Outreach calls minutes

SPDX Outreach Meeting 2025-03-24

• Alexios Zavras
• Bob Martin

Agenda

• update on standardization

Notes

• standardization update
  • last OMG procedural vote went through
  • it's now an "OMG standard"
  • road open to submit to ISO
• Bob will be unavailable April 9-20

SPDX Outreach Meeting 2025-03-10

• Alexios Zavras
• Bob Martin
• Ilan Schifter
• Victor Lu

Agenda

• Validation

Notes

• discussion on validation (SHACL rules)

SPDX Outreach Meeting 2025-02-10

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall
• Victor Lu

Agenda

• Brussels report
• CRA
• GSoC

Notes

• Brussels report
  • FOSDEM SBOM devroom
  • pre-FOSDEM tool day
• CRA
  • also Croissant for ML
  • Croissant cannot support relationships between dataset; nor origin/build information

SPDX Outreach Meeting 2025-01-27

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall
• Ilan Schifter
• Victor Lu

Agenda

• OMG update
• Podcast participation
• Adoption update

Notes

• OMG update
  • OMG has not approved the text
  • procedurally has to happen in a quarterly meeting
• Podcast participation
  • Kate and Gary were in Viktor Peterrson
  • https://vpetersson.com/podcast/S02E01.html
• Adoption of SPDXv3
  • limit is the availability of libraries and tools
  • Go library is missing contributions / reviews
  • https://github.com/spdx/spdx-go-model
• Other
  • Croissant might be of interest
  • ServiceNow already implements SPDXv2
  • Microsoft SBOM-tool look to migrate to SPDXv3

SPDX Outreach Meeting 2025-01-13

• Alexios Zavras
• Gary O'Neall
• Karen Bennet

Agenda

• FOSDEM
• Updates

Notes

• FOSDEM
  • SBOM devroomm full day on Sun 2 Feb
• Hardware profile presented at next Tech call (tomorrow)
• different groups pushing towards standards
• OpenSSF created new SIGs for CRA compliance

–- everything below already in https://github.com/spdx/meetings/tree/main/outreach

SPDX Outreach Meeting 2024-12-16

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall
• Karen Bennet
• Victor Liu

Agenda

• Go libs
• updates

Notes

• Go libraries for SPDXv3 not ready yet
• Updates
  • FOSDEM
    • presentations accepted/rejected
    • schedule published
• Open Source Stewards and Maintainers
  • OpenSSF establishes working group
  • Is SLSA competitive to SPDX?

SPDX Outreach Meeting 2024-12-02

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall
• Ilan Schifter
• Victor Liu

Agenda

• updates
• spec diagrams
• info on other efforts

Notes

• Updates
  • FOSDEM
    • Deadline for submissions
    • 20+ submissions
    • now review
    • program to be announced on Dec 15th
  • Channels
    • Alexios told Sebastian to go ahead and delete unused Matrix and IRC channels
  • Ambassadors
    • proposal to be submitted to Steering Committee on Jan 7th
• Model diagrams in spec
  • Alexios working on them
  • Do we need enumeration values?
    • No one is in favor
    • Alexios to prepare new versions and show them in Tech call
• Other efforts
  • Basic Formal Ontology (BFO) https://basic-formal-ontology.org/
• Kubernetes BOM tool
• Request for podcast guest on SPDX by Viktor Petersson
• AR: update presentations list
• Next calls:
  • Alexios will be out next week
  • No calls during the two weeks of holidays

SPDX Outreach Meeting 2024-11-25

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall

Agenda

• updates: FOSDEM, UO
• LF member summit update

Notes

• FOSDEM
  • deadline end of Nov (this week)
• capstone project
  • Univ. of Oregon Comp. Sci. department
  • team of 6 students
• LF member summit update

SPDX Outreach Meeting 2024-11-18

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall
• Ilan Schifter

Agenda

• PDF update
• old channels
• SPDX Ambassadors

Notes

• update on PDF for OMG/ISO
  • almost done
  • Bob and Alexios meeting Jory on Thursday
• ancient communication channels
  • Sebastian wants to hand over Matrix and IRC channel
  • ask Kate about IRC / Matrix channels
  • two X/twitter accounts: SPDXTeam and SPDX_SBOM
• Ilan is interested in modeling processes
  • propose the idea (what, why, how) and depending on the interest a new profile team might be formed
• SPDX Ambassadors
  • Steering committee to decide on process and details
  • Then run by Outreach team

SPDX Outreach Meeting 2024-11-04

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall
• Ilan Schifter

Agenda

Notes

• FOSDEM CfP sent to mailing lists

• No feedback from OMG about the spec yet

• Work needed:

