NOTE: As mentioned last meeting, the General Meeting will adopt the practice of the SPDX teams for taking minutes.

We will use Etherpad live in the meeting and others can contribute. This will be particularly helpful for attendance and also handing off when I (as I regularly do) have to head off at half past the hour.

Etherpad:  

https://spdx.swinslow.net/p/spdx-general-minutes

And, starting with this meeting, GitHub will be our repo for archiving minutes. The wiki.spdx.org archive will still exist with the Dec21 minutes being the last entry.

GHub Repo

https://github.com/spdx/meetings/tree/master/general

Thanks,

Phil

GENERAL MEETING

Meeting Time: Thurs, Jan6, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-12-02

Brief update on governance and membership process - Phil

Technical Team Report – Kate/Gary/Others

• Specification and Profiles
• Overview
• Core
• Legal
• Integrity
• Defects
• Usage and Other Emerging
• Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack 

Hi all,

we recently published some insights on our license database. You can find details on

https://github.com/org-metaeffekt/metaeffekt-universe

and a visualization of the data on

https://metaeffekt.com/#universe-a

(apologies for the metaeffekt.com pages being currently only available in German language; however the visualization piece is “universal”).

The data is meant to convey the richness/complexity of licenses/exceptions in the wild and demonstrates our endeavor for normalization as a fundamental work for identification, scanning and documentation. In particular, the tables on Github show - by linking into the different license spaces - coverage of SPDX, OSI and ScanCode Toolkit.

We hope you enjoy “playing around with licenses”.

Please note – this is all work in progress. Curiously looking forward for your feedback…

Kind regards,

Karsten

Also attached are slides from Adrian and Steve’s very interesting presentations.

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-12-02

< General Meeting‎ | Minutes

·         Attendance: 33

·         Lead by Phil Odence

·         Minutes from last approved

·         Phil will company membership announcement before end of week

·         We will be move General Meeting minutes to GitHub and crowdsource during meetings.

Contents

 [hide] 

• 1 Microsoft and SPDX - Adrian/Steve
• 2 Tech Team Report – Kate/Gary/Others
• 3 Legal Team Report - Jilayne/Pau/Steve
• 4 Outreach Team Report -
• 5 Attendees

·         Microsoft standardizing on SPDX [Adrian Giglio]

·         Why SPDX?

·         On ISO standard path

·         Already participating

·         Great group

·         Why build their own tool?

·         Already had tooling

·         Easy to move to SPDX

·         Needed certainty to meet NTiA standards

·         Utilize MS Detection

·         Needed a great range of environments

·         Support for very large, complex build systems; layered builds

·         The Tool

·         Built on .Net and available for Windows/Linux/Mac

·         Available as build step in Azure

·         Plan is to open source

·         Pulls OSS data from a variety of build system formats

·         Future

·         Proving by early March, then rolling out across Microsoft

·         Exploring different methods of SBOM distribution including web portal

·         Exploring signing with others in the industry

·         MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker]

·         How to distribute secured supply chain components? Specifically SBOMs

·         Supply chain artifact challenges:

·         artifacts get promoted across environments, including production assets getting pulled from the Internet into restricted networks

·         private virtual networks within cloud infrastructure

·         Solution: Validation artifacts need to travel together with the supply chain objects

·         by default, SBOM might get blocked from being accessed due to "airgapped" / VNet setup

·         instead, create a private registry within each vnet; with shared internal registry hosting all artifacts + SBOMs, then promoted into each vnet

·         ORAS: need signatures to be separable, verifiable, able to be validated, prior to bringing artifact / binary into the environment

·         Microsoft built this for Azure Container Registry, but customers share with other registries and other infrastructure; registries should be a broader standard => OCI Artifacts, ORAS Artifacts

·         Signatures and SPDX SBOMs get attached to the graph

·         ACR support for ORAS Artifacts today => customers can store SPDX SBOMs today: https://aka.ms/acr/supply-chain-artifacts

·         Opportunity: having SPDX document travel alongside the target artifact; CLI that can natively push / pull / validate SPDX SBOMs to Registries

·         What does the SPDX community want to see in an SBOM?

·         recording EULA text?

·         something validated at the time the content is used? => needs to be accessible along with the artifact itself

·         Questions/Comments

·         Dick: what about having vulnerability disclosures together as a part of the distributed info?

·         Appreciate that the SPDX structure enables describing all the pieces of what went into a software build in the first place => static information at a point in time

·         Scan results are things that you learn about over time => e.g. might learn later about a problem that was discovered after it was shipped

·         Scan results will continue to be additive, whereas the SBOM itself doesn't change

·         Dick: some vendors are running scans and producing NVD reports together with vendor's findings; making that info available together with the SBOM. During customer risk assessments, they can see beforehand if a CVE is reported => if shows up in the disclosure, that helps address the risk.

