Re: SPDX Company Membership

Dick Brooks
 

Phil,

I just checked on REA’s LF membership status and it appears the lowest cost tier is $5,000 to become a LF member. Please confirm my understanding is correct that $5,000 is the lowest cost membership fee available.

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, December 2, 2021 3:04 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Company Membership

 


SPDX Company Membership

Phil Odence
 

Dear SPDX community,

With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.

We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.

As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.

Membership Benefits

Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.

Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection.

Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.

Signing up

Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.

In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.

(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)

Please let us know if you or your organization have any questions about becoming a member of SPDX.

SPDX Steering Committee

Phil, Kate, Gary, Jilayne, Steve, Paul and Jack



SPDX Outreach Team report for December General Meeting

Sebastian Crane
 

Dear all,

Since we didn't have time at the SPDX General Meeting today for the
usual team reports, I'm writing to send the Outreach Team's report in
textual form! Feel free to reply if you have any questions about the
activities of the SPDX Outreach Team, or would like to be involved.

Best wishes,

Sebastian

-----

# Wikipedia article

We've added a version history section to the article at
https://wikipedia.org/wiki/Software_Package_Data_Exchange with a
version table and explanatory paragraphs (as is the format used in
articles for a lot of other open source projects). Plus, the
disambiguation link that said 'license documentation standard' now
says 'software bill of materials standard'.

Here are a couple of 'perma-links' to the before and after states of
the article:

* Before:
https://en.wikipedia.org/w/index.php?title=Software_Package_Data_Exchange&oldid=1053739112
* After:
https://en.wikipedia.org/w/index.php?title=Software_Package_Data_Exchange&direction=next&oldid=1058145243

# SBOM Landscape page

At the most recent Outreach Team meeting, we discussed various
categories and taxonomies that could be used in the SBOM Landscape
page we are developing at: https://github.com/spdx/sbom-landscape

We'll be trying to form 'neighbourhoods' of related use-cases such as
attestation, automation etc.

The automated tests for the page are still failing, but builds seem to
work correctly, so we can continue work on it.

We now have Syft, OSS Review Toolkit, REUSE and Tern listed on the
SBOM Landscape page, and will be adding more in the coming weeks!

# SPDX Podcast

Joshua Marpet has resolved the audio issues, meaning that we can start
recording podcast episodes again.

Joshua is working on an episode with the SPDX Asia Team.

# 'SPDX Ambassadors'

Vicky Brasseur suggested that having an ambassadors programme would be
a good idea, so we are exploring the possibility of having contact
details of SPDX Ambassadors on our main website. This will help
newcomers to quickly contact representatives of SPDX.

# Replicant

I have been in correspondence with a steering committee member of the
Replicant project. Replicant aims to replace proprietary components in
Android, and are looking to improve their source code license
scanning. SPDX SBOMs could be useful in reducing unnecessary
repetition of audits here.

# FOSSLight

We have had good interaction with the developers of FOSSLight, an open
source license scanner from Logitech. Gary O'Neall and I have been
proactively examining SPDX-related failures in order to help them with
their use of the SPDX Java libraries.

FOSSLight is a top priority for addition to the spdx.dev Open Source
Tools page, as well as the SBOM Landscape!

-----


Thursday's SPDX General Meeting Reminder

Phil Odence
 

Hello, all, looking forward to seeing you Thursday.

Note, we’ll have a guest presentation from Microsoft on what they are doing with SPDX.

Best,

Phil

 

GENERAL MEETING

Meeting Time: Thurs, Dec 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers:
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting

If also dialing-in through a room phone, join without connecting to audio:
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04

Brief update on governance and membership process - Phil

Presentation

Microsoft and SPDX

  • Microsoft standardizing on SPDX [Adrian Giglio]
  • MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker]

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack


OpenChain Automation Case Study #5 - Running a Supply Chain using open source tooling + SPDX

 

Recording now available. Part #5 explores how SPDX ISO/IEC 5962 works as a Software Bill of Materials (SBOM) in the supply chain through existing open source tooling for open source compliance.
https://www.openchainproject.org/news/2021/11/24/automation-case-study-5

Check out the entire case study here:
https://www.openchainproject.org/automation-case-study

Huge thanks to Maximilian Huber at TNG for running this webinar.

Regards

Shane


Shane Coughlan
General Manager, OpenChain
e: scoughlan@linuxfoundation.org
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org

Schedule a call:
https://meetings.hubspot.com/scoughlan


REMINDER: SPDX in Virtual Supply Chain Webinar in 15 minutes (09:00 UTC)

REMINDER: OpenChain Automation Case Study showing SPDX Software Bill of Materials being used in a “virtual supply chain” @ 09:00 UTC.

Join without registration here:
https://zoom.us/j/4377592799
Everyone is welcome.

Need more timezone information?
The event will take place on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST.


REMINDER: Today is the Automation Case Study “virtual supply chain” showing code going through multiple scanners and maintaining SPDX integrity @ 09:00 UTC

REMINDER: Today is the OpenChain Automation Case Study “virtual supply chain” showing code going through multiple scanners and maintaining SPDX integrity @ 09:00 UTC.

We will hold it on Zoom:
https://zoom.us/j/4377592799

Everyone is welcome. No registration needed.

Need more timezone information?

The event will take place on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST. The event is in our global calendar:
https://www.openchainproject.org/community

Regards

Shane

Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan


Re: Taxonomy of software supply chain ecosystem?

Oliver Fendt
 

Hi Vicky,

We also have a nice website https://oss-compliance-tooling.org/

Perhaps this is better suited for getting an overview.

Ciao

Oliver

From: spdx@... <spdx@...> On Behalf Of Michael Dolan via lists.spdx.org
Sent: Thursday, 18 November 2021 16:07
To: spdx@...
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?

 



Re: Taxonomy of software supply chain ecosystem?

Michael Dolan
 

You may also want to look at the SLSA framework. 

https://slsa.dev/levels

---
Mike Dolan
The Linux Foundation
Office: +1.330.460.3250   Cell: +1.440.552.5322
mdolan@...
---



On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:



Re: Taxonomy of software supply chain ecosystem?

VM (Vicky) Brasseur
 

Yessssss…

It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!

--V

-- 
VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US


From: <spdx@...> on behalf of "Steve Kilbane via lists.spdx.org" <stephen.kilbane=analog.com@...>
Reply-To: "spdx@..." <spdx@...>
Date: Thursday, November 18, 2021 at 01:28
To: "spdx@..." <spdx@...>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?

 



Re: Taxonomy of software supply chain ecosystem?

Steve Kilbane
 

Hi Vicky,

There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:

https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape

(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)

steve

From: spdx@... <spdx@...> On Behalf Of Kate Stewart
Sent: 17 November 2021 22:35
To: SPDX-general <spdx@...>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?

 



Re: Taxonomy of software supply chain ecosystem?

Kate Stewart
 

There's been some industry-wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.

We've been collecting the tools we're aware of that work with SPDX, and grouped them within the taxonomy here: http://tiny.cc/SPDX

It is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.

The long-term solution here is to move this collection to SPDX's GitHub and generate it automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.

That help?

Kate

On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:



Taxonomy of software supply chain ecosystem?

VM (Vicky) Brasseur
 



Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

Sebastian Crane
 

Dear Marc-Etienne,

Hi all,

Great news: ISO SPDX standard is now publicly available at:
https://standards.iso.org/ittf/PubliclyAvailableStandards/
Yay! I was indeed just wondering about this earlier today, so thank
you very much for the notification :)

Best wishes,

Sebastian


Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Hi all,

 

Great news: ISO SPDX standard is now publicly available at:

https://standards.iso.org/ittf/PubliclyAvailableStandards/

 

Best regards,

 

Marc-Etienne

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) via lists.spdx.org
Sent: Monday, September 13, 2021 12:04 PM
To: savery@...; Spdx-tech@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

 

Hi Simon,

 

About the availability of the SPDX spec.

 

It is the other way round. Since SPDX was not developed by ISO itself, the ISO standard should be available for free on this website: https://standards.iso.org/ittf/PubliclyAvailableStandards/

 

But it might take some time before it is put there.

 

Best regards,

 

Marc-Etienne

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Simon Avery via lists.spdx.org
Sent: Thursday, September 9, 2021 10:17 PM
To: Spdx-tech@...
Subject: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

 

Hello everyone.  First time poster here, so I hope this topic is considered appropriate.

 

My favorite open source project is Julia (https://julialang.org).  Its build process pulls in a lot of code from many other repositories.  I thought that the project would benefit from having an SPDX document describing all these packages, streamlining the review and approval process at organizations that want to use Julia.

 

I've put together a pull request that adds an SPDX document to the repository. At this point it contains only a few packages to demonstrate what it looks like and will be filled in over time. If anyone on this list would like to provide feedback that would be appreciated.

 

 

On a related question since I see that SPDX just became an ISO standard. Does that mean that version 2.2.1 (and 3.0) of the specification will not be available for free at spdx.dev?  Will the spdx-spec repository on Github remain available so that open source developers can access the current specification?  If all developers had to pay $200, that would be a significant barrier to adoption in the OSS world.

 

Thank you in advance for any feedback provided.

 

Simon Avery
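To make the shape of the document Simon describes concrete, here is an added Python example. It is not his pull request, nor code from the Julia project or from SPDX tooling; the package names, versions, namespace and creation info are constructed. It builds a minimal SPDX 2.2 document in the JSON serialization, with one application package and two dependency packages, and then runs the checks a consumer would want before trusting such a file: required fields present, the fixed dataLicense of CC0-1.0, unique SPDXRef- identifiers, every relationship endpoint resolving to a defined element, and a DESCRIBES relationship from the document element.

```python
"""Build and sanity-check a minimal SPDX 2.2 document in its JSON form.
Added example; not code from the SPDX project, tools-golang or the Julia
repository. Package names, versions, namespace and dates are constructed."""
import json

SPDX_VERSION = "SPDX-2.2"
DATA_LICENSE = "CC0-1.0"  # the spec fixes the document data license to CC0-1.0
DOC_ID = "SPDXRef-DOCUMENT"
REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace",
                       "creationInfo", "packages", "relationships")
REQUIRED_PKG_FIELDS = ("SPDXID", "name", "downloadLocation", "licenseConcluded",
                       "licenseDeclared", "copyrightText")


def make_package(spdx_id, name, version, license_expr, download="NOASSERTION"):
    # filesAnalyzed is False: this describes components, not a per-file scan
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version,
            "downloadLocation": download, "filesAnalyzed": False,
            "licenseConcluded": license_expr, "licenseDeclared": license_expr,
            "copyrightText": "NOASSERTION"}


def relationship(src, rel_type, dst):
    return {"spdxElementId": src, "relationshipType": rel_type, "relatedSpdxElement": dst}


def build_document():
    """Constructed document: one application that pulls in two libraries."""
    app = "SPDXRef-Package-example-app"
    packages = [
        make_package(app, "example-app", "1.0.0", "MIT",
                     "git+https://example.invalid/example-app.git"),
        make_package("SPDXRef-Package-libfoo", "libfoo", "2.3.1", "Apache-2.0"),
        make_package("SPDXRef-Package-libbar", "libbar", "0.9.0", "MIT OR Unlicense"),
    ]
    relationships = [
        relationship(DOC_ID, "DESCRIBES", app),
        relationship(app, "DEPENDS_ON", "SPDXRef-Package-libfoo"),
        relationship(app, "DEPENDS_ON", "SPDXRef-Package-libbar"),
    ]
    return {"spdxVersion": SPDX_VERSION, "dataLicense": DATA_LICENSE, "SPDXID": DOC_ID,
            "name": "example-app-1.0.0",
            "documentNamespace": "https://example.invalid/spdx/example-app-1.0.0",
            "creationInfo": {"created": "2021-11-04T15:00:00Z",
                             "creators": ["Tool: example-sbom-script"]},
            "packages": packages, "relationships": relationships}


def serialize(doc):
    return json.dumps(doc, indent=2)


def validate(doc):
    """Return a list of problems; an empty list means the checks pass."""
    problems = [f"missing document field {f}" for f in REQUIRED_DOC_FIELDS if f not in doc]
    if doc.get("spdxVersion") != SPDX_VERSION:
        problems.append(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    if doc.get("dataLicense") != DATA_LICENSE:
        problems.append("dataLicense must be CC0-1.0")
    ids = {doc.get("SPDXID")}
    for pkg in doc.get("packages", []):
        problems += [f"package {pkg.get('name')!r} missing {f}"
                     for f in REQUIRED_PKG_FIELDS if f not in pkg]
        pid = pkg.get("SPDXID", "")
        if not pid.startswith("SPDXRef-"):
            problems.append(f"bad SPDXID {pid!r}")
        elif pid in ids:
            problems.append(f"duplicate SPDXID {pid}")
        ids.add(pid)
    described = False
    for rel in doc.get("relationships", []):
        for end in ("spdxElementId", "relatedSpdxElement"):
            ref = rel.get(end)
            if ref not in ids and ref not in ("NOASSERTION", "NONE"):
                problems.append(f"relationship refers to unknown element {ref!r}")
        if rel.get("relationshipType") == "DESCRIBES" and rel.get("spdxElementId") == DOC_ID:
            described = True
    if not described:
        problems.append("no DESCRIBES relationship from the document element")
    return problems


def validate_json(text):
    """What a consumer does: parse the serialized form, then validate it."""
    return validate(json.loads(text))


if __name__ == "__main__":
    text = serialize(build_document())
    print(text)
    print("problems:", validate_json(text))
```

The dangling-reference check is the one that pays off in practice: a hand-maintained document like the one proposed for Julia drifts as packages are added and removed, and a DEPENDS_ON pointing at an SPDXID that no longer exists is the usual symptom.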


Minutes from Nov 4 SPDX General Meeting

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04

 

General Meeting/Minutes/2021-11-04


·         Attendance: 25

·         Led by Phil Odence

·         Minutes from last approved

·         Company membership mechanics will be rolled out within a couple weeks.

 

GSOC - Ujjwal

·         JSON Support for Golang libraries

Tech Team Report - Kate/Gary/Others

 

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Most of the work is focused on the core model.  We’re making progress but still have a ways to go to settle on a good code the other profiles will be built on.

·         A new repo has been setup for the SPDX 3.0 spec since it will have a different way of generating the examples and spec and will also be under the new license as part of the new governance we put in place

·         We expect more activities on the profiles next month, especially security

·         Interest in the spec and tools continues to increase – we’re seeing some good signs of adoption from companies, other open source projects, and individuals (if you need more detail – SW360 is engaged in some issues conversations on the tools, and the SPDX 2.1 spec issues have some new contributors)

Legal team update - Jilayne/Pau/Steve

·         FreeBSD will be adopting SPDX tags

·         Fedora is exploring as well

·         Conversations about adding better instructions on using Git to contribute to license repo

 

Outreach team - Sebastian

·         Processes

·         Transitioned to monthly meeting

·         Different ways of working in between under discussion

·         Wikipedia page updates

·         Adding history

·         Adding logos of companies and projects that are using

 

Attendees

·         Phil Odence, Black Duck/Synopsys

·         Ujjwall Agarwal

·         Alexios Zavras, Intel

·         Eric Billingsley, Calculi

·         Jeff Schutt, Cisco

·         Sebastian Crane

·         Bob Martin, Mitre

·         Steve Winslow, Boston Technology Law

·         Christopher Lusk, Lenovo

·         David Edelsohn, IBM

·         Jilayne Lovejoy, Red Hat

·         Tony Aiuto

·         Karan Marjara, AWS

·         Joshua Marpet, RM-ISAO

·         Paul Madick, Jenzabar

·         Adrian Diglio, Microsoft

·         Alfredo Espinosa

·         Brad Goldring

·         Edgar

·         Joe

·         Vicky Brasseur, Wipro

·         Warner Losh, FreeBSD

·         Fellow Jitser

·         Aasim, Microsoft

 


Asia SPDX Meeting- China government data processing draft policy

 

Came up on the call today. For those interested, here is an overview:

https://asia.nikkei.com/Business/China-tech/New-China-data-transfer-rules-to-be-costly-for-foreign-companies

Asia SPDX Meeting

When
Tue Nov 9, 2021 10am – 11am Japan Standard Time
Where
https://zoom.us/j/199624001
Who
Kate Stewart - organizer
Gary O'Neall

Agenda:
- SPDX-Lite
- other profiles?

Join Zoom Meeting
https://zoom.us/j/199624001

One tap mobile
+16465588656,,199624001# US (New York)
+16699006833,,199624001# US (San Jose)

Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 199 624 001
Find your local number: https://zoom.us/u/ac9KKJWzJT




Today's SPDX General Meeting Reminder

Phil Odence
 

Apologies for the late reminder.

 

Notes:

  • For Euro folks, time diff is off by an hour as US doesn’t go back to standard time until this weekend
  • We will have a Google Summer of Code presentation on Json support for Golang libs

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Nov 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

Presentation

  • JSON Support for Golang libraries
    After the introduction of SPDX specification v2.2, JSON, YAML, and a development version of XML have been added as supported file formats. However, the tools-golang package currently did not have support to parse SPDX files in JSON format, nor to save an SPDX document in JSON format. The main objective of this project is to add support in the tools-golang package so that it can parse as well as save SPDX® v2.2 files in JSON format.
    Background: I am a passionate individual who always strives to work on end to end products which develop sustainable and scalable social and technical systems to create impact.

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack 

  

 

 

 


Re: Public Domain license identifier

Richard Fontana
 

The "public domain" part appears to be the text of the Unlicense, so
I'd assume "MIT OR Unlicense".

Richard

On Tue, Oct 19, 2021 at 4:02 PM Pierre Tardy <tardyp@gmail.com> wrote:

Hello,

I am trying to identify this software in terms of a license expression

https://github.com/nothings/stb

It is claimed to be "public domain or MIT".
I don't see any license identifier for public domain. It is arguably not a license, and not valid across jurisdictions, but anyway we would like to document the author's will even if we conclude on the use of MIT.

So what should we document in your opinion?

Regards

Pierre


Re: Message Approval Needed - tardyp@gmail.com posted to spdx@lists.spdx.org

J Lovejoy
 

Hi Pierre,

I am moving the general SPDX list to BCC and sending this via the SPDX legal list, as that is the right place for this question! Also note: I have approved your message and copied you here so you will get the response, but you generally have to join the SPDX mailing list to post and receive messages. https://lists.spdx.org/groups

Looking at the license file for that project: Alternative A is indeed MIT and Alternative B is the Unlicense (https://spdx.org/licenses/Unlicense.html)

Thus, the SPDX license expression would be:  MIT OR Unlicense

FYI - you might want to install the license diff browser plugin to help you with these kinds of things - https://chrome.google.com/webstore/detail/spdx-license-diff/kfoadicmilbgnicoldjmccpaicejacdh?hl=en (also available for Firefox)

Thanks
Jilayne
SPDX legal team co-lead



From: "Pierre Tardy" <tardyp@...>
Subject: Public Domain license identifier
Date: October 19, 2021 at 7:12:29 AM MDT


Hello,

I am trying to identify this software in terms of a license expression


It is claimed to be "public domain or MIT".
I don't see any license identifier for public domain. It is arguably not a license, and not valid across jurisdictions, but anyway we would like to document the author's will even if we conclude on the use of MIT.

So what should we document in your opinion?

Regards

Pierre
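As an added example (not code from the SPDX project or from anyone on this thread), here is a small Python parser for SPDX license expressions that checks the expression Jilayne arrives at, MIT OR Unlicense, against a policy allow-list. The license and exception sets in it are a constructed subset of the SPDX License List, and operator keywords are matched case-insensitively as an implementation choice. The evaluation rule is the usual reading of the operators: OR means the recipient may choose either branch, so the expression is acceptable if any branch is, while AND requires every branch. A phrase such as "public domain" is rejected at parse time because it is not an identifier on the list, which is exactly the gap Pierre ran into.

```python
"""Parse an SPDX license expression and check it against an allow-list.
Added example; not SPDX project code. KNOWN_LICENSES and KNOWN_EXCEPTIONS are a
small constructed subset of the SPDX License List; a real checker would load
the full list from https://spdx.org/licenses/ instead."""
import re

KNOWN_LICENSES = {"MIT", "Unlicense", "Apache-2.0", "BSD-3-Clause",
                  "GPL-2.0-only", "GPL-2.0-or-later", "CC0-1.0"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
TOKEN = r"\(|\)|[A-Za-z0-9.+-]+"


def tokenize(expr):
    leftover = re.sub(TOKEN + r"|\s+", "", expr)
    if leftover:  # e.g. ';' or ',' are not part of the expression grammar
        raise ValueError(f"illegal characters in expression: {leftover!r}")
    return re.findall(TOKEN, expr)


def license_id(tok):
    # accept a listed id, an id with the '+' suffix, or a LicenseRef- id;
    # anything else (e.g. 'public' from 'public domain') is rejected
    base = tok[:-1] if tok.endswith("+") else tok
    if base in KNOWN_LICENSES or base.startswith("LicenseRef-"):
        return tok
    raise ValueError(f"{tok!r} is not an SPDX license identifier")


class Parser:
    """Recursive descent: OR binds loosest, then AND; WITH attaches to one id."""
    def __init__(self, expr):
        self.toks, self.pos = tokenize(expr), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok
    def at_keyword(self, word):  # operators are matched case-insensitively here
        return self.peek() is not None and self.peek().upper() == word
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def parse_or(self):
        node = self.parse_and()
        while self.at_keyword("OR"):
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_primary()
        while self.at_keyword("AND"):
            self.take()
            node = ("and", node, self.parse_primary())
        return node
    def parse_primary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("expression ends after an operator")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == ")" or tok.upper() in ("AND", "OR", "WITH"):
            raise ValueError(f"unexpected token {tok!r}")
        lic = license_id(tok)
        if self.at_keyword("WITH"):
            self.take()
            exc = self.take()
            if exc not in KNOWN_EXCEPTIONS:
                raise ValueError(f"{exc!r} is not an SPDX license exception")
            return ("with", lic, exc)
        return ("lic", lic)


def parse(expr):
    return Parser(expr).parse()


def is_valid(expr):
    try:
        parse(expr)
        return True
    except ValueError:
        return False


def permitted(node, allowed):
    # OR: one allowed branch is enough; AND: every branch must be allowed;
    # WITH is looked up as the combined 'LICENSE WITH EXCEPTION' string
    kind = node[0]
    if kind == "lic":
        return node[1] in allowed
    if kind == "with":
        return f"{node[1]} WITH {node[2]}" in allowed
    if kind == "and":
        return permitted(node[1], allowed) and permitted(node[2], allowed)
    return permitted(node[1], allowed) or permitted(node[2], allowed)


def check(expr, allowed):
    return permitted(parse(expr), allowed)
```

With a policy that allows only MIT, check("MIT OR Unlicense", {"MIT"}) is True, because the OR lets the consumer take stb under MIT; the same policy rejects "GPL-2.0-only AND MIT", because AND means both sets of terms apply. Rejecting unknown identifiers at parse time rather than treating them as "not allowed" is deliberate: a typo or a non-identifier like "public domain" should fail loudly, not silently block or pass a component.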


