On Tue, 2021-05-18 at 17:28 -0400, Trevor Woerner wrote:
> On Tue, May 18, 2021 at 4:59 PM akuster808 <firstname.lastname@example.org> wrote:
> > I'd like to try and put some guidance around the discussion if I may?
> >
> > On 5/18/21 11:32 AM, Trevor Woerner wrote:
> > > I'd like to recommend this be a round-table topic for next week's OE
> >
> > If meta-doubleopen addresses the issue for folks, what is the topic of

There are a ton of things we could do here but I think the need
is comparatively clear and pressing. Discussions are good where
the outcome is unknown and options need to be explored. I think
some of this is relatively clear for the reasons I'll mention below.

> meta-doubleopen says "This meta layer is intended for use with

Can I suggest we adopt the position that we aim for SPDX unless someone
produces a strong argument that something else has advantages?
The reason I say this is that it is the standard most projects are
consolidating around, it shows alignment with other work at the LF
and SPDX is aiming to become an ISO standard. To do something different
would put us in a difficult position IMO. People complain that LF
projects don't collaborate enough, here we have an opportunity I want
to make work.

> We could look at what an SBOM is, and what are the minimum required

We do need to find out what the legislation says about this so we can

> Another question for the round table: should we integrate this into

We need to be able to say that OE/YP generates SBOM manifests for
images out the box, preferably by default. If we don't do that, we will
lose out to projects which can claim this. I think that makes the

> The round table is also a great way of introducing this important topic

I think the aspects which do need discussion are how to handle:
* SPDX data at the do_package/do_packagedata level
* SPDX data at the archiver and do_populate_lic level
* whether we can replace existing image manifests
* whether we need tooling to take an SPDX image manifest and process it to
various forms for end user/tool use (e.g. actual file output or API?).
This probably translates into some kind of plan with different phases.