SPDX in GSoC 2023!
Alexios Zavras
Hi everyone!
As every year, Google runs their Summer of Code program, where contributors get the opportunity to become part of Open Source communities. The SPDX Project has participated in the program in a number of years in the past. The way it works is that we publish project ideas and, if selected, newcomers to open source express their interest in them. The ones finally selected will spend their summer writing code under the guidance of mentors from our project. In order for contributors to join our community and help us, we have to publish a set of ideas where help is needed!
Therefore, this is a plea for ideas – and more importantly, mentors who can guide the new contributors and help them accomplish their projects!
Firstly, we are looking for project ideas! Either small or large, either incremental improvements to existing open source code or new pieces of software; everything is welcome! Please read the basics on https://google.github.io/gsocguides/mentor/defining-a-project-ideas-list.html and then write a couple of lines on your great idea.
I’ve (hastily) created a special repo for all this: https://github.com/spdx/GSoC. Feel free to create PRs with your ideas!
Perhaps even more important than ideas, we are also looking for mentors! Please get in contact via the repo if you are willing to help new members become active participants to SPDX this summer. Each project should have at least two mentors (a primary and a secondary one) who will guide the contributors in their journey.
Feel free to open an issue in the repo if you want to discuss in more detail any of the above. Looking forward to lots of participation!
-- zvr
PS. I’ve already added a project idea: help on the spec generation from our model files. Off the top of my head I can think of other ideas like:
But all these need mentors, otherwise they cannot be realistically proposed.
Intel Deutschland GmbH
Seeking Opinions/Participants about AI SBOM Features
Caven, Peter
Researchers at Indiana University’s Luddy School of Informatics, Computing, and Engineering are looking for participants in the study of SBOM feature preferences. This is an online and asynchronous study about which features impinge on trustworthiness. We ask you for fewer than fifteen minutes of your time to perform the virtual card sorting exercise and answer a few questions.
Please participate: "State of Open Standards Survey"
Kate Stewart
The Linux Foundation (LF) has launched The State of Open Standards Survey to capture how different organizations are involved in open standards adoption and contribution, with the aim of measuring the development, use, growth, and value of standards across industries and technologies. As SPDX is one of the standards that has been supported by the LF, and we have experience with the development and use of standards, your feedback on this topic is important! It should only take 15-20 minutes to complete.
https://www.research.net/r/Q7KG9JH
The insights gained from this report will help the LF standards community interpret and communicate the current state of standards adoption and development, while taking strategic directions that best represent the needs and trends of the open standards ecosystem.
Visibility: The data collected from this survey will be analyzed to produce an in-depth survey report that will be shared with all survey participants and will be published on the Linux Foundation website.
Thanks for your help with this!
Kate
Re: SPDX Thursday General Meeting Reminder
Phil Odence
Thanks, Max. I think that “bug” has been there for a while. I will endeavor to eliminate it going forward. Thanks for pointing it out. Phil
From: spdx@... <spdx@...> on behalf of Maximilian Huber via lists.spdx.org <maximilian.huber=tngtech.com@...>
Hey Phil,
just checked the meeting time and there seems to be an inconsistency:
8am PT / 10 am CT / 11am ET
maps to
16:00 UTC
I assume that 16:00 UTC, as it is the usual time, is right?
Best
Max
On Wed, 2023-01-04 at 20:56 +0000, Phil Odence via lists.spdx.org
wrote:
> Meeting Time: Thurs, Jan5, 8am PT / 10 am CT / 11am ET /
> 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
--
TNG Technology Consulting GmbH, Beta-Str. 13a, 85774 Unterföhring
Managing Directors: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Chairman of the Supervisory Board: Christoph Stock
Registered office: Unterföhring * Amtsgericht München * HRB 135082
Re: SPDX Thursday General Meeting Reminder
Maximilian Huber
Hey Phil,
just checked the meeting time and there seems to be an inconsistency:
8am PT / 10 am CT / 11am ET
maps to
16:00 UTC
I assume that 16:00 UTC, as it is the usual time, is right?
Best
Max
On Wed, 2023-01-04 at 20:56 +0000, Phil Odence via lists.spdx.org wrote:
> Meeting Time: Thurs, Jan5, 8am PT / 10 am CT / 11am ET /
--
TNG Technology Consulting GmbH, Beta-Str. 13a, 85774 Unterföhring
Managing Directors: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Chairman of the Supervisory Board: Christoph Stock
Registered office: Unterföhring * Amtsgericht München * HRB 135082
SPDX Thursday General Meeting Reminder
Phil Odence
Happy New Year, all. I hope you have a meeting on your calendar for Thursday. In case there is an issue, the conference info is included below.
No special presentation this month.
Also please note that last meeting’s minutes are not yet “pulled” into GitHub, so I have included at the bottom.
Meeting Time: Thurs, Jan5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda
Attendance
Minutes Approval: At the bottom of this email
Steering Committee Update - Phil
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian/Alexios
#SPDX General Meeting Minutes - Dec 1, 2022
Administrative
Attendance: 16
Steering Committee Update - Phil
Special Presentations
Tech Team Report - Gary, William, Kate
Legal Team Update - Jilayne/Steve/Paul
Outreach Team Update - Sebastian/Alexios/Jack
Attendees
LF Research: Participate in the State of Open Standards Survey
Anna Hermansen
Hello SPDX community! I am the ecosystem manager for Linux Foundation Research and we have recently launched The State of Open Standards Survey to capture how different organizations are involved in open standards adoption and contribution, with the aim of measuring the development, use, growth, and value of standards across industries and technologies. The insights gained from this report will help our LF standards community interpret and communicate the current state of standards adoption and development, while taking strategic directions that best represent the needs and trends of the open standards ecosystem.
Your feedback on this topic is important to us! If you have 15 minutes, please take the survey, and share the link with your peers and collaborators. As a token of our appreciation, you will receive a discount code for 25% off purchases from the LF Training & Certification course catalog (some restrictions may apply).
Privacy & Visibility
Your name and company name will not be displayed. Reviews are attributed to your role, company size, and industry. Responses will be subject to the Linux Foundation’s Privacy Policy, available at https://linuxfoundation.org/privacy. The data we collect from this survey will be analyzed to produce an in-depth survey report that will be shared with all survey participants and will be published on the Linux Foundation website.
If you have questions regarding this survey, please email us at reseach@....
Thanks,
Anna
SBOM is included in the latest Omnibus bill
“SEC. 524B. ENSURING CYBERSECURITY OF DEVICES. … (3) provide to the Secretary a software bill of materials, including commercial, open-source, and off-the-shelf software components;”
This text is referring to medical devices. https://www.appropriations.senate.gov/imo/media/doc/JRQ121922.PDF
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
SBOM stripped from NDAA may reappear in the Omnibus bill
Hello Everyone,
I’ve heard the SBOM provision that was in the NDAA is under consideration for the Omnibus Bill. I sent written testimony to the Senate Appropriations Committee deliberating the Omnibus Bill and posted a nearly identical version of my written testimony online:
Please show your support for SBOM by sending written testimony to Congress.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Re: Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
It’s all moot now. The bill passed the House and Senate today and is on its way to the President’s desk. https://www.congress.gov/bill/117th-congress/house-bill/7776/text
All of the software supply chain provisions have been gutted in the final NDAA.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Brian Fox
Sent: Friday, December 16, 2022 5:43 PM
To: spdx@...
Subject: Re: [spdx] Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
You shared this previously https://insidecybersecurity.com/share/14118
I think that's a significant reason. And even as a proponent / agitator of SBOMs myself, I find the arguments they lay out compelling as we sit right now.
On Fri, Dec 16, 2022 at 4:33 PM Dick Brooks <dick@...> wrote:
Re: Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Brian Fox
You shared this previously https://insidecybersecurity.com/share/14118 I think that's a significant reason. And even as a proponent / agitator of SBOMs myself, I find the arguments they lay out compelling as we sit right now.
On Fri, Dec 16, 2022 at 4:33 PM Dick Brooks <dick@...> wrote:
Re: Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Eliot,
I’m not familiar with the GSA work you mention. Can you provide a pointer to GSA documents indicating that SBOMs are required?
I’ve seen where SBOMs are required in the Department of State Evolve RFP.
Also, why would ITI and others be lobbying Congress to have SBOM removed from the NDAA, as the linked article indicates?
There must be a reason. I suspect it’s because Congress creates laws, and the NDAA law makes SBOM a legal requirement.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Eliot Lear
Sent: Friday, December 16, 2022 4:13 PM
To: spdx@...
Subject: Re: [spdx] Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Why? GSA is already specifying SBOMs. And is the list to encourage congressional lobbying?
On 16.12.22 20:38, Dick Brooks wrote:
Re: Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
Eliot Lear
Why? GSA is already specifying SBOMs. And is the list to encourage congressional lobbying?
On 16.12.22 20:38, Dick Brooks wrote:
Congress is considering removing the SBOM provision from the NDAA Bill now before Congress
FYI:
Please get the word out to restore the SBOM provision in the NDAA.
“I don't see why any member of Congress would want to hamstring their own cybersecurity professionals from monitoring and mitigating software vulnerabilities that are detectable using an SBOM. Members of Congress please help your own cybersecurity professionals that work so hard to keep you and your districts safe from hacker attacks. Restore the SBOM provision in the NDAA.”
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Possible Vendor Day
Sending this to the SPDX list per Gary’s suggestion at today’s SPDX tech team meeting.
Last week I attended a FERC-DOE supply chain technical conference and a suggestion was made to host a “SBOM Vendor Day” to show the energy industry what is available for processing (creating/consuming) SBOMs.
At this point it’s “just an idea” and there is nothing concrete. I’ve been collecting email from parties with an interest in participating in a SBOM Vendor Day, IF this “Vendor Day” concept comes to fruition.
Please email me if interested in participating in a SBOM Vendor Day presentation for the Energy industry.
FYI: So far OWASP and Microsoft have expressed interest in participating, IF this SBOM Vendor Day comes to fruition.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Your feedback as open source licenses expert/user about OSLiFe-DiSC tool
Sihem Ben Sassi
Dear all,
A step forward to automate license processing is to characterize legal terms dealt with by licenses and describe licenses accordingly in order to reach a standardized model. To that end, we developed the OSLiFe-DiSC tool (https://sihem.pythonanywhere.com/ -- please refresh the page if an error is displayed --) based on an open source licenses feature model. It allows (1) discovering license features (i.e. description according to the model), (2) selecting licenses satisfying desired features, and (3) comparing two licenses. An 8-minute video demo (https://youtu.be/VwzBq7XBTvk) shows the OSLiFe-DiSC functionalities.
I would ask you, as a license expert and/or user, to try the tool and give your feedback by filling in the questionnaire accessible through the peach colored button inside the OSLiFe-DiSC tool, or directly through https://cutt.ly/G0eiq92. If needed, you may see the manuscript available at https://cutt.ly/P0wsuA for more information about extracted legal terms represented by the features of the licenses model.
Your feedback is very appreciated and needed.
Best Regards,
Sihem Ben Sassi
PhD, HDR in computer sciences
Re: Interpreting SPDX Validator Error: SpdxIdInUseException ... ExtractedLicensingInfo
Keith Zantow
Thank you, Gary! I wasn't sure where the right place was to ask this question. Issue submitted with example: https://github.com/spdx/spdx-online-tools/issues/414
On Wed, Dec 7, 2022 at 5:01 PM Gary O'Neall <gary@...> wrote:
Re: Interpreting SPDX Validator Error: SpdxIdInUseException ... ExtractedLicensingInfo
Gary O'Neall
Hi Keith,
The “Unexpected Error” usually indicates an issue with the validation tool itself. Can you post an issue at https://github.com/spdx/spdx-online-tools/issues and attach a file that reproduces the problem? Alternatively, you can email me the information at gary@....
Thanks,
From: spdx@... <spdx@...> On Behalf Of Keith Zantow via lists.spdx.org
Sent: Tuesday, December 6, 2022 1:19 PM
To: spdx@...
Subject: [spdx] Interpreting SPDX Validator Error: SpdxIdInUseException ... ExtractedLicensingInfo
Hi,
I'm using the SPDX online validator and I'm trying to understand what this error means. Could someone shed some light on it?
Analysis exception processing SPDX file: Unexpected Error: org.spdx.library.model.SpdxIdInUseException: Can not create Apache-2.0. It is already in use with type ListedLicense which is incompatible with type ExtractedLicensingInfo
Thanks much, -Keith Zantow
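The exception quoted above says the document tried to create an ExtractedLicensingInfo whose licenseId is the listed-license identifier Apache-2.0, which the SPDX library already holds as a ListedLicense. Whatever the validator-side cause, a producer can pre-check its own document for that condition before uploading it. The following is an added example, not code from the thread or from the SPDX online tools; it runs on a constructed SPDX 2.x JSON sample and applies the SPDX 2.3 rule (section 10.1) that extracted license IDs must be "LicenseRef-" followed by letters, digits, "." and "-":

```python
import json
import re

# Constructed sample SPDX 2.x JSON document (not a file from the list thread).
# The first entry reproduces the shape of the reported problem: an extracted
# licensing info whose licenseId is the listed-license ID "Apache-2.0"
# instead of a LicenseRef- identifier.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-doc",
  "hasExtractedLicensingInfos": [
    {"licenseId": "Apache-2.0",
     "extractedText": "Licensed under the Apache License, Version 2.0 ..."},
    {"licenseId": "LicenseRef-Proprietary-ACME",
     "extractedText": "All rights reserved."},
    {"licenseId": "LicenseRef-bad id",
     "extractedText": "x"}
  ]
}
"""

# SPDX 2.3 section 10.1: "LicenseRef-" + idstring, where idstring is made of
# letters, digits, "." and "-" only.
LICENSE_REF_RE = re.compile(r"^LicenseRef-[A-Za-z0-9.\-]+$")


def check_extracted_license_ids(spdx_json_text):
    """Return a list of (licenseId, reason) for every hasExtractedLicensingInfos
    entry whose ID is malformed, duplicated, or sits in the listed-license
    namespace (and would therefore collide with a ListedLicense)."""
    doc = json.loads(spdx_json_text)
    problems = []
    seen = set()
    for info in doc.get("hasExtractedLicensingInfos", []):
        lic_id = info.get("licenseId", "")
        if lic_id in seen:
            problems.append((lic_id, "duplicate extracted license ID"))
            continue
        seen.add(lic_id)
        if not lic_id.startswith("LicenseRef-"):
            # Without the prefix the ID is either a listed-license identifier
            # such as Apache-2.0 (the collision in the thread) or simply invalid.
            problems.append((lic_id, "not a LicenseRef- identifier; collides "
                                     "with the listed-license namespace"))
        elif not LICENSE_REF_RE.match(lic_id):
            problems.append((lic_id, "LicenseRef- ID contains characters other "
                                     "than letters, digits, '.' and '-'"))
    return problems


if __name__ == "__main__":
    for lic_id, reason in check_extracted_license_ids(SAMPLE_SPDX_JSON):
        print(f"{lic_id}: {reason}")
```

On the sample this flags Apache-2.0 and LicenseRef-bad id and accepts LicenseRef-Proprietary-ACME; a real listed-license ID that legitimately applies to a file belongs in licenseConcluded or licenseInfoInFiles, not in hasExtractedLicensingInfos.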
Interpreting SPDX Validator Error: SpdxIdInUseException ... ExtractedLicensingInfo
Keith Zantow
Hi,
I'm using the SPDX online validator and I'm trying to understand what this error means. Could someone shed some light on it?
Analysis exception processing SPDX file: Unexpected Error: org.spdx.library.model.SpdxIdInUseException: Can not create Apache-2.0. It is already in use with type ListedLicense which is incompatible with type ExtractedLicensingInfo
Thanks much,
-Keith Zantow
Re: SPDX creation phase
Having also been in that call I would also like this clarification. The idea behind having this information available is for the recipient to make her or his own judgement on how accurate they expect such to be.
If this has been solved in the SPDX community that would be great. 😊 Steve’s comments on different “stages” was not something I had considered, but it does potentially complicate things.
BR J
From: spdx@... <spdx@...> On Behalf Of Steve Kilbane via lists.spdx.org
Hi all,
One of the suggestions in today’s call for the OpenChain Telco SIG, where we’re discussing proposals for an SBOM standard for the Telecommunications industry, was:
> SBOMs conforming to the Telco SBOM Specification need to contain the information when the SBOM was created in the “Created” SPDX field and at what phase of the software build it was created (“pre-build”, “build-time” or “post-build”) in the CreatorComment SPDX field.
(See https://github.com/OpenChain-Project/Telco-WG/pull/15)
I raised a concern about ambiguity here, in that your application may be built from libraries that are built at an earlier stage, so the SBOM information may be created after some components are built, but before others. A recipient of the SBOM might also interpret each of these three phrases differently from the creator of the SBOM. I recall hearing that there have been conversations about many different SBOMs according to phase (source SBOM, build SBOM, deploy SBOM, cloud SBOM, etc.), so I wondered whether there was advice that the Telco SIG could lean upon, rather than trying to formulate a solution when it’s already a solved problem.
Apologies if this isn’t the right group.
steve