Date   

Re: End Of Life Tag in spdx #spdx

Kate Stewart
 

Hi Sandeep,

     There is a pull request expected shortly from the Usage profile team, to add this specific field to 2.3.
When it comes in,  please feel free to review and make sure it's going to suffice for your needs.

For now, with 2.2 documents,  suggest you use the Package Comment field (https://spdx.github.io/spdx-spec/package-information/#720-package-comment-field) and standardize on a tag (like EndOfSupport: ) and the date. 

Will that work for now?

Thanks, 
Kate


On Fri, May 6, 2022 at 2:27 PM Patil, Sandeep via lists.spdx.org <sandeep.patil=philips.com@...> wrote:
Hi All, 
We have requirement to specify End Of Life as part of package information in SBoM ,
Is there way current SPDX format support this ? 

Regards
Sandeep 


End Of Life Tag in spdx #spdx

Patil, Sandeep
 

Hi All, 
We have requirement to specify End Of Life as part of package information in SBoM ,
Is there way current SPDX format support this ? 

Regards
Sandeep 


Re: SPDX Thurs General Meeting Reminder

Kate Stewart
 


The video has been posted here: 

On Wed, May 4, 2022 at 4:22 PM Christopher Lusk <clusk@...> wrote:

Hello,

 

Is it possible to get the recording from the April SPDX meeting?

 

Thanks.

 


Christopher D. Lusk
Product Security Analyst
Product Security Office
Lenovo


Emailclusk@...

 

Lenovo.com
Twitter
 | Instagram | Facebook | Linkedin | YouTube | Privacy

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Wednesday, May 4, 2022 9:17 AM
To: SPDX-general <spdx@...>
Subject: [External] [spdx] SPDX Thurs General Meeting Reminder

 

No special presentation this month, but I will announce this year’s recently added Member Reps and provide a little review of this aspect of the governance process.

 

GENERAL MEETING

 

Meeting Time: Thurs, May 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/main/general/2022-04-07.md

 

Special Presentation 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian

 

 


Re: SPDX Thurs General Meeting Reminder

Christopher Lusk
 

Hello,

 

Is it possible to get the recording from the April SPDX meeting?

 

Thanks.

 


Christopher D. Lusk
Product Security Analyst
Product Security Office
Lenovo


Emailclusk@...

 

Lenovo.com
Twitter
 | Instagram | Facebook | Linkedin | YouTube | Privacy

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Wednesday, May 4, 2022 9:17 AM
To: SPDX-general <spdx@...>
Subject: [External] [spdx] SPDX Thurs General Meeting Reminder

 

No special presentation this month, but I will announce this year’s recently added Member Reps and provide a little review of this aspect of the governance process.

 

GENERAL MEETING

 

Meeting Time: Thurs, May 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/main/general/2022-04-07.md

 

Special Presentation 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian

 

 


SPDX Thurs General Meeting Reminder

Phil Odence
 

No special presentation this month, but I will announce this year’s recently added Member Reps and provide a little review of this aspect of the governance process.

 

GENERAL MEETING

 

Meeting Time: Thurs, May 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/main/general/2022-04-07.md

 

Special Presentation 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian

 

 


~24 hours left to propose SPDX talks to All Things Open!

VM (Vicky) Brasseur
 

All Things Open (ATO) is one of the largest open source conferences in the world now. In 2022 it’ll be in-person only, in its normal location of the Raleigh Convention Center in Raleigh, North Carolina, USA.

 

ATO 2022 happens October 30-November 2 (yes, over Halloween, ugh). This is either soon after or contemporaneous with the release of 3.0.

