| 1 | +# SPDX Tech Team Meeting - ASIA 2024-07-08 |
| 2 | + |
| 3 | +## Attendees |
| 4 | +- Norio Kobota |
| 5 | +- Nobuyuki Tana |
| 6 | +- Takashi Ninjouji |
| 7 | +- Yoshiyuki Ito |
| 8 | +- Kate Stewart |
| 9 | +- Bob Martin |
| 10 | +- Joshua Watt |
| 11 | + |
| 12 | +## Agenda |
| 13 | + |
| 14 | +- Discussion of 3.0 - SPDX Lite Annex |
| 15 | +- Timeline for 3.1? |
| 16 | +- Conformance of specification to SBOM definition. Conformance to specific profile. |
| 17 | +- Feedback on example? |
| 18 | +- Open Compliance Summit? |
| 19 | + |
| 20 | +## Notes |
| 21 | + |
| 22 | +- Discussion of SPDX Lite Annex in the specification |
| 23 | + - After discussion with Gary, we'll keep this Annex in the specification |
| 24 | + - If further tutorials on you to use SPDX-Lite - need to put the additional information in the "Using SPDX 3.0" guide, rather than add to this annex. |
| 25 | + - Any key "bugs" need to be fixed by end of month. |
| 26 | + |
| 27 | +- SPDX 3.1 timing- will follow after 3.0 goes to ISO. |
| 28 | + Probably looking at spring for release. Working to get SPDX 3.0 to ISO this fall. |
| 29 | + |
| 30 | +- Looking for guidance on how to compare/convert between versions of SPDX. |
| 31 | + - SPDX 3.0 minimum items, need to have guidance. |
| 32 | + Looking for conversion of SPDX lite from 2.3 to SPDX lite 3.0. |
| 33 | + What should minimum elements be specified, and compliance checks. |
| 34 | + - Guidelines on conversion should be made? Something Japan team can tackle in written guidances. "Using SPDX document" for this? |
| 35 | + - Gary tools working for translation from 2.3 to 3.0. Maybe useful starting point? |
| 36 | + |
| 37 | + - Feedback on Examples: We have already sent a PR from here, but should we document in detail the contents of the README included in this PR? https://github.com/NorioKobota/spdx-examples/tree/lite-profile/lite |
| 38 | + - .json-ld extension stopped it getting checked by the CI. Recommend to rename as .json |
| 39 | + - documents need some minor fixups to conform. |
| 40 | + - because multiple version of SPDX in repository - all SPDX 3.0 examples should be in directory /spdx-3.0/ |
| 41 | + - Joshua to add inline comments in pull request (https://github.com/spdx/spdx-examples/pull/91) |
| 42 | + - key will be to get it to pass CI checks. Structure looks good overall. |
| 43 | + |
| 44 | +- Open Compliance Summit? |
| 45 | + - Watanabe-san - may have posted about SPDX 3.0 translation. |
| 46 | + - Other topics? SPDX 3.1? |
| 47 | + |
| 48 | +- Working on secure software development standard. |
| 49 | + How SBOM management is in the process is a topic? |
| 50 | + - Most are looking at SBOMs as way of conveying in general. |
| 51 | + However looking at guidance of SSD - figuring out where to act for SBOM or build data in SPDX will make it more automatable. |
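Review bot: Line 24 has a wording slip, "tutorials on you to use SPDX-Lite", which presumably should read "tutorials on how to use SPDX Lite". The profile name is also spelled three ways in the notes ("SPDX Lite" on line 22, "SPDX-Lite" on line 24, "SPDX lite" on line 32); pick one and use it throughout. On line 37, "Feedback on Examples" is indented as a sub-bullet of the version-conversion item, but it is its own agenda item (line 17), so it should start at the top level like "Open Compliance Summit?" on line 44. The follow-ups on lines 25, 34 and 38-40 (fix key bugs by end of month, write conversion guidelines, rename .json-ld to .json and move the examples under /spdx-3.0/) would be easier to track with a named owner, as line 41 has for Joshua.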