Re: SPDX Goes ISO
I just realized that the DocFest will be demonstrating interoperability of an ISO standard SBOM. Great timing getting the ISO standard status before the 9/16 DocFest. Very cool!
Thanks,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, September 10, 2021 6:45 AM To: spdx@... Subject: Re: [spdx] SPDX Goes ISO
We may quote you on that!
From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Seconded! This is tremendously important for the governance ecosystem.
Regards
Shane
Re: SPDX Goes ISO
Please do 🙂
On Sep 10, 2021, at 19:45, Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:
Re: SPDX Goes ISO
Richard Purdie
On Thu, 2021-09-09 at 15:02 +0000, Phil Odence via lists.spdx.org wrote:
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.
This is great news, very happy to see it and kudos to everyone involved.
People may also be interested to know that we just merged SPDX SBOM generation into OpenEmbedded-Core, just before our feature freeze for our October release (3.4). This means that Yocto Project will have SPDX and hence ISO compliant SBOM generation out of the box from then, and hence in our next LTS planned for April.
http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=f1a34a63e44dc444ed213c48bfeab9da1196bfc8 (and following patches)
Cheers, Richard
Re: SPDX Goes ISO
Phil Odence
We may quote you on that!
From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Seconded! This is tremendously important for the governance ecosystem.
Regards
Shane
Re: SPDX Goes ISO
Seconded! This is tremendously important for the governance ecosystem.
Regards
Shane
On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:
Re: SPDX Goes ISO
A truly amazing achievement – well done and congratulations to Kate and the entire SPDX and Linux Foundation community that made this happen.
So much looking forward to advancing SPDX interoperability via the DocFest event.
Thanks,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Steve Winslow
Sent: Thursday, September 9, 2021 11:15 AM To: spdx@... Subject: Re: [spdx] SPDX Goes ISO
A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!
Steve
On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:
Re: SPDX Goes ISO
Steve Winslow
A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!
Steve
On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:
SPDX Goes ISO
Phil Odence
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.
Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.
Here’s the LF press release: http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
Best regards, Phil
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
Re: SPDX Sept General Meeting Minutes & Announcement
VM (Vicky) Brasseur
Thanks, Phil.
Will there be a press release of some sort? And at what point will the project be ready to start accepting member companies?
Asking for a friend…
--V
-- VM (Vicky) Brasseur Director, Senior Strategy Advisor Open Source Program Office Wipro Limited Time Zone: Pacific/West Coast US
From: <spdx@...> on behalf of "Phil Odence via lists.spdx.org" <phil.odence=synopsys.com@...>
SPDX Sept General Meeting Minutes & Announcement
Phil Odence
SPDX Community,
Minutes: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-09-02
As you are aware, in last week’s meeting we discussed a proposal to change the SPDX workgroup’s governance framework. The discussion was a good one and resulted in consensus. As things were rushed a bit at the end of the meeting and wanting to ensure no one was uncomfortable, we left the door open for concerns to be voiced “within a day or so” on this list. Subsequently there was a brief exchange on the list in support of the proposal as presented. And so, from this point forward, the SPDX is operating under the new framework.
For anyone who may have missed it, a summary is attached. Additionally, here are links to the website that now specifies the newly adopted framework and a link directly to the repo that contains the details of the governance framework:
website: https://spdx.dev/about/governance/
GitHub repo: https://github.com/spdx/governance/
Thanks to all who participated in the smooth transition to the new framework.
Best regards, Phil Chair, SPDX Steering Committee
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
General Meeting/Minutes/2021-09-02
Attendance: 26
Led by Phil Odence
GSoC Presentation was postponed
SPDX Governance - Phil
- Intro - Phil
- GOAL of today: Consensus
- Background
  - About 8 years ago, we put in place a governance structure for SPDX.
