Add meeting notes for SPDX Tech Team on 2026-02-17 #1054
Open: robcraig-LF wants to merge 1 commit into main from robcraig-LF-patch-324090
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,135 @@ | ||
| # SPDX Tech Team Meeting | 2026-02-17 | ||
|
|
||
| ## Attendees | ||
|
|
||
| * Alexios Zavras | ||
| * Alfred Strauch | ||
| * Agustin Benito Bethencourt | ||
| * Arthit Suriyawongkul | ||
| * Bob Martin | ||
| * Dick Brooks | ||
| * Gary O'Neall | ||
| * Greg Shue | ||
| * Joshua Watt | ||
| * Karen Bennet | ||
| * Kate Stewart | ||
| * Marc-Etienne Vargenau | ||
| * Maximilian Huber | ||
| * Nicole Pappler | ||
| * Steven Carbno | ||
| * Ted Gauthier | ||
| * Victor Lu | ||
|
|
||
| --- | ||
|
|
||
| ## Agenda | ||
|
|
||
| ### 1. Approval of last week's minutes | ||
|
|
||
| ### 2. Announcements | ||
|
|
||
| * **Lunar New Year:** Best wishes to Asian members for the **Year of the Horse**! 🐎 | ||
| * **Linux Foundation Member Summit:** Taking place next week; identifying attendees. | ||
| * **Linux Foundation Open Source Summit NA:** CFP is now closed. | ||
| * **New US Government SCRM Rules:** FAR part 40/DFAR part 240 rules took effect **Feb 1, 2026**. | ||
| * **SPDX Cryptographic Algorithm List** | ||
|
|
||
| ### 3. 3.1-rc2 Topics | ||
|
|
||
| #### Inform | ||
|
|
||
| * **Feedback on SPDX 3.1-rc1:** SBOM Lifecycle, Safety, and Governance Enhancements ([Issue #1354]()) | ||
| * **Call for Action:** Add compliance points for new (3.1) profiles / update for existing (since 3.0) profiles ([Issue #1337]()) | ||
| * **Missing Examples:** New 3.1 profiles need examples in the [spdx-examples repo](); these are required criteria for the -rc2 release. | ||
|
|
||
| #### Review (PRs & Changes) | ||
|
|
||
| * **Redirections:** Setup RDF and schema URL redirections for 3.1 and ISO 3.0 ([Issue #1249]()) | ||
| * **Property Names:** Reuse/Generalize property names ([Issue #1207]()) | ||
| * PR: Generalize *Time ([PR #1219]()) | ||
|
|
||
|
|
||
| * **Maintainers:** Add maintainers of new 3.1 profiles to the list ([PR #1216]()) | ||
| * **Documentation:** Include derived classes ([Issue #1190]()) | ||
| * PR (whole subclasses): [spec-parser #184]() | ||
| * PR (direct subclasses): [spec-parser #201]() | ||
|
|
||
|
|
||
| * **ExternalIdentifierType:** Add types for document, person, organization, and location ([PR #1187]()) | ||
| * **Terms & Definitions:** Add “stakeholder” and “persona” ([PR #1356]()) | ||
| * **Annex Removal:** Should we remove "Package URL spec" Annex and reference the ECMA standard instead? ([Issue #1144]()) | ||
|
|
||
| #### Discuss | ||
|
|
||
| * **CISA Minimum Elements:** Add "known unknown" and "redacted" properties ([Issue #1105]()) | ||
| * **JSON-LD Serialization:** | ||
| * Update element inlining rules / CreationInfo exception ([Issue #1104]()) | ||
| * Recommend putting `NamespaceMap` at the root level/beginning of file ([Issue #1339]()) | ||
|
|
||
|
|
||
| * **Component Interaction:** How it interacts with other profiles ([PR #1044]()) | ||
|
|
||
| ### 4. 3.1 Topics | ||
|
|
||
| * Allow optional version parameter in media-type ([Issue #642]()) | ||
| * SPDX 3 file extensions ([Issue #987]()) | ||
|
|
||
| ### 5. General / Non-Release Specific | ||
|
|
||
| * Recommendation on `spdxId` and SPDX document namespace ([PR #1215]()) | ||
|
|
||
| ### 6. Release Readiness | ||
|
|
||
| * General discussion on timelines and status. | ||
|
|
||
| ### 7. Alignment with “Core Ontology” | ||
|
|
||
| * Discussion on whether SPDX Core should adopt existing ontologies for common elements (organization, person, etc.). | ||
| * **Common Core Ontologies (CCO):** Based on Basic Formal Ontology (BFO / ISO/IEC 21838-2). | ||
| * **Core Vocabularies:** Reusing/extending W3C standards (SEMIC). | ||
|
|
||
| ### 8. Roles | ||
|
|
||
| * Modeling a consensus across Safety, AI, Operations, and SupplyChain. | ||
| * Steven C. proposes **RoleRelationship**. | ||
|
|
||
| --- | ||
|
|
||
| ## Meeting Notes | ||
|
|
||
| ### Minutes Approval | ||
|
|
||
| * Minutes from the previous meeting were **Approved** (Reviewed by Gary & Bob). | ||
| * **TODO:** Update SPDX Tech Team Meeting Minutes Home Page. | ||
|
|
||
| ### SPDX Crypto Algorithm List | ||
|
|
||
| * **Presentation:** Slides presented by Augustin. (Note: Link to PDF version to be added to GitHub). | ||
| * **Challenges:** Completeness, security profile, and inclusion of certificates. | ||
| * **Compatibility:** Aiming for alignment with **CycloneDX** IDs where standardized. 4-5 IDs currently need adjustment for full compatibility. | ||
| * **Current State:** Under heavy development; modeled after the SPDX License List. Needs a dedicated engineer to drive publishing and cryptographers for advisory. | ||
|
|
||
| ### SPDXid & Document Namespace ([PR #1215]()) | ||
|
|
||
| * **Implementation:** Joshua indicated namespaces will be implemented for element IDs. Recommendation: keep IDs short in examples. | ||
| * **JSON-LD Context:** Schema will permit shorter identifiers in the `@context`. | ||
| * **Review requested:** Please review the `@context` support PR: [shacl2code #71](). | ||
| * **Compatibility:** Max questioned if this is standard RDF; Joshua confirmed it is compatible. | ||
| * **Tooling Guidance:** | ||
| * Discussion on default values for creators (e.g., Yocto defaults to OpenEmbedded). | ||
| * Guidance: If an organization/tool is known, use that specific name. To verify creation, look at `spdxIds` rather than the associated website. | ||
|
|
||
|
|
||
| * **TODO:** Update guidance and examples on how to use `@context`. | ||
|
|
||
| ### Feedback on SPDX 3.1-rc1 | ||
|
|
||
| * See [Issue #1354](). | ||
| * **Next Week:** Focus on **Signatures**. | ||
|
|
||
| --- | ||
|
|
||
| ## Backlog | ||
|
|
||
| The current backlog can be viewed at the following link: | ||
| [SPDX Tech Team Backlog]() | ||
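Review bot: In the "SPDX Crypto Algorithm List" notes the presenter is written "Augustin", while the attendee list has "Agustin Benito Bethencourt"; use the attendee-list spelling so the minutes name the same person consistently. The heading "SPDXid & Document Namespace" also differs in casing from the `spdxId` used in agenda item 5. In the same section, the tooling guidance "To verify creation, look at `spdxIds` rather than the associated website" does not say what is being verified or by whom, so a sentence stating the agreed recommendation would help readers who were not in the meeting. The "Link to PDF version to be added to GitHub" placeholder and the two TODO items carry no owner; consider naming one or linking a tracking issue before merge. As rendered here every issue and PR link has an empty target `()`; if that is also true in the file, fill in the URLs.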