Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

Phil,

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

< General Meeting‎ | Minutes

·         Attendance: 25

·         Lead by Phil Odence

Contents

 [hide] 

• 1 Special Topics- Phil / Vicky
• 2 Tech Team Report - Kate/Gary/Others
• 3 Legal team update - Jilayne
• 4 Outreach team - Sebastian
• 5 Attendees

·         Governance Update

·         New governance is in place

·         Will be announcing mechanism for signing up Member Companies

·         With that will announce the mechanism for nominating Steering Committee members

·         Wipro

·         Vicky discussed Wipro’s view of benefits and reasons for joining

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Working on how to establish the repos

·         Question about SPDX Lite

·         That would be the minimum mandatory fields

·         New license request volume slowed down this month

·         Doing some general catchup with members of the legal team

·         Due for a new release at the end of the month

·         Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

·         Recent Docfest was a success, brought in several tool vendors to compare results

·         Updated Wikipedia page progressing slowing

·         Lead section updated - this is what you seen when you do a Google search

·         Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·         Website is being updated

·         A section will be added to showcase company usage of SPDX

·         Updating meeting time to be more time available

·         Times are shown as UTC Note: will change next month

·         new time will be the off weeks at the same time as legal

·         going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·         Joshua reported the SPDX official podcasts started

·         Once a month

·         Outreach team will meeting every other month

·         Will interview many community members

·         Will follow-up with Vicki and others in the general meeting

·         Kate - presented keynote at open source summit

·         well received, good interested

·         Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

·         Phil Odence, Black Duck/Synopsys

·         Alexios Zavras, Intel

·         Andrew Jorgenson, AWS

·         Kate Stewart, LF

·         Gary O’Neall, SourceAuditor

·         Bill Jaeger

·         Bob Martin, Mitre

·         Eric Billingsley, Calculi

·         Chrissini de Castro

·         Michael Mehlberg, Dark Sky Technology

·         Maximilian Huber, TNG

·         Sebastian Crane

·         William Cox, Synopsys

·         Vicky Brasseur, Wipro

·         Matthew Crawford, ARM

·         Marc Gisi, Windriver

·         Pierre Tardy,

·         Joshua Marpet, RM-ISAO

·         Brad Goldring

·         Paul Madick, Jenzabar

·         Jilayne Lovejoy, Red Hat

·         Christopher Lusk

·         Clement Poulain

·         Joshua Dubin, Verizon

·         Takashi Ninjouji

Dick, apologies for the slow response. Frankly we had a pretty tech team update this time. I think it’s a good idea to get some specifics from profile sub-teams next month and (herewith) suggest to Kate/Gary.

Phil,

               I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support profiles?

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

< General Meeting‎ | Minutes

·        Attendance: 25

·        Lead by Phil Odence

Contents

 [hide] 

• 1 Special Topics- Phil / Vicky
• 2 Tech Team Report - Kate/Gary/Others
• 3 Legal team update - Jilayne
• 4 Outreach team - Sebastian
• 5 Attendees

·        Governance Update

·        New governance is in place

·        Will be announcing mechanism for signing up Member Companies

·        With that will announce the mechanism for nominating Steering Committee members

·        Wipro

·        Vicky discussed Wipro’s view of benefits and reasons for joining

·        Tools 

·        no update

·        Specification

·        Spec version compatible with ISO, now available

·        Version 3

·        Working on how to establish the repos

·        Question about SPDX Lite

·        That would be the minimum mandatory fields

·        New license request volume slowed down this month

·        Doing some general catchup with members of the legal team

·        Due for a new release at the end of the month

·        Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

·        Recent Docfest was a success, brought in several tool vendors to compare results

·        Updated Wikipedia page progressing slowing

·        Lead section updated - this is what you seen when you do a Google search

·        Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·        Website is being updated

·        A section will be added to showcase company usage of SPDX

·        Updating meeting time to be more time available

·        Times are shown as UTC Note: will change next month

·        new time will be the off weeks at the same time as legal

·        going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·        Joshua reported the SPDX official podcasts started

·        Once a month

·        Outreach team will meeting every other month

·        Will interview many community members

·        Will follow-up with Vicki and others in the general meeting

·        Kate - presented keynote at open source summit

·        well received, good interested

·        Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

·        Phil Odence, Black Duck/Synopsys

·        Alexios Zavras, Intel

·        Andrew Jorgenson, AWS

·        Kate Stewart, LF

·        Gary O’Neall, SourceAuditor

·        Bill Jaeger

·        Bob Martin, Mitre

·        Eric Billingsley, Calculi

·        Chrissini de Castro

·        Michael Mehlberg, Dark Sky Technology

·        Maximilian Huber, TNG

·        Sebastian Crane

·        William Cox, Synopsys

·        Vicky Brasseur, Wipro

·        Matthew Crawford, ARM

·        Marc Gisi, Windriver

·        Pierre Tardy,

·        Joshua Marpet, RM-ISAO

·        Brad Goldring

·        Paul Madick, Jenzabar

·        Jilayne Lovejoy, Red Hat

·        Christopher Lusk

·        Clement Poulain

·        Joshua Dubin, Verizon

·        Takashi Ninjouji

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

< General Meeting‎ | Minutes

·         Attendance: 25

·         Lead by Phil Odence

Contents

 [hide] 