 

Considering the size of the potential audience (thousands) and the diversity of the event (both in attendees and in topic tracks), it would be great if folks could propose some SPDX-related talks. For instance:

 

  • Steve could propose the talk he’s doing for OSPOcon in June
  • An intro talk about SPDX would be good for a large percent of the audience
  • A survey of tools for using and/or creating SPDX might be fun
  • A general talk about supply chain stuff & how SPDX can help would be timely
  • Why distros (Fedora, Yocto) are supporting SPDX and how you can help your fave distro do the same

 

The ATO CFP form allows for submitting 15 minute keynote slots this year! That would be a great place for Kate, Jilayne, or someone to talk about the impact of supply chain stuff and where SPDX 3.0 fits in!

 

Anyway, time’s running short. The CFP closes EOD tomorrow!

 

Here’s the link and more information: https://www.allthingsopen.org/call-for-papers-2022/

 

--V

'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'

Internal to Wipro


The OpenChain Industry Survey 2022 - SPDX Included

 

The OpenChain Industry Survey 2022 covers a big topic: the global status of corporate engagement and management of open source. Please help by completing the survey from your perspective before May 1st.

English:
https://forms.gle/9Jf9h1J6AwzFpMz89

Simplified Chinese:
https://wj.qq.com/s2/9935077/5841/

Japanese:
https://forms.gle/A2qdawgY9h7CWr3q8

(Thank you China and Japan work groups! :) )

We are considering open source from a “strategy” perspective rather than a “development” perspective. Our goal is to help inform project, product and supply chain decisions in the year ahead. This goes far beyond compliance, OSPO and any other single topic. However, we are explicitly unpacking industry engagement with SPDX.

This survey is licensed under CC-0 so feel free to take it as the basis for your own surveys in the future.


Special Presentation and SPDX Thurs General Meeting Reminder

Phil Odence
 

NOTE: I am a little behind and have not posted the minutes from the March meeting in GH. In advance of that, I have included that minutes in roughg form at the bottom of this email.

 

PRESENTATION: Please join us for this presentation to kick off the meeting. Yocto have been very supportive of SPDX and active in incorporating the technology.

 

SPDX in the Yocto Project – Joshua Watt

Abstract:

As Software Bills of Material (SBoMs) become more important in the software industry, the generation of high quality SBoMs from the beginning of the Software Supply Chain has also become more important. The Yocto Project is designed to build up software images from source, and such is a prime candidate to generate these SBoMs at the point where software packages are compiled and assembled into customer images. Joshua will talk about how the Yocto Project is able to do this, and some of the interesting quirks encountered when implementing this feature.

 

Joshua Watt is a Software Engineer for Garmin, where he has been working for the past 13 years. He has been a developer with OpenEmebedded and the Yocto Project for the past 7 years, and is a member of the OpenEmbedded Technical Steering Committee.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, April 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-02-03.md

 

Special Presentation 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian

 

 

 

 

# SPDX General Meeting Minutes - March 3, 2022

 

 

## Administrative

- Attendance: 

Phil Odence, Black Duck Audits/Synopsys

* Patrick Reilly

* Sebastian Crane

* Bob Martin

* Joshua Dubin, Verizon

* Steve Winslow

* Brad Goldring, GTC Law Group

* Joshua Marpet

* Joshua Watt

* Jon Geater, Jitsuin (presenter)

* Alex Rybak

* Jeff Schutt

* Kate Stewart, Linux Foundation

* Maximillian Huber 

* Mark Atwood, Amazon.com

* Philippe-Emmanuel Douziech, CAST GmbH / CISQ

* David Edelsohn

* Paul Madick

* Jilayne Lovejoy, Red Hat

* Ria Schalnat

* Molly Menomi

* Robert Boyd

 

 

- Lead by Phil Odence

- Minutes from last meeting approved.

