
Re: Taxonomy of software supply chain ecosystem?

Steve Kilbane

Hi Vicky,

There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:

https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape

(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)

steve

From: spdx@... <spdx@...> On Behalf Of Kate Stewart
Sent: 17 November 2021 22:35
To: SPDX-general <spdx@...>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?

 

There's been some industry-wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.

We've been collecting the tools we're aware of that work with SPDX, and grouped within the taxonomy here: http://tiny.cc/SPDX

Which is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.

Long term solution here is to move this collection to SPDX's github and generate automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.

That help?

Kate

On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:

A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.

For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in each of those long lists aren’t equivalent. They fall into different categories of functionality and come into play at different stages.

Those categories/stages are the taxonomy I’m hoping someone else has already created and published under a FOSS license so we can all play along at home. 😊

My web searches aren’t turning anything up on this one. Do any of you know whether this exists already?

--V

-- 

VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US

'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'



Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

Sebastian Crane
 

Dear Marc-Etienne,

> Hi all,
>
> Great news: ISO SPDX standard is now publicly available at:
> https://standards.iso.org/ittf/PubliclyAvailableStandards/

Yay! I was indeed just wondering about this earlier today, so thank
you very much for the notification :)

Best wishes,

Sebastian


Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Hi all,

Great news: ISO SPDX standard is now publicly available at:

https://standards.iso.org/ittf/PubliclyAvailableStandards/

Best regards,

Marc-Etienne

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) via lists.spdx.org
Sent: Monday, September 13, 2021 12:04 PM
To: savery@...; Spdx-tech@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

 

Hi Simon,

About the availability of the SPDX spec.

It is the other way round. Since SPDX was not developed by ISO itself, the ISO standard should be available for free on this website: https://standards.iso.org/ittf/PubliclyAvailableStandards/

But it might take some time before it is put there.

Best regards,

Marc-Etienne

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Simon Avery via lists.spdx.org
Sent: Thursday, September 9, 2021 10:17 PM
To: Spdx-tech@...
Subject: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

 

Hello everyone. First time poster here, so I hope this topic is considered appropriate.

My favorite open source project is Julia (https://julialang.org). Its build process pulls in a lot of code from many other repositories. I thought that the project would benefit from having an SPDX document describing all these packages, streamlining the review and approval process at organizations that want to use Julia.

I've put together a pull request that adds an SPDX document to the repository. At this point it contains only a few packages to demonstrate what it looks like and will be filled in over time. If anyone on this list would like to provide feedback that would be appreciated.

On a related question since I see that SPDX just became an ISO standard. Does that mean that version 2.2.1 (and 3.0) of the specification will not be available for free at spdx.dev? Will the spdx-spec repository on Github remain available so that open source developers can access the current specification? If all developers had to pay $200, that would be a significant barrier to adoption in the OSS world.

Thank you in advance for any feedback provided.

Simon Avery


Minutes from Nov 4 SPDX General Meeting

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04

General Meeting/Minutes/2021-11-04

  • Attendance: 25
  • Led by Phil Odence
  • Minutes from last approved
  • Company membership mechanics will be rolled out within a couple weeks.

GSOC - Ujjwal

  • JSON Support for Golang libraries

Tech Team Report - Kate/Gary/Others

  • Tools
    • no update
  • Specification
    • Spec version compatible with ISO, now available
    • Version 3
      • Most of the work is focused on the core model. We’re making progress but still have a ways to go to settle on a good core the other profiles will be built on.
      • A new repo has been set up for the SPDX 3.0 spec since it will have a different way of generating the examples and spec and will also be under the new license as part of the new governance we put in place
      • We expect more activities on the profiles next month, especially security
  • Interest in the spec and tools continues to increase – we’re seeing some good signs of adoption from companies, other open source projects, and individuals (if you need more detail – SW360 is engaged in some issues conversations on the tools, the SPDX 2.1 spec issues have some new contributors)

Legal team update - Jilayne/Paul/Steve

  • FreeBSD will be adopting SPDX tags
  • Fedora is exploring as well
  • Conversations about adding better instructions on using Git to contribute to license repo

Outreach team - Sebastian

  • Processes
    • Transitioned to monthly meeting
    • Different ways of working in between under discussion
  • Wikipedia page updates
    • Adding history
    • Adding logos of companies and projects that are using

Attendees

  • Phil Odence, Black Duck/Synopsys
  • Ujjwall Agarwal
  • Alexios Zavras, Intel
  • Eric Billingsley, Calculi
  • Jeff Schutt, Cisco
  • Sebastian Crane
  • Bob Martin, Mitre
  • Steve Winslow, Boston Technology Law
  • Christopher Lusk, Lenovo
  • David Edelsohn, IBM
  • Jilayne Lovejoy, Red Hat
  • Tony Aiuto
  • Karan Marjara, AWS
  • Joshua Marpet, RM-ISAO
  • Paul Madick, Jenzabar
  • Adrian Diglio, Microsoft
  • Alfredo Espinosa
  • Brad Goldring
  • Edgar
  • Joe
  • Vicky Brasseur, Wipro
  • Warner Losh, FreeBSD
  • Fellow Jitser
  • Aasim, Microsoft

 


Asia SPDX Meeting- China government data processing draft policy

Came up on the call today. For those interested, here is an overview:

https://asia.nikkei.com/Business/China-tech/New-China-data-transfer-rules-to-be-costly-for-foreign-companies

Asia SPDX Meeting

When: Tue Nov 9, 2021 10am – 11am Japan Standard Time
Where: https://zoom.us/j/199624001
Who: Kate Stewart - organizer; Gary O'Neall

Agenda:
- SPDX-Lite
- other profiles?

Join Zoom Meeting
https://zoom.us/j/199624001

One tap mobile
+16465588656,,199624001# US (New York)
+16699006833,,199624001# US (San Jose)

Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 199 624 001
Find your local number: https://zoom.us/u/ac9KKJWzJT


Today's SPDX General Meeting Reminder

Phil Odence
 

Apologies for the late reminder.

Notes:

  • For Euro folks, time diff is off by an hour as US doesn’t go back to standard time until this weekend
  • We will have a Google Summer of Code presentation on JSON support for Golang libs

GENERAL MEETING

Meeting Time: Thurs, Nov 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers:
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting

If also dialing-in through a room phone, join without connecting to audio:
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

Presentation

  • JSON Support for Golang libraries
    After the introduction of SPDX specification v2.2, JSON, YAML, and a development version of XML have been added as supported file formats. However, the tools-golang package currently does not have support to parse SPDX files in JSON, nor to save an SPDX document in JSON format. The main objective of this project is to add support in the tools-golang package so that it can parse as well as save SPDX® v2.2 files in JSON format.
    Background: I am a passionate individual who always strives to work on end-to-end products which develop sustainable and scalable social and technical systems to create impact.

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack


Re: Public Domain license identifier

Richard Fontana
 

The "public domain" part appears to be the text of the Unlicense, so
I'd assume "MIT OR Unlicense".

Richard

On Tue, Oct 19, 2021 at 4:02 PM Pierre Tardy <tardyp@...> wrote:

Hello,

I am trying to identify this software in terms of license expression

https://github.com/nothings/stb

It is claimed to be "public domain or MIT".
I don't see any license identifier for public domain. It is arguably not a license, and not valid across jurisdictions, but anyway we would like to document the authors' will even if we will conclude the use of MIT.

So what should we document in your opinion?

Regards

Pierre


Re: Message Approval Needed - tardyp@gmail.com posted to spdx@lists.spdx.org

J Lovejoy
 

Hi Pierre,

I am moving the general SPDX list to BCC and sending this via the SPDX legal list, as that is the right place for this question! Also note - I have approved your message and copied you here so you will get the response, but you generally have to join the SPDX mailing list to post and receive messages. https://lists.spdx.org/groups

Looking at the license file for that project: Alternative A is indeed MIT and Alternative B is the Unlicense (https://spdx.org/licenses/Unlicense.html)

Thus, the SPDX license expression would be:  MIT OR Unlicense

FYI - you might want to install the license diff browser plugin to help you with these kinds of things - https://chrome.google.com/webstore/detail/spdx-license-diff/kfoadicmilbgnicoldjmccpaicejacdh?hl=en (also available for Firefox)

Thanks
Jilayne
SPDX legal team co-lead



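The reasoning in the reply above (there is no list identifier for "public domain"; the project's Alternative B is the Unlicense; the consumer may pick either side of an OR) is mechanical enough to encode. The following is an added example, not code from the list, from the SPDX project or from its tooling: a small recursive-descent parser for SPDX 2.x license expressions, a check of every identifier against a license list, and a policy check that answers Pierre's practical question (can a consumer who only accepts MIT use "MIT OR Unlicense"?). KNOWN_LICENSES and KNOWN_EXCEPTIONS are a constructed subset of the SPDX license list used only for this example; the policy sets passed to acceptable() are hypothetical. Operators are accepted in upper case only, and AND binds tighter than OR, as in the specification.

```python
"""Parse, validate and evaluate SPDX license expressions (added example)."""
import re

# Constructed subset of the SPDX license and exception lists, for this example only.
KNOWN_LICENSES = {"MIT", "Unlicense", "Apache-2.0", "BSD-3-Clause",
                  "GPL-2.0-only", "GPL-2.0-or-later"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}

# A token is a parenthesis or an identifier; identifiers never contain spaces,
# which is why "public domain" cannot be a single SPDX identifier.
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def tokenize(expr):
    tokens = _TOKEN.findall(expr)
    # Anything the regex skipped (other than whitespace) is an invalid character.
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"invalid characters in expression: {expr!r}")
    return tokens


class _Parser:
    """Grammar: expr := and ('OR' and)* ; and := simple ('AND' simple)* ;
    simple := '(' expr ')' | license ('WITH' exception)?"""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok

    def expr(self):
        left = self.and_expr()
        while self.peek() == "OR":
            self.take()
            left = ("OR", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.simple()
        while self.peek() == "AND":
            self.take()
            left = ("AND", left, self.simple())
        return left

    def simple(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        exception = None
        if self.peek() == "WITH":
            self.take()
            exception = self.take()
            if exception in ("AND", "OR", "WITH", "(", ")"):
                raise ValueError(f"expected exception id after WITH, got {exception!r}")
        return ("LIC", tok, exception)


def parse(expr):
    """Return an AST of nested ('OR'|'AND', left, right) and ('LIC', id, exception) tuples."""
    p = _Parser(tokenize(expr))
    node = p.expr()
    if p.peek() is not None:  # e.g. two identifiers in a row, as in "public domain OR MIT"
        raise ValueError(f"unexpected token {p.peek()!r}")
    return node


def is_valid(expr):
    try:
        parse(expr)
        return True
    except ValueError:
        return False


def unknown_ids(expr):
    """Identifiers not on the (constructed) list. LicenseRef-* ids are
    document-local by definition and therefore never reported."""
    unknown = set()

    def walk(node):
        if node[0] == "LIC":
            lic, exc = node[1], node[2]
            if not lic.startswith("LicenseRef-") and lic not in KNOWN_LICENSES:
                unknown.add(lic)
            if exc is not None and exc not in KNOWN_EXCEPTIONS:
                unknown.add(exc)
        else:
            walk(node[1])
            walk(node[2])

    walk(parse(expr))
    return unknown


def acceptable(node, allowed):
    """True if the consumer can satisfy the expression using only terms in `allowed`
    (strings like "MIT" or "GPL-2.0-only WITH Classpath-exception-2.0").
    OR offers a choice, so one acceptable side suffices; AND requires both."""
    if node[0] == "LIC":
        term = node[1] if node[2] is None else f"{node[1]} WITH {node[2]}"
        return term in allowed
    if node[0] == "AND":
        return acceptable(node[1], allowed) and acceptable(node[2], allowed)
    return acceptable(node[1], allowed) or acceptable(node[2], allowed)


if __name__ == "__main__":
    stb = "MIT OR Unlicense"  # the expression the reply above arrives at
    print(parse(stb))
    print("unknown ids:", unknown_ids(stb))
    print("MIT-only policy accepts it:", acceptable(parse(stb), {"MIT"}))
    print("'public domain OR MIT' is valid:", is_valid("public domain OR MIT"))
```

Running it shows why "public domain" has to become a real identifier before it can be recorded at all, and that an MIT-only policy is satisfied by "MIT OR Unlicense" but not by "MIT AND Unlicense".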






Re: SPDX Oct Gen Meeting Minutes

Phil Odence
 

I’m pretty sure President Biden does too.

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Friday, October 15, 2021 at 10:33 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Thanks, Phil. 100% agree with you.

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 9:59 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

That’s great, Dick. A very important direction for us IMO.

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Friday, October 15, 2021 at 9:49 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Thanks, Phil.

Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn.

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 7:43 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Saturday, October 9, 2021 at 11:28 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Phil,

I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 8, 2021 8:08 AM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Oct Gen Meeting Minutes

There were a few anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch it for everyone. If you’d like me to add it, just let me know via email. Additions/corrections also welcome.

Best,

Phil

L. Philip Odence
General Manager, Black Duck Audit Business
Synopsys Software Integrity Group, Burlington, MA
M (781) 258-9502 | phil.odence@...
https://www.synopsys.com/audits

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

General Meeting/Minutes/2021-10-07

  • Attendance: 25
  • Led by Phil Odence

Special Topics- Phil / Vicky

  • Governance Update
    • New governance is in place
    • Will be announcing mechanism for signing up Member Companies
    • With that will announce the mechanism for nominating Steering Committee members
  • Wipro
    • Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others

  • Tools
    • no update
  • Specification
    • Spec version compatible with ISO, now available
    • Version 3
      • Working on how to establish the repos
    • Question about SPDX Lite
      • That would be the minimum mandatory fields

Legal team update - Jilayne

  • New license request volume slowed down this month
  • Doing some general catchup with members of the legal team
  • Due for a new release at the end of the month
  • Update on collaboration with OSI and FSF
    • Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI
    • Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses
    • Recently, getting good response from FSF and OSI - especially from OSI
    • OSI has a machine readable format that is being actively worked on
    • In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates
    • Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive

Outreach team - Sebastian

  • Recent Docfest was a success, brought in several tool vendors to compare results
  • Updated Wikipedia page progressing slowly
    • Lead section updated - this is what you see when you do a Google search
  • Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable
  • Website is being updated
    • A section will be added to showcase company usage of SPDX
  • Updating meeting time to be more time available
    • Times are shown as UTC Note: will change next month
    • new time will be the off weeks at the same time as legal
    • going to meetings every other week from once a week. Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.
  • Joshua reported the SPDX official podcasts started
    • Once a month
    • Will interview many community members
  • Outreach team will meet every other month
  • Will follow-up with Vicki and others in the general meeting
  • Kate - presented keynote at open source summit
    • well received, good interest
  • Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

Attendees

  • Phil Odence, Black Duck/Synopsys
  • Alexios Zavras, Intel
  • Andrew Jorgenson, AWS
  • Kate Stewart, LF
  • Gary O’Neall, SourceAuditor
  • Bill Jaeger
  • Bob Martin, Mitre
  • Eric Billingsley, Calculi
  • Chrissini de Castro
  • Michael Mehlberg, Dark Sky Technology
  • Maximilian Huber, TNG
  • Sebastian Crane
  • William Cox, Synopsys
  • Vicky Brasseur, Wipro
  • Matthew Crawford, ARM
  • Marc Gisi, Windriver
  • Pierre Tardy
  • Joshua Marpet, RM-ISAO
  • Brad Goldring
  • Paul Madick, Jenzabar
  • Jilayne Lovejoy, Red Hat
  • Christopher Lusk
  • Clement Poulain
  • Joshua Dubin, Verizon
  • Takashi Ninjouji

 


Re: SPDX Oct Gen Meeting Minutes

Dick Brooks
 

Thanks, Phil. 100% agree with you.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 9:59 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

 

That’s great, Dick. A very important direction for us IMO.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Friday, October 15, 2021 at 9:49 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Thanks, Phil.

 

Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 7:43 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

 

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Saturday, October 9, 2021 at 11:28 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Phil,

 

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 8, 2021 8:08 AM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Oct Gen Meeting Minutes

 

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1352972488   signature_1412948865   signature_476665210   signature_1426161603

 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07

General Meeting‎ | Minutes

·        Attendance: 25

·        Lead by Phil Odence

 

Contents

 [hide

Special Topics- Phil / Vicky[edit]

·        Governance Update

·        New governance is in place

·        Will be announcing mechanism for signing up Member Companies

·        With that will announce the mechanism for nominating Steering Committee members

·        Wipro

·        Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others[edit]

 

·        Tools 

·        no update

·        Specification

·        Spec version compatible with ISO, now available

·        Version 3

·        Working on how to establish the repos

·        Question about SPDX Lite

·        That would be the minimum mandatory fields

Legal team update - Jilayne[edit]

·        New license request volume slowed down this month

·        Doing some general catchup with members of the legal team

·        Due for a new release at the end of the month

·        Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

Outreach team - Sebastian[edit]

·        Recent Docfest was a success, brought in several tool vendors to compare results

·        Updated Wikipedia page progressing slowing

·        Lead section updated - this is what you seen when you do a Google search

·        Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·        Website is being updated

·        A section will be added to showcase company usage of SPDX

·        Updating meeting time to be more time available

·        Times are shown as UTC Note: will change next month

·        new time will be the off weeks at the same time as legal

·        going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·        Joshua reported the SPDX official podcasts started

·        Once a month

·        Outreach team will meeting every other month

·        Will interview many community members

·        Will follow-up with Vicki and others in the general meeting

·        Kate - presented keynote at open source summit

·        well received, good interested

·        Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees[edit]

·        Phil Odence, Black Duck/Synopsys

·        Alexios Zavras, Intel

·        Andrew Jorgenson, AWS

·        Kate Stewart, LF

·        Gary O’Neall, SourceAuditor

·        Bill Jaeger

·        Bob Martin, Mitre

·        Eric Billingsley, Calculi

·        Chrissini de Castro

·        Michael Mehlberg, Dark Sky Technology

·        Maximilian Huber, TNG

·        Sebastian Crane

·        William Cox, Synopsys

·        Vicky Brasseur, Wipro

·        Matthew Crawford, ARM

·        Marc Gisi, Windriver

·        Pierre Tardy,

·        Joshua Marpet, RM-ISAO

·        Brad Goldring

·        Paul Madick, Jenzabar

·        Jilayne Lovejoy, Red Hat

·        Christopher Lusk

·        Clement Poulain

·        Joshua Dubin, Verizon

·        Takashi Ninjouji

 


Re: SPDX Oct Gen Meeting Minutes

Phil Odence
 

That’s great, Dick. A very important direction for us IMO.

 

 


Re: SPDX Oct Gen Meeting Minutes

Dick Brooks
 

Thanks, Phil.

 

Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn.

 

 


 


Re: SPDX Oct Gen Meeting Minutes

Phil Odence
 

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

 


 


Re: SPDX Oct Gen Meeting Minutes

Dick Brooks
 

Phil,

 

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

 

 


 


SPDX Oct Gen Meeting Minutes

Phil Odence
 

There were a few anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch it for everyone. If you’d like me to add it, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07


·         Attendance: 25

·         Led by Phil Odence

 


Special Topics - Phil / Vicky

·         Governance Update

·         New governance is in place

·         Will be announcing mechanism for signing up Member Companies

·         With that will announce the mechanism for nominating Steering Committee members

·         Wipro

·         Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others

 

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Working on how to establish the repos

·         Question about SPDX Lite

·         That would be the minimum mandatory fields

Legal team update - Jilayne

·         New license request volume slowed down this month

·         Doing some general catchup with members of the legal team

·         Due for a new release at the end of the month

·         Update on collaboration with OSI and FSF

  * Gary is working on 3-year-old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI
  * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses
  * Recently, getting good response from FSF and OSI - especially from OSI
  * OSI has a machine readable format that is being actively worked on
  * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates
  * Jilayne provided history on previous attempts to work with FSF on integrating their data, which at times has been less responsive

Outreach team - Sebastian

·         Recent Docfest was a success, brought in several tool vendors to compare results

·         Updated Wikipedia page progressing slowly

·         Lead section updated - this is what you see when you do a Google search

·         Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·         Website is being updated

·         A section will be added to showcase company usage of SPDX

·         Updating meeting time to make it more widely available

·         Times are shown in UTC. Note: will change next month

·         New time will be the off weeks at the same time as legal

·         Moving to meetings every other week from once a week. Vicky pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·         Joshua reported the SPDX official podcasts started

·         Once a month

·         Outreach team will meet every other month

·         Will interview many community members

·         Will follow up with Vicky and others in the general meeting

·         Kate - presented keynote at open source summit

·         Well received, good interest

·         Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees

·         Phil Odence, Black Duck/Synopsys

·         Alexios Zavras, Intel

·         Andrew Jorgenson, AWS

·         Kate Stewart, LF

·         Gary O’Neall, SourceAuditor

·         Bill Jaeger

·         Bob Martin, Mitre

·         Eric Billingsley, Calculi

·         Chrissini de Castro

·         Michael Mehlberg, Dark Sky Technology

·         Maximilian Huber, TNG

·         Sebastian Crane

·         William Cox, Synopsys

·         Vicky Brasseur, Wipro

·         Matthew Crawford, ARM

·         Marc Gisi, Windriver

·         Pierre Tardy,

·         Joshua Marpet, RM-ISAO

·         Brad Goldring

·         Paul Madick, Jenzabar

·         Jilayne Lovejoy, Red Hat

·         Christopher Lusk

·         Clement Poulain

·         Joshua Dubin, Verizon

·         Takashi Ninjouji

 


Thursday's SPDX General Meeting Reminder

Phil Odence
 

A couple of special items for this month’s meeting:

  • Quick status of updated SPDX governance
  • Short presentation by VM (Vicky) Brasseur, Director, Senior Strategy Advisor at Wipro. Her company has recently decided to become a member and put its full support behind SPDX. She’ll talk about what they do with SPDX and why they are so keen

 

GENERAL MEETING

 

Meeting Time: Thurs, Oct 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-07-01

 

Update/Presentation

  • Governance – Phil
  • Wipro and SPDX - Vicky

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack 

  

 

 

 


Re: SPDX Goes ISO

Dick Brooks
 

Thanks, Phil – I’m very much looking forward to the configurable profiles capability.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Tuesday, September 14, 2021 1:16 PM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

Yes, understood. Thanks, Dick. For that use case, the President was more concerned with a cyber attack than a license violation. This is the point of evolving SPDX to be “configurable” with profiles to meet different use cases.

 

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Tuesday, September 14, 2021 at 12:44 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Phil,

 

Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber risk, i.e. C-SCRM, whereas license management is a Legal/Financial risk.

 

The use of SBOM for license legal risk management is indeed a good practice, but it is not required to satisfy NTIA minimal SBOM requirements for EO 14028.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Tuesday, September 14, 2021 11:53 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

 

From: spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...>
Date: Tuesday, September 14, 2021 at 10:31 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm:    tel:+386.41.849.552
www:    https://matija.suklje.name
xmpp:   matija.suklje@...
sip:    matija_suklje@...