  - Factors
    - ISO standardization - near to announcing
    - Executive Order
    - More participation from community members with standards body experience
    - Working with other standards, i.e. SWID and CycloneDX
- Goal of Change - retain spirit and ways of working
  - more accurately reflect the current reality and future direction of the project
  - establishing a mechanism for official company membership in the project
  - using contribution processes and a license for the spec that ensure explicit patent license commitments from contributors
  - improving clarity around decision-making processes and establishing an appeals process
  - adopting a code of conduct
- Solution - Steve to explain further
  - Legal Entity creation - switched from JDF to a much simpler
  - Retained Community Specification model
- Review of pdf Summary - Steve
  - Legal Entity
  - Membership Agreement
  - Community Specs process and license
- Q&A/Discussion
  - Various clarifications
  - Code of Conduct
    - Agreed that under the new structure it could, if need be, be modified in the future
  - Possibility of Dual-licensing Spec
    - Agreed to not address at this time
- Resolution
  - Consensus reached
  - ...unless significant concerns were raised on the General Mailing List within a day or so of the meeting's close
Attendees
- Phil Odence, Black Duck/Synopsys
- Sebastian Crane
- Joshua Marpet, RM-ISAO
- Mike Nemmers
- William Cox, Synopsys
- Andrew Jorgenson, AWS
- Bob Martin, Mitre
- Philippe Emmanuel Douziech, CAST
- Alexios Zavras, Intel
- Marc Etienne Vargenau, Nokia
- Jilayne Lovejoy, Red Hat
- Steve Winslow, LF
- Mike Dolan, LF
- Mark Atwood, Amazon
- Gary O’Neall, SourceAuditor
- Paul Madick, Jenzabar
- Jeff Schutt, Cisco
- Vicky Brasseur, Wipro
- Warner Losh, FreeBSD
- Zach Hill, Anchore
- Pierre Tardy
- David Edelsohn, IBM
- Maximilian Huber, TNG
- Bill Jaeger
- Michael Mehlberg, Dark Sky Technology
- Henk Birkholz, Fraunhofe
Re: SPDX Thursday General Meeting Reminder - SPECIAL MEETING
Phil Odence
Thanks, Sebastian for your thoughts, support and understanding.
Regarding licensing, my sense was that your desire to make the spec easy to publish is covered by the proposed licensing scheme. Perhaps you and Steve could discuss to resolve.
Regarding the Code of Conduct. I think we’ve forked it from the upstream with which you are concerned and, in any case, the option to improve upon in the future exists.
Best, Phil
From: spdx@... <spdx@...> on behalf of Sebastian Crane <seabass-labrax@...>
Dear all,
Re: SPDX Thursday General Meeting Reminder - SPECIAL MEETING
Dear all,
During today's General Meeting, in which the Core Team presented a proposal to improve the governance of SPDX, I brought up a few suggestions to the current proposal. Going into the meeting I did not fully grasp that, under the current governance model, the proposal would have to be accepted by the working group as a whole - thus consensus would need to be reached before additional suggestions. Thank you to Steve and Phil for explaining this!
I think it would be good to have a discussion at some point on the Code of Conduct and of the licensing of the SPDX specification, to maybe iterate further on the already excellent proposal.
For the record, and the reason for sending this email, I wanted to state that I'm very much in support of the proposal as it is now, and would not consider my concerns blockers here!
Thanks again to the members of the Core Team who've put the time and effort into creating the proposal.
Best wishes, Sebastian
SPDX Thursday General Meeting Reminder - SPECIAL MEETING
Phil Odence
We will deviate from our usual standing agenda for this special meeting. We will start with a presentation from a Google Summer of Code student (see topic below) and then will pick up the discussion of the SPDX Governance change with the aim of reaching consensus and moving forward.
I encourage you to read through the attached. Steve will give a very quick overview and can answer questions, but we will assume participants have read the pdf, if not all the details referenced. And as a reminder, here’s the context I provided last week:
SPDX Community,
As previewed in the June General Meeting, the Core Team has submitted a proposal for changing the governance of SPDX. The reasoning for the change and substance are the same as what we discussed in that meeting. However, we have simplified the implementation considerably. Importantly, the project will continue to operate day to day as we have for over a decade but with better defined governance.
Attached is a document that summarizes the proposal and provides links to the details. In the second half of next Thursday’s General Meeting we will try to reach consensus on the proposal. In the meantime, once you have studied the matter, provide feedback or raise any questions on this thread. (Note, many of the details are housed in a GitHub repo but again comments/questions go here.) If we do not reach consensus on Thursday, we may hold the discussion over to the following meeting.
Best regards, Phil
GSoC Presentation
Title- Support for spdx Go lang tools by Ujjwal Agarwal
I will talk about the possible approaches that we could have adopted for the project and the approach I chose to go ahead with, the challenges I faced throughout the GSoC coding phase while coding the project, and furthermore what future implementations we can expect.
I am a B.Tech student at Thapar Institute of Engineering and Technology, India. Skilled in Go lang, DevOps, Leadership, Cryptocurrency, and web development. Strong information technology student with a keen interest in open source development.
See you Thursday, Phil
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
Re: SPDX Governance Next Steps
Steve Winslow
Thanks Richard and Jilayne! Yes, in other cases we've seen one LF project become a member of another, for purposes of showing support and furthering collaboration between the projects' communities. In other LF projects there are often multiple tiers of membership, including an "associate" membership as you mentioned. For this proposal for SPDX we've kept it simple with just a single "General" membership tier, so that's what Yocto would fall into as well.