 

## How RKVST Uses SPDX for Software Transparency by Jon Geater, CTO Jitsuin

### Jitsuin, RVST, Digital Twin Consortium

### The Problem

#### Cyber physical systems- Data is the new oil. Big Opportunity...but requires trusting data

#### Trust can be difficult because everyone is in a supply chain, crossing org boundaries

### Solution approach: Shared asset history w/evidence

#### Including BOM

##### Software and hardware combination (depending on industy)

##### SBOM- super crutial first step

#### Common understanding takes out human time-consuming steps

#### Anyone in the chain should be able to make their own risk assessment

##### Trust is not the same as security

##### Things change/are dynamic...and with software that's frequent

##### So systems need to be able to handle quickly, in real time

### Conclusions

#### What's needed is resilient operation of dynamic systems

#### Important first step is what's in the box

#### ...then vulernablities and what do to about them

#### interoperatiblity of standard formats

### Q&A

 

 

 

## Tech Team Report - Gary/Kate/Thomas

### Spec

#### Defects

Meetings have started up,  join the mailing list for details.

#### Core 3.0

Kate / William - have been making good progress on punch list

#### 2.3 Release

* will be adding in some fields that people have been asking for interoperability with CycloneDX community

* license namespaces - Mark Atwood and Steve Winslow to sync

* SPDX Lite - add Package Supplier to match NTIA minimum definition for SPDX Lite profile

 

 

### Tools

#### GSOC

* Submission in,  project ideas still welcome.

 

 

## Legal Team Report - Jilayne/Paul/Steve

* 3.16 released at beginning of February; continuing with issues / PRs for 3.17

change in meeting cadence - moved to 2nd / 4th Thursday of every month, Steve to update downloadable invites on website

## Outreach Team Report -  Sebastian

* Updates to landscape in process

* FOSDEM talk from Sebastian - recording not yet on FOSDEM website 

  * highlighting key aspects of effective, high-quality SBOMs

  * will be available at https://fosdem.org/2022/schedule/event/security_sbom/ once it's posted

* March 20 - LibrePlanet talk - package management

  * https://libreplanet.org/2022/speakers/#5830

* OpenSSF interest in vulnerabilities website

* Kate and Jack - updates to website

 

 


Re: SPDX Company Membership

Phil Odence
 

Brian,

 

We will send an email to Primary Contacts from member companies who have signed up by tomorrow. There will be instructions, but essentially we’ll need to hear from the primary contact who the nominee is and then the nominiee will need to fill out an online form.

 

Phil

 

From: spdx@... <spdx@...> on behalf of Brian Fox <brianf@...>
Date: Thursday, March 31, 2022 at 1:16 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Company Membership

Once signing up, how are nominations made?

 

On Tue, Mar 29, 2022 at 10:17 PM Steve Winslow <swinslow@...> wrote:

Hello SPDX community,

 

Just wanted to send a reminder from Phil's original email announcing the SPDX project membership process -- see his email below.

 

As mentioned previously, companies / organizations that become a member of SPDX prior to April 1 (before this coming Friday) will be able to nominate an individual from their organization for consideration for the initial Member Representative seats on the SPDX Steering Committee. On or shortly after April 1, we will send out details about the nomination process to all member companies as of that date, so that nominations can be submitted and the 1 or 2 Member Representatives chosen by the Steering Committee before their annual term begins on May 1.

 

If you'd like for your company to nominate someone for consideration for the initial Member Representatives, please make sure that your company signs up as a member of SPDX on or before this Thursday, March 31. Please note that just being listed as an "SPDX Supporter" on https://spdx.dev is not itself the same as becoming a member of the project; you'll need to sign up as a member using the process Phil described below.

 

(Of course, membership will still be open after that date, and future members could participate in nominations for future years' Member Representatives.)

 

Best,

Steve

 

On Thu, Dec 2, 2021 at 3:03 PM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

Dear SPDX community,

 

With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.

 

We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.

 

As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.

 

Membership Benefits

 

Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.

 

Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection

 

Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.

 

Signing up

 

Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.

 

In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.

 

(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)

 

Please let us know if you or your organization have any questions about becoming a member of SPDX.

