Re: End Of Life Tag in spdx #spdx

Armijn Hemel - Tjaldur Software Governance Solutions
 

hello,

I would suggest keeping this information "out of band" and not inside SPDX documents. Current information inside SPDX documents is largely static: package, license, checksum, and so on. Of course there could have been errors that need to be fixed, but overall these fields are static.

EOL information, commercial status and support status on the other hand are much more dynamic. Sometimes packages are supported for only a few hours, sometimes for decades. Very often it is also not clear when a package is EOL or supported, as many authors/maintainers do not announce it. The support is sometimes also not done by the author/maintainers, but by an external entity (for example: enterprise-grade Linux distributions). Does this mean it is supported, or only supported for people willing to pay for it, or ...? It is simply not clear and it adds a lot of fuzziness.

This would make SPDX a lot more cumbersome, as not only do the documents need to be generated, but they also need to be updated all the time to avoid falling out of sync. It also mixes syntax and semantics, which is never a good idea.

armijn

Kate and Sandeep,

 

Our customers are also interested in this information. There are two concepts to consider:

Commercial Status:

        <enumeration value="Available"></enumeration>
        <enumeration value="Retired"></enumeration>
        <enumeration value="EOL"></enumeration>
        <enumeration value="BetaTest"></enumeration>
        <enumeration value="Pilot"></enumeration>
        <enumeration value="Abandoned"></enumeration>

 

Support Status:

        <enumeration value="Supported"></enumeration>
        <enumeration value="Unsupported"></enumeration>
        <enumeration value="Community"></enumeration>

 

Both are described in the open-source Vendor Response File (VRF) XML schema available here: https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVendorSchema.xsd

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 



-- 
Armijn Hemel, MSc
Tjaldur Software Governance Solutions


Re: SPDXID #spdx

Gary O'Neall
 

Hi Sandeep,

 

Although the SPDX ID is internal to SPDX documents, you can refer to an SPDX ID in a different document using the SPDX Document identifier as defined in section 6.6.  So the statement below is accurate but could probably be made a bit clearer.

 

Regards,
Gary

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 11:44 PM
To: spdx@...
Subject: Re: [spdx] SPDXID #spdx

 

Hi Gary, 
Thanks for the reply. So SPDXID will be mostly an internal ID and cannot be referenced externally; do you think this might need some change in the SPDXID documentation statement?

"Uniquely identify any element in an SPDX document which may be referenced by other elements. These may be referenced internally and externally with the addition of the SPDX document identifier."


Regards
Sandeep 


Re: SPDXID #spdx

Patil, Sandeep
 

Hi Gary, 
Thanks for the reply. So SPDXID will be mostly an internal ID and cannot be referenced externally; do you think this might need some change in the SPDXID documentation statement?

"Uniquely identify any element in an SPDX document which may be referenced by other elements. These may be referenced internally and externally with the addition of the SPDX document identifier."


Regards
Sandeep 


FYI: SPDX in the OpenSSF Mobilization Plan

VM (Vicky) Brasseur
 

Some of you probably know that OpenSSF met with a bunch of US Federal organizations in Washington DC last week to discuss cyber security wrt the open source software supply chain. (our own Kate and William were there!)

 

Prior to that meeting, the OpenSSF community prepared a “mobilization plan” to present to the Feds, detailing ten areas where they feel they can make improvements to the security of the overall ecosystem. The ninth area is “SBOMs Everywhere” and specifically calls for working with SPDX.

 

You can download the complete plan here: https://openssf.org/oss-security-mobilization-plan/

 

--V

 

-- 

VM (Vicky) Brasseur

Director, Senior Strategy Advisor

Open Source Program Office

Wipro Limited

Time Zone: Pacific/West Coast US

 



Re: SPDXID #spdx

Gary O'Neall
 

Hi Sandeep – Moving the conversation over to the SPDX-tech mailing list.

 

Unfortunately, adding in a CPE ID or pURL would include characters disallowed in the SPDX ID.

 

Fortunately, there is a way to express the pURL and CPE ID in the SPDX Package using the ExternalRef property.  If you add these properties, tools such as the SPDX to OSV will pick up the references and use them to uniquely identify the packages.

 

Here’s an example in JSON format for a CPE 2.3 ID:

 

  "packages" : [ {
                   "SPDXID" : "SPDXRef-Package",
                   "externalRefs" : [ {
                     "referenceCategory" : "SECURITY",
                     "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
                     "referenceType" : "cpe23Type"
                   },  …

 

See the ExternalRef subsection of the spec and the External Repository Identifiers Annex for more details.

 

Regards,
Gary

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 9:06 AM
To: spdx@...
Subject: [spdx] SPDXID #spdx

 

Hi , 
I have a query regarding SPDXID. Can this be expressed along with a CPE or pURL, something like

"SPDXRef-[cpe id]"   or  "SPDXRef-[pURL]"

Any further guidance on this will help. 

Regards
Sandeep 


Re: SPDX and NTIA SBOM Minimum elements #spdx

William Bartholomew (CELA)
 

This is how Microsoft has approached this:

https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/

 

The one thing I’d add is that additional identifiers would be stored in External References.

 

Regards,

 

William Bartholomew (he/him) – Let’s chat

Principal Security Strategist

Global Cybersecurity Policy – Microsoft

 

My working day may not be your working day. Please don’t feel obliged to reply to this e-mail outside of your normal working hours.

 

From: spdx@... <spdx@...> On Behalf Of Dick Brooks via lists.spdx.org
Sent: Monday, May 16, 2022 9:24 AM
To: spdx@...
Subject: [EXTERNAL] Re: [spdx] SPDX and NTIA SBOM Minimum elements #spdx

 

NTIA Framing document has the mapping you seek: see page 13

https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf

 

However, the EO 14028 NTIA min element list is a little different from the framing document list (see attached).

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 



Re: SPDX and NTIA SBOM Minimum elements #spdx

Dick Brooks
 

You’re welcome.

 

You will most likely need SPDX V2.3 if you have any “FILE” components that need to specify version info. The new PackagePurpose field supports the version info for “FILE” artifacts.

 

Thanks,

 

Dick Brooks

 


 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 12:31 PM
To: spdx@...
Subject: Re: [spdx] SPDX and NTIA SBOM Minimum elements #spdx

 

Thank you Dick, this is useful.

 



Re: SPDX and NTIA SBOM Minimum elements #spdx

Patil, Sandeep
 

Thank you Dick, this is useful.

 

From: spdx@... <spdx@...> On Behalf Of Dick Brooks via lists.spdx.org
Sent: Monday, May 16, 2022 9:54 PM
To: spdx@...
Subject: Re: [spdx] SPDX and NTIA SBOM Minimum elements #spdx

 


 

NTIA Framing document has the mapping you seek: see page 13

https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf

 

However, the EO 14028 NTIA min element list is a little different from the framing document list (see attached).

 

 

Thanks,

 

Dick Brooks

 


 



Re: SPDX and NTIA SBOM Minimum elements #spdx

Dick Brooks
 

NTIA Framing document has the mapping you seek: see page 13

https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf

 

However, the EO 14028 NTIA min element list is a little different from the framing document list (see attached).

 

Thanks,

 

Dick Brooks

 


 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 12:10 PM
To: spdx@...
Subject: [spdx] SPDX and NTIA SBOM Minimum elements #spdx

 

Hi , 
Is there any document reference which can be used to see the mapping between SPDX tags and the NTIA Minimum elements?
Some element names can easily be confused; for example, are "Author of SBOM Data" in the NTIA Minimum elements and the "Creator" tag in SPDX the same?

Regards
Sandeep 


SPDX and NTIA SBOM Minimum elements #spdx

Patil, Sandeep
 

Hi , 
Is there any document reference which can be used to see the mapping between SPDX tags and the NTIA Minimum elements?
Some element names can easily be confused; for example, are "Author of SBOM Data" in the NTIA Minimum elements and the "Creator" tag in SPDX the same?

Regards
Sandeep 


SPDXID #spdx

Patil, Sandeep
 

Hi , 
I have a query regarding SPDXID. Can this be expressed along with a CPE or pURL, something like

"SPDXRef-[cpe id]"   or  "SPDXRef-[pURL]"

Any further guidance on this will help. 

Regards
Sandeep 


Re: End Of Life Tag in spdx #spdx

Dick Brooks
 

Kate and Sandeep,

 

Our customers are also interested in this information. There are two concepts to consider:

Commercial Status:

        <enumeration value="Available"></enumeration>
        <enumeration value="Retired"></enumeration>
        <enumeration value="EOL"></enumeration>
        <enumeration value="BetaTest"></enumeration>
        <enumeration value="Pilot"></enumeration>
        <enumeration value="Abandoned"></enumeration>

 

Support Status:

        <enumeration value="Supported"></enumeration>
        <enumeration value="Unsupported"></enumeration>
        <enumeration value="Community"></enumeration>

 

Both are described in the open-source Vendor Response File (VRF) XML schema available here: https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVendorSchema.xsd

 

 

Thanks,

 

Dick Brooks

 


 

From: spdx@... <spdx@...> On Behalf Of Kate Stewart
Sent: Friday, May 6, 2022 3:34 PM
To: SPDX-general <spdx@...>
Subject: Re: [spdx] End Of Life Tag in spdx #spdx

 

Hi Sandeep,

 

     There is a pull request expected shortly from the Usage profile team, to add this specific field to 2.3.

When it comes in,  please feel free to review and make sure it's going to suffice for your needs.

 

For now, with 2.2 documents,  suggest you use the Package Comment field (https://spdx.github.io/spdx-spec/package-information/#720-package-comment-field) and standardize on a tag (like EndOfSupport: ) and the date. 

 

Will that work for now?

 

Thanks, 
Kate

 



Re: End Of Life Tag in spdx #spdx

Kate Stewart
 

Hi Sandeep,

     There is a pull request expected shortly from the Usage profile team, to add this specific field to 2.3.
When it comes in,  please feel free to review and make sure it's going to suffice for your needs.

For now, with 2.2 documents,  suggest you use the Package Comment field (https://spdx.github.io/spdx-spec/package-information/#720-package-comment-field) and standardize on a tag (like EndOfSupport: ) and the date. 

Will that work for now?

Thanks, 
Kate


On Fri, May 6, 2022 at 2:27 PM Patil, Sandeep via lists.spdx.org <sandeep.patil=philips.com@...> wrote:
Hi All,
We have a requirement to specify End Of Life as part of the package information in an SBoM.
Is there a way the current SPDX format supports this?

Regards
Sandeep 
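
As an added example (not code from this thread or from the SPDX project), the following Python script consumes an SPDX 2.x JSON document the way Gary's externalRefs example and Kate's Package Comment suggestion above would let a downstream consumer do: it collects CPE/pURL identifiers from externalRefs, parses an `EndOfSupport:` tag and date out of the package comment, flags packages that are past that date, and checks the SPDXID character rule that keeps a CPE or pURL out of the identifier itself. The sample SBOM, the pURL value and the ISO date format for the tag are constructed assumptions.

```python
"""Consume an SPDX 2.x JSON document and surface the two items discussed in
this thread: package identifiers carried in externalRefs (CPE 2.3 / pURL) and
an end-of-support date carried as an "EndOfSupport:" tag in the package comment.
"""
import json
import re
from datetime import date

# SPDX 2.x element identifiers are "SPDXRef-" followed only by letters, digits,
# "." and "-". The ":" "/" "@" "*" characters in a CPE or pURL are not allowed,
# which is why those identifiers belong in externalRefs instead.
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")

# Tag convention suggested in the thread; the ISO date format is an assumption.
EOS_TAG_RE = re.compile(r"EndOfSupport:\s*(\d{4}-\d{2}-\d{2})")

IDENTIFIER_TYPES = {"cpe22Type", "cpe23Type", "purl"}

# Constructed sample SBOM, not taken from any real product. The CPE string is
# the one from the thread; the pURL and the dates are made up for the example.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "constructed-example",
    "packages": [
        {"SPDXID": "SPDXRef-Package-spring", "name": "spring-framework", "versionInfo": "4.1.0",
         "comment": "EndOfSupport: 2020-12-31",
         "externalRefs": [
             {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
              "referenceLocator": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"},
             {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
              "referenceLocator": "pkg:maven/org.springframework/spring-core@4.1.0"}]},
        {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo", "versionInfo": "1.2.3",
         "comment": "Vendored copy. EndOfSupport: 2099-01-01", "externalRefs": []},
        {"SPDXID": "SPDXRef-Package-nodate", "name": "nodate", "versionInfo": "0.1"},
    ],
})


def is_valid_spdxid(spdxid):
    """True when the identifier satisfies the SPDX 2.x SPDXRef- character rules."""
    return SPDXID_RE.match(spdxid) is not None


def external_identifiers(package):
    """Collect CPE and pURL locators from a package's externalRefs, keyed by type."""
    found = {}
    for ref in package.get("externalRefs", []):
        rtype = ref.get("referenceType")
        if rtype in IDENTIFIER_TYPES and "referenceLocator" in ref:
            found.setdefault(rtype, []).append(ref["referenceLocator"])
    return found


def end_of_support(package):
    """Return the EndOfSupport date from the package comment, or None if absent."""
    match = EOS_TAG_RE.search(package.get("comment", ""))
    return date.fromisoformat(match.group(1)) if match else None


def eol_report(sbom_json, today_iso=None):
    """Classify every package as past-eos, in-support or no-eos-data.

    today_iso is an ISO date string used as the reference day (default: today).
    Caveat raised in the thread: a date baked into the SBOM reflects what was
    known when the document was generated; the real support status may move.
    """
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    rows = []
    for pkg in json.loads(sbom_json).get("packages", []):
        eos = end_of_support(pkg)
        if eos is None:
            status = "no-eos-data"
        elif eos < today:
            status = "past-eos"
        else:
            status = "in-support"
        rows.append({
            "spdxid": pkg["SPDXID"],
            "valid_spdxid": is_valid_spdxid(pkg["SPDXID"]),
            "name": pkg.get("name"),
            "version": pkg.get("versionInfo"),
            "identifiers": external_identifiers(pkg),
            "end_of_support": eos.isoformat() if eos else None,
            "status": status,
        })
    return rows


if __name__ == "__main__":
    for row in eol_report(SAMPLE_SBOM, "2022-05-06"):
        print(json.dumps(row))
```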


End Of Life Tag in spdx #spdx

Patil, Sandeep
 

Hi All,
We have a requirement to specify End Of Life as part of the package information in an SBoM.
Is there a way the current SPDX format supports this?

Regards
Sandeep 


Re: SPDX Thurs General Meeting Reminder

Kate Stewart
 


The video has been posted here: 

On Wed, May 4, 2022 at 4:22 PM Christopher Lusk <clusk@...> wrote:

Hello,

 

Is it possible to get the recording from the April SPDX meeting?

 

Thanks.

 


Christopher D. Lusk
Product Security Analyst
Product Security Office
Lenovo



 

 



Re: SPDX Thurs General Meeting Reminder

Christopher Lusk
 

Hello,

 

Is it possible to get the recording from the April SPDX meeting?

 

Thanks.

 


Christopher D. Lusk
Product Security Analyst
Product Security Office
Lenovo



 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Wednesday, May 4, 2022 9:17 AM
To: SPDX-general <spdx@...>
Subject: [External] [spdx] SPDX Thurs General Meeting Reminder

 

No special presentation this month, but I will announce this year’s recently added Member Reps and provide a little review of this aspect of the governance process.

 

GENERAL MEETING

 

Meeting Time: Thurs, May 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/main/general/2022-04-07.md

 

Special Presentation 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian

 

 


SPDX Thurs General Meeting Reminder

Phil Odence
 

No special presentation this month, but I will announce this year’s recently added Member Reps and provide a little review of this aspect of the governance process.

 

GENERAL MEETING

 

Meeting Time: Thurs, May 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/main/general/2022-04-07.md

 

Special Presentation 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian

 

 


~24 hours left to propose SPDX talks to All Things Open!

VM (Vicky) Brasseur
 

All Things Open (ATO) is one of the largest open source conferences in the world now. In 2022 it’ll be in-person only, in its normal location of the Raleigh Convention Center in Raleigh, North Carolina, USA.

 

ATO 2022 happens October 30-November 2 (yes, over Halloween, ugh). This is either soon after or contemporaneous with the release of 3.0.

 

Considering the size of the potential audience (thousands) and the diversity of the event (both in attendees and in topic tracks), it would be great if folks could propose some SPDX-related talks. For instance:

 

  • Steve could propose the talk he’s doing for OSPOcon in June
  • An intro talk about SPDX would be good for a large percent of the audience
  • A survey of tools for using and/or creating SPDX might be fun
  • A general talk about supply chain stuff & how SPDX can help would be timely
  • Why distros (Fedora, Yocto) are supporting SPDX and how you can help your fave distro do the same

 

The ATO CFP form allows for submitting 15 minute keynote slots this year! That would be a great place for Kate, Jilayne, or someone to talk about the impact of supply chain stuff and where SPDX 3.0 fits in!

 

Anyway, time’s running short. The CFP closes EOD tomorrow!

 

Here’s the link and more information: https://www.allthingsopen.org/call-for-papers-2022/

 

--V



The OpenChain Industry Survey 2022 - SPDX Included

 

The OpenChain Industry Survey 2022 covers a big topic: the global status of corporate engagement and management of open source. Please help by completing the survey from your perspective before May 1st.

English:
https://forms.gle/9Jf9h1J6AwzFpMz89

Simplified Chinese:
https://wj.qq.com/s2/9935077/5841/

Japanese:
https://forms.gle/A2qdawgY9h7CWr3q8

(Thank you China and Japan work groups! :) )

We are considering open source from a “strategy” perspective rather than a “development” perspective. Our goal is to help inform project, product and supply chain decisions in the year ahead. This goes far beyond compliance, OSPO and any other single topic. However, we are explicitly unpacking industry engagement with SPDX.

This survey is licensed under CC-0 so feel free to take it as the basis for your own surveys in the future.


Special Presentation and SPDX Thurs General Meeting Reminder

Phil Odence
 

NOTE: I am a little behind and have not posted the minutes from the March meeting in GH. In advance of that, I have included those minutes in rough form at the bottom of this email.

 

PRESENTATION: Please join us for this presentation to kick off the meeting. Yocto have been very supportive of SPDX and active in incorporating the technology.

 

SPDX in the Yocto Project – Joshua Watt

Abstract:

As Software Bills of Materials (SBoMs) become more important in the software industry, the generation of high quality SBoMs from the beginning of the Software Supply Chain has also become more important. The Yocto Project is designed to build up software images from source, and as such is a prime candidate to generate these SBoMs at the point where software packages are compiled and assembled into customer images. Joshua will talk about how the Yocto Project is able to do this, and some of the interesting quirks encountered when implementing this feature.

 

Joshua Watt is a Software Engineer for Garmin, where he has been working for the past 13 years. He has been a developer with OpenEmbedded and the Yocto Project for the past 7 years, and is a member of the OpenEmbedded Technical Steering Committee.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, April 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-02-03.md

 

Special Presentation 

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian

 

 

 

 

# SPDX General Meeting Minutes - March 3, 2022

 

 

## Administrative

- Attendance: 

* Phil Odence, Black Duck Audits/Synopsys

* Patrick Reilly

* Sebastian Crane

* Bob Martin

* Joshua Dubin, Verizon

* Steve Winslow

* Brad Goldring, GTC Law Group

* Joshua Marpet

* Joshua Watt

* Jon Geater, Jitsuin (presenter)

* Alex Rybak

* Jeff Schutt

* Kate Stewart, Linux Foundation

* Maximillian Huber 

* Mark Atwood, Amazon.com

* Philippe-Emmanuel Douziech, CAST GmbH / CISQ

* David Edelsohn

* Paul Madick

* Jilayne Lovejoy, Red Hat

* Ria Schalnat

* Molly Menomi

* Robert Boyd

 

 

- Led by Phil Odence

- Minutes from last meeting approved.

 

## How RKVST Uses SPDX for Software Transparency by Jon Geater, CTO Jitsuin

### Jitsuin, RKVST, Digital Twin Consortium

### The Problem

#### Cyber-physical systems - data is the new oil. Big opportunity... but requires trusting data

#### Trust can be difficult because everyone is in a supply chain, crossing org boundaries

### Solution approach: Shared asset history w/evidence

#### Including BOM

##### Software and hardware combination (depending on industry)

##### SBOM - super crucial first step

#### Common understanding takes out human time-consuming steps

#### Anyone in the chain should be able to make their own risk assessment

##### Trust is not the same as security

##### Things change/are dynamic...and with software that's frequent

##### So systems need to be able to handle quickly, in real time

### Conclusions

#### What's needed is resilient operation of dynamic systems

#### Important first step is what's in the box

#### ...then vulnerabilities and what to do about them

#### interoperability of standard formats

### Q&A

 

 

 

## Tech Team Report - Gary/Kate/Thomas

### Spec

#### Defects

Meetings have started up,  join the mailing list for details.

#### Core 3.0

Kate / William - have been making good progress on punch list

#### 2.3 Release

* will be adding in some fields that people have been asking for interoperability with CycloneDX community

* license namespaces - Mark Atwood and Steve Winslow to sync

* SPDX Lite - add Package Supplier to match NTIA minimum definition for SPDX Lite profile

 

 

### Tools

#### GSOC

* Submission in,  project ideas still welcome.

 

 

## Legal Team Report - Jilayne/Paul/Steve

* 3.16 released at beginning of February; continuing with issues / PRs for 3.17

* change in meeting cadence - moved to 2nd / 4th Thursday of every month, Steve to update downloadable invites on website

## Outreach Team Report -  Sebastian

* Updates to landscape in process

* FOSDEM talk from Sebastian - recording not yet on FOSDEM website 

  * highlighting key aspects of effective, high-quality SBOMs

  * will be available at https://fosdem.org/2022/schedule/event/security_sbom/ once it's posted

* March 20 - LibrePlanet talk - package management

  * https://libreplanet.org/2022/speakers/#5830

* OpenSSF interest in vulnerabilities website

* Kate and Jack - updates to website