Hey Tony,

We have a build profile meeting every Monday, let me send you an invite.
We are taking the stance of a builder similar to how SLSA does it and encoded in a similar way of the who/when/what/where/why of the build. (https://spdx.swinslow.net/p/spdx-build-minutes).

Looking forward to having you join the discussions!

Cheers
Brandon

On Wed, Jun 1, 2022 at 10:30 AM Tony Aiuto <[email protected]> wrote:

> Hi. I'm new to this particular thread. I wanted to extend the examples
> Nisha started with some perspective on what we do inside Google.
> A "build" is never really a single type. We think of it as a build
> orchestration, where individual sub-steps might be performed on
> different platforms entirely. Examples we might see are.
>
> iOS application built from linux desktop
>
> - build controller is local linux
> - some code generation might be done on remote build servers
>   (typically linux, varying CPU architectures)
> - compilation (of that generated code), and linking is done on Apple
>   machines for compliance
> - code signing may be passed off to a smaller set of secure machines.
>
> Windows desktop application
>
> - Desktop user pushes button to initiate on the build service
> - cross compile some libraries for windows on remote linux based build
>   servers
> - pass pre-built portions to a windows based build server to do final
>   linking, signing and packaging
>
> Each of these individual parts overlaps with one of the examples in
> Nisha's doc. The main point is that there is really no single "build".
> Each artifact in a build graph could come from a different build step
> execution environment.
>
> On Wed, Jun 1, 2022 at 8:39 AM Brandon Lum via lists.spdx.org
> <lumb=[email protected]> wrote:
>
>> This is a good starting off point for the Provider discussion! Thanks
>> for putting this together. Let's keep 30 mins next meeting in the
>> agenda to go through this and discuss it.
>>
>> On Tue, May 31, 2022 at 5:01 PM Nisha Kumar <[email protected]> wrote:
>>
>>> Hi Brandon,
>>>
>>> I'm not sure how much I can contribute without some feedback from the
>>> group on the examples:
>>> https://docs.google.com/document/d/1b1dF21miwRTIegwxNM3YZr15YU4kE3rfxeYcn47oPNI/edit?usp=sharing
>>>
>>> I would suggest looking at the examples and extracting some patterns.
>>> One pattern I've noticed is whether a build thing is self hosted or
>>> hosted by someone else. Another one is how high the stack is i.e. is
>>> it the build happening on a computer with an OS or a computer with an
>>> OS running a VM or a container with some automation around it. Could
>>> all of these things be called "provider" or "service"?
>>>
>>> On 5/24/22 07:32, Brandon Lum via lists.spdx.org wrote:
>>>
>>> Hi All,
>>>
>>> We've been making some great progress with the Build profiles working
>>> group and Sebastian had the great suggestion of laying out a roadmap,
>>> as we start to finalize on some details and ideas - some of which we
>>> will be bringing to the spdx-tech group.
>>>
>>> As an aside, next Monday is Memorial Day, and most folks will be out,
>>> so we decided to cancel the meeting in favor of an async discussion
>>> on the roadmap, and the concept of ConfigInfo.
>>>
>>> *SPDX Build Profile Roadmap (Draft)*
>>>
>>> - [10 June] Define a proposal of Provider/Service construct (Nisha,
>>>   et al.)
>>> - [17 June] Defining the contents of the build profile (5 W's of a
>>>   build)
>>> - [24 June] Define a proposal of ConfigInfo (Gary, et al.)
>>> - [15 July] Define additional SPDX relationships and how to express
>>>   the build profile
>>>
>>> Names are there for people who have volunteered/voluntold to help
>>> drive the discussions, proposals are still discussed as a group.
>>>
>>> For additional context, here is a definition of ConfigInfo / Provider:
>>> - ConfigInfo: Things like environment variables, parameters or
>>>   command/entrypoint. Things that are not files, and so don't quite
>>>   fit as a Package.
>>> - Provider/Service: Express the usage of a particular
>>>   service/provider. For example, key management/signing service.
>>>
>>> Cheers
>>> Brandon
>>>
>>> --
>>> nisha

View/Reply Online (#4545): https://lists.spdx.org/g/Spdx-tech/message/4545