 

SPDX Steering Committee

Phil, Kate, Gary, Jilayne, Steve, Paul and Jack

 

 


Re: SPDX Company Membership

Steve Winslow
 

Hi Brian,

Since the cutoff date is EOD day, sometime in the next few days / next week we'll send an email with nomination instructions to the primary contacts from each of the members who have signed up by then. We may need a bit of time to work with the LF to collect the contact details from the signups, but we'll circulate the next steps to the members shortly thereafter.

Best,
Steve

On Thu, Mar 31, 2022 at 1:16 PM Brian Fox <brianf@...> wrote:
Once signing up, how are nominations made?

On Tue, Mar 29, 2022 at 10:17 PM Steve Winslow <swinslow@...> wrote:
Hello SPDX community,

Just wanted to send a reminder from Phil's original email announcing the SPDX project membership process -- see his email below.

As mentioned previously, companies / organizations that become a member of SPDX prior to April 1 (before this coming Friday) will be able to nominate an individual from their organization for consideration for the initial Member Representative seats on the SPDX Steering Committee. On or shortly after April 1, we will send out details about the nomination process to all member companies as of that date, so that nominations can be submitted and the 1 or 2 Member Representatives chosen by the Steering Committee before their annual term begins on May 1.

If you'd like for your company to nominate someone for consideration for the initial Member Representatives, please make sure that your company signs up as a member of SPDX on or before this Thursday, March 31. Please note that just being listed as an "SPDX Supporter" on https://spdx.dev is not itself the same as becoming a member of the project; you'll need to sign up as a member using the process Phil described below.

(Of course, membership will still be open after that date, and future members could participate in nominations for future years' Member Representatives.)

Best,
Steve

On Thu, Dec 2, 2021 at 3:03 PM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

Dear SPDX community,

 

With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.

 

We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.

 

As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.

 

Membership Benefits

 

Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.

 

Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection

 

Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.

 

Signing up

 

Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.

 

In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.

 

(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)

 

Please let us know if you or your organization have any questions about becoming a member of SPDX.

 

SPDX Steering Committee

Phil, Kate, Gary, Jilayne, Steve, Paul and Jack

 

 


Re: SPDX Company Membership

Brian Fox
 

Once signing up, how are nominations made?


On Tue, Mar 29, 2022 at 10:17 PM Steve Winslow <swinslow@...> wrote:
Hello SPDX community,

Just wanted to send a reminder from Phil's original email announcing the SPDX project membership process -- see his email below.

As mentioned previously, companies / organizations that become a member of SPDX prior to April 1 (before this coming Friday) will be able to nominate an individual from their organization for consideration for the initial Member Representative seats on the SPDX Steering Committee. On or shortly after April 1, we will send out details about the nomination process to all member companies as of that date, so that nominations can be submitted and the 1 or 2 Member Representatives chosen by the Steering Committee before their annual term begins on May 1.

If you'd like for your company to nominate someone for consideration for the initial Member Representatives, please make sure that your company signs up as a member of SPDX on or before this Thursday, March 31. Please note that just being listed as an "SPDX Supporter" on https://spdx.dev is not itself the same as becoming a member of the project; you'll need to sign up as a member using the process Phil described below.

(Of course, membership will still be open after that date, and future members could participate in nominations for future years' Member Representatives.)

Best,
Steve

On Thu, Dec 2, 2021 at 3:03 PM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

Dear SPDX community,

 

With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.

 

We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.

 

As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.

 

Membership Benefits

 

Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.

 

Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection

 

Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.

 

Signing up

 

Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.

 

In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.

 

(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)

 

Please let us know if you or your organization have any questions about becoming a member of SPDX.

 

SPDX Steering Committee

Phil, Kate, Gary, Jilayne, Steve, Paul and Jack

 

 


Re: SPDX Company Membership

Steve Winslow
 

Hello SPDX community,

Just wanted to send a reminder from Phil's original email announcing the SPDX project membership process -- see his email below.

