Hi all,

we recently published some insights on our license database. You can find details on

https://github.com/org-metaeffekt/metaeffekt-universe

and a visualization of the data on

https://metaeffekt.com/#universe-a

(apologies for the metaeffekt.com pages being currently only available in German language; however the visualization piece is “universal”).

The data is meant to convey the richness/complexity of licenses/exceptions in the wild and demonstrates our endeavor for normalization as a fundamental work for identification, scanning and documentation. In particular, the tables on Github show - by linking into the different license spaces - coverage of SPDX, OSI and ScanCode Toolkit.

We hope you enjoy “playing around with licenses”.

Please note – this is all work in progress. Curiously looking forward for your feedback…

Kind regards,

Karsten

Also attached are slides from Adrian and Steve’s very interesting presentations.

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-12-02

< General Meeting‎ | Minutes

·         Attendance: 33

·         Lead by Phil Odence

·         Minutes from last approved

·         Phil will company membership announcement before end of week

·         We will be move General Meeting minutes to GitHub and crowdsource during meetings.

Contents

 [hide] 

• 1 Microsoft and SPDX - Adrian/Steve
• 2 Tech Team Report – Kate/Gary/Others
• 3 Legal Team Report - Jilayne/Pau/Steve
• 4 Outreach Team Report -
• 5 Attendees

·         Microsoft standardizing on SPDX [Adrian Giglio]

·         Why SPDX?

·         On ISO standard path

·         Already participating

·         Great group

·         Why build their own tool?

·         Already had tooling

·         Easy to move to SPDX

·         Needed certainty to meet NTiA standards

·         Utilize MS Detection

·         Needed a great range of environments

·         Support for very large, complex build systems; layered builds

·         The Tool

·         Built on .Net and available for Windows/Linux/Mac

·         Available as build step in Azure

·         Plan is to open source

·         Pulls OSS data from a variety of build system formats

·         Future

·         Proving by early March, then rolling out across Microsoft

·         Exploring different methods of SBOM distribution including web portal

·         Exploring signing with others in the industry

·         MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker]

·         How to distribute secured supply chain components? Specifically SBOMs

·         Supply chain artifact challenges:

·         artifacts get promoted across environments, including production assets getting pulled from the Internet into restricted networks

·         private virtual networks within cloud infrastructure

·         Solution: Validation artifacts need to travel together with the supply chain objects

·         by default, SBOM might get blocked from being accessed due to "airgapped" / VNet setup

·         instead, create a private registry within each vnet; with shared internal registry hosting all artifacts + SBOMs, then promoted into each vnet

·         ORAS: need signatures to be separable, verifiable, able to be validated, prior to bringing artifact / binary into the environment

·         Microsoft built this for Azure Container Registry, but customers share with other registries and other infrastructure; registries should be a broader standard => OCI Artifacts, ORAS Artifacts

·         Signatures and SPDX SBOMs get attached to the graph

·         ACR support for ORAS Artifacts today => customers can store SPDX SBOMs today: https://aka.ms/acr/supply-chain-artifacts

·         Opportunity: having SPDX document travel alongside the target artifact; CLI that can natively push / pull / validate SPDX SBOMs to Registries

·         What does the SPDX community want to see in an SBOM?

·         recording EULA text?

·         something validated at the time the content is used? => needs to be accessible along with the artifact itself

·         Questions/Comments

·         Dick: what about having vulnerability disclosures together as a part of the distributed info?

·         Appreciate that the SPDX structure enables describing all the pieces of what went into a software build in the first place => static information at a point in time

·         Scan results are things that you learn about over time => e.g. might learn later about a problem that was discovered after it was shipped

·         Scan results will continue to be additive, whereas the SBOM itself doesn't change

·         Dick: some vendors are running scans and producing NVD reports together with vendor's findings; making that info available together with the SBOM. During customer risk assessments, they can see beforehand if a CVE is reported => if shows up in the disclosure, that helps address the risk.

·         Scan results, etc., could be attached to the other documents that are included in the registry

·         Eventually, looking to have a web-browsable portal to easily access these documents. But, the automation is the interesting part.

·         Just this morning, this was announced to be becoming part of an OCI working group; previously getting proven within the ORAS project

·         Sebastian: Ostree (Fedora): https://fedoraproject.org/wiki/Changes/OstreeNativeContainer

·         Signature format: shipped in Notary v2, but working on expanding via conversations with the broader community. Needs to be able to be validated broadly.

·         Dick: NIST workshop that took place this week: ability to distribute SDLC evidence and policy data. Will that be part of this?

·         Viewing this as plumbing / core infrastructure, in a generic way; new types will emerge for what types of artifacts are used to be deployed / promoted on this infrastructure

·         Because it's generic / abstracted, any new type can be hosted on this infrastructure

·         Tools

·         New release of SPDX Java Tools available at https://github.com/spdx/tools-java/releases/tag/v1.0.3

·         Specification

·         Focused on the Core modeling

·         Made progress on collections, packages, and document definitions and relationships

·         Significant testing of the model with different use cases and serialization considerations

·         License List version 3.15 was released and published to https://spdx.org/licenses on Nov. 14

·         Shortened month for meetings due to Thanksgiving holiday in US

·         Warner Losh presented to the team about FreeBSD's use of SPDX short-form license identifiers: https://docs.google.com/presentation/d/1mRWj7DCiicK57BqD4XzUMSZs51TpUUIYIgI-UcB8XDw/edit#slide=id.p

·         No update, but Sebastian sent an email to the General Meeting list with notes on behalf of the team.

·         Phil Odence, Black Duck/Synopsys

·         Adrian Digli, Microsoft

·         Steve Lasker, Microsoft

·         Sebastian Crane

·         Steve Winslow, Boston Technology Law

·         Dick Brooks, REA

·         Rich Steenwyk, GE Healthcare

·         Annie

·         Brad Goldring, GTC

·         Jeff Schutt, Cisco

·         David Edelsohn, IBM

·         Jilayne Lovejoy, Red Hat

·         Aveek Basu, NextMark Printers

·         Marc Gisi, Windriver

·         Gary O’Neall, SourceAuditor

·         Philippe Ombrédanne- nexB

·         Dick Brooks

·         Alex Rybek

·         Brend Smits, Philips

·         Christopher Lusk, Lenovo

·         Christopher Phillips

·         Fellow Jitser

·         Jilayne Lovejoy, Red Hat

·         Mashid

·         Kendra Morton

·         Marco

·         Majira

·         Michael Herzog- nexB

·         Mike Nemmers

·         Molly Menoni

·         Paul Madick, Jenzabar

·         Rose Judge, VMWare

·         Vicky Brasseur, Wipro

Phil,

               I just checked on REA’s LF membership status and it appears the lowest cost tier is $5,000 to become a LF member. Please confirm my understanding is correct that $5,000 is the lowest cost membership fee available.

Dear SPDX community,

With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.

We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.

As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.

Membership Benefits

Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.

Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection

Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.

Signing up

Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.

In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.

(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)

Please let us know if you or your organization have any questions about becoming a member of SPDX.

SPDX Steering Committee

Phil, Kate, Gary, Jilayne, Steve, Paul and Jack

Hello, all, looking forward to seeing you Thursday.

Note, we’ll have guest presentation from Microsoft on what they are doing with SPDX.

Best,

Phil

GENERAL MEETING

Meeting Time: Thurs, Dec 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04

Brief update on governance and membership process - Phil

Presentation

Microsoft and SPDX

·  Microsoft standardizing on SPDX [Adrian Giglio]

·  MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker]

Technical Team Report – Kate/Gary/Others

• Specification and Profiles
• Overview
• Core
• Legal
• Integrity
• Defects
• Usage and Other Emerging
• Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack 

Hi Vicky

We also have a nice website https://oss-compliance-tooling.org/

Perhaps this is better suited for getting an overview

Ciao

Oliver

Yessssss…

It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!

