|
| 1 | + # SPDX Tech Team Meeting 2024-07-09 |
| 2 | + |
| 3 | +## Attendees |
| 4 | + |
| 5 | +- Alexios Zavras |
| 6 | +- Alfred Strauch |
| 7 | +- Arthit Suriyawongkul |
| 8 | +- Bob Martin |
| 9 | +- Dick Brooks |
| 10 | +- Gary O'Neall |
| 11 | +- Ilans |
| 12 | +- Jeff Licquia |
| 13 | +- Joshua Watt |
| 14 | +- Karsten Klein |
| 15 | +- Kate Stewart |
| 16 | +- Marc-Etienne Vargenau |
| 17 | +- Maximilian Huber |
| 18 | +- Nisha Kumar |
| 19 | +- Peter Monks |
| 20 | +- Steven Carbno |
| 21 | + |
| 22 | +## Agenda |
| 23 | + |
| 24 | +- Progress on Tooling - Ilans |
| 25 | +- Improve CI checks for bad extensions: https://github.com/spdx/spdx-examples/pull/88 |
| 26 | +- Moving informational annexes to new repo https://github.com/spdx/using/pull/1 |
| 27 | +- New annex on license matching https://github.com/spdx/spdx-spec/pull/968 |
| 28 | +- Add package-url specification as an annex https://github.com/spdx/spdx-spec/pull/969 |
| 29 | +- Update on spec production/publishing (Alexios) |
| 30 | + |
| 31 | +## Notes |
| 32 | + |
| 33 | +### Tooling |
| 34 | + |
| 35 | +- Ilans giving demo of "SPDX Explorer" visual authoring tool, |
| 36 | + for reviewing the specification and generating examples. |
| 37 | +- Showed how the red dot shows mandatory properties. |
| 38 | +- Selection is set up to automatically fill in as much as possible. |
| 39 | +- Everything is validated as RDF, and then translated to JSON. |
| 40 | +- Joshua - have you run through validator? |
| 41 | + Discussion with Illans - must pass JSON schema and make sure it pass so that other tools can consume. |
| 42 | +- Open Question: CreationInfo - has createdBy Agent - loop. It is intentional? Yes, It is not a DAG. |
| 43 | +- Open Question: If another SBOM has same Creation Info can't use in one SBOM. |
| 44 | + - Use of External Map - From one SBOM to another - can use ExternalMap. |
| 45 | + Add property of element collection. Then add externalSpdxId. |
| 46 | + Then put the organization of the reference. |
| 47 | + - Referencing via ExternalMap. |
| 48 | + - SPDXID's are universally unique. You can assume they are the same thing and replicate. |
| 49 | + - Best practice is to reference with ExternalMap explicitly. |
| 50 | + - Currently the range for createdBy/suppliedBy is Agent. |
| 51 | + But it is possible that the Agent (Organization, Person) is exist elsewhere outside |
| 52 | + without being instantiated inside the current SBOM, so in the future is should be possible to use IRI. |
| 53 | + |
| 54 | +### Issues/PRs |
| 55 | + |
| 56 | +- github actions: Add check for bad extensions - No objections - merged |
| 57 | +- Moving informational annexes to new repo (spdx/using) - Remove the SPDX Lite profile and can be merge |
| 58 | +- New annex on license matching - Update branch |
| 59 | +- Add package-url specification as an annex (Annex E) - Bob and Gary will put comments in the PR |
| 60 | + |
| 61 | +### Update on spec production/publishing |
| 62 | + |
| 63 | +- Alexios working on generation of .pdf that can be submitted to ISO. Working with OMG to align with guidance. |
| 64 | +- The same input we're generating for the website, will now be able to generate the .pdf as well. |
| 65 | +- As soon as the workflow is ironed out, will pull in Jeff, to update the CI so that we can run. |
| 66 | +- This is being done with LATEX, and then its converted to mkdocs. |
| 67 | + This is what OMG is using right now to produce the documents. |
| 68 | + Standalone tool, but hopefully simple to implement. |
| 69 | +- Want to decide how often we run this - probably on each release. |
| 70 | + This is going to be a function on each time it takes. .pdf at point in time |
| 71 | + - random .pdf builds should have a "NOT AUTHORATIVE/DRAFT/etc" build. |
| 72 | +- Alexios to send close draft to Jorey/Rex for further review by JDF, to make sure no surprises. |
| 73 | + |
| 74 | +### Spec parser update |
| 75 | + |
| 76 | +- Basic flow is spec parser runs, then mkdocs runs |
| 77 | +- Now you will see list "Superclasses" in each element. |
| 78 | +- External properties cardinality updated |
| 79 | +- All interited properties inside software are available, inside a class! |
| 80 | +- After this rolls out, will ask the Japan team if they still see need for LITE Annex. |
| 81 | +- Roll out plan: Discussion with Jeff on whether we're pulling from latest spec parser. Yes, should be. |
| 82 | + - New spec parser now generating list of files for "nav" section in mkdocs.yaml. |
| 83 | + This should be integrated in the next release. |
| 84 | + - Will affect this CI PR https://github.com/spdx/spdx-spec/pull/950 |
| 85 | +- Discussion on core expansion - Alexios version doesn't auto expand. |
| 86 | + - Core expansion issue: https://github.com/spdx/spdx-spec/issues/958 |
| 87 | + - New version of readthedocs should fix. Jeff will try to validate fix, and then apply. |
| 88 | +- Is it possible to put the serialized json property in the table? |
| 89 | + Joshua thinks that this will help with confusion. |
| 90 | + Document of JSONLD context needs to be somewhere. |
| 91 | + Writing a JSON LD document from the page won't work. |
| 92 | + Alexios notes that the document describes RDF model. |
| 93 | + - Issue for serialized name in spec doc: https://github.com/spdx/spdx-spec/issues/975 |
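Review bot: The presenter's name is spelled inconsistently in the Tooling notes: "Ilans" in the attendee list, the agenda and file line 35, but "Illans" on file line 41; pick one spelling. Other typos worth fixing before these minutes are merged: "NOT AUTHORATIVE" on file line 71 should read "NOT AUTHORITATIVE", "interited" on file line 79 should read "inherited", and "can be merge" on file line 57 should read "can be merged". File line 70 ("This is going to be a function on each time it takes. .pdf at point in time") does not parse as written and should be reworded to say what determines how often the .pdf is built. File line 1 also has a leading space before the "#" that the other headings do not have.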