Date   

Re: SPDX Goes ISO

Alexios Zavras
 

I guess it will…

The OpenChain one took a couple of months to appear, though, so I don’t know how quickly this gets updated.

 

-- zvr

 

From: spdx@... <spdx@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Friday, 10 September, 2021 16:40
To: spdx@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: Re: [spdx] SPDX Goes ISO

 

Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ ?

 

I think it should.

 

Do we know?

 

Marc-Etienne

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, September 9, 2021 5:03 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Goes ISO

 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Re: SPDX Goes ISO

Zachary Fetters
 

This is wonderful news! Congrats to Kate and everyone else who had a hand in this! Hopefully this means wider adoption and growth for the future!

Zachary Fetters
Freelance graphic/web designer.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Thursday, September 9th, 2021 at 11:02 AM, Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



Re: SPDX Goes ISO

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ ?

 

I think it should.

 

Do we know?

 

Marc-Etienne

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, September 9, 2021 5:03 PM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Goes ISO

 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 


Re: SPDX Goes ISO

Dick Brooks
 

I just realized that the DocFest will be demonstrating interoperability of an ISO standard SBOM.

Great timing getting the ISO standard status before the 9/16 DocFest. Very cool!

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, September 10, 2021 6:45 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 

 

On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

 

Please do 🙂

On Sep 10, 2021, at 19:45, Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:



We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 



On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

Richard Purdie
 

On Thu, 2021-09-09 at 15:02 +0000, Phil Odence via lists.spdx.org wrote:
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.
 
Many people have worked hard over the last decade to get us to this point. Big
credit goes to my Steering Committee colleagues who have all been instrumental.
And we should recognize that this was all Kate’s brainchild. I believe it was
Fall of 2009 when she started informally socializing the idea of a standard SBOM
format at Linux Foundation events. Not too long thereafter, in the then single
weekly meeting, early participants began debating whether it should be SPDE,
ultimately deciding “X” at the end would be catchier. And now it’s officially
caught.
 
Here’s the LF press release:
http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials
This is great news, very happy to see it and kudos to everyone involved.

People may also be interested to know that we just merged SPDX SBOM generation
into OpenEmbedded-Core, just before our feature freeze for our October release
(3.4).

This means that Yocto Project will have SPDX and hence ISO compliant SBOM
generation out the box from then and hence on our next LTS planned for April.

http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=f1a34a63e44dc444ed213c48bfeab9da1196bfc8
(and following patches)

Cheers,

Richard


Re: SPDX Goes ISO

Phil Odence
 

We may quote you on that!

 

From: spdx@... <spdx@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Thursday, September 9, 2021 at 9:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Seconded!

This is tremendously important for the governance ecosystem.

 

Regards

 

Shane 



On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:



A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   

   

   

 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

 

Seconded!

This is tremendously important for the governance ecosystem.

Regards

Shane 

On Sep 10, 2021, at 0:15, Steve Winslow <swinslow@...> wrote:


A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

Steve

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

<image001.png>

 

 

   
<image003.jpg>
   
<image004.jpg>
   
<image005.jpg>

 



--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

Dick Brooks
 

A truly amazing achievement – well done and congratulations to Kate and the entire SPDX and Linux Foundation community that made this happen.

 

So much looking forward to advancing SPDX interoperability via the DocFest event.

 

Thanks,

 

Dick Brooks

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx@... <spdx@...> On Behalf Of Steve Winslow
Sent: Thursday, September 9, 2021 11:15 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

 

Steve

 

On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Goes ISO

Steve Winslow
 

A big +1 from me. Thank you to all the SPDX contributors and everyone involved in the years-long process of getting the SPDX standard to where it is today, and especially to Kate for her tireless efforts in making it all happen!

Steve


On Thu, Sep 9, 2021 at 11:03 AM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 



--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


SPDX Goes ISO

Phil Odence
 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_653089988   signature_1312878970   signature_1721301777   signature_106429426

 


Re: SPDX Sept General Meeting Minutes & Announcement

VM (Vicky) Brasseur
 

Thanks, Phil.

 

Will there be a press release of some sort? And at what point will the project be ready to start accepting member companies?

