FW: Jan 3 SPDX General Meeting Reminder

Phil Odence

Re-reminding now that most folks are back from the holidays.


From: "podence@..." <podence@...>
Date: Thursday, December 20, 2018 at 10:04 AM
To: "spdx@..." <spdx@...>
Cc: JC Herz <jc.herz@...>
Subject: Jan 3 SPDX General Meeting Reminder


Hello, all. Wishing the best to you for the holidays. As many will have time off between now and the New Year.


A new direction from SPDX is to expand into handling security information in addition to license and copyrights. JCC Herz will be talking about this in in the Jan 3 meeting. JC is the COO of Ion Channel, a software supply chain assurance and software logistics platform. JC co-wrote open source acquisition policy for the Defense Department in the mid-2000’s to curtail vendor-driven FUD about OSS, and has worked in large-scale enterprises to accelerate and enable verification, audit and continuous assurance of OSS for mission critical applications. 


Here's what she’ll be talking about-

“Evolving SPDX for Open Source Security: Lessons Learned from the Software Evidence Archive (SEVA)”

In the early days of enterprise OSS use, corporate concern tended to stem from licensing status, and SPDX operationalizes and automates risk management in that domain. As concerns around OSS have shifted towards security and supply chain risk, there are enterprise workflows for security approval, audit and compliance that require more and different details to augment transitive dependencies and licensing - some of which are not immediately obvious to developer communities outside the bureaucracies where these workflows exist. In the development of the SEVA (Software Evidence Archive), Ion Channel needed to augment the content of a standard SBOM with security, audit and compliance fields to satisfy the security, audit and compliance requirements of large IT bureaucracies in an an automated fashion. Because of large and escalating regulatory requirements for security, audit and compliance, these workflows are not going away. To that end, Ion Channel seeks to support SPDX with an open source XML implementation that includes these fields, so that large regulated customers can more easily adopt, maintain and update OSS applications and components. 






Meeting Time: Thurs, Jan 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 


Administrative Agenda


Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-12-06


Guest Speaker  – JC Herz


Technical Team Report – Kate/Gary


Legal Team Report – Jilayne/Paul


Outreach Team Report – Jack


Any Cross Functional Issues –All



L. Philip Odence
General Manager, Black Duck On-Demand
Synopsys Software Integrity Group
800 District Avenue, Suite 101, Burlington, MA 01803-5061
Note new work #: W: +1.781.313.6801; M: +1.781.258.9502