SBOMs in the Windows supply chain, an SPDX success story - Joe Bussell, Microsoft
Abstract: Joe will discuss how Microsoft validates the SBOMs that represent software packages in the Windows software supply chain. Each stage of the Windows pipeline generates a signed SBOM, providing a comprehensive view of the package and establishing trust in the supply chain. Downstream consumers validate the COSE signature and check that the content hashes recorded in the SPDX SBOM match the hashes of the files in the package, which ensures the integrity of the package.

Joe: I'm a technology enthusiast who is passionate about making a positive impact on people's lives. I currently lead a team of engineers in the Windows Engineering System at Microsoft, where we focus on developing secure, reliable, and efficient tools for building a variety of products. I have a diverse technology background, including writing the atlas classes used in the US Air Force's Advanced Computer Flight Planner (ACFP) and developing a wall-mounted fiber-optic spectrometer for water quality assurance. Outside of work, I enjoy gardening, camping, reading, and playing tabletop games like Dungeons & Dragons. I also teach cybersecurity as part of TEALS. Fun fact: I've explored hydrothermal vents in the Southern Ocean a stone's throw from Antarctica on the USCG Polar Star.

Meeting Time: Thurs, April 6, 8am PT / 10am CT / 11am ET / 15:00 UTC.
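The content-hash step the abstract describes, as an added example written for this announcement (it is not Microsoft's or the SPDX project's code): build a constructed SPDX 2.x JSON document whose `files[].checksums[]` entries carry SHA256 values, hash every file on disk, and report files whose hash differs from the SBOM, files the SBOM lists but the package lacks, and files present on disk that the SBOM never mentions. The package layout, file names and SBOM content are constructed for the demo; the COSE signature check that must pass before any of this is trusted is assumed to have run already and is not shown.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample package: relative path -> file bytes (not a real Windows package).
SAMPLE_FILES = {
    "bin/app.dll": b"constructed app bytes",
    "bin/helper.dll": b"constructed helper bytes",
}


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(name):
    """SPDX fileName values are package-relative and usually start with './'."""
    return name[2:] if name.startswith("./") else name


def sbom_sha256_map(sbom):
    """Map each SPDX file entry to its SHA256 checksum; an entry without one is an error."""
    expected = {}
    for entry in sbom.get("files", []):
        digests = {c["algorithm"]: c["checksumValue"].lower()
                   for c in entry.get("checksums", [])}
        if "SHA256" not in digests:
            raise ValueError(f"no SHA256 checksum for {entry['fileName']}")
        expected[normalize(entry["fileName"])] = digests["SHA256"]
    return expected


def validate_package(sbom, package_dir):
    """Compare every file on disk against the SBOM and report mismatched, missing and unlisted files."""
    expected = sbom_sha256_map(sbom)
    actual = {}
    for root, _dirs, names in os.walk(package_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, package_dir).replace(os.sep, "/")
            actual[rel] = sha256_file(full)
    # compare_digest keeps the hex comparison constant-time; the hashes are hex strings of equal length
    mismatched = sorted(p for p in expected if p in actual
                        and not hmac.compare_digest(expected[p], actual[p]))
    missing = sorted(p for p in expected if p not in actual)
    unlisted = sorted(p for p in actual if p not in expected)
    return {"ok": not (mismatched or missing or unlisted),
            "mismatched": mismatched, "missing": missing, "unlisted": unlisted}


def write_sample_package(package_dir):
    """Write SAMPLE_FILES under package_dir and return a matching constructed SPDX 2.x JSON document."""
    files = []
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(package_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        files.append({
            "fileName": "./" + rel,
            "SPDXID": "SPDXRef-File-" + rel.replace("/", "-"),
            "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_file(full)}],
        })
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
            "name": "constructed-package", "files": files}


def run_demo():
    """Validate the clean package, then tamper with it and validate again."""
    with tempfile.TemporaryDirectory() as d:
        sbom = write_sample_package(d)
        clean = validate_package(sbom, d)
        # Simulate post-build tampering: modify one file, delete one, add one the SBOM never listed.
        with open(os.path.join(d, "bin", "helper.dll"), "wb") as f:
            f.write(b"tampered")
        os.remove(os.path.join(d, "bin", "app.dll"))
        with open(os.path.join(d, "bin", "extra.dll"), "wb") as f:
            f.write(b"unlisted")
        tampered = validate_package(sbom, d)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points carry over to a real validator: the walk must cover every file in the package (an unlisted file is as much a finding as a modified one, since an SBOM only attests to what it lists), and the SBOM itself, which in practice lives inside the package it describes, has to be exempted from the walk rather than hashed against itself.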
http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Join the meeting: https://meet.jit.si/SPDXGeneralMeeting
To join by phone instead, tap this: +1.512.647.1431,,1310118349#
Looking for a different dial-in number? See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting
If also dialing in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes

Administrative Agenda
Attendance
Minutes Approval: https://github.com/spdx/meetings/blob/main/general/2023-03-02.md
Special Presentation - Joe
Steering Committee Update - Phil
Technical Team Report – Kate/Gary/Others
* Specification and Profiles
* Overview
* Core
* Legal
* Integrity
* Defects
* Usage and Other Emerging
* Tooling
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack/Sebastian/Alexios

View/Reply Online (#1662): https://lists.spdx.org/g/spdx/message/1662
