EMEA folks- US had not changed clocks yet, so the meeting time at 11EDT is an hour off from normal for you.

We will have a special presentation from Thomas Steenbergen about how we have been evolving SPDX to support use cases for security vulnerabilities. This is an especially timely topic as much of the SBOM buzz is around this use case. We’ve made good progress with SPDX 2.3 and more progress is planned for 3.0.

GENERAL MEETING

Meeting Time: Thurs, Nov 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Etherpad for minutes:

https://spdx.swinslow.net/p/spdx-general-minutes

Administrative Agenda

Attendance

Minutes Approval: At the bottom of this email

Presenation - Thomas

Steering Committee Update - Phil

Technical Team Report – Kate/Gary/Others

• Specification and Profiles
• Overview
• Core
• Legal
• Integrity
• Defects
• Usage and Other Emerging
• Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack/Sebastian/Alexios

# SPDX General Meeting Minutes - Oct 6, 2022       

## Administrative

* Lead by Phil Odence

* Minutes from last meeting approved

·          

### Attendance: 23

## Special Presentation - NTIA Conformance Checker – Josh Lin

* Introducing Josh and GSoC

* NTIA Minimum Elements

* Checker "checks" whether SBOM meets minimum requirements

·         * plus one other field, doc version

* Demo

·         * Web app

·         * Command line available too

* Q&A

## Steering Committee Update

* Wiki freeze

* 2.3 pdf

* Legal Team License List cadence

·                 

## Tech Team Report - Gary

·          

### Spec

* 2.3

    * Essentially released

    * Still some remaining "cleanup" items

    * But good to go; ready for use

* 3.0 Core

    * Continuing to work through core model with punchlist

    * Schedule

·             * Have been targeting end of 2022

·         * looking unlikely, 

·         * Core work is an important dependency

·         * Working with Cyclone DX on interop including tooling

·         * good working relationship

·         * aiming for lossless translation between the two

·         * trying to include as much joint functionality as possiblity

* Profile active progress towards 3.0

    * Defects - 

    * Usage - 

    * AI profile - 

    * Build profile - 

    * New FuSa profile 

* Tooling

    * Lots of activity

    * Significant interest in the Maven plugin

    * Fairly significant release of the tools in the next week or so (including Josh's utility)

    * Lots of progress on Go tools

·          

## Legal Team Report - Jilayne, Steve

* Current focus is on processes and documentation

·         * ergo less on processing submissions

* However, submissions have ramped up

·         * Fedora/Richard Fontana in particular has proposed many new licenses

·         * So 32 pending, much higher than normal

·         * https://github.com/spdx/license-list-XML/issues - please come and weigh in on submitted issues, re: whether requests fit with the license inclusion principles at https://github.com/spdx/license-list-XML/blob/main/DOCS/license-inclusion-principles.md

* Cadence discussion

·         * Has been calendar quarter + 1

·         * Looking at major/minor version numbers

·         * Open to input from tool vendors on Legal Team mailing list - https://lists.spdx.org/g/Spdx-legal

* Help needed

·         * People to do the work

·         * Automation of license mark up

* Old license

·         * Fedora, Debian, FreeBSD collaboration on license archaeology

## Outreach Team Report -  Sebastian 

* Website

·         * Rebuild entering next stage

·         * Must meet LF standards

·         * Collecting member logs in vector formats (to scale up and down from phone to mega monitor)

* 2.3 pdf

·         * SPDX has grown and so has the task

·         * Jack has done previous and conversion for the ISO spec

·         * Stepping back and building markdown to LaTeX pdf convertor

·         * Pandoc has not been effective

·         * Tables are a particular problem

·         * Perhaps there's an existing, non-Pandoc, tool that would serve

·         * Should be addressed in 3.0, built in by design

·         * spec generator that Alexios is driving

* Help needed

·         * website in particular

·         * bringing content over

·         * so need 

·         * writing

·         * graphic design

·         * web development

·          

·                 

## Attendees

* Phil Odence, Synopsys/Black Duck Audits

* Jari Koivisto

* David Edelsohn

* VM Brasseur

* Armin Tanzer

* Gary O'Neall

* William Cox (Synopsys)

* Josh Lin

* Steve Winslow

* Karsten Klein (metaeffekt)

* Alex Rybak (Revenera)

* Bruce

* Brad Goldring (GTC Law Group)

* Jack Manbeck

* Rich Steenwyk (GE Healthcare)

* Bryan Cowan (Fortress)

* Nicolaus Weidner

* Jilayne Lovejoy

* Michael Herzog

* Sebastian Crane

* Molly Menoni

* Marc-Etienne Vargenau

* Ria Schalnat