devops-automation open source supply chain WG Meeting March 19, 2024

Date

day-of-week DD MMM yyyy - time EST / time UK

Name	Firm	Comment

FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.
All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.
FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

[ ] Look into standard for vendors to contribute SBOMs and other supply chain metadata - start with openchain, SPDX, look at gaps - can document provenance and lineage - an incentive for vendors to participate to position their risk mitigation configs. Could potentially provide frameworks and tools to ease the meeting of the standard
[ ] Package management - can we approach registries and package management frameworks in a standardized way. Replicating google's assured open source - Karl will reach out to Google rep for Finos. JM will reach out to openchain and SPDX leads
[ ] ...