 

Asking for a friend…

 

--V

 

-- 

VM (Vicky) Brasseur

Director, Senior Strategy Advisor

Open Source Program Office

Wipro Limited

Time Zone: Pacific/West Coast US

 

 

From: <spdx@...> on behalf of "Phil Odence via lists.spdx.org" <phil.odence=synopsys.com@...>
Reply-To: "spdx@..." <spdx@...>
Date: Wednesday, September 8, 2021 at 06:37
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Sept General Meeting Minutes & Announcement

 

CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.
.
 

SPDX Community,

 

Minutes: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-09-02

 

As you are aware, in last week’s meeting we discussed a proposal to change the SPDX workgroup’s governance framework. The discussion was a good one and resulted in consensus. As things were rushed a bit at the end of the meeting and wanting to ensure no one was uncomfortable, we left the door open for concerns to be voiced “within a day or so” on this list. Subsequently there was a brief exchange on the list in support of the proposal as presented. And so, from this point forward, the SPDX is operating under the new framework.

 

For anyone who may have missed, a summary is attached. Additionally, here are links to the website that now specifies the newly adopted framework and a link directly to the repo that contains the details of the governance framework:

·  website: https://spdx.dev/about/governance/

·  GitHub repo: https://github.com/spdx/governance/

 

Thanks to all who participated in the smooth transition to the new framework.

 

Best regards,

Phil

Chair, SPDX Steering Committee

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_454131419   signature_92975526   signature_1517895499   signature_1172968236

 

 

 

 

General Meeting/Minutes/2021-09-02

General Meeting‎ | Minutes

·         Attendance: 26

·         Lead by Phil Odence

·         GSoC Presentation was postponed

SPDX Governance - Phil[edit]

·         Intro -Phil

·          

·         GOAL of today: Consensus  

·          

·         Background

·         About 8 years ago, we put in place a governance structure for SPDX.

·         Factors

·         ISO standardization- near to announcing

·         Executive Order

·         More participation from comm members with standards body experience

·         Working with other standards, i.e. SWID and CycloneDX

·          

·         Goal of Change - retain spirit and ways of working

·         more accurately reflect the current reality and future direction of the project

·         establishing a mechanism for official company membership in the project

·         using contribution processes and a license for the spec that ensure explicit patent license commitments from contributors

·         improving clarity around decision-making processes and establishing an appeals process

·         adopting a code of conduct

·          

·         Solution - Steve to explain further

·         Legal Entity creation- switched from JDF to a much simpler

·         Retained Community Specification model

·         Review of pdf Summary - Steave

·         Legal Entity

·         Membership Agreement

·         Community Specs process and license

·         Q&A/Discussion

·         Various clarifications

·         Code of Conduct

·         Agreed that under new structure it could, if need be, be modified in the future

·         Possibility of Dual-licensing Spec

·         Agreed to not address at this time

·         Resolution

·         Consensus reached

·         ...unless significant concerns were raised on the General Mailing List within a day of so of the meeting's close

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Sebastian Crane

·         Joshua Marpet, RM-ISAO

·         Mike Nemmers

·         William Cox, Synopsys

·         Andrew Jorgenson, AWS

·         Bob Martin, Mitre

·         Philippe Emmanuel Douziech, CAST

·         Alexios Zavras, Intel

·         Marc Etienne Vargenau, Nokia

·         Jilayne Lovejoy, Red Hat

·         Steve Winslow, LF

·         Mike Dolan, LF

·         Mark Atwood, Amazon

·         Gary O’Neall, SourceAuditor

·         Paul Madick, Jenzabar

·         Jeff Schutt, Cisco

·         Vicky Brasseur, Wipro

·         Warner Losh, FreeBSD

·         Zach Hill, Anchore

·         Pierre Tardy

·         David Edelsohn, IBM

·         Maximilian Huber, TNG

·         Bill Jaeger

·         Michael Mehlberg, Dark Sky Technology

·         Henk Birkholz, Fraunhofe

 

'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'


SPDX Sept General Meeting Minutes & Announcement

Phil Odence
 

SPDX Community,

 

Minutes: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-09-02

 

As you are aware, in last week’s meeting we discussed a proposal to change the SPDX workgroup’s governance framework. The discussion was a good one and resulted in consensus. As things were rushed a bit at the end of the meeting and wanting to ensure no one was uncomfortable, we left the door open for concerns to be voiced “within a day or so” on this list. Subsequently there was a brief exchange on the list in support of the proposal as presented. And so, from this point forward, the SPDX is operating under the new framework.

 

For anyone who may have missed, a summary is attached. Additionally, here are links to the website that now specifies the newly adopted framework and a link directly to the repo that contains the details of the governance framework:

·  website: https://spdx.dev/about/governance/

·  GitHub repo: https://github.com/spdx/governance/

 

Thanks to all who participated in the smooth transition to the new framework.

 

Best regards,

Phil

Chair, SPDX Steering Committee

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_454131419   signature_92975526   signature_1517895499   signature_1172968236

 

 

 

General Meeting/Minutes/2021-09-02

General Meeting‎ | Minutes

·         Attendance: 26

·         Lead by Phil Odence

·         GSoC Presentation was postponed

SPDX Governance - Phil[edit]

·         Intro -Phil

·          

·         GOAL of today: Consensus  

·          

·         Background

·         About 8 years ago, we put in place a governance structure for SPDX.

·         Factors

·         ISO standardization- near to announcing

·         Executive Order

·         More participation from comm members with standards body experience

·         Working with other standards, i.e. SWID and CycloneDX

·          

·         Goal of Change - retain spirit and ways of working

·         more accurately reflect the current reality and future direction of the project

·         establishing a mechanism for official company membership in the project

·         using contribution processes and a license for the spec that ensure explicit patent license commitments from contributors

·         improving clarity around decision-making processes and establishing an appeals process

·         adopting a code of conduct

·          

·         Solution - Steve to explain further

·         Legal Entity creation- switched from JDF to a much simpler

·         Retained Community Specification model

·         Review of pdf Summary - Steave

·         Legal Entity

·         Membership Agreement

·         Community Specs process and license

·         Q&A/Discussion

·         Various clarifications

·         Code of Conduct

·         Agreed that under new structure it could, if need be, be modified in the future

·         Possibility of Dual-licensing Spec

·         Agreed to not address at this time

·         Resolution

·         Consensus reached

·         ...unless significant concerns were raised on the General Mailing List within a day of so of the meeting's close

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Sebastian Crane

·         Joshua Marpet, RM-ISAO

·         Mike Nemmers

·         William Cox, Synopsys

·         Andrew Jorgenson, AWS

·         Bob Martin, Mitre

·         Philippe Emmanuel Douziech, CAST

·         Alexios Zavras, Intel

·         Marc Etienne Vargenau, Nokia

·         Jilayne Lovejoy, Red Hat

·         Steve Winslow, LF

·         Mike Dolan, LF

·         Mark Atwood, Amazon

·         Gary O’Neall, SourceAuditor

·         Paul Madick, Jenzabar

·         Jeff Schutt, Cisco

·         Vicky Brasseur, Wipro

·         Warner Losh, FreeBSD

·         Zach Hill, Anchore

·         Pierre Tardy

·         David Edelsohn, IBM

·         Maximilian Huber, TNG

·         Bill Jaeger

·         Michael Mehlberg, Dark Sky Technology

·         Henk Birkholz, Fraunhofe

 


Re: SPDX Thursday General Meeting Reminder - SPECIAL MEETING

Phil Odence
 

Thanks, Sebastian for your thoughts, support and understanding.

 

Regarding licensing, my sense was that your desire to make the spec easy to publish is covered by the proposed licensing scheme. Perhaps you and Steve could discuss to resolve.

 

Regarding the Code of Conduct. I think we’ve forked it from the upstream with which you are concerned and, in any case, the option to improve upon in the future exists.

 

Best,

Phil

 

From: spdx@... <spdx@...> on behalf of Sebastian Crane <seabass-labrax@...>
Date: Thursday, September 2, 2021 at 1:58 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Thursday General Meeting Reminder - SPECIAL MEETING

Dear all,

During today's General Meeting, in which the Core Team presented a
proposal to improve the governance of SPDX, I brought up a few
suggestions to the current proposal. Going into the meeting I did not
fully grasp that, under the current governance model, the proposal would
have to be accepted by the working group as a whole - thus consensus
would need to be reached before additional suggestions. Thank you to
Steve and Phil for explaining this!

I think it would be good to have a discussion at some point on the Code
of Conduct and of the licensing of the SPDX specification, to maybe
iterate further on the already excellent proposal.

For the record, and the reason for sending this email, I wanted to state
that I'm very much in support of the proposal as it is now, and would
not consider my concerns blockers here! Thanks again to the members of
the Core Team who've put the time and effort into creating the proposal.

Best wishes,

Sebastian





Re: SPDX Thursday General Meeting Reminder - SPECIAL MEETING

Sebastian Crane
 

Dear all,

During today's General Meeting, in which the Core Team presented a
proposal to improve the governance of SPDX, I brought up a few
suggestions to the current proposal. Going into the meeting I did not
fully grasp that, under the current governance model, the proposal would
have to be accepted by the working group as a whole - thus consensus
would need to be reached before additional suggestions. Thank you to
Steve and Phil for explaining this!

I think it would be good to have a discussion at some point on the Code
of Conduct and of the licensing of the SPDX specification, to maybe
iterate further on the already excellent proposal.

For the record, and the reason for sending this email, I wanted to state
that I'm very much in support of the proposal as it is now, and would
not consider my concerns blockers here! Thanks again to the members of
the Core Team who've put the time and effort into creating the proposal.

Best wishes,

Sebastian


SPDX Thursday General Meeting Reminder - SPECIAL MEETING

Phil Odence
 

We will deviate from our usual standing agenda for this special meeting. We will start with a presentation from a Google Summer of Code student (see topic below) and then will pick up the discussion of the SPDX Governance change with the aim of reaching consensus and moving forward.

 

I encourage you to read through the attached. Steve will give a very quick overview and can answer questions, but we will assume participants of read the pdf of not all the details referenced. And as a reminder, here’s the context I provided last week:

SPDX Community,

As previewed in the June General Meeting, the Core Team has submitted a proposal for changing the governance of SPDX. The reasoning for the change and substance are the same as what we discussed in that meeting. However, we have simplified the implementation considerably. Importantly, the project will continue to operate day to day as we have for over a decade but with better defined governance. Attached is a document that summarizes the proposal and provide links to the details.

In the second half of next Thursday’s General Meeting we will try to reach consensus on the proposal. In the meantime, once you have studied the matter, provide feedback or raise any questions on this thread. (Note, the many of the details are housed in a GitHub repo but again comments/questions go here.) If we do not reach consensus on Thursday, we may hold the discussion over to the following meeting.

Best regards,

Phil

 

GSoC Presentation

 

Title- Support for spdx Go lang tools

by Ujjwal Agarwal

 

I will talk about the possible approaches that we could have adopted for the project and the approach I choose to go ahead with .The challenges I faced throughout the GSoC coding phase while coding the project and furthermore what are the future implementations that we can expect .

 

I am a B.tech student at Thapar Institute of Engineering and Technology India . Skilled in Go lang, DevOps, Leadership, Cryptocurrency, and web development. Strong information technology student with a keen interest in open source development .

 

 

See you Thursday,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1776178224   signature_1183619641   signature_662632004   signature_1480720749

 

 

 

 

 


Re: SPDX Governance Next Steps

Steve Winslow
 

Thanks Richard and Jilayne!

Yes, in other cases we've seen one LF project become a member of another, for purposes of showing support and furthering collaboration between the projects' communities. In other LF projects there are often multiple tiers of membership, including an "associate" membership as you mentioned. For this proposal for SPDX we've kept it simple with just a single "General" membership tier, so that's what Yocto would fall into as well.

Best,
Steve


On Thu, Aug 26, 2021 at 5:40 PM J Lovejoy <opensource@...> wrote:
Hi Richard,

I love your forward thinking!  First we have to have the review and acceptance of the proposal. Assuming that goes through and as to whether the Yocto Project could be an SPDX member - that is probably a question for the LF, as I'm not sure how one LF project being a member of another LF project works when you have the same "parent".

In any case, I'd think we can figure out something to show the strong support and relationship!

