SPDX December General Meeting Minutes
Phil Odence
Also attached are slides from Adrian and Steve’s very interesting presentations.
https://wiki.spdx.org/view/General_Meeting/Minutes/2021-12-02
General Meeting/Minutes/2021-12-02
· Attendance: 33
· Led by Phil Odence
· Minutes from last approved
· Phil will send company membership announcement before end of week
· We will move General Meeting minutes to GitHub and crowdsource during meetings.
Microsoft and SPDX - Adrian/Steve
· Microsoft standardizing on SPDX [Adrian Diglio]
· Why SPDX?
· On ISO standard path
· Already participating
· Great group
· Why build their own tool?
· Already had tooling
· Easy to move to SPDX
· Needed certainty to meet NTIA standards
· Utilize MS Detection
· Needed a great range of environments
· Support for very large, complex build systems; layered builds
· The Tool
· Built on .Net and available for Windows/Linux/Mac
· Available as build step in Azure
· Plan is to open source
· Pulls OSS data from a variety of build system formats
· Future
· Proving by early March, then rolling out across Microsoft
· Exploring different methods of SBOM distribution including web portal
· Exploring signing with others in the industry
· MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker]
· How to distribute secured supply chain components? Specifically SBOMs
· Supply chain artifact challenges:
· artifacts get promoted across environments, including production assets getting pulled from the Internet into restricted networks
· private virtual networks within cloud infrastructure
· Solution: Validation artifacts need to travel together with the supply chain objects
· by default, SBOM might get blocked from being accessed due to "airgapped" / VNet setup
· instead, create a private registry within each vnet; with shared internal registry hosting all artifacts + SBOMs, then promoted into each vnet
· ORAS: need signatures to be separable, verifiable, able to be validated, prior to bringing artifact / binary into the environment
· Microsoft built this for Azure Container Registry, but customers share with other registries and other infrastructure; registries should be a broader standard => OCI Artifacts, ORAS Artifacts
· Signatures and SPDX SBOMs get attached to the graph
· ACR support for ORAS Artifacts today => customers can store SPDX SBOMs today: https://aka.ms/acr/supply-chain-artifacts
· Opportunity: having SPDX document travel alongside the target artifact; CLI that can natively push / pull / validate SPDX SBOMs to Registries
· What does the SPDX community want to see in an SBOM?
· recording EULA text?
· something validated at the time the content is used? => needs to be accessible along with the artifact itself
· Questions/Comments
· Dick: what about having vulnerability disclosures together as a part of the distributed info?
· Appreciate that the SPDX structure enables describing all the pieces of what went into a software build in the first place => static information at a point in time
· Scan results are things that you learn about over time => e.g. might learn later about a problem that was discovered after it was shipped
· Scan results will continue to be additive, whereas the SBOM itself doesn't change
· Dick: some vendors are running scans and producing NVD reports together with vendor's findings; making that info available together with the SBOM. During customer risk assessments, they can see beforehand if a CVE is reported => if shows up in the disclosure, that helps address the risk.
· Scan results, etc., could be attached to the other documents that are included in the registry
· Eventually, looking to have a web-browsable portal to easily access these documents. But, the automation is the interesting part.
· Just this morning, this was announced to be becoming part of an OCI working group; previously getting proven within the ORAS project
· Sebastian: Ostree (Fedora): https://fedoraproject.org/wiki/Changes/OstreeNativeContainer
· Signature format: shipped in Notary v2, but working on expanding via conversations with the broader community. Needs to be able to be validated broadly.
· Dick: NIST workshop that took place this week: ability to distribute SDLC evidence and policy data. Will that be part of this?
· Viewing this as plumbing / core infrastructure, in a generic way; new types will emerge for what types of artifacts are used to be deployed / promoted on this infrastructure
· Because it's generic / abstracted, any new type can be hosted on this infrastructure
Tech Team Report – Kate/Gary/Others
· Tools
· New release of SPDX Java Tools available at https://github.com/spdx/tools-java/releases/tag/v1.0.3
· Specification
· Focused on the Core modeling
· Made progress on collections, packages, and document definitions and relationships
· Significant testing of the model with different use cases and serialization considerations
Legal Team Report - Jilayne/Paul/Steve
· License List version 3.15 was released and published to https://spdx.org/licenses on Nov. 14
· Shortened month for meetings due to Thanksgiving holiday in US
· Warner Losh presented to the team about FreeBSD's use of SPDX short-form license identifiers: https://docs.google.com/presentation/d/1mRWj7DCiicK57BqD4XzUMSZs51TpUUIYIgI-UcB8XDw/edit#slide=id.p
Outreach Team Report
· No update, but Sebastian sent an email to the General Meeting list with notes on behalf of the team.
