Date   

Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

Sebastian Crane
 

Dear Marc-Etienne,

Hi all,

Great news: ISO SPDX standard is now publicly available at:
https://standards.iso.org/ittf/PubliclyAvailableStandards/
Yay! I was indeed just wondering about this earlier today, so thank
you very much for the notification :)

Best wishes,

Sebastian


Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Hi all,

 

Great news: ISO SPDX standard is now publicly available at:

https://standards.iso.org/ittf/PubliclyAvailableStandards/

 

Best regards,

 

Marc-Etienne

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) via lists.spdx.org
Sent: Monday, September 13, 2021 12:04 PM
To: savery@...; Spdx-tech@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

 

Hi Simon,

 

About the availability of the SPDX spec.

 

It is the other way round. Since SPDX was not developed by ISO itself, the ISO standard should be available for free on this website: https://standards.iso.org/ittf/PubliclyAvailableStandards/

 

But it might take some time before it is put there.

 

Best regards,

 

Marc-Etienne

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Simon Avery via lists.spdx.org
Sent: Thursday, September 9, 2021 10:17 PM
To: Spdx-tech@...
Subject: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)

 

Hello everyone.  First time poster here, so I hope this topic is considered appropriate.

 

My favorite open source project is Julia (https://julialang.org).  It's build process pulls in a lot of code from many other repositories.  I thought that the project would benefit from having an SPDX document describing all these packages, streamlining the review and approval process at organizations that want to use Julia.

 

I've put together a pull request that adds an SPDX document to the repository. At this point it contains only a few packages to demonstrate what it looks like and will be filled in over time. If anyone on this list would like to provide feedback that would be appreciated.

 

 

On a related question since I see that SPDX just became an ISO standard. Does that mean that version 2.2.1 (and 3.0) of the specification will not be available for free at spdx.dev?  Will the spdx-spec repository on Github remain available so that open source developers can access the current specification?  If all developers had to pay $200, that would be a significant barrier to adoption in the OSS world.

 

Thank you in advance for any feedback provided.

 

Simon Avery


Minutes from Nov 4 SPDX General Meeting

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04

 

General Meeting/Minutes/2021-11-04

General Meeting‎ | Minutes

·         Attendance: 25

·         Lead by Phil Odence

·         Minutes from last approved

·         Company membership mechanics will be rolled out within a couple weeks.

 

Contents

 [hide

GSOC - Ujjwal[edit]

·         JSON Support for Golang libraries

Tech Team Report - Kate/Gary/Others[edit]

 

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Most of the work is focused on the core model.  We’re making progress but still have a ways to go to settle on a good code the other profiles will be built on.

·         A new repo has been setup for the SPDX 3.0 spec since it will have a different way of generating the examples and spec and will also be under the new license as part of the new governance we put in place

·         We expect more activities on the profiles next month, especially security

·         Interest in the spec and tools continues to increase – we’re seeing some good signs of adoption from companies, other open source projects, and individuals (if you need more detail – SW360 is engaged in some issues conversations on the tools, the SPDX 2.1 spec issues has some new contributor)

Legal team update - Jilayne/Pau/Steve[edit]

·         FreeBSD will be adopting SPDX tags

·         Fedora is exploring as well

·         Conversations about adding better instructions on using Git to contribute to license repo

 

Outreach team - Sebastian[edit]

·         Processes

·         Transitioned to monthly meeting

·         Different ways of working in between under discussion

·         Wikipedia page updates

·         Adding history

·         Adding logos of companies and projects that are using

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Ujjwall Agarwal

·         Alexios Zavras, Intel

·         Eric Billingsley, Calculi

·         Jeff Schutt, Cisco

·         Sebastian Crane

·         Bob Martin, Mitre

·         Steve Winslow, Boston Technology Law

·         Christopher Lusk, Lenovo

·         David Edelsohn, IBM

·         Jilayne Lovejoy, Red Hat

·         Tony Aiuto

·         Karan Marjara, AWS

·         Joshua Marpet, RM-ISAO

·         Paul Madick, Jenzabar

·         Adrian Diglio, Microsoft

·         Alfredo Espinosa

·         Brad Goldring

·         Edgar

·         Joe

·         Vicky Brasseur, Wipro

·         Warner Losh, FreeBSD

·         Fellow Jitser

·         Aasim, Microsoft

 