• 1 Special Topics- Phil / Vicky
• 2 Tech Team Report - Kate/Gary/Others
• 3 Legal team update - Jilayne
• 4 Outreach team - Sebastian
• 5 Attendees

·         Governance Update

·         New governance is in place

·         Will be announcing mechanism for signing up Member Companies

·         With that will announce the mechanism for nominating Steering Committee members

·         Wipro

·         Vicky discussed Wipro’s view of benefits and reasons for joining

·         Tools 

·         no update

·         Specification

·         Spec version compatible with ISO, now available

·         Version 3

·         Working on how to establish the repos

·         Question about SPDX Lite

·         That would be the minimum mandatory fields

·         New license request volume slowed down this month

·         Doing some general catchup with members of the legal team

·         Due for a new release at the end of the month

·         Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

·         Recent Docfest was a success, brought in several tool vendors to compare results

·         Updated Wikipedia page progressing slowing

·         Lead section updated - this is what you seen when you do a Google search

·         Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·         Website is being updated

·         A section will be added to showcase company usage of SPDX

·         Updating meeting time to be more time available

·         Times are shown as UTC Note: will change next month

·         new time will be the off weeks at the same time as legal

·         going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·         Joshua reported the SPDX official podcasts started

·         Once a month

·         Outreach team will meeting every other month

·         Will interview many community members

·         Will follow-up with Vicki and others in the general meeting

·         Kate - presented keynote at open source summit

·         well received, good interested

·         Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

·         Phil Odence, Black Duck/Synopsys

·         Alexios Zavras, Intel

·         Andrew Jorgenson, AWS

·         Kate Stewart, LF

·         Gary O’Neall, SourceAuditor

·         Bill Jaeger

·         Bob Martin, Mitre

·         Eric Billingsley, Calculi

·         Chrissini de Castro

·         Michael Mehlberg, Dark Sky Technology

·         Maximilian Huber, TNG

·         Sebastian Crane

·         William Cox, Synopsys

·         Vicky Brasseur, Wipro

·         Matthew Crawford, ARM

·         Marc Gisi, Windriver

·         Pierre Tardy,

·         Joshua Marpet, RM-ISAO

·         Brad Goldring

·         Paul Madick, Jenzabar

·         Jilayne Lovejoy, Red Hat

·         Christopher Lusk

·         Clement Poulain

·         Joshua Dubin, Verizon

·         Takashi Ninjouji

There were a few of anonymous participants that I did not include in the count. It would be helpful to get names for these minutes and to use them for future meetings. Also, while it’s not required to be affiliated with a company, that information is also helpful. I didn’t catch for everyone. If you’d like to me to add, just let me know via email. Additions/corrections also welcome.

Best,

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-10-07

< General Meeting‎ | Minutes

·        Attendance: 25

·        Lead by Phil Odence

Contents

 [hide] 

• 1 Special Topics- Phil / Vicky
• 2 Tech Team Report - Kate/Gary/Others
• 3 Legal team update - Jilayne
• 4 Outreach team - Sebastian
• 5 Attendees

·        Governance Update

·        New governance is in place

·        Will be announcing mechanism for signing up Member Companies

·        With that will announce the mechanism for nominating Steering Committee members

·        Wipro

·        Vicky discussed Wipro’s view of benefits and reasons for joining

·        Tools 

·        no update

·        Specification

·        Spec version compatible with ISO, now available

·        Version 3

·        Working on how to establish the repos

·        Question about SPDX Lite

·        That would be the minimum mandatory fields

·        New license request volume slowed down this month

·        Doing some general catchup with members of the legal team

·        Due for a new release at the end of the month

·        Update on collaboration with OSI and FSF

  * Gary is working on 3 year old issues with the LicenseListPublisher to automate the inclusion of data from FSF and OSI   * Data is in the isFsfFree column and the OSI approved columns for the SPDX listed licenses   * Recently, getting good response from FSF and OSI - especially from OSI   * OSI has a machine readable format that is being actively worked on   * In addition to tool automation, there may be an opportunity for the legal team to have a communication process on license updates   * Jilayne provided history on previous attempts to work with FSF on integrating their data which at times has been less responsive  

·        Recent Docfest was a success, brought in several tool vendors to compare results

·        Updated Wikipedia page progressing slowing

·        Lead section updated - this is what you seen when you do a Google search

·        Sebastian resolved an accessibility issue with the SPDX spec web pages - increasing the contrast making it much more readable

·        Website is being updated

·        A section will be added to showcase company usage of SPDX

·        Updating meeting time to be more time available

·        Times are shown as UTC Note: will change next month

·        new time will be the off weeks at the same time as legal

·        going to meetings every other week from once a week.  Vicki pointed out that there will be more work being done on the mailing list, so feel free to volunteer for outreach activities even if you can't make the meetings.