Attendees
· Phil Odence, Black Duck/Synopsys · Adrian Diglio, Microsoft · Steve Lasker, Microsoft · Sebastian Crane · Steve Winslow, Boston Technology Law · Dick Brooks, REA · Rich Steenwyk, GE Healthcare · Annie · Brad Goldring, GTC · Jeff Schutt, Cisco · David Edelsohn, IBM · Jilayne Lovejoy, Red Hat · Aveek Basu, NextMark Printers · Marc Gisi, Windriver · Gary O’Neall, SourceAuditor · Philippe Ombrédanne, nexB · Dick Brooks · Alex Rybek · Brend Smits, Philips · Christopher Lusk, Lenovo · Christopher Phillips · Fellow Jitser · Jilayne Lovejoy, Red Hat · Mashid · Kendra Morton · Marco · Majira · Michael Herzog, nexB · Mike Nemmers · Molly Menoni · Paul Madick, Jenzabar · Rose Judge, VMWare · Vicky Brasseur, Wipro
Re: SPDX Company Membership
Phil,
I just checked on REA’s LF membership status and it appears the lowest cost tier is $5,000 to become a LF member. Please confirm my understanding is correct that $5,000 is the lowest cost membership fee available.
Thanks,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, December 2, 2021 3:04 PM To: SPDX-general <spdx@...> Subject: [spdx] SPDX Company Membership
Dear SPDX community,
With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.
We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.
As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.
Membership Benefits
Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.
Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection
Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.
Signing up
Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.
In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.
(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)
Please let us know if you or your organization have any questions about becoming a member of SPDX.
SPDX Steering Committee Phil, Kate, Gary, Jilayne, Steve, Paul and Jack
SPDX Company Membership
Phil Odence
Dear SPDX community,
With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.
We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.
As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.
Membership Benefits
Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.
Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection
Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.
Signing up
Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.
In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.
(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)
Please let us know if you or your organization have any questions about becoming a member of SPDX.
SPDX Steering Committee Phil, Kate, Gary, Jilayne, Steve, Paul and Jack
SPDX Outreach Team report for December General Meeting
Dear all,
Since we didn't have time at the SPDX General Meeting today for the usual team reports, I'm writing to send the Outreach Team's report in textual form! Feel free to reply if you have any questions about the activities of the SPDX Outreach Team, or would like to be involved.
Best wishes,
Sebastian
-----
# Wikipedia article
We've added a version history section to the article at https://wikipedia.org/wiki/Software_Package_Data_Exchange with a version table and explanatory paragraphs (as is the format used in articles for a lot of other open source projects). Plus, the disambiguation link that said 'license documentation standard' now says 'software bill of materials standard'. Here are a couple of 'perma-links' to the before and after states of the article:
* Before: https://en.wikipedia.org/w/index.php?title=Software_Package_Data_Exchange&oldid=1053739112
* After: https://en.wikipedia.org/w/index.php?title=Software_Package_Data_Exchange&direction=next&oldid=1058145243
# SBOM Landscape page
At the most recent Outreach Team meeting, we discussed various categories and taxonomies that could be used in the SBOM Landscape page we are developing at: https://github.com/spdx/sbom-landscape
We'll be trying to form 'neighbourhoods' of related use-cases such as attestation, automation etc. The automated tests for the page are still failing, but builds seem to work correctly so can continue work on it. We now have Syft, OSS Review Toolkit, REUSE and Tern listed on the SBOM Landscape page, and will be adding more in the coming weeks!
# SPDX Podcast
Joshua Marpet has resolved the audio issues, meaning that we can start recording podcast episodes again. Joshua is working on an episode with the SPDX Asia Team.
# 'SPDX Ambassadors'
Vicky Brasseur suggested that having an ambassadors programme would be a good idea, so we are exploring the possibility of having contact details of SPDX Ambassadors on our main website. This will help newcomers to quickly contact representatives of SPDX.
# Replicant
I have been in correspondence with a steering committee member of the Replicant project. Replicant aims to replace proprietary components in Android, and are looking to improve their source code license scanning. SPDX SBOMs could be useful in reducing unnecessary repetition of audits here.
# FOSSLight
We have had good interaction with the developers of FOSSLight, an open source license scanner from Logitech. Gary O'Neall and I have been proactively examining SPDX-related failures in order to help them with their use of the SPDX Java libraries. FOSSLight is a top priority for addition to the spdx.dev Open Source Tools page, as well as the SBOM Landscape!