Asia SPDX Meeting- China government data processing draft policy

 

Came up on the call today. For those interested, here is an overview:

https://asia.nikkei.com/Business/China-tech/New-China-data-transfer-rules-to-be-costly-for-foreign-companies

Asia SPDX Meeting

When
Tue Nov 9, 2021 10am – 11am Japan Standard Time
Where
https://zoom.us/j/199624001 (map)
Who
Kate Stewart - organizer
Gary O'Neall

Agenda:
- SPDX-Lite
- other profiles?

Join Zoom Meeting
https://zoom.us/j/199624001

One tap mobile
+16465588656,,199624001# US (New York)
+16699006833,,199624001# US (San Jose)

Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 199 624 001
Find your local number: https://zoom.us/u/ac9KKJWzJT


──────────


Today's SPDX General Meeting Reminder

Phil Odence
 

Apologies for the late reminder.

 

Notes:

  • For Euro folks, time diff is off by an hour as US doesn’t go back to standard time until this weekend
  • We will have a Google Summer of Code presentation on Json support for Golang libs

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Nov 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

Presentation

  • JSON Support for Golang libraries
    After the introduction of Spdx Specifications v2.2 JSON, YAML, and a development version of XML have been added as supported file formats. However , the tools-golang package currently did not have the support to parse the spdx files nor had the support to save a spdx doc in JSON format .The main objective of this project is to add support in the tools-golang package so that it can parse as well as save SPDX® v2.2 files in JSON format . 
    Background : I am a passionate individual who always strives to work on end to end products which develop sustainable and scalable social and technical systems to create impact. 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack 

  

 

 

 


Re: Public Domain license identifier

Richard Fontana
 

The "public domain" part appears to be the text of the Unlicense, so
I'd assume "MIT OR Unlicense".

Richard

On Tue, Oct 19, 2021 at 4:02 PM Pierre Tardy <tardyp@...> wrote:

Hello,

I am trying to identify this software in term of license expression

https://github.com/nothings/stb

It's is claimed to be "public domain or MIT".
I don't see any license identifier for public domain. It is arguabily not a license, and not valid across jurisdictions, but anyway we would like to document the authors will even if we will conclude the use of MIT.

So what should we document in your opinion?

Regards

Pierre


Re: Message Approval Needed - tardyp@gmail.com posted to spdx@lists.spdx.org

J Lovejoy
 

Hi Pierre,

I am moving the general SPDX list to BCC and sending this via the SPDX legal list, as that is the right place for this question! Also not - I have approved your message and copied you here so you will get the response, but you generally have to join the SPDX mailing list to post and receive message. https://lists.spdx.org/groups

Looking at the license file for that project: Alternative A is indeed MIT and Alternative B is the Unlicense (https://spdx.org/licenses/Unlicense.html)

Thus, the SPDX license expression would be:  MIT OR Unlicense

FYI - you might want to install the license diff browser plugin to help you with these kinds of things - https://chrome.google.com/webstore/detail/spdx-license-diff/kfoadicmilbgnicoldjmccpaicejacdh?hl=en (also available for Firefox)

Thanks
Jilayne
SPDX legal team co-lead



From: "Pierre Tardy" <tardyp@...>
Subject: Public Domain license identifier
Date: October 19, 2021 at 7:12:29 AM MDT


Hello,

I am trying to identify this software in term of license expression


It's is claimed to be "public domain or MIT".
I don't see any license identifier for public domain. It is arguabily not a license, and not valid across jurisdictions, but anyway we would like to document the authors will even if we will conclude the use of MIT.

So what should we document in your opinion?

