SPDX General Meeting Minutes and Webpage Update

Phil Odence

There was full support for the webpage updates at the General Meeting. The plan is on to move forward if no one raises any concerns in the next week. (text of update is at the bottom of this email)


Meeting minutes and link below





L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...







signature_234117645   signature_858572913   signature_661693669   signature_167300685






General Meeting/Minutes/2020-10-01

General Meeting‎ | Minutes

·         Attendance: 8

·         Lead by Phil Odence

·         Minutes of Sept meeting Approved



·         1 Webpage Update- Phil

·         2 Tech Team Report - Steve standing in

·         3 Legal Team Report - Paul/Jilayne/Steve

·         4 Outreach Team Report

·         5 Attendees

Webpage Update- Phil[edit]

·         No objections to new copy for website

Tech Team Report - Steve standing in[edit]

·         Spec

·         DCO bot has been turned on for the spec

·         2.2.1

·         ISO requested more information

·         Developed and submitted

·         3.0

·         WilliamB has set up new branch

·         Still working on main profile

·         Minor mods for OMG/NTIA

·         Japan user group has provided inputs

·         Vulnerabilities Profile

·         Working with 3TS group

·         Linkage Profile

·         Name still up in the air

·         Something about of linking docs and vetting provenance

·         Build Profile

·         Kate working on looking at different built systems

·         Tools

·         Google SoC

·         All students passed. Congrats!

·         Rishabh has stayed involved and done some great work

·         Community Bridge

·         2 projects going

·         Tools.spdx.org

·         Funding is $2100 / $2400

·         All tools being transitioned

·         Test instance in place

·         Please Poke!

Legal Team Report - Paul/Jilayne/Steve[edit]

·         Licensing Profie

·         This has been the recent focus of the team

·         Simplify/Clarify what’s been in place

·         Working doc for initial draft: https://docs.google.com/document/d/1k_2tSlFXvW_SbW-I1DcSEoCNBMQJd4FEFIQr6KCJuyU/edit#

·         Base + Licensing is targeted at the historical use case for SPDX

·         Next step will be to clean up the initial draft for further discussion

·         License List

·         Little change due to focus on Licensing Profile

·         Building up a little backlog

·         Minutes for Legal Team going forward keeps minutes here:

·         https://github.com/spdx/meetings

Outreach Team Report[edit]

·         No Update



·         Phil Odence, Black Duck/Synopsys

·         Paul Madick

·         Rishabh Bhatnagar, St Francis Inst Tech

·         Aveek, NextMark Printers

·         Steve Winslow, LF

·         Jilayne Lovejoy, Canonical

·         Michael Herzog- nexB

·         Mike Dolan, Linux Foundation



From: Phil Odence <podence@...>
Date: Tuesday, September 29, 2020 at 4:00 PM
To: "spdx@..." <spdx@...>
Subject: SPDX Webpage Update



The SPDX Core Team has been working on a long overdue update to some of the web content that describes the spec and the project. Below is what we’ve come up with. We think it’s good to go, but at the Thurs General Meeting will see if anyone has concerns that would merit scheduling a meeting to discuss in more detail.





----- Short summary for top of main page, https://spdx.dev/ and anywhere else a short summary is needed/used ------

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations  and communities to share important data, thereby streamlining and improving compliance, security, and dependability.


------------ FOR NEW ABOUT PAGE ----------------------------


Our Vision

The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. 


Our Mission

The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information. 



SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by two sub-groups: the tech team and the legal team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.


The SPDX project is composed of:

  • The SPDX Specification itself
  • the SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
  • SPDX tools and libraries for working with the SPDX documents and SPDX License List


Guiding principles

  • SPDX represents data in formats that are both machine- and human-readable.
  • SPDX focuses on collecting and communicating facts; and provides a framework to make assertions about those facts.
  • SPDX makes no legal interpretations (of licenses or license compliance).
  • SPDX facilitates the efficient exchange of metadata in the supply chain. 


Governance Model

The SPDX Governance model is documented here.


------------END  FOR NEW ABOUT PAGE ----------------------------