-----
Thursday's SPDX General Meeting Reminder
Phil Odence
Hello, all, looking forward to seeing you Thursday. Note, we’ll have a guest presentation from Microsoft on what they are doing with SPDX. Best, Phil
GENERAL MEETING
Meeting Time: Thurs, Dec 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Administrative Agenda Attendance Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04
Brief update on governance and membership process - Phil
Presentation Microsoft and SPDX · Microsoft standardizing on SPDX [Adrian Diglio] · MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker]
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
OpenChain Automation Case Study #5 - Running a Supply Chain using open source tooling + SPDX
Recording now available. Part #5 explores how SPDX ISO/IEC 5962 works as a Software Bill of Materials (SBOM) in the supply chain through existing open source tooling for open source compliance.
https://www.openchainproject.org/news/2021/11/24/automation-case-study-5 Check out the entire case study here: https://www.openchainproject.org/automation-case-study Huge thanks to Maximilian Huber at TNG for running this webinar. Regards Shane — Shane Coughlan General Manager, OpenChain e: scoughlan@... p: +81 (0) 80 4035 8083 w: www.linuxfoundation.org Schedule a call: https://meetings.hubspot.com/scoughlan
REMINDER: SPDX in Virtual Supply Chain Webinar in 15 minutes (09:00 UTC)
REMINDER: OpenChain Automation Case Study showing SPDX Software Bill of Materials being used in a “virtual supply chain” @ 09:00 UTC.
Join without registration here: https://zoom.us/j/4377592799 Everyone is welcome. Need more timezone information? The event will take place on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST.
REMINDER: Today is the Automation Case Study “virtual supply chain” showing code going through multiple scanners and maintaining SPDX integrity @ 09:00 UTC
REMINDER: Today is the OpenChain Automation Case Study “virtual supply chain” showing code going through multiple scanners and maintaining SPDX integrity @ 09:00 UTC.
We will hold it on Zoom: https://zoom.us/j/4377592799 Everyone is welcome. No registration needed. Need more timezone information? The event will take place on November 24th at 09:00 UTC / 10:00 CET / 17:00 CST / 18:00 KST + JST. The event is in our global calendar: https://www.openchainproject.org/community Regards Shane Shane Coughlan OpenChain General Manager +818040358083 Book a meeting: https://meetings.hubspot.com/scoughlan
Re: Taxonomy of software supply chain ecosystem?
Oliver Fendt
Hi Vicky
We also have a nice website https://oss-compliance-tooling.org/ Perhaps this is better suited for getting an overview
Ciao Oliver
From: spdx@... <spdx@...> On Behalf Of
Michael Dolan via lists.spdx.org
You may also want to look at the SLSA framework.
---
On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via
lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Re: Taxonomy of software supply chain ecosystem?
You may also want to look at the SLSA framework. https://slsa.dev/levels ---
On Thu, Nov 18, 2021 at 10:03 AM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Re: Taxonomy of software supply chain ecosystem?
VM (Vicky) Brasseur
Yessssss…
It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!
--V
-- VM (Vicky) Brasseur Director, Senior Strategy Advisor Open Source Program Office Wipro Limited Time Zone: Pacific/West Coast US
From:
<spdx@...> on behalf of "Steve Kilbane via lists.spdx.org" <stephen.kilbane=analog.com@...>
Hi Vicky,
There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:
https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape
(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)
steve
From: spdx@... <spdx@...>
On Behalf Of Kate Stewart
There's been some industry wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.
We've been collecting the tools we're aware of that work with SPDX, and grouped within the taxonomy here: http://tiny.cc/SPDX
Which is an open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.
Long term solution here is to move this collection to SPDX's github and generate automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.
That help?
Kate
On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via
lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Re: Taxonomy of software supply chain ecosystem?
Hi Vicky,
There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:
https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape
(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)
steve
From: spdx@... <spdx@...>
On Behalf Of Kate Stewart
There's been some industry wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.
We've been collecting the tools we're aware of that work with SPDX, and grouped within the taxonomy here: http://tiny.cc/SPDX
Which is an open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.
Long term solution here is to move this collection to SPDX's github and generate automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.
That help?
Kate
On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via
lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Re: Taxonomy of software supply chain ecosystem?
Kate Stewart
There's been some industry wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy. We've been collecting the tools we're aware of that work with SPDX, and grouped within the taxonomy here: http://tiny.cc/SPDX Which is an open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website. Long term solution here is to move this collection to SPDX's github and generate automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real. That help? Kate
On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via lists.spdx.org <vm.brasseur=wipro.com@...> wrote:
Taxonomy of software supply chain ecosystem?
VM (Vicky) Brasseur
A taxonomy of this SSC ecosystem. I would like to have one, plz&thx.
For instance, looking at this (very much work in progress, just noodling about as I think about things) picture, those items in each of those long lists aren’t equivalent. They fall into different categories of functionality and come into play at different stages.
Those categories/stages are the taxonomy I’m hoping someone else has already created and published under a FOSS license so we can all play along at home. 😊
My web searches aren’t turning anything up on this one. Do any of you know whether this exists already?
