Special Presentation Title: SPDX AI BOM Update – Karen Bennet Abstract: A definition for AI system is forming which we will be discussed as we rollout the SPDX (System Package Data Exchange ) 3.0. AI BOM (core+software+AI+Dataset profiles) has changed slightly in past few months, come learn more and what is new in the AI BOM space for onsiderations in r SPDX 3.* ie. Harm/Vex, Environmental and Hardware profiles. Speaker: Karen is an experienced senior engineering leader with more than 40 years in the software development business in both open and closed source solutions. She is currently focused on bringing Responsible AI to Enterprise. She is heavily involved in developing Standards with LinuxFoundation, ITU, ISO, NIST and IEEE) to improve the trust a in AI systems. She previously worked as a senior engineering leader at IBM, Yahoo, Red Hat and 5 startups in the AI spa
Note: Minutes from the last meeting are at the bottom of this email Meeting Time: Thursday Feb 8, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.timeanddate.com_worldclock_converter.html&d=DwMGaQ&c=DPL6_X_6JkXFx7AXWqB0tg&r=CGsG_HWslMnHmDRZngTUv7VswbuEgSDQQD-XjX0ZZFc&m=aTno2MdPkEyWeFF6NtTVsvkwhro4X8E0ghAjdiaNKPY&s=ZE9sYJcHMoEO3g5qrPPuiKU0gFK7mMjd9Km_ClCNBbU&e=> Conf call dial-in: Join the meeting: https://meet.jit.si/SPDXGeneralMeeting<https://urldefense.com/v3/__https:/www.google.com/url?q=https*3A*2F*2Fmeet.jit.si*2FSPDXGeneralMeeting&sa=D&ust=1619537013292000&usg=AOvVaw224M4IF9lZQ--a36gO3Lwh__;JSUlJQ!!A4F2R9G_pg!I3GFzBfRfUyGZhkyTIdNNgY2TQsTIZL85F0ubPgWSv4TkuBYAzJmtyCci41BGCiD_0k$> To join by phone instead, tap this: +1.512.647.1431,,1310118349#<tel:+15126471431,1310118349> Looking for a different dial-in number? See meeting dial-in numbers: https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting<https://urldefense.com/v3/__https:/www.google.com/url?q=https*3A*2F*2Fmeet.jit.si*2Fstatic*2FdialInInfo.html*3Froom*3DSPDXGeneralMeeting&sa=D&ust=1619537013292000&usg=AOvVaw0CFb1socSljscXVhl5wU_R__;JSUlJSUlJQ!!A4F2R9G_pg!I3GFzBfRfUyGZhkyTIdNNgY2TQsTIZL85F0ubPgWSv4TkuBYAzJmtyCci41BhDXVXvs$> If also dialing-in through a room phone, join without connecting to audio: https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true<https://urldefense.com/v3/__https:/www.google.com/url?q=https*3A*2F*2Fmeet.jit.si*2FSPDXGeneralMeeting*23config.startSilent*3Dtrue&sa=D&ust=1619537013292000&usg=AOvVaw0KXqpP-XHq4V1GzN9CrPgS__;JSUlJSUl!!A4F2R9G_pg!I3GFzBfRfUyGZhkyTIdNNgY2TQsTIZL85F0ubPgWSv4TkuBYAzJmtyCci41B0qALsVU$> Etherpad for minutes: https://spdx.swinslow.net/p/spdx-general-minutes<https://urldefense.com/v3/__https:/spdx.swinslow.net/p/spdx-general-minutes__;!!A4F2R9G_pg!bkFgK9GI5IbYCG_91ZtQilKgVfK3GKVMNzWVmfR-vYiSdgqVJFuyjsogC7bylG6qLZWcg-pZsfwx1j22AYkUN1F-yUtbJ9gGY3R4AFJ0$> Meeting Agenda: Administrative Agenda Attendance Minutes Approval. Bottom of this email Special Presentation – Karen Technical Team Report – Kate/Gary/Others * Overview * Specification and Profiles * Core & Software * Security * Licensing * Build * Lite * AI * Dataset * Functional Safety * Canonicalization/Serialization * Software as a Service * Hardware * Tooling + Implementers Legal Team Report – Jilayne/Steve Outreach/Website Team Report – Alexios/Bob General Announcements ****************** # SPDX General Meeting Minutes- 2024-03-07 ## Administrative - Minutes from February meeting (2024-02-08) approved - Attendees - 27 ## Special Presentation - SPDX 3.0 RC2 Overview - Gary and Bob - 3.0 goals - Background - Historical timeline - "use case by use case" - Evolution/fomats - 3.0 Specification infrastructure - Modular, collabortive - Conceptual model to markdown spec - Generators to website and (via OWL/SHACL) specific schemas - Structural Changes - all to broaden and simplify - Profiles - to support a wide range of use cases - External doc references - Relationships - A number of smaller changes usability and clarity - RC1 to RC2 changes - Changed model and JSON-LD serialization format - Addressed usablity issues - Data license - Change Big Picture - Flexiblity - Simplifications - Use cases - In 3.1 will have more Profiles like Hardware, becoming "System," not just Software - Where to from here? - OMG review and working team ADM TF - Linux Foundation members supporting - Ideally we get approval in March and final approval in June - Additional serializations - Tools/Libraries - Translation guidance - Please review spec! https://spdx.github.io/spdx-spec/v3.0/ ## Tech Team Report ### AI Profile Team - Karen/Gopi - Still working on a set of working examples - Clearing up all our PRs for 3.0 - Gap analysis with EU AI Act - Working on workshop and whitepaper for Open Source Summit North America - NIST participation has started (via Slack) ### Build Profile Team - Brandon/Nisha - Stable - no additional updates ### Dataset Profile Team - Karen/Gopi - Same as AI Profile, status ### Functional Safety Team - Nicole/Kate - No updates ### Hardware Team - Kate - No updates ### Implementers Team - Rose - Worked on RC2 release and currently focused on the serialization discussion impact on tooling ### Licensing Profile Team - Steve - Significant updates for 3.0rc2 have been in the working draft for a while now - Tool implementers, please submit feedback on proposed licensing-related profiles from rc2, particularly the split into "SimpleLicensing" and "ExpandedLicensing" profiles ### Lite Profile Team - Ito/Ninjouji/Asaba/Kobota - Wrote up some JSON schemas for the lite profile - Will sync the JSON schema work with the serialization discussions on next week's call ### Operations Team - Matthew Crawford - We have discussed the proposed fields. Tomorrow (2:30pm UK time) we plan to do a final review before opening this to the wider community for review/comment. - We have excluded original proposed fields around patents and just focusing on export control and operations. ### Security Profile Team - Jeff - Some feedback on VEX profile - a separate meeting will be held this month ### Serialization Team - Joshua Watt - Progress has been made finalizing the JSON(-LD) serialization of SPDX 3. - The current plan is to have all documents be fully valid JSON-LD, but use a JSON schema to restrict the documents to a strict subset of JSON-LD. This ensures that there is only 1 JSON-based format that tools have to deal with, and it can be parser with either a full JSON-LD parser (if you need the full power of linked documents), or it can be parsed with simpler JSON parser since the schema enforces a simpler structure. Because of this choice, there is no plan for a distinct "simple JSON" format, as the same format can be used for both cases. - The SHACL ontology, JSON Schema, and JSON-LD context file should be available for testing soon. - No progress on Tag-Value yet ### Software as a Service Team – Gary - Completed our first use case - Starting second use case focused on security and certification ## Legal Team Update - Jilayne/Steve - Business as usual in terms of lots of open issues and needing help reviewing licenses; helpful to have experience with looking at licenses for this, but those people don't seem to help out... PLEASE CONTRIBUTE! - Updates to documentation to try to make things easier to follow, etc. - see: - https://github.com/spdx/license-list-XML/blob/main/DOCS/license-fields.md - added info re: how these maps to XML tags - https://github.com/spdx/license-list-XML/blob/main/DOCS/license-match.md - new resource! - https://github.com/spdx/license-list-XML/blob/main/DOCS/history.md - added some more detail re: evolution of SPDX License List format ## Outreach Team - Alexios/Bob - Working on improving the website - tooling documentation in particular - Hard to find examples and use cases, looking at ways to better organize them ## General Announcements - April 16th throuh 18th in Seattle - SBOM related topics Open Source Summit North America https://events.linuxfoundation.org/open-source-summit-north-america/ - Nomination for team leads ## Attendees - 27 - Phil Odence (Synopsys/Black Duck Audits) - Gary O'Neall - Steven Carbno - Alfred Strauch - Matthew Crawford - Mimi Flynn - Jim Vitrano - Joshua Watt - Bob Martin - Arthit Suriyawongkul - Timothy Gillespie (FOSSalyze GmbH) - Alex Rybak (Revenera) - Karen Bennet - Marc-Etienne Vargenau - Steve Winslow - Mark Atwood - Brad Goldring (GTC Law Group) - Maximilian Huber - ML - Shalini Batra - Victor Lu - Madhuri Padmanabhan - Jilayne Lovejoy - Mark Gisi - Michael Herzog - Alex Stewart (Emerson) - Aditi Sharma -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1840): https://lists.spdx.org/g/spdx/message/1840 Mute This Topic: https://lists.spdx.org/mt/105310150/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
