SPDX Feb General Meeting MInutes

Phil Odence




L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...







signature_762280638   signature_1149972784   signature_1518328037   signature_338408634



SPDX General Meeting Minutes - Feb 3, 2022


  • Attendance: 33
  • Lead by Phil Odence
  • Minutes from last meeting approved

Steve Hendrick w/report on SBOM readiness

  • Press release about the report
  • Report itself
  • Showing a selected set of slides from the report
  • In all his years as an industry analyst, he never heard of SBOMs. Now though, it's about to become a massive market.
  • Was careful to not be too LF biased by surveying a broad end user community.
  • Anticipate a 60+ percent growth of orgs using SBOMs…if the tooling exists to support that growth. He hasn't yet looked at the tools that are out there.
  • Not a lot of visibility for this from the vendors & tooling providers. Analysts also haven't yet done a market forecast for this, either.
  • Discussion on formats that wasn't included in the report. Won't summarise here as it's not really public.

Tech Team Report - Gary/Kate/Thomas



  • Thomas sent out Doodle poll to figure out date for next team call
  • Multiple options on how to include vulnerabilities: include, separate, and link
  • Working on one document

Core 3.0

  • Good progress on building concensus on when to use properties or relationships (packages containing files for example). Follow along in spdx-3.0-model repo.

2.3 Release

  • Follow up from Docfest on some clarifications that emerged from comparisons.
  • Anything that we need to help people adopt SPDX for presidential order. Dick points out CMC issued an RFI that incorporates SBOM: https://sam.gov/opp/fe53a2be20094034b178e260f29cd0ad/view
  • For licensing-related fields that are currently mandatory but can have noassertion, looking at permitting them to be made as optional for 2.3, presuming NOASSERTION if field is omitted.


DocFest (Rose)

  • Held on 1/27, 24 attendee, identified - 6 topics - made it through all 6
  • Thanks to analysis team for helping to understand the differences!


  • GSOC Summer of Code - Alexios will be lead.
  • Please feel free to contribute

Tooling Release

Legal Team Report - Jilayne/Paul/Steve

License List

  • Will release 3.16 this weekend.
  • Good discussion on Fedora use of identifiers, and use between communities.
    • Historically added about 80 licenses to license list in 2014, based on Fedora's own list of licenses
    • Similar to discussion previously with Warner about use in FreeBSD
    • Will provide updates to General team on Fedora and FreeBSD as it proceeds

Outreach Team Report - Sebastian

  • (getting update from email)


  • VM Brasseur
  • Brad Goldring, GTC Law Group
  • Christina Chen
  • Thomas Steenbergen
  • Steve Hendrick
  • Jilayne Lovejoy
  • Dick Brooks
  • Kate Stewart
  • Alex Rybak
  • Alexios Zavras
  • Gary O'Neall
  • Christine Chen
  • David Edelsohn
  • Edgar
  • Jacob Wilson
  • Jesse Porter, Qualcomm
  • Karan Marjara
  • Lena Smart
  • Marc Etienne Vargenau
  • Matthew Neal Miller, Red Hat Product Security
  • Michael Herzog
  • Paul Madick
  • Pete Allor, Red Hat Product Security
  • Phil Odence
  • Steve Winslow
  • William Cox
  • Andrew Jorgensen
  • Alfredo Espinosa
  • Rose Judge
  • Ria Schalnat
  • Joe Bussell
  • Joshua Dubin
  • Michael Herzog