Regards

Pierre




Public Domain license identifier

Pierre Tardy
 

Hello,

I am trying to identify this software in term of license expression


It's is claimed to be "public domain or MIT".
I don't see any license identifier for public domain. It is arguabily not a license, and not valid across jurisdictions, but anyway we would like to document the authors will even if we will conclude the use of MIT.

So what should we document in your opinion?

Regards

Pierre


Re: SPDX Oct Gen Meeting Minutes

Phil Odence
 

I’m pretty sure President Biden does too.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Friday, October 15, 2021 at 10:33 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Thanks, Phil. 100% agree with you.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 9:59 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

 

That’s great, Dick. A very important direction for us IMO.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Friday, October 15, 2021 at 9:49 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Thanks, Phil.

 

Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 7:43 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

 

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Saturday, October 9, 2021 at 11:28 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Phil,

 

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 8, 2021 8:08 AM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Oct Gen Meeting Minutes

 

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1352972488   signature_1412948865   signature_476665210   signature_1426161603

 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07

General Meeting‎ | Minutes

·         Attendance: 25

·         Lead by Phil Odence

 

Contents

 [hide

Special Topics- Phil / Vicky[edit]

·         Governance Update

·         New governance is in place

·         Will be announcing mechanism for signing up Member Companies

·         With that will announce the mechanism for nominating Steering Committee members

·         Wipro

·         Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others[edit]

 

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Working on how to establish the repos

·         Question about SPDX Lite

·         That would be the minimum mandatory fields

Legal team update - Jilayne[edit]

·         New license request volume slowed down this month

·         Doing some general catchup with members of the legal team

·         Due for a new release at the end of the month

·         Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

Outreach team - Sebastian[edit]

·         Recent Docfest was a success, brought in several tool vendors to compare results

·         Updated Wikipedia page progressing slowing

·         Lead section updated - this is what you seen when you do a Google search

·         Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·         Website is being updated

·         A section will be added to showcase company usage of SPDX

·         Updating meeting time to be more time available

·         Times are shown as UTC Note: will change next month

·         new time will be the off weeks at the same time as legal

·         going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·         Joshua reported the SPDX official podcasts started

·         Once a month

·         Outreach team will meeting every other month

·         Will interview many community members

·         Will follow-up with Vicki and others in the general meeting

·         Kate - presented keynote at open source summit

·         well received, good interested

·         Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Alexios Zavras, Intel

·         Andrew Jorgenson, AWS

·         Kate Stewart, LF

·         Gary O’Neall, SourceAuditor

·         Bill Jaeger

·         Bob Martin, Mitre

·         Eric Billingsley, Calculi

·         Chrissini de Castro

·         Michael Mehlberg, Dark Sky Technology

·         Maximilian Huber, TNG

·         Sebastian Crane

·         William Cox, Synopsys

·         Vicky Brasseur, Wipro

·         Matthew Crawford, ARM

·         Marc Gisi, Windriver

·         Pierre Tardy,

·         Joshua Marpet, RM-ISAO

·         Brad Goldring

·         Paul Madick, Jenzabar

·         Jilayne Lovejoy, Red Hat

·         Christopher Lusk

·         Clement Poulain

·         Joshua Dubin, Verizon

·         Takashi Ninjouji

 


Re: SPDX Oct Gen Meeting Minutes

Dick Brooks
 

Thanks, Phil. 100% agree with you.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 9:59 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

 

That’s great, Dick. A very important direction for us IMO.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Friday, October 15, 2021 at 9:49 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Thanks, Phil.

 

Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 7:43 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

 

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Saturday, October 9, 2021 at 11:28 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Phil,

 

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 8, 2021 8:08 AM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Oct Gen Meeting Minutes

 

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1352972488   signature_1412948865   signature_476665210   signature_1426161603

 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07

General Meeting‎ | Minutes

·        Attendance: 25

·        Lead by Phil Odence

 

Contents

 [hide

Special Topics- Phil / Vicky[edit]

·        Governance Update

·        New governance is in place

·        Will be announcing mechanism for signing up Member Companies

·        With that will announce the mechanism for nominating Steering Committee members

·        Wipro

·        Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others[edit]

 