·        Joshua reported the SPDX official podcasts started

·        Once a month

·        Outreach team will meeting every other month

·        Will interview many community members

·        Will follow-up with Vicki and others in the general meeting

·        Kate - presented keynote at open source summit

·        well received, good interested

·        Sebastian and Gary reporting increasing interest in SBOM tooling - we're seeing some good momentum

·        Phil Odence, Black Duck/Synopsys

·        Alexios Zavras, Intel

·        Andrew Jorgenson, AWS

·        Kate Stewart, LF

·        Gary O’Neall, SourceAuditor

·        Bill Jaeger

·        Bob Martin, Mitre

·        Eric Billingsley, Calculi

·        Chrissini de Castro

·        Michael Mehlberg, Dark Sky Technology

·        Maximilian Huber, TNG

·        Sebastian Crane

·        William Cox, Synopsys

·        Vicky Brasseur, Wipro

·        Matthew Crawford, ARM

·        Marc Gisi, Windriver

·        Pierre Tardy,

·        Joshua Marpet, RM-ISAO

·        Brad Goldring

·        Paul Madick, Jenzabar

·        Jilayne Lovejoy, Red Hat

·        Christopher Lusk

·        Clement Poulain

·        Joshua Dubin, Verizon

·        Takashi Ninjouji

Yes, understood. Thanks, Dick. For that use case, the President was more concerned with a cyber attack that a license violation. This is the point of evolving SPDX to be “configurable” with profiles to meet different use cases.

Phil,

               Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber risk, i.e. C-SCRM, whereas license management is a Legal/Financial risk.

The use of SBOM for license legal risk management is indeed a good practice, but it is not required to satisfy NTIA minimal SBOM requirements for EO 14028.

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

Thanks, Matija. Absolutely not just license compliance. Security too is a big driver and an important part/direction of SPDX.

I guess it will…
The OpenChain one took a couple of months to appear, though, so I don’t know how quickly this gets updated.
-- zvr
*From:* spdx@... <spdx@...> *On Behalf Of *Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
*Sent:* Friday, 10 September, 2021 16:40
*To:* spdx@...
*Cc:* Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
*Subject:* Re: [spdx] SPDX Goes ISO
Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ <https://standards.iso.org/ittf/PubliclyAvailableStandards/> ?
I think it should.
Do we know?
Marc-Etienne
*From:*spdx@... <mailto:spdx@...> <spdx@... <mailto:spdx@...>> *On Behalf Of *Phil Odence via lists.spdx.org
*Sent:* Thursday, September 9, 2021 5:03 PM
*To:* SPDX-general <spdx@... <mailto:spdx@...>>
*Subject:* [spdx] SPDX Goes ISO
I’m pleased to announce that SPDX is now ISO/IEC 5962:2021 <https://urldefense.com/v3/__https:/www.iso.org/standard/81870.html__;!!A4F2R9G_pg!IzcEk2nRZUdfzZmQ8bT_tVgInVURy_PWptKdAupJoT8av2upo-tStlSbY_4GqlpA$>.
Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.
Here’s the LF press release: http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials <https://urldefense.com/v3/__http:/www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials__;!!A4F2R9G_pg!IzcEk2nRZUdfzZmQ8bT_tVgInVURy_PWptKdAupJoT8av2upo-tStlSbY89Cvfim$>
Best regards,
Phil
**
*L. Philip Odence*
General Manager, Black Duck Audit Business
Synopsys Software Integrity Group, Burlington, MA
M (781) 258-9502 | phil.odence@... <mailto:phil.odence@...>
https://www.synopsys.com/audits <https://www.synopsys.com/audits>
SIG-emailsig-2020
signature_653089988<https://www.linkedin.com/showcase/sw_integrity/>signature_1312878970<https://twitter.com/SW_Integrity>signature_1721301777<https://www.youtube.com/channel/UC0I_hKR1E-Ty0roBUEQN4Ww>signature_106429426<https://www.facebook.com/SynopsysSoftwareIntegrity>
Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de>
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928

Since the standard was not developed by ISO itself, will the standard be publicly available at https://standards.iso.org/ittf/PubliclyAvailableStandards/ ?

I think it should.

Do we know?

Marc-Etienne

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

 

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

 

Here’s the LF press release: http://www.linuxfoundation.org/press-release/spdx-becomes-internationally-recognized-standard-for-software-bill-of-materials

 

Best regards,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

 

 

         

 

I’m pleased to announce that SPDX is now ISO/IEC 5962:2021.

Many people have worked hard over the last decade to get us to this point. Big credit goes to my Steering Committee colleagues who have all been instrumental. And we should recognize that this was all Kate’s brainchild. I believe it was Fall of 2009 when she started informally socializing the idea of a standard SBOM format at Linux Foundation events. Not too long thereafter, in the then single weekly meeting, early participants began debating whether it should be SPDE, ultimately deciding “X” at the end would be catchier. And now it’s officially caught.

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits