(cc list trimmed)

Thanks, Gary. Just for the record, I am on the tech list too. I wasn’t clear on 
where the group charter boundaries lay.

steve

From: [email protected] <[email protected]> on behalf of Gary O'Neall 
<[email protected]>
Date: Thursday, 1 December 2022 at 19:44
To: [email protected] <[email protected]>, [email protected] 
<[email protected]>
Cc: 'Brandon Lum' <[email protected]>, 'Nisha Kumar' <[email protected]>
Subject: Re: [spdx] SPDX creation phase

Hi Steve,

I’m going to include the SPDX tech group on the email thread – sorry to many of 
you for the duplication.

Steve – If you’re a member of that email we can continue the thread there.

There is a Build Profile working group which is tackling very similar problems 
for the SPDX 3.0 spec led by Brandon and Nisha (cc’d) – you may want to connect 
with that group.

For SPDX 2.3, I have a couple of thoughts and suggestions.  I think the 
Creation Information created date will provide the information on when the SBOM 
was created.  We don’t have any fields at the SPDX Document level to store and 
retrieve the build phase information, but we have added 3 new fields at the 
package level which may be useful:

  *   Built Date <https://spdx.github.io/spdx-spec/v2.3/package-information/#726-built-date>
  *   Release Date <https://spdx.github.io/spdx-spec/v2.3/package-information/#725-release-date>
  *   Valid Until Date <https://spdx.github.io/spdx-spec/v2.3/package-information/#727-valid-until-date>

For a typical SBOM, the SPDX document will have a Document Describes which 
points to the package the SBOM is describing.  Although it isn’t direct, you 
could use the Built Date and Release Date along with the Creation information 
to determine where in the lifecycle the SBOM was created.  Since these are 
optional fields, the Telco SIG would need to specify that they be included for 
the package in the Document Describes field.

Using the comment field for information not in the SPDX spec is an acceptable 
practice – especially if the information is intended to be human readable.  You 
can also use an Annotation on the SPDX document for the same purpose.  The 
advantage of the Annotation is you can have more than one with each Annotation 
having a specific purpose.  For example, you could have an Annotation 
“Build-Phase: pre-build” and a separate annotation for unrelated information.


Best regards,
Gary
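A consistency check along the lines Gary describes, added here as an example (not code from the SPDX project or from anyone on this thread): it reads the stated phase from a "Build-Phase:" document Annotation or from the CreatorComment the Telco SIG text proposes, derives pre-build or post-build for each package in Document Describes by comparing Created with Built Date, and flags packages whose dates contradict the stated phase. It assumes the SPDX 2.3 JSON key names (creationInfo.created, documentDescribes, packages[].builtDate, annotations[].comment); the document is constructed.

```python
from datetime import datetime, timezone

PHASES = ("pre-build", "build-time", "post-build")

def parse_ts(s):
    # SPDX timestamps are ISO 8601 in UTC, e.g. 2022-12-01T10:20:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stated_phase(doc):
    """Phase declared in a 'Build-Phase: <value>' document Annotation or in
    creationInfo.comment (the CreatorComment field); None if absent."""
    texts = [a.get("comment", "") for a in doc.get("annotations", [])]
    texts.append(doc.get("creationInfo", {}).get("comment", ""))
    for text in texts:
        key, sep, value = text.partition(":")
        if sep and key.strip().lower() == "build-phase" and value.strip() in PHASES:
            return value.strip()
    return None

def derived_phases(doc):
    """Per described package: where Created falls relative to builtDate.
    Point timestamps only separate pre-build from post-build; 'build-time'
    cannot be derived without a build window."""
    created = parse_ts(doc["creationInfo"]["created"])
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    result = {}
    for pkg_id in doc.get("documentDescribes", []):
        built = by_id.get(pkg_id, {}).get("builtDate")  # optional field
        if built is None:
            result[pkg_id] = "unknown"
        else:
            result[pkg_id] = "pre-build" if created < parse_ts(built) else "post-build"
    return result

def check(doc):
    """Return (stated, derived, conflicts). A conflict is a described package
    whose dates contradict the stated phase, e.g. a library built before the
    SBOM of a 'pre-build' application was created."""
    stated = stated_phase(doc)
    derived = derived_phases(doc)
    conflicts = [p for p, d in derived.items()
                 if stated in ("pre-build", "post-build") and d not in ("unknown", stated)]
    return stated, derived, conflicts

# Constructed SPDX 2.3 document: the app is built after the SBOM, the library before it.
SAMPLE = {
    "creationInfo": {"created": "2022-12-01T10:20:00Z", "comment": ""},
    "annotations": [{"annotator": "Tool: example-ci", "annotationType": "OTHER",
                     "annotationDate": "2022-12-01T10:20:00Z", "comment": "Build-Phase: pre-build"}],
    "documentDescribes": ["SPDXRef-App", "SPDXRef-Lib"],
    "packages": [{"SPDXID": "SPDXRef-App", "name": "app", "builtDate": "2022-12-01T11:00:00Z"},
                 {"SPDXID": "SPDXRef-Lib", "name": "lib", "builtDate": "2022-11-30T09:00:00Z"}],
}
```

Running `check(SAMPLE)` reports the stated phase as pre-build but lists SPDXRef-Lib as a conflict, which is exactly the mixed-phase case Steve raises.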

From: [email protected] <[email protected]> On Behalf Of Steve Kilbane
Sent: Thursday, December 1, 2022 3:20 AM
To: [email protected]
Subject: [spdx] SPDX creation phase

Hi all,

One of the suggestions in today’s call for the OpenChain Telco SIG, where we’re 
discussing proposals for an SBOM standard for the Telecommunications industry, 
was:

> SBOMs conforming to the Telco SBOM Specification need to contain the 
> information when the SBOM was created in the “Created” SPDX field and at what 
> phase of the software build it was created (“pre-build”, “build-time” or 
> “post-build”) in the CreatorComment SPDX field.

(See https://github.com/OpenChain-Project/Telco-WG/pull/15)

I raised a concern about ambiguity here, in that your application may be built 
from libraries that are built at an earlier stage, so the SBOM information may 
be created after some components are built, but before others. A recipient of 
the SBOM might also interpret each of these three phrases differently from the 
creator of the SBOM. I recall hearing that there have been conversations about 
many different SBOMs according to phase (source SBOM, build SBOM, deploy SBOM, 
cloud SBOM, etc.), so I wondered whether there was advice that the Telco SIG 
could lean upon, rather than trying to formulate a solution when it’s already a 
solved problem.

Apologies if this isn’t the right group.

steve

View/Reply Online (#4865): https://lists.spdx.org/g/Spdx-tech/message/4865