·        Tools 

·        no update

·        Specification

·        Spec version compatible with ISO, now available

·        Version 3

·        Working on how to establish the repos

·        Question about SPDX Lite

·        That would be the minimum mandatory fields

Legal team update - Jilayne[edit]

·        New license request volume slowed down this month

·        Doing some general catchup with members of the legal team

·        Due for a new release at the end of the month

·        Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

Outreach team - Sebastian[edit]

·        Recent Docfest was a success, brought in several tool vendors to compare results

·        Updated Wikipedia page progressing slowing

·        Lead section updated - this is what you seen when you do a Google search

·        Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·        Website is being updated

·        A section will be added to showcase company usage of SPDX

·        Updating meeting time to be more time available

·        Times are shown as UTC Note: will change next month

·        new time will be the off weeks at the same time as legal

·        going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·        Joshua reported the SPDX official podcasts started

·        Once a month

·        Outreach team will meeting every other month

·        Will interview many community members

·        Will follow-up with Vicki and others in the general meeting

·        Kate - presented keynote at open source summit

·        well received, good interested

·        Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees[edit]

·        Phil Odence, Black Duck/Synopsys

·        Alexios Zavras, Intel

·        Andrew Jorgenson, AWS

·        Kate Stewart, LF

·        Gary O’Neall, SourceAuditor

·        Bill Jaeger

·        Bob Martin, Mitre

·        Eric Billingsley, Calculi

·        Chrissini de Castro

·        Michael Mehlberg, Dark Sky Technology

·        Maximilian Huber, TNG

·        Sebastian Crane

·        William Cox, Synopsys

·        Vicky Brasseur, Wipro

·        Matthew Crawford, ARM

·        Marc Gisi, Windriver

·        Pierre Tardy,

·        Joshua Marpet, RM-ISAO

·        Brad Goldring

·        Paul Madick, Jenzabar

·        Jilayne Lovejoy, Red Hat

·        Christopher Lusk

·        Clement Poulain

·        Joshua Dubin, Verizon

·        Takashi Ninjouji

 


Re: SPDX Oct Gen Meeting Minutes

Phil Odence
 

That’s great, Dick. A very important direction for us IMO.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Friday, October 15, 2021 at 9:49 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Thanks, Phil.

 

Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 7:43 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

 

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Saturday, October 9, 2021 at 11:28 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Phil,

 

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 8, 2021 8:08 AM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Oct Gen Meeting Minutes

 

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1352972488   signature_1412948865   signature_476665210   signature_1426161603

 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07

General Meeting‎ | Minutes

·         Attendance: 25

·         Lead by Phil Odence

 

Contents

 [hide

Special Topics- Phil / Vicky[edit]

·         Governance Update

·         New governance is in place

·         Will be announcing mechanism for signing up Member Companies

·         With that will announce the mechanism for nominating Steering Committee members

·         Wipro

·         Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others[edit]

 

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Working on how to establish the repos

·         Question about SPDX Lite

·         That would be the minimum mandatory fields

Legal team update - Jilayne[edit]

·         New license request volume slowed down this month

·         Doing some general catchup with members of the legal team

·         Due for a new release at the end of the month

·         Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

Outreach team - Sebastian[edit]

·         Recent Docfest was a success, brought in several tool vendors to compare results

·         Updated Wikipedia page progressing slowing

·         Lead section updated - this is what you seen when you do a Google search

·         Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·         Website is being updated

·         A section will be added to showcase company usage of SPDX

·         Updating meeting time to be more time available

·         Times are shown as UTC Note: will change next month

·         new time will be the off weeks at the same time as legal

·         going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·         Joshua reported the SPDX official podcasts started

·         Once a month

·         Outreach team will meeting every other month

·         Will interview many community members

·         Will follow-up with Vicki and others in the general meeting

·         Kate - presented keynote at open source summit

·         well received, good interested

·         Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Alexios Zavras, Intel

·         Andrew Jorgenson, AWS

·         Kate Stewart, LF

·         Gary O’Neall, SourceAuditor

·         Bill Jaeger

·         Bob Martin, Mitre

·         Eric Billingsley, Calculi

·         Chrissini de Castro

·         Michael Mehlberg, Dark Sky Technology

·         Maximilian Huber, TNG

·         Sebastian Crane

·         William Cox, Synopsys

·         Vicky Brasseur, Wipro

·         Matthew Crawford, ARM

·         Marc Gisi, Windriver

·         Pierre Tardy,

·         Joshua Marpet, RM-ISAO

·         Brad Goldring

·         Paul Madick, Jenzabar

·         Jilayne Lovejoy, Red Hat

·         Christopher Lusk

·         Clement Poulain

·         Joshua Dubin, Verizon

·         Takashi Ninjouji

 


Re: SPDX Oct Gen Meeting Minutes

Dick Brooks
 

Thanks, Phil.

 

Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 15, 2021 7:43 AM
To: spdx@...
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

 

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Saturday, October 9, 2021 at 11:28 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Phil,

 

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 8, 2021 8:08 AM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Oct Gen Meeting Minutes

 

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1352972488   signature_1412948865   signature_476665210   signature_1426161603

 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07

General Meeting‎ | Minutes

·        Attendance: 25

·        Lead by Phil Odence

 

Contents

 [hide

Special Topics- Phil / Vicky[edit]

·        Governance Update

·        New governance is in place

·        Will be announcing mechanism for signing up Member Companies

·        With that will announce the mechanism for nominating Steering Committee members

·        Wipro

·        Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others[edit]

 

·        Tools 

·        no update

·        Specification

·        Spec version compatible with ISO, now available

·        Version 3

·        Working on how to establish the repos

·        Question about SPDX Lite

·        That would be the minimum mandatory fields

Legal team update - Jilayne[edit]

·        New license request volume slowed down this month

·        Doing some general catchup with members of the legal team

·        Due for a new release at the end of the month

·        Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

Outreach team - Sebastian[edit]

·        Recent Docfest was a success, brought in several tool vendors to compare results

·        Updated Wikipedia page progressing slowing

·        Lead section updated - this is what you seen when you do a Google search

·        Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·        Website is being updated

·        A section will be added to showcase company usage of SPDX

·        Updating meeting time to be more time available

·        Times are shown as UTC Note: will change next month

·        new time will be the off weeks at the same time as legal

·        going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·        Joshua reported the SPDX official podcasts started

·        Once a month

·        Outreach team will meeting every other month

·        Will interview many community members

·        Will follow-up with Vicki and others in the general meeting

·        Kate - presented keynote at open source summit

·        well received, good interested

·        Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees[edit]

·        Phil Odence, Black Duck/Synopsys

·        Alexios Zavras, Intel

·        Andrew Jorgenson, AWS

·        Kate Stewart, LF

·        Gary O’Neall, SourceAuditor

·        Bill Jaeger

·        Bob Martin, Mitre

·        Eric Billingsley, Calculi

·        Chrissini de Castro

·        Michael Mehlberg, Dark Sky Technology

·        Maximilian Huber, TNG

·        Sebastian Crane

·        William Cox, Synopsys

·        Vicky Brasseur, Wipro

·        Matthew Crawford, ARM

·        Marc Gisi, Windriver

·        Pierre Tardy,

·        Joshua Marpet, RM-ISAO

·        Brad Goldring

·        Paul Madick, Jenzabar

·        Jilayne Lovejoy, Red Hat

·        Christopher Lusk

·        Clement Poulain

·        Joshua Dubin, Verizon

·        Takashi Ninjouji

 


Re: SPDX Oct Gen Meeting Minutes

Phil Odence
 

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Saturday, October 9, 2021 at 11:28 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Oct Gen Meeting Minutes

Phil,

 

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 8, 2021 8:08 AM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Oct Gen Meeting Minutes

 

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1352972488   signature_1412948865   signature_476665210   signature_1426161603

 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07

General Meeting‎ | Minutes

·         Attendance: 25

·         Lead by Phil Odence

 

Contents

 [hide

Special Topics- Phil / Vicky[edit]

