in our github repo today, and a pretty version is at: https://spdx.github.io/spdx-spec/.
It now costs CHF198 to buy. This is the ISO way, and I think it's literally criminal.
As in: violates UN Charter of Human Rights.
If it doesn't wind up on the Publicly Available Standards list, then I think it's just been killed as a specification.
No open source person is going to buy the document.
I believe that is correct. It seems an odd system, but as I understand it, it’s not unusual to have free and paid-for versions of specs with the same content. OpenChain is, I believe, an example of the same.
From: spdx@... <spdx@...> on behalf of William Bartholomew via lists.spdx.org <iamwillbar=github.com@...>
Date: Monday, September 13, 2021 at 2:43 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO
I’ll defer to Phil or Kate for an official answer, but my understanding is that SPDX will continue to publish the specification directly from the SPDX project to the community, but certain versions will be also published as ISO standards (the first being 2.2.1 which is materially the same as what’s published on the SPDX site today).
William
So will it definitely become an "ISO Publicly Available Standard" and is that just a question of time?
Kind regards,
Henk
I guess it will…
The OpenChain one took a couple of months to appear, though, so I don’t know how quickly this gets updated.
-- zvr
From: spdx@... <spdx@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Friday, 10 September, 2021 16:40
To: spdx@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: Re: [spdx] SPDX Goes ISO
Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ ?
I think it should.
Do we know?
Marc-Etienne
From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, September 9, 2021 5:03 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Goes ISO
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021 <https://www.iso.org/standard/81870.html>.
Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.
Here’s the LF press release: http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
Best regards,
Phil
L. Philip Odence
General Manager, Black Duck Audit Business
Synopsys Software Integrity Group, Burlington, MA
M (781) 258-9502 | phil.odence@...
https://www.synopsys.com/audits
Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928
I just realized that the DocFest will be demonstrating interoperability of an ISO standard SBOM.
Great timing getting the ISO standard status before the 9/16 DocFest. Very cool!
Thanks,
Dick Brooks
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Sent: Friday, September 10, 2021 6:45 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO
We may quote you on that!
From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO
Seconded!
This is tremendously important for the governance ecosystem.
Regards
Shane
On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:
A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!
Steve
--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.
This is great news, very happy to see it and kudos to everyone involved.
People may also be interested to know that we just merged SPDX SBOM generation
into OpenEmbedded-Core, just before our feature freeze for our October release
(3.4).
This means that Yocto Project will have SPDX and hence ISO compliant SBOM generation out of the box from then and hence on our next LTS planned for April.
http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=f1a34a63e44dc444ed213c48bfeab9da1196bfc8
(and following patches)
Cheers,
Richard
A truly amazing achievement – well done and congratulations to Kate and the entire SPDX and Linux Foundation community that made this happen.
So much looking forward to advancing SPDX interoperability via the DocFest event.
Thanks,
Dick Brooks
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Thanks, Phil.
Will there be a press release of some sort? And at what point will the project be ready to start accepting member companies?
Asking for a friend…
--V
--
VM (Vicky) Brasseur
Director, Senior Strategy Advisor
Open Source Program Office
Wipro Limited
Time Zone: Pacific/West Coast US
From:
<spdx@...> on behalf of "Phil Odence via lists.spdx.org" <phil.odence=synopsys.com@...>
Reply-To: "spdx@..." <spdx@...>
Date: Wednesday, September 8, 2021 at 06:37
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Sept General Meeting Minutes & Announcement
SPDX Community,
Minutes: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-09-02
As you are aware, in last week’s meeting we discussed a proposal to change the SPDX workgroup’s governance framework. The discussion was a good one and resulted in consensus. As things were rushed a bit at the end of the meeting and wanting to ensure no one was uncomfortable, we left the door open for concerns to be voiced “within a day or so” on this list. Subsequently there was a brief exchange on the list in support of the proposal as presented. And so, from this point forward, the SPDX is operating under the new framework.
