https://github.com/spdx/meetings/blob/master/general/2022-02-03.md
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | [email protected]<mailto:[email protected]> https://www.synopsys.com/audits [SIG-emailsig-2020] [signature_762280638]<https://www.linkedin.com/showcase/sw_integrity/> [signature_1149972784] <https://twitter.com/SW_Integrity> [signature_1518328037] <https://www.youtube.com/channel/UC0I_hKR1E-Ty0roBUEQN4Ww> [signature_338408634] <https://www.facebook.com/SynopsysSoftwareIntegrity> SPDX General Meeting Minutes - Feb 3, 2022 Administrative * Attendance: 33 * Lead by Phil Odence * Minutes from last meeting approved Steve Hendrick w/report on SBOM readiness * Press release about the report<https://www.linuxfoundation.org/tools/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness/> * Report itself<https://linuxfoundation.org/wp-content/uploads/LFResearch_SBOM_Report_final.pdf> * Showing a selected set of slides from the report * In all his years as an industry analyst, he never heard of SBOMs. Now though, it's about to become a massive market. * Was careful to not be too LF biased by surveying a broad end user community. * Anticipate a 60+ percent growth of orgs using SBOMs…if the tooling exists to support that growth. He hasn't yet looked at the tools that are out there. * Not a lot of visibility for this from the vendors & tooling providers. Analysts also haven't yet done a market forecast for this, either. * Discussion on formats that wasn't included in the report. Won't summarise here as it's not really public. Tech Team Report - Gary/Kate/Thomas Spec Defects * Thomas sent out Doodle poll to figure out date for next team call * Multiple options on how to include vulnerabilities: include, separate, and link * Working on one document Core 3.0 * Good progress on building concensus on when to use properties or relationships (packages containing files for example). Follow along in spdx-3.0-model repo. 2.3 Release * Follow up from Docfest on some clarifications that emerged from comparisons. * Anything that we need to help people adopt SPDX for presidential order. Dick points out CMC issued an RFI that incorporates SBOM: https://sam.gov/opp/fe53a2be20094034b178e260f29cd0ad/view * For licensing-related fields that are currently mandatory but can have noassertion, looking at permitting them to be made as optional for 2.3, presuming NOASSERTION if field is omitted. Tools DocFest (Rose) * Held on 1/27, 24 attendee, identified - 6 topics - made it through all 6 * Thanks to analysis team for helping to understand the differences! GSOC * GSOC Summer of Code - Alexios will be lead. * Please feel free to contribute Tooling Release * Rohit working on merge for Online tools. * Working with CycloneDX team to have tools that interoperate. * FOSDEM coming up this weekend - Software Composition and Dependency devroom, https://fosdem.org/2022/schedule/track/software_composition_and_dependency_management/ Legal Team Report - Jilayne/Paul/Steve License List * Will release 3.16 this weekend. * Good discussion on Fedora use of identifiers, and use between communities. * Historically added about 80 licenses to license list in 2014, based on Fedora's own list of licenses * Similar to discussion previously with Warner about use in FreeBSD * Will provide updates to General team on Fedora and FreeBSD as it proceeds Outreach Team Report - Sebastian * (getting update from email) ________________________________ Attendees * VM Brasseur * Brad Goldring, GTC Law Group * Christina Chen * Thomas Steenbergen * Steve Hendrick * Jilayne Lovejoy * Dick Brooks * Kate Stewart * Alex Rybak * Alexios Zavras * Gary O'Neall * Christine Chen * David Edelsohn * Edgar * Jacob Wilson * Jesse Porter, Qualcomm * Karan Marjara * Lena Smart * Marc Etienne Vargenau * Matthew Neal Miller, Red Hat Product Security * Michael Herzog * Paul Madick * Pete Allor, Red Hat Product Security * Phil Odence * Steve Winslow * William Cox * Andrew Jorgensen * Alfredo Espinosa * Rose Judge * Ria Schalnat * Joe Bussell * Joshua Dubin * Michael Herzog -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1497): https://lists.spdx.org/g/spdx/message/1497 Mute This Topic: https://lists.spdx.org/mt/89070934/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
