|
Re: SPDX Company Membership
Phil Odence
Brian,
We will send an email to Primary Contacts from member companies who have signed up by tomorrow. There will be instructions, but essentially we’ll need to hear from the primary contact who the nominee is and then the nominiee will need to fill out an online form.
Phil
From:
spdx@... <spdx@...> on behalf of Brian Fox <brianf@...> Once signing up, how are nominations made?
On Tue, Mar 29, 2022 at 10:17 PM Steve Winslow <swinslow@...> wrote:
|
|
|
|
Re: SPDX Company Membership
Steve Winslow
Hi Brian, Since the cutoff date is EOD day, sometime in the next few days / next week we'll send an email with nomination instructions to the primary contacts from each of the members who have signed up by then. We may need a bit of time to work with the LF to collect the contact details from the signups, but we'll circulate the next steps to the members shortly thereafter. Best, Steve On Thu, Mar 31, 2022 at 1:16 PM Brian Fox <brianf@...> wrote:
|
|
|
|
Re: SPDX Company Membership
Brian Fox
Once signing up, how are nominations made? On Tue, Mar 29, 2022 at 10:17 PM Steve Winslow <swinslow@...> wrote:
|
|
|
|
Re: SPDX Company Membership
Steve Winslow
Hello SPDX community, Just wanted to send a reminder from Phil's original email announcing the SPDX project membership process -- see his email below. As mentioned previously, companies / organizations that become a member of SPDX prior to April 1 (before this coming Friday) will be able to nominate an individual from their organization for consideration for the initial Member Representative seats on the SPDX Steering Committee. On or shortly after April 1, we will send out details about the nomination process to all member companies as of that date, so that nominations can be submitted and the 1 or 2 Member Representatives chosen by the Steering Committee before their annual term begins on May 1. If you'd like for your company to nominate someone for consideration for the initial Member Representatives, please make sure that your company signs up as a member of SPDX on or before this Thursday, March 31. Please note that just being listed as an "SPDX Supporter" on https://spdx.dev is not itself the same as becoming a member of the project; you'll need to sign up as a member using the process Phil described below. (Of course, membership will still be open after that date, and future members could participate in nominations for future years' Member Representatives.) Best, Steve
|
|
|
|
Special Presentation and SPDX Thurs General Meeting Reminder
Phil Odence
REMINDER: Encourage your LF member company to join SPDX https://enrollment.lfx.linuxfoundation.org/?project=spdx . Companies that join by April 1 may nominate a candidate for Steering Committee this year.
PRESENTATION: Please join us for a very interesting presentation to kick off the meeting.
How RKVST Uses SPDX for Software Transparency by Jon Geater, CTO Jitsuin Abstract: One crucial aspect to deriving Trust in connected systems is software transparency, and SBOM (AKA “what’s in the box?”) is a crucial part of this, so SPDX is a very interesting place for Jon and RKVST to engage. We’ll be briefly exploring the deeper requirements of software transparency for context and look forward to a discussion on how best to apply and assist the SPDX community in meeting these. Jon: Jon Geater is chair of the Security and Trustworthiness Working Group in the Digital Twin Consortium and lead author of the Security Maturity Model for Digital Twins in the Industry Internet Consortium. In both of these forums, and with his company’s SaaS platform RKVST, he works to press forward the state of the art in Dynamic Resilience: a practical approach to security and safety in today’s fast-changing, highly connected world based on contextual decision-making and Zero Trust principles. As a co-founder of OASIS KMIP, former governing board member of Linux Foundation’s Hyperledger project, and former board member and chair of the Security Task Force at GlobalPlatform, Jon has a strong and dedicated commitment to open standards in cyber security.
GENERAL MEETING
Meeting Time: Thurs, Mar3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda Attendance Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-02-03.md
Special Presentation – SteveH
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
|
|
|
|
SPDX Feb General Meeting MInutes
Phil Odence
https://github.com/spdx/meetings/blob/master/general/2022-02-03.md
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
SPDX General Meeting Minutes - Feb 3, 2022Administrative
Steve Hendrick w/report on SBOM readiness
Tech Team Report - Gary/Kate/ThomasSpecDefects
Core 3.0
2.3 Release
ToolsDocFest (Rose)
GSOC
Tooling Release
Legal Team Report - Jilayne/Paul/SteveLicense List
Outreach Team Report - Sebastian
Attendees
|
|
|
|
Special Presentation and SPDX Thurs General Meeting Reminder
Phil Odence
Please join us for a very interesting presentation to kick off the meeting:
Preview of LF Study on SBOM Readiness by Steve Hendrick Abstract: The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness, produced in partnership with SPDX, OpenChain, and OpenSSF, reports on the extent of organizational SBOM readiness and adoption and its significance to improving cybersecurity throughout the open source ecosystem. The study comes on the heels of the US Administration’s Executive Order on Improving the Nation’s Cybersecurity, and the disclosure of the most recent and far-reaching log4j security vulnerability. Its timing coincides with increasing recognition across the globe of the importance of identifying software components and helping accelerate widespread implementation of cybersecurity best practices to mitigate the impact of software vulnerabilities. Steve: Steve Hendrick, who authored the SBOM readiness report, is a Vice President of research for the Linux Foundation and well traveled in application development and deployment software. Prior to his current role at the Linux Foundation, Steve spent 30 years as an industry analyst working for IDC, ESG, and EMA driving application development and deployment research. Steve has authored over 1,000 research reports and served as primary investigator on over 100 surveys.
