7th November Supply Chain Security
robmoffat opened this issue · comments
Date
Tuesday 7 Nov 2023 - 9AM EST / 2PM UK
Untracked attendees
Name | Firm | Comment |
---|
Meeting notices
-
FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
-
All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.
-
FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
-
FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
Agenda
- Convene, roll call, welcome new people
- Approve previous meeting minutes
- SPDX / SBOMs (Gary ONeall)
- Add Items Here
- AOB, Q&A & Adjourn (5mins)
Decisions Made
- Decision 1
- Decision 2
- ...
Action Items
- Action 1
- Action 2
- ...
Zoom info
Join Zoom Meeting
- https://zoom.us/j/95521041942?pwd=dHgwREU2TzBsS242ak1zYWZsUW9OUT09
- Meeting ID: 955 2104 1942
- Passcode: 443820
- Find your local number: https://zoom.us/u/aesEqmNODb
Github Repo: https://github.com/finos/devops-automation/
Project Board: https://github.com/orgs/finos/projects/33
Mailing List: Email devops-mutualization+subscribe@finos.org to subscribe to our mailing list
Rob / FINOS 🕙
Peter Smulovics / Morgan Stanley 🏦
Gary O'Neall / SPDX
Mimi Flynn / Morgan Stanley
Here's a few notes and references for SPDX and how it may help with some of the FINOS Supply chain security use cases:
For an overview of use cases, see the individual profile pages: https://spdx.dev/learn/areas-of-interest/
Here's a presentation with an overview of SPDX and SPDX 3.0: Pointer to presentation on SPDX 2.X and 3.0 webinar and blog posts - SPDX now and in the future https://docs.google.com/presentation/d/1nW7PjddeSVGmQZu4bo50yXIZAniY9Hdxtg7Yt2No4jc
In terms of how it may apply to different discussion topics:
- Discussion Topic: How is OSS embedded in web apps tracked/managed?#112 - SBOMs can be used. NPM has a pull request to generate SPDX files which include all dependencies in a standardized fashion
- 1st discussion point: EOL and lifecycle management for OSS libraries - Usage profile has end of life fields in SPDX
- packaging, package management, and package registry protection - Update from PackagingCon - Good discussions on supply chain security. OpenSSF, SBOM's, link to talk: https://docs.google.com/presentation/d/1luX6E2GXAsq2-17eY4Gn_CvVX_knrNp7XOnjnUZJbbc
Here's a couple more SPDX links if you're interested in participating or just viewing what we're working on:
https://github.com/spdx/meetings
https://spdx.dev/engage/participate/
Another link for various presentations that are more PDF and video formats: https://github.com/spdx/outreach/blob/main/SPDX-presentations.md