SPDX January General Meeting Minutes
< General Meeting | Minutes
· Attendance: 15
· Lead by Phil Odence
· Minutes of Dec meeting approved
Contents
[hide]
· 1 Guest Presentation, JC Herz
· 2 Tech Team Report - Kate/Gary
· 3 Legal Team Report - Jilayne
Guest Presentation, JC Herz[edit]
· Background
· Years of working with companies and DOD in open source
· The Issues/concerns
· License issues- SPDX handles well
· Concerns about security close on the heels
· Compliance is an additional step- Jumping through the hoops to document
· SEVA Software Evidence Archive
· Elements
· Serves S-BOM function
· Augments with content that needs to travel with software
· Therefore allowing compliance work to be automated
· Freeing up valuable resources to do what they are supposed to do
· Can apply to a single component or a full application, so SEVA doesn’t distinguish
· Format Issue
· Customers required XML, beyond SEVA JSON
· To be useable by a highly secure facility, data has to be hardened for which XML is better suited
· Can be constrained and format can be verified (and extended)
· SPDX and SEVA Overlap
· License Info
· For the most part SPDX handles beautifully
· Government also needs to distinguish government open source
· A little more information about state of software (e.g. pre-release)
· Security extra needs
· Some concern about spurious vulnerabilities
· Answer is to extend a BoM to include patch info, etc
· End of life indicator
· They take SPDX familiar thing and provide some extensibility
· How to name “supplier”?
· Working with Kate
· OSS organization for example
· A bank’s black list
· Vulnerabilities
· Key requirement for vulnerabilities info in SBOM, although just a link might make more sense
· Reason is “audit” function. What you knew when. So needs a time stamp.
· Bureaucratic are not going to change in favor of something that makes more sense for developers
· Concerns that this will get worse over time
· Other Side - Logistics
· Moving and shipping of SW/chain of custody- Where did it come from exactly
· Not something OSS community has had to worry about
· Bad mirror issue, for example.
· Signed? Timestamp? Delivery date and time for software.
· Something like FedEx analogy
· Package URL helps identify
· Q&A
· What can SPDX group do?
· JC thinks that they should open source SEVA
· Could contribute to LinuxF perhaps
· Understand and need to balance needs of OSS consumers and dev communities
· Don’t want to burden them
· Automate
· Challenge- How to distinguish enterprise quality OSS vs. pet projects
Tech Team Report - Kate/Gary[edit]
· Tools
· Starting to plan for GSoC submissions with Gary/Kate
· Steve has been trained on releasing License list, so Gary now has backup
· Steve has been working on some new tools for summarizing the SPDX_license_ids based on a new SPDX go library - currently its just supporting TV, but he hopes to add in the other formats
· Specification
· Gary & James have been working through SeVA XML and working through how it can be added.
Legal Team Report - Jilayne[edit]
· License List
· V3.4 out before Christmas
· Big success to not have to scramble through holidays
· Release notes in the GitHub repo
· Instructions for requesting now live in Repo as well
· Leverage GSOC work has been automated.
· New frontier- Getting open hardware licenses on list
· Expanding definition of what goes on the list
Outreach Team Report[edit]
· None this month
Attendees[edit]
· Phil Odence, Black Duck/Synopsys
· Kate Stewart, Linux Foundation
· Jilayne Lovejoy
· Steve Winslow, LF
· Alexios Zavras, Intel
· Luis Villa, Tidelift
· Jams Neushal, Neushul Solutions
· Matthew Crawford, ARM
· Kevin Nelson, Optim Tech UHG
· Dennis Clark, NexB
· Thomas Steenbergen, HERE
· Bradlee Edmondson, Harvard
· Gary O’Neall, SourceAuditor
· Nicholas Toussaint, Orange
· JC Herz, Ionchannel