GENERAL MEETING
Meeting Time: Thurs, Feb3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes
Administrative Agenda Attendance Minutes Approval https://github.com/spdx/meetings/blob/master/general/2022-01-06.md
Special Presentation – SteveH
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
|
|
|
|
Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Thanks, Rose – much appreciate the quick response and for all that you do for the SPDX community.
Looking forward to participating in the DocFest.
Cheers and best regards,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Rose Judge <rjudge@...>
Sent: Wednesday, January 12, 2022 11:51 AM To: dick@...; spdx@... Subject: Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Hi Dick,
Instructions to participate with target sets/objects will be mailed out on Monday. We are finalizing the targets as we speak.
Thanks for your interest and patience. Excited to have you as part of this event!
-Rose From: Dick Brooks <dick@...>
Rose,
Where can I find the target set objects to create/submit an SPDX SBOM?
Thanks,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Rose Judge
Hello SPDX community,
SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts.
https://forms.gle/Mq7ReinTY6gDL4cs9
|
|
|
|
Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Rose Judge
Hi Dick,
Instructions to participate with target sets/objects will be mailed out on Monday. We are finalizing the targets as we speak.
Thanks for your interest and patience. Excited to have you as part of this event!
-Rose From: Dick Brooks <dick@...>
Rose,
Where can I find the target set objects to create/submit an SPDX SBOM?
Thanks,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Spdx-tech@... <Spdx-tech@...>
On Behalf Of Rose Judge
Sent: Wednesday, January 12, 2022 11:39 AM To: Spdx-tech@...; spdx@... Subject: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Hello SPDX community,
SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts.
https://forms.gle/Mq7ReinTY6gDL4cs9
|
|
|
|
Re: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Rose,
Where can I find the target set objects to create/submit an SPDX SBOM?
Thanks,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Rose Judge
Sent: Wednesday, January 12, 2022 11:39 AM To: Spdx-tech@...; spdx@... Subject: [spdx-tech] Registration open for SPDX DocFest on Jan 27th
Hello SPDX community,
SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts.
https://forms.gle/Mq7ReinTY6gDL4cs9
|
|
|
|
Registration open for SPDX DocFest on Jan 27th
Rose Judge
Hello SPDX community,
SPDX is hosting another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss differences between tool output and understanding for the same software artifacts.
https://forms.gle/Mq7ReinTY6gDL4cs9
|
|
|
|
Re: Archive the https://github.com/spdx/license-list repository
Sebastian Schuberth
Thanks Gary.
