July Meeting Minutes

Phil Odence
There were several attendees whose organizations I don’t know. Please let me know and I will amend. Thanks.




General Meeting/Minutes/2021-07-01

· Attendance: 22
· Led by Phil Odence
· Minutes of the June meeting approved




SPDX Governance - Phil

Status of governance changes

· Still working through using the prepackaged JDF docs with the LF lawyers
    · Lots there, due to the general nature of the documents
    · It will have to go through the specified process for discussion and voting
· Why?
    · More scrutiny
    · Standards requirement: companies supporting, logos
    · OMG CISQ 3T joining SPDX
    · ISO direction: need more
    · Executive Order
    · Working with other standards, i.e. SWID and CycloneDX
· Specific concerns that came up
    · Community Spec License vs. CC-BY
    · Patent license, to address concerns that have arisen from companies we want to support
· Also, tangentially related: an SBOM generation tool showed up in the repo
    · Need criteria for including tools
· A question came up about discussion of governance on the general mailing list
    · We try to limit traffic on the list so one can use it to monitor activity without being overwhelmed
    · There will be a chance for discussion of a governance proposal once the process is in motion
    · Contact Phil with inputs
    · We’ll look into a separate list

Outreach Team Report - Sebastian/Jack


· Rebooted
· SPDX website rework; license for content is CC-BY-4.0
    · Looking to rebuild the website as a static site
    · Code and license: more flexibility over precise styling and functionality
    · Prototype of the site in the next few weeks
· Technical slides, for presenting about SPDX in your own organizations
· Reviewed collateral; focus on the audience so the collateral meets audience needs
    · More explanation of “why”; point to the specification when getting to details
· IRC channel
    · Sebastian set up #spdx on libera.chat
    · Previous channels on OFTC and Freenode hadn’t taken off
    · The libera.chat channel has 11 people in it currently
    · “Cloaking”: hides your IP address in some cases, replacing it with a badge for the organization you’re associated with; Sebastian can provide an “SPDX cloak”
    · Matrix bridge: a feature of libera.chat that enables joining via Matrix
· Meeting date and time: 15:00 UTC on Wednesdays will be the new meeting time, starting 14 July


Legal Team Report - Jilayne/Paul/Steve


· Several new folks participating
· Ariel and Candice from ClearlyDefined have been digging into the Python stack of licenses
· License List 3.14 release: targeting end of July


Tech Team Report - Kate/Gary/Others


· Tools
    · GSoC: JSON support in Golang; will seek to get the GSoC student to present at a future General Meeting
    · New participants interacting with the tools, and seeing pull requests
· NTIA Plugfest
    · New tools emerging from communities
    · SPDX was the most common format in use
    · Can’t get down to SPDX field-to-field
    · SPDX Plugfest?
        · Desire to have a Japan SPDX Plugfest
        · One for North America
    · Anchore has a tool supporting SPDX output (github.com/anchore/syft); it produces SPDX 2.2 now and can fairly quickly iterate on some 3.0 support if more 3.0 examples are needed
· Specification
    · ISO/IEC PRF 5962, Information Technology - SPDX® Specification V2.2.1: moved to PRF status; publication date 2021-08
    · OCI registry overview, and how SPDX could interact with containers
· Specification 3.0 work
    · Looking for more 3.0 examples in serialization
    · Lacking critical mass for some decisions (vacations)
    · Moving through the punch list on the core model
    · Vulnerability: waiting for core. Snyk put up a nice post. Feedback in progress.
    · Serialization needs to become clearer; more examples are needed
    · Follow up on VEX and CSAF
    · Licensing profile: pretty similar to 2.2 already; pending formatting for how the template can be expressed


Other Topics

· Open question: why spdx.dev vs. spdx.org? The license list is dynamically generated on spdx.org (Drupal → WordPress); how to keep the license list populating the website
    · Keep the license list URLs stable
· The Wikipedia page on SPDX is pretty stale; needs to be updated. Outreach will take it.


Attendees

· Phil Odence, Black Duck/Synopsys
· Philippe Emmanuel Douziech, CAST
· Bob Martin, Mitre
· Joshua Marpet, RM-ISAO
· David Edelsohn, IBM
· Sebastian Crane
· Marc Etienne Vargenau, Nokia
· Zach Hill, Anchore
· Steve Winslow, LF
· Kate Stewart, Linux Foundation
· William Cox, Synopsys
· Jack Manbeck, TI
· Alexios Zavras, Intel
· Warner Losh, FreeBSD
· Alfredo Espinosa
· Jilayne Lovejoy, Red Hat
· Chris Lusk
· Andrew Jorganson, AWS
· Thomas Steenbergen, HERE
· Ronda
· Brian Fox, Sonatype
· Michael Herzog, nexB