  • Go over the website to find out what needs updating
  • Adoption needs tools; we need to find someone for the Go libraries
  • Java and Python are work-in-progress
  • Examples of SPDXv3 data

SPDX Outreach Meeting 2024-10-28

• Arthit Suriyawongkul
• Gary O'Neall

Agenda

• SPDX adoption in tools
• Microsoft SPDX support beyond 2.2
  • Write SPDX 2.2 https://github.com/microsoft/sbom-tool
  • Read SPDX 2.2 https://github.com/microsoft/component-detection
  • If sbom-tool support 2.2.1, it will support German BSI TR-03183 2.0.0
    https://github.com/microsoft/sbom-tool/issues/738
    https://github.com/microsoft/sbom-tool/issues/537

SPDX Outreach Meeting 2024-10-07

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Ilan Schifter

Agenda

• PDF versions of the spec
• SPDX website

Notes

• PDFs of the 3.0.1 spec
  • Bob to connect with OMG editor
  • She is the final approver of the OMG document
  • The ISO document will go to OMG/LF standards people
• Website
  • As soon as the spec is out of our hands, we should go through all pages and add mentions and references to SPDXv3

SPDX Outreach Meeting 2024-08-19

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Ilan Schifter

Agenda

• Discussion on work on PDF generation
• Ilan's questions

Notes

• Discussion on work on PDF generation
• Ilan's questions:
  • Q: where are the RDF files?
  • A: committed in the repo, https://github.com/spdx/spdx-spec/tree/development/v3.0.1/rdf
  • Q: I also need descriptions
  • A: you can run spec-parser and use the json dump
  • Q: anything else missing from the model, like listed licenses
  • A: nothing now, there will be a list of crypto algorithms in the future

SPDX Outreach Meeting 2024-08-12

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Kate Stewart

Agenda

Discussion on work on PDF generation

Notes

Discussion on work on PDF generation

SPDX Outreach Meeting 2024-08-05

• Alexios Zavras
• Arthit Suriyawongkul
• Ilan Schifter
• Victor Liu

Agenda

• Spec updates
• Tools page on website
• Ilan update

Notes

• Spec updates
  • trying to finalize
• Ilan trying to make videos
  • duration of a few minutes
  • put it to youtube
    (to check if SPDX has its own YouTube channel.
    The Linux Foundation has one at https://www.youtube.com/@LinuxfoundationOrg )
• Discussion about the Dot tool with Ilan, which can be part of his video
  • Relationship between SpdxDocument and Sbom
  • The tool should not let the user create ListedLicense,
    as they can only be defined in the official SPDX License List.

SPDX Outreach Meeting 2024-07-29

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall
• Victor Liu

Agenda

• Tools page on website
• Spec updates

Notes

• Tools page on website
  • missing responses
  • create an issue for tracking open source tools
    • https://github.com/spdx/outreach/issues/78
  • project libraries and tools should appear also on top, before list
• Spec updates
  • all contents
• Lite
  • There are information differences (for example, in cardinality)
    between "Annex H: SPDX Lite" and the Lite Profile.

SPDX Outreach Meeting 2024-07-22

• Alexios Zavras
• Arthit Suriyawongkul
• Bob Martin
• Gary O'Neall

Agenda

• Spec structure
• Other published documents
• Tools

Notes

• Spec structure
  • will also dicsuss it on tech call tomorrow
• Other published docs
  • web presence: think about how to communicate new version
  • spdx/using repo: needs updating, after spec
• Tools
  • question on slack
  • quick reply on issues, if no planned progress/resolution
• Extensions of an SPDX file. OMG needs one extension per one file

SPDX Outreach Meeting 2024-07-15

• Alexios Zavras
• Bob Martin
• Karen Bennet

Agenda

• spec Production
• tutorial on SBOM per lifecycle
• efforts to record standards and regulations

Notes

• Spec Production
  • waiting for Jason on hierarhy sections
• SBOM types
  • as per stages in software lifecycle
  • AI group wants presentation
  • Bob will do it this Wednesday
• recording requirements of standards/regulations
  • document on spdx/using repo
    • https://github.com/spdx/using/blob/main/docs/using-SPDX-to-comply-with-industry-guidance.md
  • MITRE System of Trust
    • https://sot.mitre.org/

SPDX Outreach Meeting 2024-07-08

• Alexios Zavras
• Bob Martin

Agenda

• Tools update
• Spec PDF production

Notes

• Tools update
  • we still don't have the new setup on web site
  • we have got some replie from tools
  • we should probably add the information
  • Alexios to work with Gary on it
• Alexios workign on the PDF production
  • open decisions for hierarchy and numbering

SPDX Outreach Meeting 2024-07-01

Attendees

• Alexios Zavras
• Bob Martin

Agenda

• Updates

Notes

• Alexios workign on the PDF production
• Bob will contact OMG for introductory sections of the spec

