
RE: [Important] 3T-SBOM Full WG Meeting - Tomorrow 1/20



Thanks Kate!

 

I am now signed up for the spdx mail list, and I have added the monthly general meeting to my calendar.

 

I encourage others to do so as well. 😊

 

Kay

 

From: Kate Stewart <kstewart@linuxfoundation.org>
Sent: Wednesday, January 20, 2021 3:19 PM
To: Kay Williams <kayw@microsoft.com>
Cc: sbom@omg.org
Subject: Re: [Important] 3T-SBOM Full WG Meeting - Tomorrow 1/20

 

Hi Kay,

We don't have a specific calendar invite with all the names on it for the monthly meeting. Details can be found though on the project wiki page at:

The meeting agenda is mailed out on the spdx mailing list a couple of days before the meeting, by Phil, who hosts the meeting. When the next version comes out, I can forward it to this mailing list for this initial time. Those who want to get mailed the agenda directly should subscribe to the spdx mail list. It's a low volume mail list.

 

Thanks, Kate

 

On Wed, Jan 20, 2021 at 5:01 PM Kay Williams <kayw@microsoft.com> wrote:

Thanks to everyone who attended today’s meeting.  We had a good discussion and there was overall support for this plan.

 

I want to apologize to those who tried to attend the meeting and were unable.  The recurring meeting expired a few weeks ago and when I created a new series, it came with a new meeting link.  Several of you had the old meeting / link on your calendars.

 

If anyone has questions, please don’t hesitate to reach out to Bob, Kate, William or me.

 

I look forward to seeing you all at the General SPDX / 3T SBOM monthly meeting: Thursday, February 4 at 8 AM Pacific.

 

(@Kate Stewart, I believe you will send the meeting invitation?)

 

Kay

 

From: Kay Williams
Sent: Tuesday, January 19, 2021 12:59 PM
To: sbom@omg.org
Subject: [Important] 3T-SBOM Full WG Meeting - Tomorrow 1/20

 

Hi all,

 

For those who have been tracking the weekly work of the Core, Integrity, and Defects working groups, it is clear that we have almost completed defining a data model and will soon begin crafting the first draft of a specification for presentation to the Object Management Group for publication and adoption, and then FastTracked to ISO.

 

Additionally, the need for software supply chain integrity with tool-to-tool SBOMs that capture and convey provenance and pedigree information with integrity has become a front-page story with the latest supply chain attacks hitting all manner of organizations.

 

In our meeting tomorrow, I would like to engage you in a discussion about an evolution of our community. This change offers opportunities to bring clarity to the community about SBOM standards as we prepare to publish our work, and though changes can be difficult and sometimes stressful, we feel the benefit outweighs the negatives and the time for offering a straightforward solution is now. After hearing the proposal outlined below, I hope you will agree. Let me explain, and then we will meet tomorrow for discussion.

 

As we began our work more than a year ago (September 24-26, 2019 in Nashville), we sought to work collaboratively across communities on a ‘Software Bill of Materials’ specification. Our work has taken more time than we imagined in those heady first days. At the time, we expected to deliver a draft specification by November 11, 2019, within just six short weeks. We now know that timeline was wildly optimistic. Thanks to all who have remained patient throughout the journey.

 

With our slow and steady progress finally producing the first specification, we have stayed true to our fundamental principle of working collaboratively across communities. That brings us to our discussion today.

 

Over the past several months our work has increasingly aligned with work in the evolution of the SPDX community’s efforts in this area. We share common goals, our core specifications are largely overlapping, and many of our key contributors are common to both efforts. Many thanks in particular to William Bartholomew, Kate Stewart and Gary O’Neall for their work in this regard.

 

As we contemplate the next steps for our shared endeavor, starting prototyping and creation of tools to implement the standard, we believe we can work most efficiently by combining the two communities.

 

Our proposal has both short and longer term components.

 

Short Term

Meetings - in the short term, we propose merging 3T-SBOM meetings with SPDX meetings to continue our work.

 

  • Core - the current 3T-SBOM Core meeting will be cancelled and ongoing work will take place in a combined Core meeting on Tuesdays at 10 AM Pacific (one hour earlier than the current 3T-SBOM meeting). This meeting will last 90 minutes.
  • Full - the current 3T-SBOM Full WG meeting will be cancelled and those discussions will take place in a combined General meeting the first Thursday of every month at 8 AM Pacific.
  • Integrity - 3T-SBOM Integrity subgroup will continue on Mondays at 8 AM Pacific, with an invitation extended to interested SPDX community members.
  • Defects - likewise, the 3T-SBOM Defects subgroup will continue meeting on Thursdays at 12 noon Pacific, with an invitation extended to interested SPDX community members.
  • Legal - the SPDX Legal working group will continue meeting every other Thursday at 9 AM Pacific, and an invitation will be extended to interested 3T-SBOM community members.

This will allow us to avoid duplicate meetings, communicate more efficiently, and share community resources including website, processes and tooling as we get ready to publish our first version of the standard.

Naming - During this initial period, we will refer to the combined effort interchangeably as 3T-SBOM / SPDX or SPDX / 3T-SBOM. The combined community will decide on a new name as part of longer term planning.

Longer Term

In the next six to eight months, we propose expanding the scope of the combined 3T-SBOM / SPDX community in the following areas:

  • User scenarios - expand the scope to include scenarios beyond software, including hardware, services and devices.
  • Naming - brainstorm and adopt a new name for the community that encompasses the broader scope.
  • Governance model - create a more inclusive governance model with support for representation across multiple member organizations.
  • Funding - allow for the raising of funds to support infrastructure, tooling, marketing and promotion of specifications.

These actions will allow us to create a further diverse and robust community, with the structure and resources in place to promote awareness and facilitate adoption of this critically needed capability for producing, managing, sharing, and utilizing BOMs for software and other critical elements of our systems.

We believe this proposal will allow technical efforts to continue apace with little disruption, while allowing time to resolve broader questions of organization and scope.

I look forward to our discussion.

Sincerely,

Kay