7th November Supply Chain Security

Question

robmoffat opened this issue 9 months ago · comments

Date

Tuesday 7 Nov 2023 - 9AM EST / 2PM UK

Name	Firm	Comment

FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.
FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Join Zoom Meeting

Github Repo: https://github.com/finos/devops-automation/

Project Board: https://github.com/orgs/finos/projects/33

Mailing List: Email devops-mutualization+subscribe@finos.org to subscribe to our mailing list

Rob Moffat · Answer 1 · Tue Nov 07 2023 22:15:16 GMT+0800 (China Standard Time)

Rob / FINOS 🕙

Peter Smulovics · Answer 2 · Tue Nov 07 2023 22:15:25 GMT+0800 (China Standard Time)

Peter Smulovics / Morgan Stanley 🏦

Gary O'Neall · Answer 3 · Tue Nov 07 2023 22:15:41 GMT+0800 (China Standard Time)

Gary O'Neall / SPDX

Mimi Flynn · Answer 4 · Tue Nov 07 2023 22:16:23 GMT+0800 (China Standard Time)

Mimi Flynn / Morgan Stanley

Rob Moffat · Answer 5 · Tue Nov 07 2023 22:24:13 GMT+0800 (China Standard Time)

Gary O'Neall · Answer 6 · Tue Nov 07 2023 22:29:36 GMT+0800 (China Standard Time)

Here's a few notes and references for SPDX and how it may help with some of the FINOS Supply chain security use cases:

For an overview of use cases, see the individual profile pages: https://spdx.dev/learn/areas-of-interest/

Here's a presentation with an overview of SPDX and SPDX 3.0: Pointer to presentation on SPDX 2.X and 3.0 webinar and blog posts - SPDX now and in the future https://docs.google.com/presentation/d/1nW7PjddeSVGmQZu4bo50yXIZAniY9Hdxtg7Yt2No4jc

In terms of how it may apply to different discussion topics:

Discussion Topic: How is OSS embedded in web apps tracked/managed?#112 - SBOMs can be used. NPM has a pull request to generate SPDX files which include all dependencies in a standardized fashion
1st discussion point: EOL and lifecycle management for OSS libraries - Usage profile has end of life fields in SPDX
packaging, package management, and package registry protection - Update from PackagingCon - Good discussions on supply chain security. OpenSSF, SBOM's, link to talk: https://docs.google.com/presentation/d/1luX6E2GXAsq2-17eY4Gn_CvVX_knrNp7XOnjnUZJbbc

Gary O'Neall · Answer 7 · Tue Nov 07 2023 22:42:18 GMT+0800 (China Standard Time)

Here's a couple more SPDX links if you're interested in participating or just viewing what we're working on:

Gary O'Neall · Answer 8 · Tue Nov 07 2023 22:43:50 GMT+0800 (China Standard Time)

Another link for various presentations that are more PDF and video formats: https://github.com/spdx/outreach/blob/main/SPDX-presentations.md