre Tardy

·         David Edelsohn, IBM

·         Maximilian Huber, TNG

·         Bill Jaeger

·         Michael Mehlberg, Dark Sky Technology

·         Henk Birkholz, Fraunhofe

 

141 - 160 of 1592