Best, Steve
On Thu, Aug 26, 2021 at 5:40 PM J Lovejoy <opensource@...> wrote:
Re: SPDX Governance Next Steps
J Lovejoy
Hi Richard,
I love your forward thinking! First we have to have the review and acceptance of the proposal. Assuming that goes through and as to whether the Yocto Project could be an SPDX member - that is probably a question for the LF, as I'm not sure how one LF project being a member of another LF project works when you have the same "parent". In any case, I'd think we can figure out something to show the strong support and relationship!
Cheers, Jilayne
On 8/25/21 2:28 PM, Richard Purdie wrote:
On Wed, 2021-08-25 at 20:09 +0000, Phil Odence via lists.spdx.org wrote:
FWIW I've been wondering how we could show a relationship between Yocto Project and SPDX as we are a strong supporter of it so this looks timely in that regard assuming we'd be eligible as an associate member?
Cheers, Richard
Re: SPDX Governance Next Steps
Richard Purdie
On Wed, 2021-08-25 at 20:09 +0000, Phil Odence via lists.spdx.org wrote:
SPDX Community,
FWIW I've been wondering how we could show a relationship between Yocto Project and SPDX as we are a strong supporter of it so this looks timely in that regard assuming we'd be eligible as an associate member?
Cheers, Richard
SPDX Governance Next Steps
Phil Odence
SPDX Community,
As previewed in the June General Meeting, the Core Team has submitted a proposal for changing the governance of SPDX. The reasoning for the change and substance are the same as what we discussed in that meeting. However, we have simplified the implementation considerably. Importantly, the project will continue to operate day to day as we have for over a decade but with better defined governance.
Attached is a document that summarizes the proposal and provides links to the details. In the second half of next Thursday’s General Meeting we will try to reach consensus on the proposal. In the meantime, once you have studied the matter, provide feedback or raise any questions on this thread. (Note, many of the details are housed in a GitHub repo but again comments/questions go here.) If we do not reach consensus on Thursday, we may hold the discussion over to the following meeting.
Best regards, Phil
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
SPDX DocFest - Sept 16, 2021 - Call for Participation
Gary O'Neall
As a follow-up to this morning's SPDX general meeting, below is the information on the upcoming SPDX DocFest:
The SPDX project will be hosting an initial working "DocFest" to bring together the producers of SPDX documents and walk through the differences between tools for the same artifacts. Artifacts included in the DocFest will include sources, build assembly, containers, and executable images that can be analyzed.
Thursday's SPDX General Meeting/ Google Summer of Code Presentations
Phil Odence
This week’s meeting will feature two GSoC presentations. Note I have a conflict so Gary will host.
PLEASE: When you sign in, please include your name and company (or put them in the chat) to facilitate logging attendance. With relatively heavy attendance these days, this is the trickiest bit of running the meeting.
Presentations
New License Matching Library
During my presentation, I will show a demo of a new license matching library, followed by a short talk on the implementation summary. In the latter part, I would like to talk about the difficulties and issues I faced. Since my final goal is to deliver something we can call a reference implementation of SPDX license matching, I want to hear your feedback and improve the library from it! I am Mikihito Matsuura (@m1kit), a master course student at the University of Tokyo. I was looking for an interesting GSoC project this March. During project hunting, I saw an open-source organization looking for a good license matching library. Later I realized SPDX is also recruiting a GSoC student and contacted people here a few days before the deadline. I'm excited to be able to work with this community as a part of GSoC despite the late contact!
Validate and Generate multiple representations of specifications
This project is related to the tooling of the SPDX specification, a specification which is being collaboratively produced. The aim of this project is to build a program that can be used to validate and convert structured input to pretty markdown for documentation purposes and also generate a Specification Representation. The end goal of this project is to make it run as a GitHub action for the SPDX specification. This is my second time participating in GSoC, and working under an open-source organization is always filled with a lot of learning.
GENERAL MEETING
Meeting Time: Thurs, Aug 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Administrative Agenda
Attendance
Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-07-01
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
[openchain] OpenChain Third Monday Webinar - 2021-06-21 - 14:00 UTC / 07:00 PST / 15:00 BST / 16:00 CEST / 19:30 IST / 22:00 CST / 23:00 KST / 23:00 JST: SBOM Challenges in Unstructured Projects + Case Study: Readiness Assessment for OpenChain ISO 5230
We are covering SBOMs today, so perhaps of interest :)