SPDX Outreach Meeting 2024-06-24

Attendees

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Victor Lu

Agenda

• Update on PDF generation
• Tools responses
• Go libraries

Notes

• Update on PDF generation
  • last week Alexios collaborated with Jason (from OMG) and found a way forward
• Tools responses
  • still waiting for LF to provide info on web infrastructure (Zephyr-like)
  • one tool to be added to the website
• Go libraries
  • GUAC waits for libraries

SPDX Outreach Meeting 2024-06-17

Attendees

• Alexios Zavras
• Bob Martin
• Victor Lu

Agenda

• Updates on initiatives
• Updates on OMG production of spec PDF

Notes

• ECMA has a new Technical Committee TC54 with two Task Groups, focusing on:

  • Transparency Exchange API, and
  • Package URL

• working with Jason Smith

  • Alexios explained the current production setup via email
  • Jason is using LaTeX to generate the output
  • short call to be arrnged in the week for sync up

SPDX Outreach Meeting 2024-06-10

Attendees

• Alexios Zavras
• Bob Martin

Agenda

• OMG updates

Notes

• Bob currently in OMG meeting
• talked to Jason Smith, about tool for translating Markdown to PDF
• OMG spec has history of collaboration section
• maybe an informational annex/section
• list of contributors
• Bob to ask about links in documents
• OMG finalization task force also interest in commercial viability

SPDX Outreach Meeting 2024-05-13

Attendees

• Alexios Zavras
• Victor Lu

Agenda

Notes

SPDX Outreach Meeting 2024-04-29

Attendees

• Alexios Zavras
• Bob Martin
• Karen Bennet

Agenda

• Letter for tools information
• OSS EU
• OMG review

Notes

• Letter for tools information
  • some of the proprietary tools listed have no contact info
  • ask in General call about contact info
• OSS EU
  • presentation about SPDX
  • ask via the mailing lists about attendance
  • decide about f2f event depending on response
• OMG review
  • public commenting period ongoing
  • June meeting
  • mid-June finalization task force (FTF) starts
  • report on September
  • then to ISO

SPDX Outreach Meeting 2024-04-22

Attendees

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Karen Bennet
• Victor Lu

Agenda

• Conference feedback
• Tools registration

Notes

• Conference feedback
  • Open Source Summit North America
  • foss-northy
  • LLW
• Tools registration
  • online form (GitHub issue template is live)
  • draft letter to existing tools
  • "with the release of 3.0, provide information"
  • fill in this form
  • feel free to attend SPDX implementors meeting

SPDX Outreach Meeting 2024-04-08

Attendees

• Alexios Zavras
• Bob Martin
• Gary Armstrong
• Maximilian Huber
• Phil Odence

Agenda

• SPDX 3.0 release

Notes

• SPDX 3.0

  • Frozen model – for 3.0.0
    • Fix security json examples
  • Complete specification (besides model) – add annexes (can also be done in 3.0.1)
    • Lite Annex
    • Migration guide 2->3
  • Ontology RDF
  • JSON schema
  • Specification website
  • Specification PDF – not for the announcement
    • ODF looking at a tool to automatically generate it from Markdown input
  • Examples – a couple present; more nice to have (in JSON)

• Tools

  • Decide on a plan/timeline
  • Alexios and Bob to reach out and ask for updated data (after announcement)
  • Phil and Gary to work on "infrastructure"
    • Gary to implement reply form (GitHub issue template)
    • Phil to coordinate with LF for Zephyr-like presentation of tools

SPDX Outreach Meeting 2024-03-04

Attendees

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Karen Bennet
• Maximilian Huber
• Phil Odence
• Victor Lu

Agenda

• Tools

Notes

• Tools

  • list of SPDX website
  • Zephyr landscape
    • WordPress plugin
  • OpenSSF SBOM landscape
    • GitHub repo (and published pages)
    • We can get data from there!
  • AR: Gary to create an issue template to collect all data needed

• Calendar(s)

  • AR: make it visible in meetings repo

• Next week:

  • update timeline for collecting tool data

SPDX Outreach Meeting 2024-02-26

Attendees:

• Gary O'Neall
• Phil Odence
• Victor Lu
• Robert Martin
• Karen Bennet

Minutes

Discussion on use cases and minutes

• Victor will look into better use case documentation including examples
• We could start with Security - follow-up with Jeff Schutt
• Consider having a technical presentation about GUAC to compliment the user-level presentation previously given.