As mentioned previously, companies / organizations that become a member of SPDX prior to April 1 (before this coming Friday) will be able to nominate an individual from their organization for consideration for the initial Member Representative seats on the SPDX Steering Committee. On or shortly after April 1, we will send out details about the nomination process to all member companies as of that date, so that nominations can be submitted and the 1 or 2 Member Representatives chosen by the Steering Committee before their annual term begins on May 1.

If you'd like for your company to nominate someone for consideration for the initial Member Representatives, please make sure that your company signs up as a member of SPDX on or before this Thursday, March 31. Please note that just being listed as an "SPDX Supporter" on https://spdx.dev is not itself the same as becoming a member of the project; you'll need to sign up as a member using the process Phil described below.

(Of course, membership will still be open after that date, and future members could participate in nominations for future years' Member Representatives.)

Best,
Steve

On Thu, Dec 2, 2021 at 3:03 PM Phil Odence via lists.spdx.org <phil.odence=synopsys.com@...> wrote:

Dear SPDX community,

 

With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.

 

We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.

 

As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.

 

Membership Benefits

 

Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.

 

Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection

 

Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.

 

Signing up

 

Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.

 

In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.

 

(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)

 

Please let us know if you or your organization have any questions about becoming a member of SPDX.

 

SPDX Steering Committee

Phil, Kate, Gary, Jilayne, Steve, Paul and Jack

 

 


Special Presentation and SPDX Thurs General Meeting Reminder

Phil Odence
 

REMINDER: Encourage your LF member company to join SPDX https://enrollment.lfx.linuxfoundation.org/?project=spdx . Companies that join by April 1 may nominate a candidate for Steering Committee this year.

 

PRESENTATION: Please join us for a very interesting presentation to kick off the meeting.

 

How RKVST Uses SPDX for Software Transparency by Jon Geater, CTO Jitsuin

Abstract:

One crucial aspect to deriving Trust in connected systems is software transparency, and SBOM (AKA “what’s in the box?”) is a crucial part of this, so SPDX is a very interesting place for Jon and RKVST to engage. We’ll be briefly exploring the deeper requirements of software transparency for context and look forward to a discussion on how best to apply and assist the SPDX community in meeting these.

Jon:

Jon Geater is chair of the Security and Trustworthiness Working Group in the Digital Twin Consortium and lead author of the Security Maturity Model for Digital Twins in the Industry Internet Consortium. In both of these forums, and with his company’s SaaS platform RKVST, he works to press forward the state of the art in Dynamic Resilience: a practical approach to security and safety in today’s fast-changing, highly connected world based on contextual decision-making and Zero Trust principles. As a co-founder of OASIS KMIP, former governing board member of Linux Foundation’s Hyperledger project, and former board member and chair of the Security Task Force at GlobalPlatform, Jon has a strong and dedicated commitment to open standards in cyber security.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Mar3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-02-03.md

 

Special Presentation – SteveH

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack 

 


SPDX Feb General Meeting MInutes

Phil Odence
 

https://github.com/spdx/meetings/blob/master/general/2022-02-03.md

 

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_762280638   signature_1149972784   signature_1518328037   signature_338408634

 

 

SPDX General Meeting Minutes - Feb 3, 2022

Administrative

  • Attendance: 33
  • Lead by Phil Odence
  • Minutes from last meeting approved

Steve Hendrick w/report on SBOM readiness

  • Press release about the report
  • Report itself
  • Showing a selected set of slides from the report
  • In all his years as an industry analyst, he never heard of SBOMs. Now though, it's about to become a massive market.
  • Was careful to not be too LF biased by surveying a broad end user community.
  • Anticipate a 60+ percent growth of orgs using SBOMs…if the tooling exists to support that growth. He hasn't yet looked at the tools that are out there.
  • Not a lot of visibility for this from the vendors & tooling providers. Analysts also haven't yet done a market forecast for this, either.
  • Discussion on formats that wasn't included in the report. Won't summarise here as it's not really public.

Tech Team Report - Gary/Kate/Thomas

Spec

Defects

  • Thomas sent out Doodle poll to figure out date for next team call
  • Multiple options on how to include vulnerabilities: include, separate, and link
  • Working on one document

Core 3.0

  • Good progress on building concensus on when to use properties or relationships (packages containing files for example). Follow along in spdx-3.0-model repo.

2.3 Release

  • Follow up from Docfest on some clarifications that emerged from comparisons.
  • Anything that we need to help people adopt SPDX for presidential order. Dick points out CMC issued an RFI that incorporates SBOM: https://sam.gov/opp/fe53a2be20094034b178e260f29cd0ad/view
  • For licensing-related fields that are currently mandatory but can have noassertion, looking at permitting them to be made as optional for 2.3, presuming NOASSERTION if field is omitted.

Tools

DocFest (Rose)

  • Held on 1/27, 24 attendee, identified - 6 topics - made it through all 6
  • Thanks to analysis team for helping to understand the differences!

GSOC

  • GSOC Summer of Code - Alexios will be lead.
  • Please feel free to contribute

Tooling Release

Legal Team Report - Jilayne/Paul/Steve

License List

  • Will release 3.16 this weekend.
  • Good discussion on Fedora use of identifiers, and use between communities.
    • Historically added about 80 licenses to license list in 2014, based on Fedora's own list of licenses
    • Similar to discussion previously with Warner about use in FreeBSD
    • Will provide updates to General team on Fedora and FreeBSD as it proceeds

Outreach Team Report - Sebastian

  • (getting update from email)

Attendees

  • VM Brasseur
  • Brad Goldring, GTC Law Group
  • Christina Chen
  • Thomas Steenbergen
  • Steve Hendrick
  • Jilayne Lovejoy
  • Dick Brooks
  • Kate Stewart
  • Alex Rybak
  • Alexios Zavras
  • Gary O'Neall
  • Christine Chen
  • David Edelsohn
  • Edgar
  • Jacob Wilson
  • Jesse Porter, Qualcomm
  • Karan Marjara
  • Lena Smart
  • Marc Etienne Vargenau
  • Matthew Neal Miller, Red Hat Product Security
  • Michael Herzog
  • Paul Madick
  • Pete Allor, Red Hat Product Security
  • Phil Odence
  • Steve Winslow
  • William Cox
  • Andrew Jorgensen
  • Alfredo Espinosa
  • Rose Judge
  • Ria Schalnat
  • Joe Bussell
  • Joshua Dubin
  • Michael Herzog

 


Special Presentation and SPDX Thurs General Meeting Reminder

Phil Odence
 

Please join us for a very interesting presentation to kick off the meeting:

 

Preview of LF Study on SBOM Readiness by Steve Hendrick

Abstract:

The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness, produced in partnership with SPDX, OpenChain, and OpenSSF, reports on the extent of organizational SBOM readiness and adoption and its significance to improving cybersecurity throughout the open source ecosystem. The study comes on the heels of the US Administration’s Executive Order on Improving the Nation’s Cybersecurity, and the disclosure of the most recent and far-reaching log4j security vulnerability. Its timing coincides with increasing recognition across the globe of the importance of identifying software components and helping accelerate widespread implementation of cybersecurity best practices to mitigate the impact of software vulnerabilities. 

Steve:

Steve Hendrick, who authored the SBOM readiness report, is a Vice President of research for the Linux Foundation and well traveled in application development and deployment software.  Prior to his current role at the Linux Foundation, Steve spent 30 years as an industry analyst working for IDC, ESG, and EMA driving application development and deployment research. Steve has authored over 1,000 research reports and served as primary investigator on over 100 surveys.

 

GENERAL MEETING

 

Meeting Time: Thurs, Feb3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers:
 https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio:
 https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-01-06.md

 

Special Presentation – SteveH

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack 

 


Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

Dick Brooks
 

Thanks, Rose – much appreciate the quick response and for all that you do for the SPDX community.

 

Looking forward to participating in the DocFest.

 

Cheers and best regards,

 

Dick Brooks

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Rose Judge <rjudge@...>
Sent: Wednesday, January 12, 2022 11:51 AM
To: dick@...; spdx@...
Subject: Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

 

Hi Dick,

 

Instructions to participate with target sets/objects will be mailed out on Monday. We are finalizing the targets as we speak.  

 

Thanks for your interest and patience. Excited to have you as part of this event!

 

-Rose

From: Dick Brooks <dick@...>
Organization: Reliable Energy Analytics LLC
Reply-To: "dick@..." <dick@...>
Date: Wednesday, January 12, 2022 at 8:48 AM
To: Rose Judge <rjudge@...>, "Spdx-tech@..." <Spdx-tech@...>, "spdx@..." <spdx@...>
Subject: RE: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

 

Rose,

 

Where can I find the target set objects to create/submit an SPDX SBOM?

 

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Rose Judge
Sent: Wednesday, January 12, 2022 11:39 AM
To: Spdx-tech@...; spdx@...
Subject: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

 

Hello SPDX community,

 

SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts. 


Specifically, the goals of this 
DocFest are to:
1) come to agreement on how the fields should be populated for a given artifact
2) identify instances where different use cases might lead to different choices for fields and structures of documents
3) assess how well the NTIA SBOM minimum elements are covered
4) create a set of reference SPDX SBOMs as part of the corpus for further tooling evaluation.

This event will require "sweat equity" – participants who can produce SPDX documents are expected to have generated at least one SPDX document from the target set (either source, built from source, built image or container equivalent). Participants who consume SPDX documents are expected to run at least two SPDX documents through their tooling and share any analysis results. Those who have signed up and have submitted files by January 21, 2022 will receive a meeting invite to the 
DocFest.

To indicate interest to participate, please fill in the following form:

https://forms.gle/Mq7ReinTY6gDL4cs9


Further details on how to participate will be mailed to those that have filled in the form. 

Thanks,
DocFest Organizers  (Rose, Gary, Kate)

 


Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

Rose Judge
 

Hi Dick,

 

Instructions to participate with target sets/objects will be mailed out on Monday. We are finalizing the targets as we speak.  

 

Thanks for your interest and patience. Excited to have you as part of this event!

 

-Rose

From: Dick Brooks <dick@...>
Organization: Reliable Energy Analytics LLC
Reply-To: "dick@..." <dick@...>
Date: Wednesday, January 12, 2022 at 8:48 AM
To: Rose Judge <rjudge@...>, "Spdx-tech@..." <Spdx-tech@...>, "spdx@..." <spdx@...>
Subject: RE: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

 

Rose,

 

Where can I find the target set objects to create/submit an SPDX SBOM?

 

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Rose Judge
Sent: Wednesday, January 12, 2022 11:39 AM
To: Spdx-tech@...; spdx@...
Subject: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

 

Hello SPDX community,

 

SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts. 


Specifically, the goals of this 
DocFest are to:
1) come to agreement on how the fields should be populated for a given artifact
2) identify instances where different use cases might lead to different choices for fields and structures of documents
3) assess how well the NTIA SBOM minimum elements are covered
4) create a set of reference SPDX SBOMs as part of the corpus for further tooling evaluation.

This event will require "sweat equity" – participants who can produce SPDX documents are expected to have generated at least one SPDX document from the target set (either source, built from source, built image or container equivalent). Participants who consume SPDX documents are expected to run at least two SPDX documents through their tooling and share any analysis results. Those who have signed up and have submitted files by January 21, 2022 will receive a meeting invite to the 
DocFest.

To indicate interest to participate, please fill in the following form:

https://forms.gle/Mq7ReinTY6gDL4cs9


Further details on how to participate will be mailed to those that have filled in the form. 