--V

Time Zone: Pacific/West Coast US

CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.
.
 

Hi Vicky,

There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:

https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape

(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)

steve

A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.

For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in each of those long lists aren’t equivalent. They fall into different categories of functionality and come into play at different stages.

Those categories/stages are the taxonomy I’m hoping someone else has already created and published under a FOSS license so we can all play along at home. 😊

My web searches aren’t turning anything up on this one. Do any of you know whether this exists already?

--V

Time Zone: Pacific/West Coast US

Hi all,

Great news: ISO SPDX standard is now publicly available at:

https://standards.iso.org/ittf/PubliclyAvailableStandards/

Best regards,

Marc-Etienne

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04

< General Meeting‎ | Minutes

·         Attendance: 25

·         Lead by Phil Odence

·         Minutes from last approved

·         Company membership mechanics will be rolled out within a couple weeks.

Contents

 [hide] 

• 1 GSOC - Ujjwal
• 2 Tech Team Report - Kate/Gary/Others
• 3 Legal team update - Jilayne/Pau/Steve
• 4 Outreach team - Sebastian
• 5 Attendees

·         JSON Support for Golang libraries

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Most of the work is focused on the core model.  We’re making progress but still have a ways to go to settle on a good code the other profiles will be built on.

·         A new repo has been setup for the SPDX 3.0 spec since it will have a different way of generating the examples and spec and will also be under the new license as part of the new governance we put in place

·         We expect more activities on the profiles next month, especially security

·         Interest in the spec and tools continues to increase – we’re seeing some good signs of adoption from companies, other open source projects, and individuals (if you need more detail – SW360 is engaged in some issues conversations on the tools, the SPDX 2.1 spec issues has some new contributor)

·         FreeBSD will be adopting SPDX tags

·         Fedora is exploring as well

·         Conversations about adding better instructions on using Git to contribute to license repo

·         Processes

·         Transitioned to monthly meeting

·         Different ways of working in between under discussion

·         Wikipedia page updates

·         Adding history

·         Adding logos of companies and projects that are using

·         Phil Odence, Black Duck/Synopsys

·         Ujjwall Agarwal

·         Alexios Zavras, Intel

·         Eric Billingsley, Calculi

·         Jeff Schutt, Cisco

·         Sebastian Crane

·         Bob Martin, Mitre

·         Steve Winslow, Boston Technology Law

·         Christopher Lusk, Lenovo

·         David Edelsohn, IBM

·         Jilayne Lovejoy, Red Hat

·         Tony Aiuto

·         Karan Marjara, AWS

·         Joshua Marpet, RM-ISAO

·         Paul Madick, Jenzabar

·         Adrian Diglio, Microsoft

·         Alfredo Espinosa

·         Brad Goldring

·         Edgar

·         Joe

·         Vicky Brasseur, Wipro

·         Warner Losh, FreeBSD

·         Fellow Jitser

·         Aasim, Microsoft

Apologies for the late reminder.

Notes:

• For Euro folks, time diff is off by an hour as US doesn’t go back to standard time until this weekend
• We will have a Google Summer of Code presentation on Json support for Golang libs

GENERAL MEETING

Meeting Time: Thurs, Nov 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

Presentation

• JSON Support for Golang libraries
  After the introduction of Spdx Specifications v2.2 JSON, YAML, and a development version of XML have been added as supported file formats. However , the tools-golang package currently did not have the support to parse the spdx files nor had the support to save a spdx doc in JSON format .The main objective of this project is to add support in the tools-golang package so that it can parse as well as save SPDX® v2.2 files in JSON format . 
  Background : I am a passionate individual who always strives to work on end to end products which develop sustainable and scalable social and technical systems to create impact. 

Technical Team Report – Kate/Gary/Others

• Specification and Profiles
• Overview
• Core
• Legal
• Integrity
• Defects
• Usage and Other Emerging
• Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack