FW: SPDX Thurs General Meeting Reminder


Phil Odence
 

No special presentation this month, so the meeting should run shorter than usual.

 

GENERAL MEETING

 

Meeting Time: Thurs, July 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

 

Administrative Agenda

Attendance

Minutes Approval: Not yet posted in GitHub but included at the bottom here.

 

Steering Committee Update - Phil

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack/Sebastian/Alexios

 

 

* Attendance: 28

* Led by Phil Odence

* Minutes from last meeting approved.



## Steering Committee Update - Phil

* Governance updates - minor clarifications

* Starting work on a project management framework

* Team Leads trying out a kickoff form before formalizing anything

* Alexios selected as new co-lead for Outreach Team, joining Steering Committee in that capacity



## OpenSSF and White House Meeting - Kate

* Focus on SBOMs - looking to engage with the SPDX community, particularly on the Defects side, with a laser focus on security

* Early January 2022 meeting - discussed security and SBOMs; many of the companies putting resources toward solving these problems are OpenSSF members; discussion was under the Chatham House Rule (information may be used, but the speaker and their organization are not disclosed)

* New meeting - included representatives from many organizations, including outside OpenSSF / LF

* Kate and William Bartholomew present and active in SBOM workstream

* Mobilization plan: https://openssf.org/oss-security-mobilization-plan/ - Stream 9, "SBOMs Everywhere"

* Stream 10 also relevant to SPDX

* Additionally a working group for package managers, with recurring meetings

* June 20 or later - will be meeting in Austin among SPDX, CycloneDX and others re: identifying key use cases; reach out to Kate if wanting to participate in discussion

* Looking to find companies willing to invest in improving tooling, especially with going to 2.3 and 3.0; tools requested by community; improving documentation; doing outreach

* CISA Federal Register notice: https://www.federalregister.gov/documents/2022/06/01/2022-11733/public-listening-sessions-on-advancing-sbom-technology-processes-and-practices

* Red Hat readout from meeting: https://www.linkedin.com/posts/mark-bohannon-54b66a_red-hats-open-approach-to-vulnerability-activity-6931970156457840640-BrD8/?utm_source=linkedin_share&utm_medium=member_desktop_web





## Tech Team Report - Gary/Kate/Thomas



### Spec

* SPDX 2.2.2 has been released

* documentation bugs have been resolved; the rendered spec can be accessed at: https://spdx.github.io/spdx-spec/

* SPDX 2.3 is close to feature complete, we'll be declaring a release candidate in the next week, and generating ontologies for the tools to start trying it out.

* Likely aiming to release in next couple of weeks

* Documented in spdx-spec GitHub repo re: remaining tasks and activities

* Only a couple of items left that impact the syntax of documents; hoping they'll be resolved this week, though can't commit because consensus is being sought across multiple teams and time zones

* Aiming to have a draft schema out w/in a week after consensus, to be available for review

* Tooling folks then to update tools in parallel

* A couple of big issues _separate from_ those impacting the syntax: e.g. license namespaces, licenses and snippets; intention is to stay compatible with the existing syntax, but want to document in the spec if adopted

* SPDX 3.0 moving in parallel; revised model posted.

* William leading the core profile team effort

* Small list of outstanding items, will soon transition to documentation phase, moving from visual to written model

* Also in progress: Defects profile, canonicalization, Usage profile

* WG: AI BOM team meeting regularly, looking at how to describe training data, data sets, etc.; starting to work up a minimal set of fields

* Focused on how to represent models and the training data for those models

* WG: SPDX Implementers Group - meeting to discuss best practices around generating SPDX documents, meeting every other Wednesday

* WG: Build data - Brandon Lum heading up recurring meeting, Monday nights European time

* WG: Canonicalization - meets on Friday, discussing the serializations for the 3.0 model.

* Namespace discussions: additional meeting on Friday.

* Desire to have working group meetings listed and calendar invites visible

* Sebastian - looking to update wiki in short term, https://wiki.spdx.org/

* Gary - currently discussed primarily on tech team list

* Jilayne - would it make sense to add meeting times to https://github.com/spdx/meetings -- main README



## Legal Team Report - Jilayne/Paul/Steve

* License List 3.17 released in May

* Focus currently on discussion of cross-team topics for spec - license namespaces, etc.

* Looking to get a bit more formalization on cross-team topics:

* avoid multiple conversations on separate calls, look to have joint calls where appropriate

* proposals for something significant and new: aim to be more disciplined in articulating what's being solved for, e.g. "problem statement" / "what is this trying to achieve"; articulate how this fits into the mission of the project

* try to define the goals / problem statement before jumping to implementation

* Namespace discussion tomorrow - https://lists.spdx.org/g/Spdx-tech/message/4539; please read first before coming to meeting



## Outreach Team Report - Sebastian / Jack / Alexios

* GSOC

* 2 projects for this summer, now in the community bonding period

* communicate with participants

* Coding period starts next week

* Material progress on SPDX website rebuild, sneak peek on upcoming outreach team call

* Joshua Marpet working on additional outreach things

* Upcoming talks:

* Kate - upcoming RSA talk with Allan Friedman re: SBOMs and tooling; come by and say hi in person if you'll be there!

* Steve - Zephyr Developer Summit next week, SBOMs at build time

* Steve - OSPOCon / OSS NA later in June, SPDX License List



## Steering Committee

* No update



## Attendees

* David Edelsohn, IBM

* Kate Stewart, LF

* Jeff Buddington

* Gary O'Neall

* Alex Rybak, Revenera

* Dick Brooks, REA

* Alexios Zavras

* Rich Steenwyk, GE Healthcare

* Jeff Schutt

* Sebastian Crane

* Molly Menoni

* Phil Odence, Synopsys

* Steve Winslow, Boston Tech Law

* Jack Manbeck

* Yoshiyuki Ito

* Brad Goldring, GTC Law Group

* Andrew Jorgensen

* Michael Herzog

* Joshua Watt

* Rose Judge

* Sunil Jain

* Karsten Klein

* Mark Atwood, Amazon.com

* Tony Aiuto, Google

* Marc-Etienne Vargenau, Nokia

* VM Brasseur, Wipro

* Adrian Diglio, Microsoft

* Hector Fernandez, VMware