Thanks,
DocFest Organizers  (Rose, Gary, Kate)

 


Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

Dick Brooks
 

Rose,

 

Where can I find the target set objects to create/submit an SPDX SBOM?

 

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Rose Judge
Sent: Wednesday, January 12, 2022 11:39 AM
To: Spdx-tech@...; spdx@...
Subject: [spdx-tech] Registration open for SPDX DocFest on Jan 27th

 

Hello SPDX community,

 

SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts. 


Specifically, the goals of this 
DocFest are to:
1) come to agreement on how the fields should be populated for a given artifact
2) identify instances where different use cases might lead to different choices for fields and structures of documents
3) assess how well the NTIA SBOM minimum elements are covered
4) create a set of reference SPDX SBOMs as part of the corpus for further tooling evaluation.

This event will require "sweat equity" – participants who can produce SPDX documents are expected to have generated at least one SPDX document from the target set (either source, built from source, built image or container equivalent). Participants who consume SPDX documents are expected to run at least two SPDX documents through their tooling and share any analysis results. Those who have signed up and have submitted files by January 21, 2022 will receive a meeting invite to the 
DocFest.

To indicate interest to participate, please fill in the following form:

https://forms.gle/Mq7ReinTY6gDL4cs9


Further details on how to participate will be mailed to those that have filled in the form. 

Thanks,
DocFest Organizers  (Rose, Gary, Kate)

 


Registration open for SPDX DocFest on Jan 27th

Rose Judge
 

Hello SPDX community,

 

SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts. 


Specifically, the goals of this 
DocFest are to:
1) come to agreement on how the fields should be populated for a given artifact
2) identify instances where different use cases might lead to different choices for fields and structures of documents
3) assess how well the NTIA SBOM minimum elements are covered
4) create a set of reference SPDX SBOMs as part of the corpus for further tooling evaluation.

This event will require "sweat equity" – participants who can produce SPDX documents are expected to have generated at least one SPDX document from the target set (either source, built from source, built image or container equivalent). Participants who consume SPDX documents are expected to run at least two SPDX documents through their tooling and share any analysis results. Those who have signed up and have submitted files by January 21, 2022 will receive a meeting invite to the 
DocFest.

To indicate interest to participate, please fill in the following form:

https://forms.gle/Mq7ReinTY6gDL4cs9


Further details on how to participate will be mailed to those that have filled in the form. 

Thanks,
DocFest Organizers  (Rose, Gary, Kate)

 


Re: Archive the https://github.com/spdx/license-list repository

Sebastian Schuberth
 

Thanks Gary.

--
Sebastian Schuberth

On Sun, Jan 9, 2022 at 11:02 PM Gary O'Neall <gary@...> wrote:

Hi Sebastian and SPDX community,

I just archived the license-list repo per your suggestion. If there are any concerns, let me know. We can always unarchive the repository.

I also archived and updated the README on the following repos. If anyone has any objections or concerns, please let me know.

- ATTIC-tools-go - already indicated as superseded by tools-golang
- spdx-github - Utility has not been updated in several years and does not support the latest versions of the spec
- licensegenplugin - Utility not planned to be used and is no longer supported
- ATTIC-airs - Already indicated as no longer being maintained
- ATTIC-osit - Already indicated as no longer being maintained

Regards,
Gary

-----Original Message-----
From: spdx@... <spdx@...> On Behalf Of Sebastian
Schuberth
Sent: Sunday, January 9, 2022 6:38 AM
To: spdx@...
Subject: [spdx] Archive the https://github.com/spdx/license-list repository

Hi all,

while the README at [1] documents the
https://github.com/spdx/license-list repo to be archived, it's not "archived" in
the GitHub sense, as available in the settings at
https://github.com/spdx/license-list/settings. Any objections doing that to
make it more clear that the repo is archived?

[1] https://github.com/spdx/license-list#readme

--
Sebastian Schuberth







81 - 100 of 1590