·         Governance Update

·         New governance is in place

·         Will be announcing mechanism for signing up Member Companies

·         With that will announce the mechanism for nominating Steering Committee members

·         Wipro

·         Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others[edit]

 

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Working on how to establish the repos

·         Question about SPDX Lite

·         That would be the minimum mandatory fields

Legal team update - Jilayne[edit]

·         New license request volume slowed down this month

·         Doing some general catchup with members of the legal team

·         Due for a new release at the end of the month

·         Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

Outreach team - Sebastian[edit]

·         Recent Docfest was a success, brought in several tool vendors to compare results

·         Updated Wikipedia page progressing slowing

·         Lead section updated - this is what you seen when you do a Google search

·         Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·         Website is being updated

·         A section will be added to showcase company usage of SPDX

·         Updating meeting time to be more time available

·         Times are shown as UTC Note: will change next month

·         new time will be the off weeks at the same time as legal

·         going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·         Joshua reported the SPDX official podcasts started

·         Once a month

·         Outreach team will meeting every other month

·         Will interview many community members

·         Will follow-up with Vicki and others in the general meeting

·         Kate - presented keynote at open source summit

·         well received, good interested

·         Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Alexios Zavras, Intel

·         Andrew Jorgenson, AWS

·         Kate Stewart, LF

·         Gary O’Neall, SourceAuditor

·         Bill Jaeger

·         Bob Martin, Mitre

·         Eric Billingsley, Calculi

·         Chrissini de Castro

·         Michael Mehlberg, Dark Sky Technology

·         Maximilian Huber, TNG

·         Sebastian Crane

·         William Cox, Synopsys

·         Vicky Brasseur, Wipro

·         Matthew Crawford, ARM

·         Marc Gisi, Windriver

·         Pierre Tardy,

·         Joshua Marpet, RM-ISAO

·         Brad Goldring

·         Paul Madick, Jenzabar

·         Jilayne Lovejoy, Red Hat

·         Christopher Lusk

·         Clement Poulain

·         Joshua Dubin, Verizon

·         Takashi Ninjouji

 


Re: SPDX Oct Gen Meeting Minutes

Dick Brooks
 

Phil,

 

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Friday, October 8, 2021 8:08 AM
To: SPDX-general <spdx@...>
Subject: [spdx] SPDX Oct Gen Meeting Minutes

 

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1352972488   signature_1412948865   signature_476665210   signature_1426161603

 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07

General Meeting‎ | Minutes

·        Attendance: 25

·        Lead by Phil Odence

 

Contents

 [hide

Special Topics- Phil / Vicky[edit]

·        Governance Update

·        New governance is in place

·        Will be announcing mechanism for signing up Member Companies

·        With that will announce the mechanism for nominating Steering Committee members

·        Wipro

·        Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others[edit]

 

·        Tools 

·        no update

·        Specification

·        Spec version compatible with ISO, now available

·        Version 3

·        Working on how to establish the repos

·        Question about SPDX Lite

·        That would be the minimum mandatory fields

Legal team update - Jilayne[edit]

·        New license request volume slowed down this month

·        Doing some general catchup with members of the legal team

·        Due for a new release at the end of the month

·        Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

Outreach team - Sebastian[edit]

·        Recent Docfest was a success, brought in several tool vendors to compare results

·        Updated Wikipedia page progressing slowing

·        Lead section updated - this is what you seen when you do a Google search

·        Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·        Website is being updated

·        A section will be added to showcase company usage of SPDX

·        Updating meeting time to be more time available

·        Times are shown as UTC Note: will change next month

·        new time will be the off weeks at the same time as legal

·        going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·        Joshua reported the SPDX official podcasts started

·        Once a month

·        Outreach team will meeting every other month

·        Will interview many community members

·        Will follow-up with Vicki and others in the general meeting

·        Kate - presented keynote at open source summit

·        well received, good interested

·        Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees[edit]

·        Phil Odence, Black Duck/Synopsys

·        Alexios Zavras, Intel

·        Andrew Jorgenson, AWS

·        Kate Stewart, LF

·        Gary O’Neall, SourceAuditor

·        Bill Jaeger

·        Bob Martin, Mitre

·        Eric Billingsley, Calculi

·        Chrissini de Castro

·        Michael Mehlberg, Dark Sky Technology

·        Maximilian Huber, TNG

·        Sebastian Crane

·        William Cox, Synopsys

·        Vicky Brasseur, Wipro

·        Matthew Crawford, ARM

·        Marc Gisi, Windriver

·        Pierre Tardy,

·        Joshua Marpet, RM-ISAO

·        Brad Goldring

·        Paul Madick, Jenzabar

·        Jilayne Lovejoy, Red Hat

·        Christopher Lusk

·        Clement Poulain

·        Joshua Dubin, Verizon

·        Takashi Ninjouji

 


SPDX Oct Gen Meeting Minutes

Phil Odence
 

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_1352972488   signature_1412948865   signature_476665210   signature_1426161603

 

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

 

General Meeting/Minutes/2021-10-07

General Meeting‎ | Minutes

·         Attendance: 25

·         Lead by Phil Odence

 

Contents

 [hide

Special Topics- Phil / Vicky[edit]

·         Governance Update

·         New governance is in place

·         Will be announcing mechanism for signing up Member Companies

·         With that will announce the mechanism for nominating Steering Committee members

·         Wipro

·         Vicky discussed Wipro’s view of benefits and reasons for joining

Tech Team Report - Kate/Gary/Others[edit]

 

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Working on how to establish the repos

·         Question about SPDX Lite

·         That would be the minimum mandatory fields

Legal team update - Jilayne[edit]

·         New license request volume slowed down this month

·         Doing some general catchup with members of the legal team

·         Due for a new release at the end of the month

·         Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

Outreach team - Sebastian[edit]

·         Recent Docfest was a success, brought in several tool vendors to compare results

·         Updated Wikipedia page progressing slowing

·         Lead section updated - this is what you seen when you do a Google search

·         Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·         Website is being updated

·         A section will be added to showcase company usage of SPDX

·         Updating meeting time to be more time available

·         Times are shown as UTC Note: will change next month

·         new time will be the off weeks at the same time as legal

·         going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·         Joshua reported the SPDX official podcasts started

·         Once a month

·         Outreach team will meeting every other month

·         Will interview many community members

·         Will follow-up with Vicki and others in the general meeting

·         Kate - presented keynote at open source summit

·         well received, good interested

·         Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Alexios Zavras, Intel

·         Andrew Jorgenson, AWS

·         Kate Stewart, LF

·         Gary O’Neall, SourceAuditor

·         Bill Jaeger

·         Bob Martin, Mitre

·         Eric Billingsley, Calculi

·         Chrissini de Castro

·         Michael Mehlberg, Dark Sky Technology

·         Maximilian Huber, TNG

·         Sebastian Crane

·         William Cox, Synopsys

·         Vicky Brasseur, Wipro

·         Matthew Crawford, ARM

·         Marc Gisi, Windriver

·         Pierre Tardy,

·         Joshua Marpet, RM-ISAO

·         Brad Goldring

·         Paul Madick, Jenzabar

·         Jilayne Lovejoy, Red Hat

·         Christopher Lusk

·         Clement Poulain

·         Joshua Dubin, Verizon

·         Takashi Ninjouji

 


Thursday's SPDX General Meeting Reminder

Phil Odence
 

A couple of special items for this month’s meeting:

  • Quick status of updated SPDX governance
  • Short presentation by VM (Vicky) Brasseur, Director, Senior Strategy Advisor at Wipro. Her company has recently decided to become a member and put its full support behind SPDX. She’ll talk about what they do with SPDX and why they are so keen

 

GENERAL MEETING

 

Meeting Time: Thurs, Oct 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-07-01

 

Update/Presentation

  • Governance – Phil
  • Wipro and SPDX - Vicky

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack 

  

 

 

 


Re: SPDX Goes ISO

Dick Brooks
 

Thanks, Phil – I’m very much looking forward to the configurable profiles capability.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Tuesday, September 14, 2021 1:16 PM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

Yes, understood. Thanks, Dick. For that use case, the President was more concerned with a cyber attack that a license violation. This is the point of evolving SPDX to be “configurable” with profiles to meet different use cases.

 

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Tuesday, September 14, 2021 at 12:44 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Phil,

 

               Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber risk, i.e. C-SCRM, whereas license management is a Legal/Financial risk.

 

The use of SBOM for license legal risk management is indeed a good practice, but it is not required to satisfy NTIA minimal SBOM requirements for EO 14028.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Tuesday, September 14, 2021 11:53 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

 

From: spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...>
Date: Tuesday, September 14, 2021 at 10:31 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm:    tel:+386.41.849.552
www:    https://urldefense.com/v3/__https://matija.suklje.name__;!!A4F2R9G_pg!JDcVm_7nX5ihf6dF-lq5bEdOjwvrwPFEsQEyBY11L-icpBRYY7c2OV2t2w8ajmFojgc$
xmpp:   matija.suklje@...
sip:    matija_suklje@...






Re: SPDX Goes ISO

Phil Odence
 

Yes, understood. Thanks, Dick. For that use case, the President was more concerned with a cyber attack that a license violation. This is the point of evolving SPDX to be “configurable” with profiles to meet different use cases.

 

 

From: spdx@... <spdx@...> on behalf of Dick Brooks <dick@...>
Date: Tuesday, September 14, 2021 at 12:44 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Phil,

 

               Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber risk, i.e. C-SCRM, whereas license management is a Legal/Financial risk.

 

The use of SBOM for license legal risk management is indeed a good practice, but it is not required to satisfy NTIA minimal SBOM requirements for EO 14028.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Tuesday, September 14, 2021 11:53 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

 

From: spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...>
Date: Tuesday, September 14, 2021 at 10:31 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm:    tel:+386.41.849.552
www:    https://urldefense.com/v3/__https://matija.suklje.name__;!!A4F2R9G_pg!JDcVm_7nX5ihf6dF-lq5bEdOjwvrwPFEsQEyBY11L-icpBRYY7c2OV2t2w8ajmFojgc$
xmpp:   matija.suklje@...
sip:    matija_suklje@...







Re: SPDX Goes ISO

Matija Šuklje
 

Die 14. 09. 21 et hora 17:52 Phil Odence via lists.spdx.org scripsit:
Absolutely not just license compliance. Security too is a
big driver and an important part/direction of SPDX.
I know. I’m just excited by the prospect of synergies and more use of SPDX in
the wild!

I can already see how the wider community would start working together on
joint SPDX documents, fixing issues together, nesting/referring existing SPDX
documents for subcomponents in the SPDX documents of the wider codebase
instead of re-scanning the whole thing over and over again …ah, may the dreams
finally become true! :)


cheers,
Matija
--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...


Re: SPDX Goes ISO

Dick Brooks
 

Phil,

 

               Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber risk, i.e. C-SCRM, whereas license management is a Legal/Financial risk.

 

The use of SBOM for license legal risk management is indeed a good practice, but it is not required to satisfy NTIA minimal SBOM requirements for EO 14028.

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Tuesday, September 14, 2021 11:53 AM
To: spdx@...
Subject: Re: [spdx] SPDX Goes ISO

 

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

 

From: spdx@... <spdx@...> on behalf of Matija Šuklje <matija@...>
Date: Tuesday, September 14, 2021 at 10:31 AM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SPDX Goes ISO

Congratulations!

This is indeed a massive step for the software world, and hopefully not just
in terms of license compliance!


hip hip hurrah!
Matija
--
gsm:    tel:+386.41.849.552
www:    https://urldefense.com/v3/__https://matija.suklje.name__;!!A4F2R9G_pg!JDcVm_7nX5ihf6dF-lq5bEdOjwvrwPFEsQEyBY11L-icpBRYY7c2OV2t2w8ajmFojgc$
xmpp:   matija.suklje@...
sip:    matija_suklje@...





121 - 140 of 1592