·         Scan results, etc., could be attached to the other documents that are included in the registry

·         Eventually, looking to have a web-browsable portal to easily access these documents. But, the automation is the interesting part.

·         Just this morning, this was announced to be becoming part of an OCI working group; previously getting proven within the ORAS project

·         Sebastian: Ostree (Fedora): https://fedoraproject.org/wiki/Changes/OstreeNativeContainer

·         Signature format: shipped in Notary v2, but working on expanding via conversations with the broader community. Needs to be able to be validated broadly.

·         Dick: NIST workshop that took place this week: ability to distribute SDLC evidence and policy data. Will that be part of this?

·         Viewing this as plumbing / core infrastructure, in a generic way; new types will emerge for what types of artifacts are used to be deployed / promoted on this infrastructure

·         Because it's generic / abstracted, any new type can be hosted on this infrastructure

·         Tools

·         New release of SPDX Java Tools available at https://github.com/spdx/tools-java/releases/tag/v1.0.3

·         Specification

·         Focused on the Core modeling

·         Made progress on collections, packages, and document definitions and relationships

·         Significant testing of the model with different use cases and serialization considerations

·         License List version 3.15 was released and published to https://spdx.org/licenses on Nov. 14

·         Shortened month for meetings due to Thanksgiving holiday in US

·         Warner Losh presented to the team about FreeBSD's use of SPDX short-form license identifiers: https://docs.google.com/presentation/d/1mRWj7DCiicK57BqD4XzUMSZs51TpUUIYIgI-UcB8XDw/edit#slide=id.p

·         No update, but Sebastian sent an email to the General Meeting list with notes on behalf of the team.

·         Phil Odence, Black Duck/Synopsys

·         Adrian Digli, Microsoft

·         Steve Lasker, Microsoft

·         Sebastian Crane

·         Steve Winslow, Boston Technology Law

·         Dick Brooks, REA

·         Rich Steenwyk, GE Healthcare

·         Annie

·         Brad Goldring, GTC

·         Jeff Schutt, Cisco

·         David Edelsohn, IBM

·         Jilayne Lovejoy, Red Hat

·         Aveek Basu, NextMark Printers

·         Marc Gisi, Windriver

·         Gary O’Neall, SourceAuditor

·         Philippe Ombrédanne- nexB

·         Dick Brooks

·         Alex Rybek

·         Brend Smits, Philips

·         Christopher Lusk, Lenovo

·         Christopher Phillips

·         Fellow Jitser

·         Jilayne Lovejoy, Red Hat

·         Mashid

·         Kendra Morton

·         Marco

·         Majira

·         Michael Herzog- nexB

·         Mike Nemmers

·         Molly Menoni

·         Paul Madick, Jenzabar

·         Rose Judge, VMWare

·         Vicky Brasseur, Wipro

Phil,

               I just checked on REA’s LF membership status and it appears the lowest cost tier is $5,000 to become a LF member. Please confirm my understanding is correct that $5,000 is the lowest cost membership fee available.

Dear SPDX community,

With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.

We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.

As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.

Membership Benefits

Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.

Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection

Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.

Signing up

Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.

In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.

(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)

Please let us know if you or your organization have any questions about becoming a member of SPDX.

SPDX Steering Committee

Phil, Kate, Gary, Jilayne, Steve, Paul and Jack

Hello, all, looking forward to seeing you Thursday.

Note, we’ll have guest presentation from Microsoft on what they are doing with SPDX.

Best,

Phil

GENERAL MEETING

Meeting Time: Thurs, Dec 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04

Brief update on governance and membership process - Phil

Presentation

Microsoft and SPDX

·  Microsoft standardizing on SPDX [Adrian Giglio]

·  MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker]

Technical Team Report – Kate/Gary/Others

• Specification and Profiles
• Overview
• Core
• Legal
• Integrity
• Defects
• Usage and Other Emerging
• Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack 

Hi Vicky

We also have a nice website https://oss-compliance-tooling.org/

Perhaps this is better suited for getting an overview

Ciao

Oliver

Yessssss…

It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!

--V

Time Zone: Pacific/West Coast US

CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.
.
 

Hi Vicky,

There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:

https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape

(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)

steve

A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.

For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in each of those long lists aren’t equivalent. They fall into different categories of functionality and come into play at different stages.

Those categories/stages are the taxonomy I’m hoping someone else has already created and published under a FOSS license so we can all play along at home. 😊

My web searches aren’t turning anything up on this one. Do any of you know whether this exists already?

--V

Time Zone: Pacific/West Coast US

Hi all,

Great news: ISO SPDX standard is now publicly available at:

https://standards.iso.org/ittf/PubliclyAvailableStandards/

Best regards,

Marc-Etienne