
[Important] 3T-SBOM Full WG Meeting - Tomorrow 1/20

Hi all,


For those who have been tracking the weekly work of the Core, Integrity, and Defects working groups, it is clear that we are almost done defining a data model and will soon begin crafting the first draft of a specification for presentation to the Object Management Group for publication and adoption, and then fast-tracked to ISO.


Additionally, the need for software supply chain integrity with tool-to-tool SBOMs that capture and convey provenance and pedigree information with integrity has become a front-page story with the latest supply chain attacks hitting all manner of organizations.


In our meeting tomorrow, I would like to engage you in a discussion about an evolution of our community. This change offers opportunities to bring clarity to the community about SBOM standards as we prepare to publish our work, and though changes can be difficult and sometimes stressful, we feel the benefits outweigh the negatives and the time for offering a straightforward solution is now. After hearing the proposal outlined below, I hope you will agree. Let me explain, and then we will meet tomorrow for discussion.


As we began our work more than a year ago (September 24-26, 2019 in Nashville), we sought to work collaboratively across communities on a ‘Software Bill of Materials’ specification. Our work has taken more time than we imagined in those heady first days. At the time, we expected to deliver a draft specification by November 11, 2019, within just six short weeks. We now know that timeline was wildly optimistic. Thanks to all who have remained patient throughout the journey.


With our slow and steady progress finally producing the first specification, we have stayed true to our fundamental principle of working collaboratively across communities. That brings us to our discussion today.


Over the past several months our work has increasingly aligned with work in the evolution of the SPDX community’s efforts in this area. We share common goals, our core specifications are largely overlapping, and many of our key contributors are common to both efforts. Many thanks in particular to William Bartholomew, Kate Stewart and Gary O’Neall for their work in this regard.


As we contemplate the next steps for our shared endeavor, starting prototyping and creation of tools to implement the standard, we believe we can work most efficiently by combining the two communities.


Our proposal has both short and longer term components.


Short Term

Meetings - in the short term, we propose merging 3T-SBOM meetings with SPDX meetings to continue our work.

  • Core - the current 3T-SBOM Core meeting will be cancelled and ongoing work will take place in a combined Core meeting on Tuesdays at 10 AM Pacific (one hour earlier than the current 3T-SBOM meeting). This meeting will last 90 minutes.
  • Full - the current 3T-SBOM Full WG meeting will be cancelled and those discussions will take place in a combined General meeting the first Thursday of every month at 8 AM Pacific.
  • Integrity - 3T-SBOM Integrity subgroup will continue on Mondays at 8 AM Pacific, with an invitation extended to interested SPDX community members.
  • Defects - likewise, the 3T-SBOM Defects subgroup will continue meeting on Thursdays at 12 noon Pacific, with an invitation extended to interested SPDX community members.
  • Legal - the SPDX Legal working group will continue meeting every other Thursday at 9 AM Pacific, and an invitation will be extended to interested 3T-SBOM community members.

This will allow us to avoid duplicate meetings, communicate more efficiently, and share community resources including the website, processes and tooling as we get ready to publish our first version of the standard.

Naming - During this initial period, we will refer to the combined effort interchangeably as 3T-SBOM / SPDX or SPDX / 3T-SBOM. The combined community will decide on a new name as part of longer term planning.

Longer Term

In the next six to eight months, we propose expanding the scope of the combined 3T-SBOM / SPDX community in the following areas:

  • User scenarios - expand the scope to include scenarios beyond software, including hardware, services and devices.
  • Naming - brainstorm and adopt a new name for the community that encompasses the broader scope.
  • Governance model - create a more inclusive governance model with support for representation across multiple member organizations.
  • Funding - allow for the raising of funds to support infrastructure, tooling, marketing and promotion of specifications.

These actions will allow us to create a more diverse and robust community, with the structure and resources in place to promote awareness and facilitate adoption of this critically needed capability for producing, managing, sharing, and utilizing BOMs for software and other critical elements of our systems.

We believe this proposal will allow technical efforts to continue apace with little disruption, while allowing time to resolve broader questions of organization and scope.

I look forward to our discussion.