toggle quoted message
Show quoted text
-- Sebastian Schuberth On Sun, Jan 9, 2022 at 11:02 PM Gary O'Neall <gary@...> wrote:
|
|
|
|
Re: Archive the https://github.com/spdx/license-list repository
Gary O'Neall
Hi Sebastian and SPDX community,
toggle quoted message
Show quoted text
I just archived the license-list repo per your suggestion. If there are any concerns, let me know. We can always unarchive the repository. I also archived and updated the README on the following repos. If anyone has any objections or concerns, please let me know. - ATTIC-tools-go - already indicated as superseded by tools-golang - spdx-github - Utility has not been updated in several years and does not support the latest versions of the spec - licensegenplugin - Utility not planned to be used and is no longer supported - ATTIC-airs - Already indicated as no longer being maintained - ATTIC-osit - Already indicated as no longer being maintained Regards, Gary -----Original Message----- |
|
|
|
Archive the https://github.com/spdx/license-list repository
Sebastian Schuberth
Hi all,
while the README at [1] documents the https://github.com/spdx/license-list repo to be archived, it's not "archived" in the GitHub sense, as available in the settings at https://github.com/spdx/license-list/settings. Any objections doing that to make it more clear that the repo is archived? [1] https://github.com/spdx/license-list#readme -- Sebastian Schuberth |
|
|
|
Thursday's SPDX General Meeting Reminder
Phil Odence
NOTE: As mentioned last meeting, the General Meeting will adopt the practice of the SPDX teams for taking minutes. We will use Etherpad live in the meeting and others can contribute. This will be particularly helpful for attendance and also handing off when I (as I regularly do) have to head off at half past the hour. Etherpad: https://spdx.swinslow.net/p/spdx-general-minutes And, starting with this meeting, GitHub will be our repo for archiving minutes. The wiki.spdx.org archive will still exist with the Dec21 minutes being the last entry. GHub Repo https://github.com/spdx/meetings/tree/master/general Thanks, Phil
GENERAL MEETING
Meeting Time: Thurs, Jan6, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the meeting:
Administrative Agenda Attendance Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-12-02
Brief update on governance and membership process - Phil
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
|
|
|
|
License Universe
Karsten Klein
Hi all,
we recently published some insights on our license database. You can find details on
https://github.com/org-metaeffekt/metaeffekt-universe
and a visualization of the data on
https://metaeffekt.com/#universe-a
(apologies for the metaeffekt.com pages being currently only available in German language; however the visualization piece is “universal”).
The data is meant to convey the richness/complexity of licenses/exceptions in the wild and demonstrates our endeavor for normalization as a fundamental work for identification, scanning and documentation. In particular, the tables on Github show - by linking into the different license spaces - coverage of SPDX, OSI and ScanCode Toolkit.
We hope you enjoy “playing around with licenses”.
Please note – this is all work in progress. Curiously looking forward for your feedback…
Kind regards, Karsten
metaeffekt GmbH Firmensitz: Renettenweg 6/1, 69124 Heidelberg Registergericht: Amtsgericht Mannheim, HRB 725313 Geschäftsführer: Karsten Klein USt.-IdNr.: DE307084554
Diese E-Mail kann vertrauliche und/oder rechtlich geschützte Informationen beinhalten. Sollten Sie diese E-Mail irrtümlich erhalten haben, informieren Sie bitte den Absender und löschen Sie diese E-Mail und alle Kopien umgehend. Eine unbefugte Weitergabe der E-Mail oder deren Inhalte und Anhänge ist nicht gestattet.
Möchten Sie als Empfänger keine Informationen dieser Art erhalten, setzen Sie sich bitte unmittelbar mit dem Absender der E-Mail in Verbindung. Die metaeffekt GmbH unterstützt Ihre Datenhoheit und informationelle Selbstbestimmung und übermittelt Informationen ausschließlich auf der Rechtsgrundlage der europäischen Datenschutzgrundverordnung (DSGVO). Weitere Informationen zu den Datenverarbeitungsvorgängen und insbesondere Ihrer Rechte entnehmen Sie der Datenschutzerklärung der metaeffekt GmbH.
|
|
|
|
SPDX December General Meeting Minutes
Phil Odence
Also attached are slides from Adrian and Steve’s very interesting presentations.
https://wiki.spdx.org/view/General_Meeting/Minutes/2021-12-02
General Meeting/Minutes/2021-12-02< General Meeting | Minutes · Attendance: 33 · Lead by Phil Odence · Minutes from last approved · Phil will company membership announcement before end of week · We will be move General Meeting minutes to GitHub and crowdsource during meetings. Contents[hide]
Microsoft and SPDX - Adrian/Steve[edit]· Microsoft standardizing on SPDX [Adrian Giglio] · Why SPDX? · On ISO standard path · Already participating · Great group · Why build their own tool? · Already had tooling · Easy to move to SPDX · Needed certainty to meet NTiA standards · Utilize MS Detection · Needed a great range of environments · Support for very large, complex build systems; layered builds · The Tool · Built on .Net and available for Windows/Linux/Mac · Available as build step in Azure · Plan is to open source · Pulls OSS data from a variety of build system formats · Future · Proving by early March, then rolling out across Microsoft · Exploring different methods of SBOM distribution including web portal · Exploring signing with others in the industry · MCR Distributing SPDX SBoMs for Microsoft content [Steve Lasker] · How to distribute secured supply chain components? Specifically SBOMs · Supply chain artifact challenges: · artifacts get promoted across environments, including production assets getting pulled from the Internet into restricted networks · private virtual networks within cloud infrastructure · Solution: Validation artifacts need to travel together with the supply chain objects · by default, SBOM might get blocked from being accessed due to "airgapped" / VNet setup · instead, create a private registry within each vnet; with shared internal registry hosting all artifacts + SBOMs, then promoted into each vnet · ORAS: need signatures to be separable, verifiable, able to be validated, prior to bringing artifact / binary into the environment · Microsoft built this for Azure Container Registry, but customers share with other registries and other infrastructure; registries should be a broader standard => OCI Artifacts, ORAS Artifacts · Signatures and SPDX SBOMs get attached to the graph · ACR support for ORAS Artifacts today => customers can store SPDX SBOMs today: https://aka.ms/acr/supply-chain-artifacts · Opportunity: having SPDX document travel alongside the target artifact; CLI that can natively push / pull / validate SPDX SBOMs to Registries · What does the SPDX community want to see in an SBOM? · recording EULA text? · something validated at the time the content is used? => needs to be accessible along with the artifact itself · Questions/Comments · Dick: what about having vulnerability disclosures together as a part of the distributed info? · Appreciate that the SPDX structure enables describing all the pieces of what went into a software build in the first place => static information at a point in time · Scan results are things that you learn about over time => e.g. might learn later about a problem that was discovered after it was shipped · Scan results will continue to be additive, whereas the SBOM itself doesn't change · Dick: some vendors are running scans and producing NVD reports together with vendor's findings; making that info available together with the SBOM. During customer risk assessments, they can see beforehand if a CVE is reported => if shows up in the disclosure, that helps address the risk. · Scan results, etc., could be attached to the other documents that are included in the registry · Eventually, looking to have a web-browsable portal to easily access these documents. But, the automation is the interesting part. · Just this morning, this was announced to be becoming part of an OCI working group; previously getting proven within the ORAS project · Sebastian: Ostree (Fedora): https://fedoraproject.org/wiki/Changes/OstreeNativeContainer · Signature format: shipped in Notary v2, but working on expanding via conversations with the broader community. Needs to be able to be validated broadly. · Dick: NIST workshop that took place this week: ability to distribute SDLC evidence and policy data. Will that be part of this? · Viewing this as plumbing / core infrastructure, in a generic way; new types will emerge for what types of artifacts are used to be deployed / promoted on this infrastructure · Because it's generic / abstracted, any new type can be hosted on this infrastructure
Tech Team Report – Kate/Gary/Others[edit]· Tools · New release of SPDX Java Tools available at https://github.com/spdx/tools-java/releases/tag/v1.0.3 · Specification · Focused on the Core modeling · Made progress on collections, packages, and document definitions and relationships · Significant testing of the model with different use cases and serialization considerations
Legal Team Report - Jilayne/Pau/Steve[edit]· License List version 3.15 was released and published to https://spdx.org/licenses on Nov. 14 · Shortened month for meetings due to Thanksgiving holiday in US · Warner Losh presented to the team about FreeBSD's use of SPDX short-form license identifiers: https://docs.google.com/presentation/d/1mRWj7DCiicK57BqD4XzUMSZs51TpUUIYIgI-UcB8XDw/edit#slide=id.p
Outreach Team Report -[edit]· No update, but Sebastian sent an email to the General Meeting list with notes on behalf of the team.
Attendees[edit]· Phil Odence, Black Duck/Synopsys · Adrian Digli, Microsoft · Steve Lasker, Microsoft · Sebastian Crane · Steve Winslow, Boston Technology Law · Dick Brooks, REA · Rich Steenwyk, GE Healthcare · Annie · Brad Goldring, GTC · Jeff Schutt, Cisco · David Edelsohn, IBM · Jilayne Lovejoy, Red Hat · Aveek Basu, NextMark Printers · Marc Gisi, Windriver · Gary O’Neall, SourceAuditor · Philippe Ombrédanne- nexB · Dick Brooks · Alex Rybek · Brend Smits, Philips · Christopher Lusk, Lenovo · Christopher Phillips · Fellow Jitser · Jilayne Lovejoy, Red Hat · Mashid · Kendra Morton · Marco · Majira · Michael Herzog- nexB · Mike Nemmers · Molly Menoni · Paul Madick, Jenzabar · Rose Judge, VMWare · Vicky Brasseur, Wipro
|
|
|
|
Re: SPDX Company Membership
Phil,
I just checked on REA’s LF membership status and it appears the lowest cost tier is $5,000 to become a LF member. Please confirm my understanding is correct that $5,000 is the lowest cost membership fee available.
Thanks,
Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Phil Odence via lists.spdx.org
Sent: Thursday, December 2, 2021 3:04 PM To: SPDX-general <spdx@...> Subject: [spdx] SPDX Company Membership
Dear SPDX community,
With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.
We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.
As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.
Membership Benefits
Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.
Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection
Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.
Signing up
Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.
In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.
