Re: SPDX Company Membership
Phil,
I just checked on REA’s LF membership status and it appears the lowest cost tier is $5,000 to become a LF member. Please confirm my understanding is correct that $5,000 is the lowest cost membership fee available.
Thanks,
Dick Brooks
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, December 2, 2021 3:04 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Company Membership
Dear SPDX community,
With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.
We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.
As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.
Membership Benefits
Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.
Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection.
Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.
Signing up
Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.
In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.
(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)
Please let us know if you or your organization have any questions about becoming a member of SPDX.
SPDX Steering Committee
Phil, Kate, Gary, Jilayne, Steve, Paul and Jack
SPDX Outreach Team report for December General Meeting
Dear all,
Since we didn't have time at the SPDX General Meeting today for the usual team reports, I'm writing to send the Outreach Team's report in textual form! Feel free to reply if you have any questions about the activities of the SPDX Outreach Team, or would like to be involved.
Best wishes,
Sebastian
-----
# Wikipedia article
We've added a version history section to the article at https://wikipedia.org/wiki/Software_Package_Data_Exchange with a version table and explanatory paragraphs (as is the format used in articles for a lot of other open source projects). Plus, the disambiguation link that said 'license documentation standard' now says 'software bill of materials standard'. Here are a couple of 'perma-links' to the before and after states of the article:
* Before: https://en.wikipedia.org/w/index.php?title=Software_Package_Data_Exchange&oldid=1053739112
* After: https://en.wikipedia.org/w/index.php?title=Software_Package_Data_Exchange&direction=next&oldid=1058145243
# SBOM Landscape page
At the most recent Outreach Team meeting, we discussed various categories and taxonomies that could be used in the SBOM Landscape page we are developing at: https://github.com/spdx/sbom-landscape
We'll be trying to form 'neighbourhoods' of related use-cases such as attestation, automation etc. The automated tests for the page are still failing, but builds seem to work correctly, so we can continue work on it. We now have Syft, OSS Review Toolkit, REUSE and Tern listed on the SBOM Landscape page, and will be adding more in the coming weeks!
# SPDX Podcast
Joshua Marpet has resolved the audio issues, meaning that we can start recording podcast episodes again. Joshua is working on an episode with the SPDX Asia Team.
# 'SPDX Ambassadors'
Vicky Brasseur suggested that having an ambassadors programme would be a good idea, so we are exploring the possibility of having contact details of SPDX Ambassadors on our main website. This will help newcomers to quickly contact representatives of SPDX.
# Replicant
I have been in correspondence with a steering committee member of the Replicant project. Replicant aims to replace proprietary components in Android, and they are looking to improve their source code license scanning. SPDX SBOMs could be useful in reducing unnecessary repetition of audits here.
# FOSSLight
We have had good interaction with the developers of FOSSLight, an open source license scanner from Logitech. Gary O'Neall and I have been proactively examining SPDX-related failures in order to help them with their use of the SPDX Java libraries. FOSSLight is a top priority for addition to the spdx.dev Open Source Tools page, as well as the SBOM Landscape!
-----
Thursday's SPDX General Meeting Reminder
Phil Odence
Hello, all, looking forward to seeing you Thursday. Note, we’ll have a guest presentation from Microsoft on what they are doing with SPDX. Best, Phil
GENERAL MEETING
Meeting Time: Thurs, Dec 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Administrative Agenda
· Attendance
· Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04
· Brief update on governance and membership process - Phil
Presentation: Microsoft and SPDX
· Microsoft standardizing on SPDX [Adrian Giglio]
· MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker]
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
OpenChain Automation Case Study #5 - Running a Supply Chain using open source tooling + SPDX
Recording now available. Part #5 explores how SPDX ISO/IEC 5962 works as a Software Bill of Materials (SBOM) in the supply chain through existing open source tooling for open source compliance.
https://www.openchainproject.org/news/2021/11/24/automation-case-study-5
Check out the entire case study here: https://www.openchainproject.org/automation-case-study
Huge thanks to Maximilian Huber at TNG for running this webinar.
Regards
Shane
—
Shane Coughlan
General Manager, OpenChain
e: scoughlan@...
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org
Schedule a call: https://meetings.hubspot.com/scoughlan
REMINDER: SPDX in Virtual Supply Chain Webinar in 15 minutes (09:00 UTC)
REMINDER: OpenChain Automation Case Study showing SPDX Software Bill of Materials being used in a “virtual supply chain” @ 09:00 UTC.
Join without registration here: https://zoom.us/j/4377592799
Everyone is welcome.
Need more timezone information? The event will take place on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST.
REMINDER: Today is the Automation Case Study “virtual supply chain” showing code going through multiple scanners and maintaining SPDX integrity @ 09:00 UTC
REMINDER: Today is the OpenChain Automation Case Study “virtual supply chain” showing code going through multiple scanners and maintaining SPDX integrity @ 09:00 UTC.
We will hold it on Zoom: https://zoom.us/j/4377592799
Everyone is welcome. No registration needed.
Need more timezone information? The event will take place on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST.
The event is in our global calendar: https://www.openchainproject.org/community
Regards
Shane
Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting: https://meetings.hubspot.com/scoughlan
Re: Taxonomy of software supply chain ecosystem?
Oliver Fendt
Hi Vicky
We also have a nice website: https://oss-compliance-tooling.org/ Perhaps this is better suited for getting an overview.
Ciao Oliver
From: spdx@... <spdx@...> On Behalf Of Michael Dolan via lists.spdx.org
You may also want to look at the SLSA framework.
---
On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Re: Taxonomy of software supply chain ecosystem?
You may also want to look at the SLSA framework. https://slsa.dev/levels
---
On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Re: Taxonomy of software supply chain ecosystem?
VM (Vicky) Brasseur
Yessssss…
It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!
--V
--
VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US
From: <spdx@...> on behalf of "Steve Kilbane via lists.spdx.org" <stephen.kilbane=analog.com@...>
Hi Vicky,
There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:
https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape
(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)
steve
From: spdx@... <spdx@...>
On Behalf Of Kate Stewart
There's been some industry wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.
We've been collecting the tools we're aware of that work with SPDX, and grouped them within the taxonomy here: http://tiny.cc/SPDX
It is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.
Long term solution here is to move this collection to SPDX's github and generate automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.
That help?
Kate
On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Taxonomy of software supply chain ecosystem?
VM (Vicky) Brasseur
A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.
For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in each of those long lists aren’t equivalent. They fall into different categories of functionality and come into play at different stages.
Those categories/stages are the taxonomy I’m hoping someone else has already created and published under a FOSS license so we can all play along at home. 😊
My web searches aren’t turning anything up on this one. Do any of you know whether this exists already?
--V
--
VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US
Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)
Dear Marc-Etienne,
Yay! I was indeed just wondering about this earlier today, so thank you very much for the notification :)
Best wishes,
Sebastian
Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)
Hi all,
Great news: ISO SPDX standard is now publicly available at: https://standards.iso.org/ittf/PubliclyAvailableStandards/
Best regards,
Marc-Etienne
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) via lists.spdx.org
Hi Simon,
About the availability of the SPDX spec.
It is the other way round. Since SPDX was not developed by ISO itself, the ISO standard should be available for free on this website: https://standards.iso.org/ittf/PubliclyAvailableStandards/
But it might take some time before it is put there.
Best regards,
Marc-Etienne
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Simon Avery via lists.spdx.org
Hello everyone. First time poster here, so I hope this topic is considered appropriate.
My favorite open source project is Julia (https://julialang.org). Its build process pulls in a lot of code from many other repositories. I thought that the project would benefit from having an SPDX document describing all these packages, streamlining the review and approval process at organizations that want to use Julia.
I've put together a pull request that adds an SPDX document to the repository. At this point it contains only a few packages to demonstrate what it looks like and will be filled in over time. If anyone on this list would like to provide feedback that would be appreciated.
On a related question, since I see that SPDX just became an ISO standard: does that mean that version 2.2.1 (and 3.0) of the specification will not be available for free at spdx.dev? Will the spdx-spec repository on GitHub remain available so that open source developers can access the current specification? If all developers had to pay $200, that would be a significant barrier to adoption in the OSS world.
Thank you in advance for any feedback provided.
Simon Avery
Minutes from Nov 4 SPDX General Meeting
Phil Odence
https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04
General Meeting/Minutes/2021-11-04
· Attendance: 25
· Led by Phil Odence
· Minutes from last approved
· Company membership mechanics will be rolled out within a couple weeks.
GSOC - Ujjwal
· JSON Support for Golang libraries
Tech Team Report - Kate/Gary/Others
· Tools: no update
· Specification: spec version compatible with ISO, now available
· Version 3: most of the work is focused on the core model. We’re making progress but still have a ways to go to settle on a good code the other profiles will be built on.
· A new repo has been set up for the SPDX 3.0 spec since it will have a different way of generating the examples and spec and will also be under the new license as part of the new governance we put in place
· We expect more activities on the profiles next month, especially security
· Interest in the spec and tools continues to increase – we’re seeing some good signs of adoption from companies, other open source projects, and individuals (if you need more detail – SW360 is engaged in some issues conversations on the tools, the SPDX 2.1 spec issues has some new contributors)
Legal team update - Jilayne/Paul/Steve
· FreeBSD will be adopting SPDX tags
· Fedora is exploring as well
· Conversations about adding better instructions on using Git to contribute to license repo
Outreach team - Sebastian
· Processes: transitioned to monthly meeting; different ways of working in between under discussion
· Wikipedia page updates: adding history; adding logos of companies and projects that are using SPDX
Attendees
· Phil Odence, Black Duck/Synopsys
· Ujjwall Agarwal
· Alexios Zavras, Intel
· Eric Billingsley, Calculi
· Jeff Schutt, Cisco
· Sebastian Crane
· Bob Martin, Mitre
· Steve Winslow, Boston Technology Law
· Christopher Lusk, Lenovo
· David Edelsohn, IBM
· Jilayne Lovejoy, Red Hat
· Tony Aiuto
· Karan Marjara, AWS
· Joshua Marpet, RM-ISAO
· Paul Madick, Jenzabar
· Adrian Diglio, Microsoft
· Alfredo Espinosa
· Brad Goldring
· Edgar
· Joe
· Vicky Brasseur, Wipro
· Warner Losh, FreeBSD
· Fellow Jitser
· Aasim, Microsoft
Asia SPDX Meeting- China government data processing draft policy
Came up on the call today. For those interested, here is an overview:
Today's SPDX General Meeting Reminder
Phil Odence
Apologies for the late reminder.
Notes:
GENERAL MEETING
Meeting Time: Thurs, Nov 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Administrative Agenda
· Attendance
· Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07
Presentation
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
Re: Public Domain license identifier
Richard Fontana
The "public domain" part appears to be the text of the Unlicense, so I'd assume "MIT OR Unlicense".
Richard
On Tue, Oct 19, 2021 at 4:02 PM Pierre Tardy <tardyp@...> wrote:
Re: Message Approval Needed - tardyp@gmail.com posted to spdx@lists.spdx.org
J Lovejoy
Hi Pierre,
I am moving the general SPDX list to BCC and sending this via the SPDX legal list, as that is the right place for this question! Also note - I have approved your message and copied you here so you will get the response, but you generally have to join the SPDX mailing list to post and receive messages: https://lists.spdx.org/groups
Looking at the license file for that project: Alternative A is indeed MIT and Alternative B is the Unlicense (https://spdx.org/licenses/Unlicense.html). Thus, the SPDX license expression would be: MIT OR Unlicense
FYI - you might want to install the license diff browser plugin to help you with these kinds of things - https://chrome.google.com/webstore/detail/spdx-license-diff/kfoadicmilbgnicoldjmccpaicejacdh?hl=en (also available for Firefox)
Thanks
Jilayne
SPDX legal team co-lead
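The reasoning in Jilayne's answer (two alternatives in the license file, hence the disjunction MIT OR Unlicense) is exactly what a consumer's license policy check has to evaluate when it reads such an expression out of an SBOM. The following is an added example, not code from the SPDX project or from anyone in this thread: a small Python parser and allow-list evaluator for SPDX 2.x license expressions. It handles the general grammar (AND, OR, WITH and parentheses, with AND binding tighter than OR), not only the MIT OR Unlicense case, and the grammar subset and the allow-lists used are my assumptions.

```python
"""Tiny evaluator for SPDX 2.x license expressions (added example, not SPDX project code).
Assumed grammar, a subset of the spec's syntax, with AND binding tighter than OR:
  expr := and ("OR" and)*   and := primary ("AND" primary)*   primary := "(" expr ")" | ID ["WITH" ID]"""
import re

# A token is a parenthesis or an identifier such as MIT, GPL-2.0+ or Classpath-exception-2.0.
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")
OPERATORS = ("AND", "OR", "WITH")

def tokenize(expr):
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):  # anything the regex skipped is illegal
        raise ValueError(f"invalid characters in license expression: {expr!r}")
    return tokens

class Parser:  # yields ('LIC', id), ('WITH', id, exception) or ('AND'|'OR', left, right) tuples
    def __init__(self, expr):
        self.toks, self.pos = tokenize(expr), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:  # e.g. an unbalanced ")" left over
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_primary()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.parse_primary())
        return node

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok == ")" or tok in OPERATORS:
            raise ValueError(f"expected a license identifier, got {tok!r}")
        if self.peek() == "WITH":  # e.g. GPL-2.0-only WITH Classpath-exception-2.0
            self.take()
            return ("WITH", tok, self.take())
        return ("LIC", tok)

def permitted(node, allowed):
    """True if the expression can be satisfied with allow-listed licenses only: OR lets the consumer
    pick either branch, AND needs both, and 'lic WITH exc' is matched as the literal "lic WITH exc"."""
    kind = node[0]
    if kind == "LIC":
        return node[1] in allowed
    if kind == "WITH":
        return f"{node[1]} WITH {node[2]}" in allowed
    if kind == "OR":
        return permitted(node[1], allowed) or permitted(node[2], allowed)
    return permitted(node[1], allowed) and permitted(node[2], allowed)  # AND

def check(expr, allowed):
    """Parse `expr` and test it against a constructed allow-list such as {"MIT"}."""
    return permitted(Parser(expr).parse(), allowed)
```

With an allow-list of just {"MIT"}, check("MIT OR Unlicense", ...) returns True because the consumer may choose the MIT alternative, while check("MIT AND Unlicense", ...) returns False; malformed input such as an unbalanced parenthesis or stray punctuation raises ValueError instead of being silently accepted.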