Blog post

• Agree to post https://docs.google.com/document/d/1qi4wrKh8IT-U0HNeWcWR5-yMjCUaYCnl0GLnv2ZptYE/edit#heading=h.34i77crh451c - if Kate or Phil can post this week, that would be great. Otherwise, Gary will post next week when back from travels

Video

• Karen asked if there was budget for a video production on SPDX 3.0
• We have a crowd funded budget that could be used
• Cost would be in the order of magnitude of $1K

SPDX Outreach Meeting 2024-02-19

Attendees

• Alexios Zavras
• Victor Lu

Agenda

• 3.0-rc2
• Outreach discussion (Victor)

Notes

• 3.0-rc2
  • Frozen on Saturday 2024-02-17
  • PDF not ready (missing: section and page numbering, etc.)
  • Bob in the process of making it by hand
• Outreach
  • Slack channel
  • Perception

––

SPDX Outreach Meeting 2024-02-12

Attendees

• Alexios Zavras
• Victor Lu

Agenda

Notes

Discussion on SDPX adoption and friendliness

––

SPDX Outreach Meeting 2024-01-22

Attendees

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Maximilian Huber
• Phil Odence
• Victor Lu

Agenda

• FOSDEM face-to-face meeting
• new outreach ideas
  • Slack channel
  • blog post on SPDX

Notes

• FOSDEM face-to-face meeting

  • Friday afternoon, after Philippe's event
  • AR: Alexios to email tech list

• Slack channel

  • spdx.slack.com not available
  • Victor has set up another channel: invitation to join

• blog post on SPDX

  • from developer's view
  • SPDX is complicated, scares people away
  • easy steps on how to use the tools
  • SPDX also has verification features
  • we could publish a simpler JSON schema
  • we could publish a new version, unrelated (but interoperable)
  • there are critical business needs
  • may have simpler format, that can be automatically converted to full

–-

SPDX Outreach Meeting 2024-01-15

Attendees

• Alexios Zavras
• Victor Lu

Agenda

• blog post on SPDXv3

Notes

–-

SPDX Outreach Meeting 2024-01-08

Attendees

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Maximilian Huber
• Phil Odence

Agenda

• Request for new tool inclusion
• Industry Advisory Group
• F2F in FOSDEM

Notes

• addition of new tool

  • https://github.com/spdx/outreach/issues/52
  • all in favor

• Industry Advisory Group

  • shall we have an SPDX group for industry reach-out?
  • once a month, external participants
  • user view, what hinders adoption/use
  • ask what Outreach can do to help
  • specific meetings with specific people
  • need structure/agenda/…
  • Gary will create a propose in email to the outreach team
  • Decide in the following outreach meeting if we want to invite others

• face to face in FOSDEM

  • probably not in the days of conference (weekend)
  • send an email asking for attendance and timeslot preferences

–-

SPDX Outreach Meeting 2023-12-18

Attendees

• Alexios Zavras
• Gary O'Neall
• Phil Odence

Agenda

• FOSDEM update
• sponsorship request
• Tool inclusion

Notes

• FOSDEM
  • schedule done!
  • 17 talks and 2 panels
  • emails later this week
• sponsorship request
• Tool inclusion

–-

SPDX Outreach Meeting 2023-12-11

Attendees

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Phil Odence

Agenda

• Compliance Summit report
• FOSDEM news
• Tool inclusion
• Specification update

Notes

• Report from Compliance Summit
  • Lots of support for SPDX in Asian community
  • Huawei interest for OpenEuler
  • Bloomberg (Alyssa Wright) also interested; they use CycloneDX currently
• FOSDEM
  • CfP closed
  • 48 submissions
  • Still to come: review, decisions, scheduling
• Tool inclusion
  • Max has provided SBOM checking functionality
  • if it fails, negative results are also shown
  • badges: passed (new) criteria, contributed quick start
  • we need dedicated meeting for this
• Update on SPDX specification production
  • tooling should be in place for 3.0RC2
  • generating HTML pages and PDF (not ISO format)

–-

SPDX Outreach Meeting 2023-11-27

Attendees

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Phil Odence
• Victor Lu

Agenda

• Tool inclusion

Notes

–-

SPDX Outreach Meeting 2023-11-20

Attendees

• Alexios Zavras
• Bob Martin
• Phil Odence

Agenda

• Tool inclusion
• FOSDEM

Notes

• Tool inclusion

  • No need to validate input
  • have a disclaimer like "Information provided by tools"
  • annual check whether info is still accurate
  • separate their validation from inclusion process
  • bring it to next Steering Committee call, Tue 28 Nov

• FOSDEM

  • CfP published

–- to copy

SPDX Outreach Meeting 2024-mm-dd

Attendees

• Alexios Zavras
• Bob Martin
• Gary O'Neall
• Maximilian Huber
• Phil Odence
• Tim Mackey
• Victor Lu

Agenda

• FOSDEM
• SPDXv3 readiness

Notes