For anyone who may have missed, a summary is attached. Additionally, here are links to the website that now specifies the newly adopted framework and a link directly to the repo that contains the details of the governance framework:
· website: https://spdx.dev/about/governance/
· GitHub repo: https://github.com/spdx/governance/
Thanks to all who participated in the smooth transition to the new framework.
Best regards,
Phil
Chair, SPDX Steering Committee
General Meeting/Minutes/2021-09-02
· Attendance: 26
· Led by Phil Odence
· GSoC Presentation was postponed
SPDX Governance - Phil
· Intro - Phil
· GOAL of today: Consensus
· Background
  · About 8 years ago, we put in place a governance structure for SPDX.
· Factors
  · ISO standardization - near to announcing
  · Executive Order
  · More participation from community members with standards body experience
  · Working with other standards, i.e. SWID and CycloneDX
· Goal of Change - retain spirit and ways of working
  · more accurately reflect the current reality and future direction of the project
  · establishing a mechanism for official company membership in the project
  · using contribution processes and a license for the spec that ensure explicit patent license commitments from contributors
  · improving clarity around decision-making processes and establishing an appeals process
  · adopting a code of conduct
· Solution - Steve to explain further
  · Legal Entity creation - switched from JDF to a much simpler
  · Retained Community Specification model
· Review of pdf Summary - Steve
  · Legal Entity
  · Membership Agreement
  · Community Specs process and license
· Q&A/Discussion
  · Various clarifications
  · Code of Conduct
    · Agreed that under the new structure it could, if need be, be modified in the future
  · Possibility of Dual-licensing Spec
    · Agreed to not address at this time
· Resolution
  · Consensus reached
  · ...unless significant concerns were raised on the General Mailing List within a day or so of the meeting's close
Attendees
· Phil Odence, Black Duck/Synopsys
· Sebastian Crane
· Joshua Marpet, RM-ISAO
· Mike Nemmers
· William Cox, Synopsys
· Andrew Jorgenson, AWS
· Bob Martin, Mitre
· Philippe Emmanuel Douziech, CAST
· Alexios Zavras, Intel
· Marc Etienne Vargenau, Nokia
· Jilayne Lovejoy, Red Hat
· Steve Winslow, LF
· Mike Dolan, LF
· Mark Atwood, Amazon
· Gary O’Neall, SourceAuditor
· Paul Madick, Jenzabar
· Jeff Schutt, Cisco
· Vicky Brasseur, Wipro
· Warner Losh, FreeBSD
· Zach Hill, Anchore
· Pierre Tardy
· David Edelsohn, IBM
· Maximilian Huber, TNG
· Bill Jaeger
· Michael Mehlberg, Dark Sky Technology
· Henk Birkholz, Fraunhofer
Thanks, Sebastian, for your thoughts, support and understanding.
Regarding licensing, my sense was that your desire to make the spec easy to publish is covered by the proposed licensing scheme. Perhaps you and Steve could discuss to resolve.
Regarding the Code of Conduct. I think we’ve forked it from the upstream with which you are concerned and, in any case, the option to improve upon in the future exists.
Best,
Phil
From:
spdx@... <spdx@...> on behalf of Sebastian Crane <seabass-labrax@...>
Date: Thursday, September 2, 2021 at 1:58 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Thursday General Meeting Reminder - SPECIAL MEETING
Dear all,
During today's General Meeting, in which the Core Team presented a
proposal to improve the governance of SPDX, I brought up a few
suggestions to the current proposal. Going into the meeting I did not
fully grasp that, under the current governance model, the proposal would
have to be accepted by the working group as a whole - thus consensus
would need to be reached before additional suggestions. Thank you to
Steve and Phil for explaining this!
I think it would be good to have a discussion at some point on the Code
of Conduct and of the licensing of the SPDX specification, to maybe
iterate further on the already excellent proposal.
For the record, and the reason for sending this email, I wanted to state
that I'm very much in support of the proposal as it is now, and would
not consider my concerns blockers here! Thanks again to the members of
the Core Team who've put the time and effort into creating the proposal.
Best wishes,
Sebastian