Cheers,
Jilayne

On 8/25/21 2:28 PM, Richard Purdie wrote:
On Wed, 2021-08-25 at 20:09 +0000, Phil Odence via lists.spdx.org wrote:
SPDX Community,
As previewed in the June General Meeting, the Core Team has submitted a
proposal for changing the governance of SPDX. The reasoning for the change and
substance are the same as what we discussed in that meeting. However, we have
simplified the implementation considerably. Importantly, the project will
continue to operate day to day as we have for over a decade but with better
defined governance. Attached is a document that summarizes the proposal and
provide links to the details.
In the second half of next Thursday’s General Meeting we will try to reach
consensus on the proposal. In the meantime, once you have studied the matter,
provide feedback or raise any questions on this thread. (Note, the many of the
details are housed in a GitHub repo but again comments/questions go here.) If
we do not reach consensus on Thursday, we may hold the discussion over to the
following meeting.
FWIW I've been wondering how we could show a relationship between Yocto Project
and SPDX as we are a strong support of it so this looks timely in that regard
assuming we'd be eligible as an associate member?

Cheers,

Richard









--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SPDX Governance Next Steps

J Lovejoy
 

Hi Richard,

I love your forward thinking!  First we have to have the review and acceptance of the proposal. Assuming that goes through and as to whether the Yocto Project could be an SPDX member - that is probably a question for the LF, as I'm not sure how one LF project being a member of another LF project works when you have the same "parent".

In any case, I'd think we can figure out something to show the strong support and relationship!

Cheers,
Jilayne

On 8/25/21 2:28 PM, Richard Purdie wrote:
On Wed, 2021-08-25 at 20:09 +0000, Phil Odence via lists.spdx.org wrote:
SPDX Community,
As previewed in the June General Meeting, the Core Team has submitted a
proposal for changing the governance of SPDX. The reasoning for the change and
substance are the same as what we discussed in that meeting. However, we have
simplified the implementation considerably. Importantly, the project will
continue to operate day to day as we have for over a decade but with better
defined governance. Attached is a document that summarizes the proposal and
provide links to the details.
In the second half of next Thursday’s General Meeting we will try to reach
consensus on the proposal. In the meantime, once you have studied the matter,
provide feedback or raise any questions on this thread. (Note, the many of the
details are housed in a GitHub repo but again comments/questions go here.) If
we do not reach consensus on Thursday, we may hold the discussion over to the
following meeting.
FWIW I've been wondering how we could show a relationship between Yocto Project
and SPDX as we are a strong support of it so this looks timely in that regard
assuming we'd be eligible as an associate member?

Cheers,

Richard








Re: SPDX Governance Next Steps

Richard Purdie
 

On Wed, 2021-08-25 at 20:09 +0000, Phil Odence via lists.spdx.org wrote:
SPDX Community,
As previewed in the June General Meeting, the Core Team has submitted a
proposal for changing the governance of SPDX. The reasoning for the change and
substance are the same as what we discussed in that meeting. However, we have
simplified the implementation considerably. Importantly, the project will
continue to operate day to day as we have for over a decade but with better
defined governance. Attached is a document that summarizes the proposal and
provide links to the details.
In the second half of next Thursday’s General Meeting we will try to reach
consensus on the proposal. In the meantime, once you have studied the matter,
provide feedback or raise any questions on this thread. (Note, the many of the
details are housed in a GitHub repo but again comments/questions go here.) If
we do not reach consensus on Thursday, we may hold the discussion over to the
following meeting.
FWIW I've been wondering how we could show a relationship between Yocto Project
and SPDX as we are a strong support of it so this looks timely in that regard
assuming we'd be eligible as an associate member?

Cheers,

Richard


SPDX Governance Next Steps

Phil Odence
 

SPDX Community,

As previewed in the June General Meeting, the Core Team has submitted a proposal for changing the governance of SPDX. The reasoning for the change and substance are the same as what we discussed in that meeting. However, we have simplified the implementation considerably. Importantly, the project will continue to operate day to day as we have for over a decade but with better defined governance. Attached is a document that summarizes the proposal and provide links to the details.

In the second half of next Thursday’s General Meeting we will try to reach consensus on the proposal. In the meantime, once you have studied the matter, provide feedback or raise any questions on this thread. (Note, the many of the details are housed in a GitHub repo but again comments/questions go here.) If we do not reach consensus on Thursday, we may hold the discussion over to the following meeting.

Best regards,

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_829465809   signature_1727697714   signature_1137153923   signature_859259509

 

 

41 - 60 of 1485