(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)
Please let us know if you or your organization have any questions about becoming a member of SPDX.
SPDX Steering Committee Phil, Kate, Gary, Jilayne, Steve, Paul and Jack
|
|
|
|
SPDX Company Membership
Phil Odence
Dear SPDX community,
With the adoption of the new project governance model for SPDX in September, one new aspect of the updated structure is the introduction of the ability for companies and other organizations to become official members of the project.
We have been working with the Linux Foundation for them to configure their membership enrollment platform for SPDX. Now that this has been completed, we're happy to announce that organizations can begin signing up as members of SPDX.
As a reminder, organizational membership in SPDX is not required in order for anyone to contribute to or participate in the technical development of SPDX. All of SPDX's code and specification development is open to anyone to participate in, whether or not their organization is a formal SPDX member -- same as always.
Membership Benefits
Membership in SPDX enables an organization to have their logo displayed on the project website and materials to indicate their status as a "member" of the project, and to identify them as such.
Additionally, with the governance change, the SPDX Steering Committee will be expanded to include up to two individuals selected as Member Representatives (see Section 2 of the Governance document). Each organization that is a member of SPDX may nominate one person from their organization as a candidate for selection
Organizations that become members of SPDX within the first four months following December 1, 2021, may make a nomination for the initial selection of Member Representatives during that four-month time period. After April 1, 2022, the Steering Committee will choose the Member Representatives from among the nominees. We will send updated details about this to the then-current members as the deadline approaches. The terms for all Steering Committee members, as specified in Section 2 of the Governance document, will begin on May 1, 2022.
Signing up
Project membership in SPDX itself is available at no charge; however, an organization must be a member of The Linux Foundation (which may include fees for your organization) in order to become a member.
In order to become a member, go to https://enrollment.lfx.linuxfoundation.org/?project=spdx to begin the signup process. If your organization is not already an LF member, the LF membership agreement sign-up and billing will be included as part of the process.
(Please note that the membership enrollment system may still ask for billing information, even if your organization is already an LF member and you are only signing up for SPDX membership.)
Please let us know if you or your organization have any questions about becoming a member of SPDX.
SPDX Steering Committee Phil, Kate, Gary, Jilayne, Steve, Paul and Jack
|
|
|
|
SPDX Outreach Team report for December General Meeting
Dear all,
Since we didn't have time at the SPDX General Meeting today for the usual team reports, I'm writing to send the Outreach Team's report in textual form! Feel free to reply if you have any questions about the activities of the SPDX Outreach Team, or would like to be involved. Best wishes, Sebastian ----- # Wikipedia article We've added a version history section to the article at https://wikipedia.org/wiki/Software_Package_Data_Exchange with a version table and explanatory paragraphs (as is the format used in articles for a lot of other open source projects). Plus, the disambiguation link that said 'license documentation standard' now says 'software bill of materials standard'. Here are a couple of 'perma-links' to the before and after states of the article: * Before: https://en.wikipedia.org/w/index.php?title=Software_Package_Data_Exchange&oldid=1053739112 * After: https://en.wikipedia.org/w/index.php?title=Software_Package_Data_Exchange&direction=next&oldid=1058145243 # SBOM Landscape page At the most recent Outreach Team meeting, we discussed various categories and taxonomies that could be used in the SBOM Landscape page we are developing at: https://github.com/spdx/sbom-landscape We'll be trying to form 'neighbourhoods' of related use-cases such as attestation, automation etc. The automated tests for the page are still failing, but builds seem to work correctly so can continue work on it. We now have Syft, OSS Review Toolkit, REUSE and Tern listed on the SBOM Landscape page, and will be adding more in the coming weeks! # SPDX Podcast Joshua Marpet has resolved the audio issues, meaning that we can start recording podcast episodes again. Joshua is working on an episode with the SPDX Asia Team. # 'SPDX Ambassadors' Vicky Brasseur suggested that having an ambassadors programme would be a good idea, so we are exploring the possibility of having contact details of SPDX Ambassadors on our main website. This will help newcomers to quickly contact representatives of SPDX. # Replicant I have been in correspondence with a steering committee member of the Replicant project. Replicant aims to replace proprietary components in Android, and are looking to improve their source code license scanning. SPDX SBOMs could be useful in reducing unnecessary repetition of audits here. # FOSSLight We have had good interaction with the developers of FOSSLight, an open source license scanner from Logitech. Gary O'Neall and I have been proactively examining SPDX-related failures in order to help them with their use of the SPDX Java libraries. FOSSLight is a top priority for addition to the spdx.dev Open Source Tools page, as well as the SBOM Landscape! ----- |
|
|
