SPDX Thurs General Meeting Reminder
Phil Odence
EMEA folks- US had not changed clocks yet, so the meeting time at 11EDT is an hour off from normal for you.
We will have a special presentation from Thomas Steenbergen about how we have been evolving SPDX to support use cases for security vulnerabilities. This is an especially timely topic as much of the SBOM buzz is around this use case. We’ve made good progress with SPDX 2.3 and more progress is planned for 3.0.
GENERAL MEETING
Meeting Time: Thurs, Nov 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda
Attendance
Minutes Approval: At the bottom of this email
Presentation - Thomas
Steering Committee Update - Phil
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian/Alexios
Re: Unicode
Nathan Willis
With the colossal caveat that I am only a **consumer of** Unicode's deliverables, I could speak briefly to the concern at point #3:
This is certainly inconvenient, but the Unicode site does host quite a few items with practical application which aren't under the "DATA FILES" and "SOFTWARE" hierarchies spelled out in "B" of the TOU. Namely, there is the whole "Unicode® Technical Site" at the entry point https://unicode.org/main.html ... which is different from the "Unicode site" at the entry point https://home.unicode.org/

Some of that "Technical Site" material covers projects and committees; there are also older documents, proposals, some data tables, things called "annexes" that I'm never 100% sure I understand the status of, and so on. My guess would be that there is a lot of legacy material from the organization's history that simply doesn't have a clear-cut, select-a-license-from-the-dropdown option. Fortunately, a lot of that material is mostly needed as references, but I can certainly see how occasions would arise where quoting from it is necessary to squash a bug. I've had people attach screenshots from really old Unicode docs in discussion threads.

So I wouldn't attempt to weigh in on the other issues (certainly keeping the text up-to-date sounds vital), but merely dropping the license from SPDX would likely affect (a few) projects downstream.

Nate
Unicode
Dear all,
I'm wondering why https://spdx.org/licenses/Unicode-TOU.html is (still) part of the license list. Could it be deprecated?

1. First of all, the current text of the "Unicode® Copyright and Terms of Use" is quite different from the text which is referenced at https://spdx.org/licenses/Unicode-TOU.html (SPDX License Diff is very helpful to show the differences - thanks again to Alan Tse).

2. Sec. C.3 of the current version refers to the "Unicode Data Files and Software License": "Further specifications of rights and restrictions pertaining to the use of the Unicode DATA FILES and SOFTWARE can be found in the Unicode Data Files and Software License." The "Unicode Data Files and Software License" (https://www.unicode.org/license.txt) is similar but not identical to "https://spdx.org/licenses/Unicode-DFS-2016.html".

3. To me it seems that the "Unicode® Copyright and Terms of Use" are more or less ToU for a website and all redistributables are under "Unicode-DFS".

4. Unicode modifies the "year" within the copyright notice from year to year. The "Unicode Data Files and Software License" provides as follows: "this copyright and permission notice appear with all copies of the Data Files or Software" Would this require to identify in which year the data and/or software was copied from the Unicode website to use the license text with the correct year? Would it be sufficient to use the most recent version of the license text? Should this be reflected in the SPDX identifier?

Is there anybody with more background information who can give some assistance?

Best regards,
Till
IMPORTANT REMINDER: Telco Work Group meeting today - Telco SBOM Spec in Drafting
Dear all
The OpenChain Telco Work Group has a meeting today at 17:00 CEST (15:00 UTC). This meeting will be of special interest to anyone working on matters related to SBOMs, as the work group is currently drafting a telco spec related to this topic: https://github.com/OpenChain-Project/telco/blob/main/OpenChain%20Telco%20SBOM%20Specification.md

Absent other pressing agenda items, the call today will focus on collecting feedback for this specification via issues submitted live on the call (by the chair) or offline (by you directly).

Join us: https://zoom.us/j/4377592799

Regards
Shane

—
Shane Coughlan
General Manager, OpenChain
e: scoughlan@...
p: +81 (0) 80 4035 8083
w: www.linuxfoundation.org
Schedule a call: https://meetings.hubspot.com/scoughlan
SPDX Thurs General Meeting Reminder
Phil Odence
This month’s presentation will be one of the ever popular reports on a Google Summer of Code project:
Project Title: NTIA Conformance Checker – Josh Lin
Project Abstract: This project implemented an NTIA Conformance Checker that checks whether a software bill of materials (SBOM) in SPDX format conforms to the NTIA’s Minimum elements guidance.
Project Overview: The minimum constituent parts of an overall Software Bill of Material (SBOM) – referred to as NTIA’s minimum elements – are three broad, interrelated areas (Data Fields, Automation Support, and Practices and Processes). These elements will enable an evolving approach to software transparency, capturing both the technology and the functional operation. The purpose of this project is to check if an SBOM document contains the minimum required data fields such as the supplier name, component name, component version, unique identifiers, dependency relationships, author of the SBOM, and timestamps.
About Josh: I am a 2nd year computer science student at the University of British Columbia and I am currently on a co-op term. I participated in Google Summer of Code 2022 as an open source contributor and it was through this program that I built the NTIA Conformance Checker under the guidance of my mentors Jeff, Nisha, Gary, and Kate.
GENERAL MEETING
Meeting Time: Thurs, Oct 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda
Attendance
Minutes Approval: https://github.com/spdx/meetings/blob/main/general/2022-09-01.md
Steering Committee Update – Phil
GSOC Presentation – Josh Lin
Technical Team Report – Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Sebastian/Alexios
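The check the project abstract above describes, as an added example written for this page in Python; it is not Josh's NTIA Conformance Checker and not SPDX project code. It runs over a constructed SPDX 2.3 JSON document embedded below (the document, its package names and the example.invalid URLs are made up). The mapping of NTIA's minimum elements onto SPDX fields is this example's own reading of the guidance: "author" means at least one Person: or Organization: creator rather than a Tool: entry alone, "unique identifier" means the package SPDXID, and "dependency relationships" means every package takes part in at least one relationship.

```python
import json
import re
import sys

# Constructed sample (hand-written for this example): a small SPDX 2.3 JSON document.
# "libbar" is deliberately incomplete so the checker has something to report.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-app-1.0",
    "creationInfo": {
        "created": "2022-10-03T15:00:00Z",
        "creators": ["Tool: example-generator-0.1", "Organization: Example Corp"],
    },
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Corp", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo", "versionInfo": "2.4.1",
         "supplier": "Organization: Foo Project", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libfoo@2.4.1"}]},
        {"SPDXID": "SPDXRef-Package-libbar", "name": "libbar", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-app",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Package-app", "relatedSpdxElement": "SPDXRef-Package-libfoo",
         "relationshipType": "DEPENDS_ON"},
    ],
}

# SPDX 2.x requires creationInfo.created in exactly this ISO 8601 UTC form.
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def check_ntia_minimum_elements(doc):
    """Return (element, detail) findings for each NTIA minimum data field that is missing.

    An empty list means the document carries every minimum element. The mapping from
    NTIA's element names to SPDX fields is this example's own reading of the guidance.
    """
    findings = []
    creation = doc.get("creationInfo") or {}

    # Author of the SBOM: a Tool: creator alone does not identify who is responsible.
    creators = creation.get("creators") or []
    if not any(c.startswith(("Person:", "Organization:")) for c in creators):
        findings.append(("author", "creationInfo.creators has no Person: or Organization: entry"))

    # Timestamp.
    if not ISO_UTC.match(creation.get("created") or ""):
        findings.append(("timestamp", "creationInfo.created is missing or not ISO 8601 UTC"))

    # Every element ID that takes part in any relationship (DESCRIBES, DEPENDS_ON, ...).
    related = set()
    for rel in doc.get("relationships") or []:
        related.add(rel.get("spdxElementId"))
        related.add(rel.get("relatedSpdxElement"))

    for pkg in doc.get("packages") or []:
        label = pkg.get("name") or pkg.get("SPDXID") or "<unnamed package>"
        if not pkg.get("name"):
            findings.append(("component name", f"package {label} has no name"))
        if not pkg.get("versionInfo"):
            findings.append(("component version", f"package {label} has no versionInfo"))
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            findings.append(("supplier name", f"package {label} has no supplier"))
        spdx_id = pkg.get("SPDXID")
        if not spdx_id:
            findings.append(("unique identifier", f"package {label} has no SPDXID"))
        elif spdx_id not in related:
            # A package nobody DESCRIBES or DEPENDS_ON is unreachable in the dependency graph.
            findings.append(("dependency relationships",
                             f"package {label} appears in no relationship"))
    return findings


def conforms(doc):
    """True when the document has no missing minimum elements."""
    return not check_ntia_minimum_elements(doc)


def check_file(path):
    """Load an SPDX JSON file from disk and return its findings."""
    with open(path, "rb") as fh:
        return check_ntia_minimum_elements(json.load(fh))


if __name__ == "__main__":
    result = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_ntia_minimum_elements(SAMPLE_SPDX)
    for element, detail in result:
        print(f"MISSING {element}: {detail}")
    sys.exit(1 if result else 0)
```

Run with a file path to check a real document, or with no arguments to see the three findings against the embedded sample (libbar has no version, no supplier, and no relationship tying it into the graph). The check is deliberately presence-based: it does not validate that a supplier string is meaningful or that a purl resolves, which is the kind of judgement the minimum-elements guidance leaves to the consumer.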
General release of SAG-PM Version 1.2 with support for SPDX Version 2.3
REA is pleased to announce the general availability of SAG-PM Version 1.2 with support for SPDX V 2.3 and CycloneDX V 1.4. This release satisfies the requirements outlined in OMB memo M-22-18 published on September 14.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Dick Brooks
Sent: Wednesday, September 14, 2022 5:13 PM
To: 'SPDX Technical Mailing List' <spdx-tech@...>
Subject: [spdx-tech] FYI: New White House Memo issued today outlining SBOM implementation guidance for Executive Order 14028
Parties interested in actual SBOM implementation guidance should refer to this White House Memo, issued September 14, 2022: https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
New Change Proposal process
J Lovejoy
Dear SPDX community,

As mentioned on a couple of the general calls some time ago, the Steering Committee has been working on a Change Proposal template and process to facilitate communication, prioritization, and decision-making as to what major changes the project will work on. As the community has grown, we want to ensure we have a way to discuss new ideas in a timely manner, decide on what will get implemented, and then follow-through on that plan. Many projects use a template for describing new ideas and proposals, which ensures everyone is clear on what is being proposed, why, and how it fits into the bigger picture.

To this end a new GitHub repo has been created (https://github.com/spdx/change-proposal) with a description of the process and a Change Proposal template. Having a separate repo will provide a place for new ideas to start and make it easier to manage notifications. The intention is that this process will be used for more significant changes - not day-to-day activities or things already in flight. As to what changes use this process or not, we will refine guidance on that as needed.

We also thought it’d be good for a Steering Committee member to lead by example and submit the first Change Proposal. To that end, Alexios has volunteered to do so!

Thanks to Vicky Brasseur and Ria Schalnat for their excellent help in drafting this and the Steering Committee for bringing it to fruition.

Jilayne (on behalf of SPDX Steering Committee)
SPDX Thurs (today) General Meeting Reminder
Phil Odence
It’s September! Apologies for the late reminder. I just never hit send yesterday.
Note that the minutes from the August meeting are at the bottom of this email.
This month, there will be no special presentation per se, however the Steering Committee update will be extended and will include Jilayne presenting a new process to facilitate expedient decision making around new ideas that have cross team impact or would represent a big change for the overall project.
Phil
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
GENERAL MEETING
Meeting Time: Thurs, Sept 1, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda
Attendance
Minutes Approval: At the bottom of this email
Steering Committee Update - Phil
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian/Alexios
SPDX General Meeting Minutes - Aug 4, 2022
Administrative
Attendance: 29
Special Presentation, Matthew Crawford
Tech Team Report - Gary/Kate/WilliamB
Spec
Legal Team Report - Jilayne/Paul/Steve
Outreach Team Report - Sebastian / Jack / Alexios
Attendees
Re: SPDX Merging
#spdx
Hi,
Just made the sbom-composer tool public. It’s been only run with sboms that I generated, so would be very happy to hear your feedback and do any following updates if necessary.
Joe, it does the merge based on these guidelines. As an example these two sboms result in this composed.spdx. Shortly, it just appends the data without the document creation information, allows the latter to be configurable and updates the references. Would be happy to hear your feedback if any.
Best, Ivana
--- Ivana Atanasova Open Source Engineer VMware Open Source Program Office
From: spdx@... <spdx@...> on behalf of Joe Bussell via lists.spdx.org <joe.bussell=microsoft.com@...>
Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?
From: spdx@... <spdx@...>
On Behalf Of Gary O'Neall via lists.spdx.org
Sent: Monday, August 8, 2022 10:07 AM
To: spdx@...
Subject: [EXTERNAL] Re: [spdx] SPDX Merging #spdx
I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any java programmers out there who would like to volunteer a solution is welcome to create a pull request.
Regards, Gary
Hi All,
Re: SPDX Merging
#spdx
Joe Bussell
Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain?
From: spdx@... <spdx@...> On Behalf Of
Gary O'Neall via lists.spdx.org
Sent: Monday, August 8, 2022 10:07 AM
To: spdx@...
Subject: [EXTERNAL] Re: [spdx] SPDX Merging #spdx
I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any java programmers out there who would like to volunteer a solution is welcome to create a pull request.
Regards, Gary
Hi All,
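Both approaches raised in this thread, the append-and-rewrite composition Ivana describes for sbom-composer (one new creationInfo, everything else appended, references updated) and the third document that refers back to its subordinates that Joe suggests, as an added Python example written for this page. It is not the sbom-composer tool's code and not SPDX project code. The two input documents, their namespaces and element IDs are constructed; the doc0/doc1 prefix scheme for rewritten IDs and the SHA256 checksum over a canonical JSON serialization are this example's own choices.

```python
import hashlib
import json

# Constructed inputs (hand-written for this example): two SPDX 2.3 JSON documents whose
# element IDs collide, since both use SPDXRef-Package-1.
DOC_A = {
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "app-sbom", "documentNamespace": "https://example.invalid/spdx/app-1.0",
    "creationInfo": {"created": "2022-08-01T10:00:00Z", "creators": ["Tool: generator-a"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "app", "versionInfo": "1.0", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-2", "name": "libfoo", "versionInfo": "2.4.1", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-1", "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Package-1", "relatedSpdxElement": "SPDXRef-Package-2", "relationshipType": "DEPENDS_ON"},
    ],
}
DOC_B = {
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "image-sbom", "documentNamespace": "https://example.invalid/spdx/base-image-3",
    "creationInfo": {"created": "2022-08-02T09:30:00Z", "creators": ["Tool: generator-b"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "base-image", "versionInfo": "3", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-1", "relationshipType": "DESCRIBES"},
    ],
}


def _new_document(name, namespace, creation_info):
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": name, "documentNamespace": namespace, "creationInfo": creation_info}


def _map_id(spdx_id, prefix):
    """Rewrite an element ID so IDs from different inputs cannot collide.

    SPDXRef-DOCUMENT is kept, so each input's DESCRIBES relationships now hang off the
    composed document; NONE/NOASSERTION and DocumentRef-prefixed external IDs pass through.
    """
    if spdx_id in ("SPDXRef-DOCUMENT", "NONE", "NOASSERTION") or ":" in spdx_id:
        return spdx_id
    if not spdx_id.startswith("SPDXRef-"):
        raise ValueError(f"not an SPDX element ID: {spdx_id}")
    return f"SPDXRef-{prefix}-{spdx_id[len('SPDXRef-'):]}"


def compose(docs, creation_info, name="composed-sbom",
            namespace="https://example.invalid/spdx/composed"):
    """Append the inputs' elements under one new creationInfo, rewriting IDs and relationships."""
    out = _new_document(name, namespace, creation_info)
    out.update({"packages": [], "files": [], "relationships": []})
    seen = set()
    for i, doc in enumerate(docs):
        prefix = f"doc{i}"
        for section in ("packages", "files"):  # snippets and extracted licences would need the same pass
            for element in doc.get(section, []):
                element = {**element, "SPDXID": _map_id(element["SPDXID"], prefix)}
                if element["SPDXID"] in seen:
                    raise ValueError(f"ID collision after rewrite: {element['SPDXID']}")
                seen.add(element["SPDXID"])
                out[section].append(element)
        for rel in doc.get("relationships", []):
            out["relationships"].append({**rel,
                                         "spdxElementId": _map_id(rel["spdxElementId"], prefix),
                                         "relatedSpdxElement": _map_id(rel["relatedSpdxElement"], prefix)})
    if not out["files"]:
        del out["files"]
    return out


def _sha256_of(doc):
    # Checksum over a canonical serialization; for files on disk, hash the stored bytes instead.
    return hashlib.sha256(json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def wrap(docs, creation_info, name="umbrella-sbom",
         namespace="https://example.invalid/spdx/umbrella"):
    """Leave the inputs untouched and emit a third document that references them.

    Each input becomes an externalDocumentRefs entry pinned by checksum, and whatever the
    input DESCRIBES is re-described here through the DocumentRef-x:SPDXRef-y form.
    """
    out = _new_document(name, namespace, creation_info)
    out.update({"externalDocumentRefs": [], "relationships": []})
    for i, doc in enumerate(docs):
        ref_id = f"DocumentRef-doc{i}"
        out["externalDocumentRefs"].append({
            "externalDocumentId": ref_id,
            "spdxDocument": doc["documentNamespace"],
            "checksum": {"algorithm": "SHA256", "checksumValue": _sha256_of(doc)},
        })
        for rel in doc.get("relationships", []):
            if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == "SPDXRef-DOCUMENT":
                out["relationships"].append({
                    "spdxElementId": "SPDXRef-DOCUMENT",
                    "relatedSpdxElement": f"{ref_id}:{rel['relatedSpdxElement']}",
                    "relationshipType": "DESCRIBES",
                })
    return out
```

The two functions trade different things away: compose() produces one self-contained document but discards the inputs' own creationInfo, so provenance of each piece survives only if the caller records it elsewhere; wrap() keeps each input's provenance and signature intact and pins it by checksum, at the cost of consumers having to fetch and resolve the subordinate documents themselves.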
Re: SPDX Merging
#spdx
Hi,
I’m currently working on a composer tool that supports merging. Shortly to be open-sourced.
Best, Ivana
--- Ivana Atanasova Open Source Engineer VMware Open Source Program Office
From: spdx@... <spdx@...> on behalf of Gary O'Neall via lists.spdx.org <gary=sourceauditor.com@...>
I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any java programmers out there who would like to volunteer a solution is welcome to create a pull request.
Regards, Gary
From: spdx@... <spdx@...>
On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 4:07 AM
To: spdx@...
Subject: [spdx] SPDX Merging #spdx
Hi All,
|
Re: SPDX Merging
#spdx
Gary O'Neall
I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any java programmers out there who would like to volunteer a solution is welcome to create a pull request.
Regards, Gary
From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 4:07 AM
To: spdx@...
Subject: [spdx] SPDX Merging #spdx
Hi All,
Re: SPDX Signing
#spdx
Brandon Lum
Cosign also has a format for doing this: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md (Different from the attestation i just sent)
Re: SPDX Signing
#spdx
Brandon Lum
I've been signing and uploading them with sigstore as an in-toto predicate, but not using the in-toto specified SPDX schema, instead pointing to a URI, since sigstore has a limit on attestation size and this (pointing to a URI) also allows one to defer authorization of the blob to a storage server and point to a collection of documents. Still in draft, but this is an approximation of what we're using:

    {
      "_type": "https://in-toto.io/Statement/v0.1",
      "predicateType": "http://google.com/sbom",
      "subject": [
        {
          "name": "binary-linux-amd64",
          "digest": {
            "sha256": "f2e59e0e82c6a1b2c18ceea1dcb739f680f50ad588759217fc564b6aa5234791"
          }
        }
      ],
      "predicate": {
        "sboms": [
          {
            "format": "SPDX",
            "digest": {
              "sha256": "02948ad50464ee57fe237b09054c45b1bff6c7d18729eea1eb740d89d9563209"
            },
            "uri": "https://github.com/lumjjb/sample-golang-prov/releases/download/v1.3/binary.spdx"
          }
        ],
        // BuildMetadata is optional, but is used for provenance verification in the event SLSA
        // provenance is not available. Specific to github actions workflow.
        "build-metadata": {
          "artifact-source-repo": "https://github.com/lumjjb/sample-golang-prov",
          "artifact-source-repo-commit": "c8cb5f292c77064aeabb488ea4f5e483a5073076",
          "attestation-generator-repo": "https://github.com/lumjjb/slsa-github-generator-go",
          "attestation-generator-repo-commit": "6948f4c67f6bca55657fe1fb3630b55b1714ef2d"
        }
      }
    }

On Mon, Aug 8, 2022 at 7:51 AM Steve Kilbane <stephen.kilbane@...> wrote:
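The mechanics behind the draft Brandon posted, as an added Python example written for this page (it is not his tooling and not sigstore or in-toto code): build a Statement of the same shape from the artifact and SBOM bytes, produce the DSSE pre-authentication encoding that a DSSE signer such as cosign actually signs, and, on the consuming side, pin an SBOM fetched from the URI to the digest the signed Statement committed to. The binary and SBOM bytes and the example.invalid URI are constructed; the predicateType and the in-toto/DSSE payload type are the real identifiers from his draft and the DSSE specification.

```python
import hashlib
import hmac
import json

# Constructed artifacts (stand-ins for a real release binary and its SPDX document).
BINARY = b"\x7fELF constructed-binary-bytes for the example"
SBOM = b'{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "binary-sbom"}'
SBOM_URI = "https://example.invalid/releases/v1.3/binary.spdx"   # assumed storage location
PAYLOAD_TYPE = "application/vnd.in-toto+json"                    # DSSE payloadType for in-toto Statements


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_statement(subject_name, subject, sbom, sbom_uri, predicate_type="http://google.com/sbom"):
    """in-toto Statement whose predicate carries the SBOM's digest and URI, not the SBOM itself."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex(subject)}}],
        "predicate": {
            "sboms": [{"format": "SPDX", "digest": {"sha256": sha256_hex(sbom)}, "uri": sbom_uri}],
        },
    }


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes a DSSE signer (e.g. cosign) actually signs."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def bytes_to_sign(statement):
    """Serialize the Statement and wrap it in PAE, ready for a DSSE signature."""
    return pae(PAYLOAD_TYPE, json.dumps(statement, separators=(",", ":")).encode())


def verify_fetched_sbom(statement, artifact, fetched_sbom, expected_uri=None):
    """After the envelope signature has been verified, pin the fetched SBOM to the Statement.

    Returns True only if the Statement names this artifact as a subject and one of its sboms
    entries (optionally the one at expected_uri) has a sha256 digest matching the fetched blob.
    """
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        return False
    subject_digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if sha256_hex(artifact) not in subject_digests:
        return False
    fetched = sha256_hex(fetched_sbom)
    for entry in statement.get("predicate", {}).get("sboms", []):
        if expected_uri is not None and entry.get("uri") != expected_uri:
            continue
        if hmac.compare_digest(entry.get("digest", {}).get("sha256", ""), fetched):
            return True
    return False
```

Signature verification on the DSSE envelope (cosign verify-attestation, or a Rekor lookup) happens before verify_fetched_sbom() is called; the function assumes the Statement is already trusted and guards only against the storage server returning a different blob than the one attested, or the Statement being presented for a different binary. That is what makes the by-reference design safe: the size limit moves the document out of the attestation, but the digest keeps it bound to the signature.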
Re: SPDX Signing
#spdx
May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here.
A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.
steve
* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of Time is out of whack since the pandemic.
From: spdx@... <spdx@...>
On Behalf Of Dick Brooks
Sent: 08 August 2022 12:42
To: spdx@...
Subject: Re: [spdx] SPDX Signing #spdx
Sandeep,
I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).
REA signs SBOMs using PGP as this seems to be the easiest method to sign stand-alone text files, including SBOMs. We simply have to make our public key available for verification of signed SBOMs.
The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From:
spdx@... <spdx@...>
On Behalf Of Patil, Sandeep via lists.spdx.org
Hi All,
Re: SPDX Signing
#spdx
hectorf@...
Sandeep, I know it is not a guideline. But we generally use sigstore/cosign to sign SBOMs. In the near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and potentially contains more metadata.
Re: SPDX Signing
#spdx
Sandeep,
I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).
REA signs SBOMs using PGP as this seems to be the easiest method to sign stand-alone text files, including SBOMs. We simply have to make our public key available for verification of signed SBOMs.
The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 7:08 AM
To: spdx@...
Subject: [spdx] SPDX Signing #spdx
Hi All,
SPDX Signing
#spdx
Patil, Sandeep
Hi All,
Are there any guidelines to sign an SPDX file?
Regards
Sandeep
SPDX Merging
#spdx
Patil, Sandeep
Hi All,
Is there any tool to merge two SPDX files?
Regards
Sandeep
SPDX Thurs General Meeting Reminder
Phil Odence
Special Presentation this month by Matthew Crawford from Arm: Title A new era for SPDX at Arm, are we ready for change?
Let me walk you through the journey of open source software compliance at Arm, from spreadsheets of doom to a platform that captures OSS approvals and produces SPDX files. There were numerous hurdles along the journey but with the help of the internal and external community (including members of this group) we have achieved something that is helpful for Arm and its partners.
Bio
Matthew Crawford has been working at Arm since 2017 mainly focusing on the Third Party Intellectual Property strategy and process management. His professional accomplishments include working to make Arm OpenChain conformant in 2019; involvement in the Google Summer of Code as a mentor and working with the SPDX community. He has a strong passion for open source hardware and software governance, trust and security. Before 2017, Matthew worked in the pharmaceutical industry for GlaxoSmithKline and amongst other things worked on building trust in the software being used throughout the supply chain (as well as designing and synthesising medicines!).
GENERAL MEETING
Meeting Time: Thurs, Aug 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda
Attendance
Minutes Approval: https://github.com/spdx/meetings/blob/main/general/2022-06-02.md
Presentation- Matthew
Steering Committee Update - Phil
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian/Alexios