April General SPDX Meeting Minutes

Phil Odence

A great meeting with great attendance.

Please volunteer or suggest a guest speaker for next time. Anything SPDX related is fair game.




General Meeting/Minutes/2020-04-02

General Meeting‎ | Minutes

·         Attendance: 19

·         Lead by Phil Odence

·         Minutes of April meeting



·         1 Guest Speaker- Allan Friedman, NTIA

·         2 Tech Team Report - Kate

·         3 Legal Team Report - Steve

·         4 Outreach Team Report - Jack

·         5 Cross Functional -

·         6 Attendees

Guest Speaker- Allan Friedman, NTIA[edit]

·         NTIA’s Multistakeholder SBOM Process

·         Concerns about software supply chain risks have garnered more attention and energy in the OSS community, industry, and governments around the world. One natural starting point is a greater expectation of transparency of software components and dependencies. Any solution must scale up and down the software supply chain, and across the incredibly diverse software ecosystem, from modern CI/CD application development to critical infrastructure and embedded systems. Over the past two years, NTIA has helped a diverse set of stakeholders find a common vision for a "software bill of materials" (SBOM) that has the potential to scale as needed, and serve as a foundation for even more innovation around software supply chain security and quality. The SPDX community has played a key role in this discussion, and emerged as a key standard. This presentation will give an overview of the policy landscape, the progress made, and the work yet to be done around SBOM. 

·         Allan’s slides  https://drive.google.com/open?id=1KOsm6grnSZ5FsSnzTI9ybYT9m84F8Zfe

Tech Team Report - Kate[edit]

·         Spec

·         Wrapping up 2.2 spec

·         Known unknowns made it in

·         3.0 Visions

·         William Bartholomew’s talk about profiles was great (and recorded)

·         Tools

·         Gary’s been working on 2.2 tooling

·         Requiring a complete rewrite to the java tools

·         Not API compatible

·         Google SoC

·         15 different submissions

·         Google is looking for additional mentors on each project

·         So, we need more mentors; contact Gary

Legal Team Report - Steve[edit]

·         Finalized updates to license inclusion principles

·         Mostly clarifications

·         But also to broaden a bit for non-OSS source available licenses

·         https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md

·         3.9 list release has been pushed out a bit

·         Were waiting for above

·         https://github.com/spdx/license-list-XML/issues?q=is%3Aopen+is%3Aissue+milestone%3A%223.9+release%22

·         In anticipation of 3.0 working on a licensing profile

·         With Tech Team, updating back end of SPDX website to manage move from Drupal to Wordpress

·         Maintaining license URLs

·         Static pages moving do a different domain.


Outreach Team Report - Jack[edit]

·         Will be looking for help to update content for Website as per above

·         Documenting comprehensive list of SPDX-related tooling

Cross Functional -[edit]

·         None


·         Phil Odence, Black Duck/Synopsys

·         Alan Friedman, NTIA

·         Rose Judge, VMware

·         Steve Winslow, LF

·         Kate Stewart, Linux Foundation

·         Alexios Zavras, Intel

·         Jack Manbeck, TI

·         Jim Hutchison, Qualcomm

·         William Bartholomew, GitHub

·         Dave McLoughlin, Flexera

·         Michael Herzog- nexB

·         Alex Rybak, Flexera

·         Gary O’Neall, SourceAuditor

·         Paul Madick

·         Brad Goldring, GTC Law

·         David Wheeler, Linux Foundation

·         Mike Dolan, Linux Foundation

·         Bob Campbell, DXC

·         Mark Atwood, Amazon