--V
-- VM (Vicky) Brasseur Director, Senior Strategy Advisor Open Source Program Office Wipro Limited Time Zone: Pacific/West Coast US
Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)
Dear Marc-Etienne,
Hi all,Yay! I was indeed just wondering about this earlier today, so thank you very much for the notification :) Best wishes, Sebastian
Re: [spdx-tech] RFC: Creating a fairly complex SPDX document for an open source project (Julia)
Hi all,
Great news: ISO SPDX standard is now publicly available at: https://standards.iso.org/ittf/PubliclyAvailableStandards/
Best regards,
Marc-Etienne
From: Spdx-tech@... <Spdx-tech@...>
On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) via lists.spdx.org
Hi Simon,
About the availability of the SPDX spec.
It is the other way round. Since SPDX was not developed by ISO itself, the ISO standard should be available for free on this website: https://standards.iso.org/ittf/PubliclyAvailableStandards/
But it might take some time before it is put there.
Best regards,
Marc-Etienne
From: Spdx-tech@... <Spdx-tech@...>
On Behalf Of Simon Avery via lists.spdx.org
Hello everyone. First time poster here, so I hope this topic is considered appropriate.
My favorite open source project is Julia (https://julialang.org). Its build process pulls in a lot of code from many other repositories. I thought that the project would benefit from having an SPDX document describing all these packages, streamlining the review and approval process at organizations that want to use Julia.
I've put together a pull request that adds an SPDX document to the repository. At this point it contains only a few packages to demonstrate what it looks like and will be filled in over time. If anyone on this list would like to provide feedback that would be appreciated.
On a related question since I see that SPDX just became an ISO standard. Does that mean that version 2.2.1 (and 3.0) of the specification will not be available for free at spdx.dev? Will the spdx-spec repository on Github remain available so that open source developers can access the current specification? If all developers had to pay $200, that would be a significant barrier to adoption in the OSS world.
Thank you in advance for any feedback provided.
Simon Avery
Minutes from Nov 4 SPDX General Meeting
Phil Odence
https://wiki.spdx.org/view/General_Meeting/Minutes/2021-11-04
General Meeting/Minutes/2021-11-04
· Attendance: 25
· Led by Phil Odence
· Minutes from last approved
· Company membership mechanics will be rolled out within a couple weeks.
GSOC - Ujjwal
· JSON Support for Golang libraries
Tech Team Report - Kate/Gary/Others
· Tools
· no update
· Specification
· Spec version compatible with ISO, now available
· Version 3
· Most of the work is focused on the core model. We’re making progress but still have a ways to go to settle on a good code the other profiles will be built on.
· A new repo has been set up for the SPDX 3.0 spec since it will have a different way of generating the examples and spec and will also be under the new license as part of the new governance we put in place
· We expect more activities on the profiles next month, especially security
· Interest in the spec and tools continues to increase – we’re seeing some good signs of adoption from companies, other open source projects, and individuals (if you need more detail – SW360 is engaged in some issues conversations on the tools, the SPDX 2.1 spec issues has some new contributor)
Legal team update - Jilayne/Paul/Steve
· FreeBSD will be adopting SPDX tags
· Fedora is exploring as well
· Conversations about adding better instructions on using Git to contribute to license repo
Outreach team - Sebastian
· Processes
· Transitioned to monthly meeting
· Different ways of working in between under discussion
· Wikipedia page updates
· Adding history
· Adding logos of companies and projects that are using
Attendees
· Phil Odence, Black Duck/Synopsys · Ujjwall Agarwal · Alexios Zavras, Intel · Eric Billingsley, Calculi · Jeff Schutt, Cisco · Sebastian Crane · Bob Martin, Mitre · Steve Winslow, Boston Technology Law · Christopher Lusk, Lenovo · David Edelsohn, IBM · Jilayne Lovejoy, Red Hat · Tony Aiuto · Karan Marjara, AWS · Joshua Marpet, RM-ISAO · Paul Madick, Jenzabar · Adrian Diglio, Microsoft · Alfredo Espinosa · Brad Goldring · Edgar · Joe · Vicky Brasseur, Wipro · Warner Losh, FreeBSD · Fellow Jitser · Aasim, Microsoft
Asia SPDX Meeting- China government data processing draft policy
Came up on the call today. For those interested, here is an overview:
Today's SPDX General Meeting Reminder
Phil Odence
Apologies for the late reminder.
Notes:
GENERAL MEETING
Meeting Time: Thurs, Nov 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Administrative Agenda Attendance Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07
Presentation
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
Re: Public Domain license identifier
Richard Fontana
The "public domain" part appears to be the text of the Unlicense, so
I'd assume "MIT OR Unlicense". Richard
On Tue, Oct 19, 2021 at 4:02 PM Pierre Tardy <tardyp@...> wrote: