NOTE: I am a little behind and have not posted the minutes from the March 
meeting in GH. In advance of that, I have included the minutes in rough form 
at the bottom of this email.

PRESENTATION: Please join us for this presentation to kick off the meeting. 
The Yocto Project has been very supportive of SPDX and active in incorporating 
the technology.

SPDX in the Yocto Project – Joshua Watt
Abstract:
As Software Bills of Material (SBoMs) become more important in the software 
industry, the generation of high quality SBoMs from the beginning of the 
Software Supply Chain has also become more important. The Yocto Project is 
designed to build up software images from source, and as such is a prime 
candidate to generate these SBoMs at the point where software packages are 
compiled and assembled into customer images. Joshua will talk about how the 
Yocto Project is able to do this, and some of the interesting quirks 
encountered when implementing this feature.

Joshua Watt is a Software Engineer for Garmin, where he has been working for 
the past 13 years. He has been a developer with OpenEmbedded and the Yocto 
Project for the past 7 years, and is a member of the OpenEmbedded Technical 
Steering Committee.


GENERAL MEETING

Meeting Time: Thurs, April 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC. 
http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Etherpad for minutes:
https://spdx.swinslow.net/p/spdx-general-minutes

Administrative Agenda
Attendance
Minutes Approval 
https://github.com/spdx/meetings/blob/master/general/2022-02-03.md

Special Presentation

Technical Team Report – Kate/Gary/Others

  *   Specification and Profiles
     *   Overview
     *   Core
     *   Legal
     *   Integrity
     *   Defects
     *   Usage and Other Emerging
  *   Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack/Sebastian




# SPDX General Meeting Minutes - March 3, 2022


## Administrative
- Attendance:
* Phil Odence, Black Duck Audits/Synopsys
* Patrick Reilly
* Sebastian Crane
* Bob Martin
* Joshua Dubin, Verizon
* Steve Winslow
* Brad Goldring, GTC Law Group
* Joshua Marpet
* Joshua Watt
* Jon Geater, Jitsuin (presenter)
* Alex Rybak
* Jeff Schutt
* Kate Stewart, Linux Foundation
* Maximillian Huber
* Mark Atwood, Amazon.com
* Philippe-Emmanuel Douziech, CAST GmbH / CISQ
* David Edelsohn
* Paul Madick
* Jilayne Lovejoy, Red Hat
* Ria Schalnat
* Molly Menomi
* Robert Boyd


- Led by Phil Odence
- Minutes from last meeting approved.

## How RKVST Uses SPDX for Software Transparency by Jon Geater, CTO Jitsuin
### Jitsuin, RVST, Digital Twin Consortium
### The Problem
#### Cyber-physical systems: data is the new oil. Big opportunity... but requires trusting data
#### Trust can be difficult because everyone is in a supply chain, crossing org boundaries
### Solution approach: Shared asset history w/evidence
#### Including BOM
##### Software and hardware combination (depending on industry)
##### SBOM is a super crucial first step
#### Common understanding takes out human time-consuming steps
#### Anyone in the chain should be able to make their own risk assessment
##### Trust is not the same as security
##### Things change/are dynamic...and with software that's frequent
##### So systems need to be able to handle quickly, in real time
### Conclusions
#### What's needed is resilient operation of dynamic systems
#### Important first step is what's in the box
#### ...then vulnerabilities and what to do about them
#### Interoperability of standard formats
### Q&A



## Tech Team Report - Gary/Kate/Thomas
### Spec
#### Defects
* Meetings have started up; join the mailing list for details.
#### Core 3.0
* Kate / William - have been making good progress on punch list
#### 2.3 Release
* will be adding in some fields that people have been asking for, for interoperability with the CycloneDX community
* license namespaces - Mark Atwood and Steve Winslow to sync
* SPDX Lite - add Package Supplier to match the NTIA minimum definition for the SPDX Lite profile


### Tools
#### GSOC
* Submission in; project ideas still welcome.


## Legal Team Report - Jilayne/Paul/Steve
* 3.16 released at beginning of February; continuing with issues / PRs for 3.17
* change in meeting cadence - moved to 2nd / 4th Thursday of every month; Steve to update downloadable invites on website
## Outreach Team Report - Sebastian
* Updates to landscape in process
* FOSDEM talk from Sebastian - recording not yet on FOSDEM website
  * highlighting key aspects of effective, high-quality SBOMs
  * will be available at https://fosdem.org/2022/schedule/event/security_sbom/ once it's posted
* March 20 - LibrePlanet talk - package management
  * https://libreplanet.org/2022/speakers/#5830
* OpenSSF interest in vulnerabilities website
* Kate and Jack - updates to website




View/Reply Online (#1503): https://lists.spdx.org/g/spdx/message/1503