
7th November Supply Chain Security

Open robmoffat opened this issue 2 years ago • 8 comments

Date

Tuesday 7 Nov 2023 - 9AM EST / 2PM UK

Untracked attendees

Name Firm Comment

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

  • [ ] Convene, roll call, welcome new people
  • [ ] Approve previous meeting minutes
  • [ ] SPDX / SBOMs (Gary ONeall)
  • [ ] Add Items Here
  • [ ] AOB, Q&A & Adjourn (5mins)

Decisions Made

  • [ ] Decision 1
  • [ ] Decision 2
  • [ ] ...

Action Items

  • [ ] Action 1
  • [ ] Action 2
  • [ ] ...

Zoom info

Join Zoom Meeting

  • https://zoom.us/j/95521041942?pwd=dHgwREU2TzBsS242ak1zYWZsUW9OUT09
  • Meeting ID: 955 2104 1942
  • Passcode: 443820
  • Find your local number: https://zoom.us/u/aesEqmNODb

Github Repo: https://github.com/finos/devops-automation/

Project Board: https://github.com/orgs/finos/projects/33

Mailing List: Email [email protected] to subscribe to our mailing list

robmoffat, Nov 07 '23 14:11

Rob / FINOS 🕙

robmoffat, Nov 07 '23 14:11

Peter Smulovics / Morgan Stanley 🏦

psmulovics, Nov 07 '23 14:11

Gary O'Neall / SPDX

goneall, Nov 07 '23 14:11

Mimi Flynn / Morgan Stanley

mimiflynn, Nov 07 '23 14:11

https://spdx.dev/learn/areas-of-interest/

robmoffat, Nov 07 '23 14:11

Here's a few notes and references for SPDX and how it may help with some of the FINOS Supply chain security use cases:

For an overview of use cases, see the individual profile pages: https://spdx.dev/learn/areas-of-interest/

Here's a presentation with an overview of SPDX and SPDX 3.0 (pointer to the presentation on the SPDX 2.X and 3.0 webinar and blog posts, "SPDX now and in the future"): https://docs.google.com/presentation/d/1nW7PjddeSVGmQZu4bo50yXIZAniY9Hdxtg7Yt2No4jc

In terms of how it may apply to different discussion topics:

  • Discussion Topic: How is OSS embedded in web apps tracked/managed? (#112) - SBOMs can be used. NPM has a pull request to generate SPDX files which include all dependencies in a standardized fashion
  • 1st discussion point: EOL and lifecycle management for OSS libraries - the Usage profile has end-of-life fields in SPDX
  • Packaging, package management, and package registry protection - update from PackagingCon - good discussions on supply chain security. OpenSSF, SBOMs, link to talk: https://docs.google.com/presentation/d/1luX6E2GXAsq2-17eY4Gn_CvVX_knrNp7XOnjnUZJbbc

goneall, Nov 07 '23 14:11
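Gary's two points above (an SBOM as the inventory of OSS embedded in a web app, and end-of-life fields carried in the SBOM) as an added, runnable example that is not from this thread, from FINOS, or from the SPDX project. The script below consumes an SPDX 2.3 JSON document of the shape package-manager generators emit, walks DEPENDS_ON relationships from the described root package to build the transitive inventory (as purls), flags packages whose SPDX 2.3 `validUntilDate` is already past, and reports two structural gaps a consumer should check before trusting an SBOM: relationship endpoints that name nothing in the document, and listed packages no root reaches. Assumptions: the SBOM is hand-constructed (package names are fictitious, dates are made up), and the EOL check uses the SPDX 2.3 package field rather than the SPDX 3.0 profile fields Gary refers to.

```python
"""Inventory an SPDX 2.3 JSON SBOM: transitive dependencies with package URLs,
end-of-life packages, and structural gaps (dangling or unreachable entries)."""
import json
from collections import deque
from datetime import datetime, timezone

def _pkg(name, version, **extra):
    """One SPDX 2.3 package entry with an npm purl (sample-construction helper)."""
    return {"SPDXID": f"SPDXRef-Package-{name}-{version}", "name": name,
            "versionInfo": version, "downloadLocation": "NOASSERTION",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": f"pkg:npm/{name}@{version}"}], **extra}

# Hand-constructed SPDX 2.3 JSON document for this example, not real tool output. It
# follows the shape package-manager generators emit: one package per installed module,
# DEPENDS_ON relationships between them, and a purl external reference per package.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-webapp@1.0.0",
    "documentDescribes": ["SPDXRef-Package-example-webapp-1.0.0"],
    "packages": [
        _pkg("example-webapp", "1.0.0"),
        _pkg("ui-widgets", "4.2.1"),
        _pkg("string-utils", "2.0.0", validUntilDate="2025-12-31T00:00:00Z"),
        _pkg("legacy-parser", "0.9.3", validUntilDate="2023-06-30T00:00:00Z"),
        _pkg("orphan-lib", "1.0.0"),  # listed but related to nothing: an inventory gap
    ],
    "relationships": [
        {"spdxElementId": a, "relationshipType": k, "relatedSpdxElement": b} for a, k, b in [
            ("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-example-webapp-1.0.0"),
            ("SPDXRef-Package-example-webapp-1.0.0", "DEPENDS_ON", "SPDXRef-Package-ui-widgets-4.2.1"),
            ("SPDXRef-Package-example-webapp-1.0.0", "DEPENDS_ON", "SPDXRef-Package-string-utils-2.0.0"),
            # the same edge written the inverse way, as some generators do
            ("SPDXRef-Package-legacy-parser-0.9.3", "DEPENDENCY_OF", "SPDXRef-Package-ui-widgets-4.2.1"),
        ]
    ],
})

def load_sbom(text):
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("expected an SPDX 2.x JSON document")
    return doc

def root_packages(doc):
    """Top-level packages: documentDescribes plus any DESCRIBES relationship from the document."""
    roots = list(doc.get("documentDescribes", []))
    for r in doc.get("relationships", []):
        if r["relationshipType"] == "DESCRIBES" and r["spdxElementId"] == doc["SPDXID"]:
            if r["relatedSpdxElement"] not in roots:
                roots.append(r["relatedSpdxElement"])
    return roots

def transitive_dependencies(doc, root_id):
    """Breadth-first walk over DEPENDS_ON edges; DEPENDENCY_OF is the same edge reversed."""
    children = {}
    for r in doc.get("relationships", []):
        a, b = r["spdxElementId"], r["relatedSpdxElement"]
        if r["relationshipType"] == "DEPENDS_ON":
            children.setdefault(a, []).append(b)
        elif r["relationshipType"] == "DEPENDENCY_OF":
            children.setdefault(b, []).append(a)
    seen, queue, order = {root_id}, deque([root_id]), []
    while queue:
        for child in sorted(children.get(queue.popleft(), [])):
            if child not in seen:
                seen.add(child); queue.append(child); order.append(child)
    return order

def purl_of(pkg):
    refs = [r["referenceLocator"] for r in pkg.get("externalRefs", []) if r.get("referenceType") == "purl"]
    return refs[0] if refs else None

def parse_spdx_date(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def report(sbom_text, as_of):
    """Inventory plus the checks a consumer should run before trusting the SBOM."""
    doc = load_sbom(sbom_text)
    idx = {p["SPDXID"]: p for p in doc.get("packages", [])}
    roots = root_packages(doc)
    deps = {root: transitive_dependencies(doc, root) for root in roots}
    reachable = set(roots).union(*deps.values())
    known = set(idx) | {doc["SPDXID"]}
    ends = {e for r in doc.get("relationships", []) for e in (r["spdxElementId"], r["relatedSpdxElement"])}
    return {
        "roots": roots,
        # purl where the package carries one, else its SPDXID
        "dependencies": {root: [purl_of(idx.get(d, {})) or d for d in ds] for root, ds in deps.items()},
        # SPDX 2.3 package field validUntilDate already in the past
        "end_of_life": sorted(p["SPDXID"] for p in idx.values()
                              if "validUntilDate" in p and parse_spdx_date(p["validUntilDate"]) < as_of),
        # relationship endpoints naming no element here (external DocumentRef- ids are not resolved)
        "dangling": sorted(e for e in ends if e not in known and not e.startswith("DocumentRef-")),
        # listed packages no root reaches: the SBOM does not say how they got into the build
        "unreachable": sorted(set(idx) - reachable),
    }

if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_SBOM, parse_spdx_date("2023-11-07T00:00:00Z")), indent=2))
```

Run it as-is to see the report for the constructed document; to use it on a real SBOM, replace `SAMPLE_SBOM` with the contents of the generated SPDX JSON file. The "unreachable" and "dangling" lists are the ones to read first: a package that no relationship connects to the root has no recorded provenance in the SBOM, and a dangling identifier means the generator emitted an incomplete graph, so the dependency walk is not a complete inventory either way.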

Here are a couple more SPDX links if you're interested in participating or just viewing what we're working on:

https://github.com/spdx/meetings
https://spdx.dev/engage/participate/

goneall, Nov 07 '23 14:11

Another link for various presentations that are more PDF and video formats: https://github.com/spdx/outreach/blob/main/SPDX-presentations.md

goneall, Nov 07 '23 14:11