SPDX May General Meeting Minutes
https://wiki.spdx.org/view/General_Meeting/Minutes/2021-05-06
L. Philip Odence
General Manager, Black Duck Audit Business
Synopsys Software Integrity Group, Burlington, MA
M (781) 258-9502 | phil.odence@...
https://www.synopsys.com/audits
General Meeting/Minutes/2021-05-06
· Attendance: 18
· Led by Phil Odence
· Minutes of April meeting approved
· Plan was to switch to Zoom
· Considering using Jitsi
SPDX License Name Space at Amazon - Mark
· https://docs.google.com/presentation/d/1uCAJW79hzqLAPhXfAn4maCRk9TZUhLJDAPEOBlgUFTw/edit?usp=sharing
Tech Team Report - Kate/Gary/Others
· Spec – Kate
· Specification conversations continuing to move forward
· Rough template for categories of topics (what were previously being called “profiles”)
· Core Model - Gary
· No Update
· Licensing
· filed PR with initial draft for discussion of template format, etc.; will update to newer template; previously discussed much of its substance last year
· Integrity – Kay
· working with in-toto community, framework for end-to-end supply chain security; collaborating with them to see if the specs can be aligned
· Defects / Security – Thomas not here today
· pushed first draft of fields for (1) vulnerabilities, and (2) defects => impact on packages, false positives, etc.
· https://github.com/spdx/spdx-spec/pull/510
· Meetings next week to look at other security specs, their use cases, whether they can / how they should be incorporated
· Linking – Nisha not here today
· Kate discussing with Nisha / Rose
· Usage – Yoshiyuki Ito
· No update
· Pedigree / Build / Creation – Kate
· No Update
· GSoC – Alexios
· Got 5 slots; can run up to 5 projects
· Likely to accept 5 proposals:
· 2 for improving Golang tooling libraries (one RDF writing, one JSON reading/writing)
· 1 for transitioning / updating online SPDX tools
· 1 for spec processing tools
· 1 for improved license matcher, taking matching guidelines into account (unplanned submission)
Legal Team Report - Jilayne/Paul/Steve
· Working for 3.13, planning to push out over the weekend
· Have been trying to clean up old issues
· Some updates on documentation in the repo
· New participants recently – some discussions on recent calls have included reviewing past history; may want to put together more historical documentation of past context, etc.
· Some interest from Debian – interest in getting a Debian-free tickbox into the license list
· License submissions – starting to take a harder line on participation from people submitting license requests without sticking with them. For this release, started asking people to create the PRs themselves – a few of the submitters at least responded and indicated they would do so
· Still relying on the calls too much; having people commenting in issues out-of-band would be very helpful
Outreach Team Report - Kate
· Continuing to see interest in SPDX across different communities
· Zephyr – auto-generation
· Possible interest in re-starting Outreach team meetings – Sebastian interested, Aveek also
· Kate will reach out to Jack and either ask him to restart or else Kate will restart
Other Topics
· Sebastian – interest within Arch Linux in using SPDX
· Some work being done on the Arch packaging system, interest in using SPDX licenses
· Jitsi
· Jilayne - Jitsi – this has gone well, plan to update to this for future General calls
· Legal and Tech teams can update if/when they choose
· Europe, UK, etc. seems to be working
· Bob – recommend putting passwords on it
· Steve – discuss whether to put one on. Possible but appears to prevent dial-ins afterwards.
· Steve will look into options
Attendees
· Phil Odence, Black Duck/Synopsys
· Mark Atwood, Amazon
· Matthew Crawford, ARM
· Bob Martin, Mitre
· Philippe Emmanuel Douziech, CAST
· Jilayne Lovejoy, Red Hat
· Maximilian Huber, TNG
· Alexios Zavras, Intel
· Kay Williams, Microsoft
· David Edelsohn, IBM
· Thomas Steenbergen, HERE
· Jeff Schutt, Cisco
· Kate Stewart, Linux Foundation
· Michael Herzog, nexB
· Sebastian Crane
· Steve Winslow, LF
· Marc Etienne Vargenau, Nokia
· Jonas Smedegaard, self