IMPORTANT: Special Tooling Meeting - March 1st (tomorrow) at 09:00 CET (08:00 UTC)

Tomorrow there is a special meeting (on our regular schedule) of the tooling work group. Please dial in at 09:00 CET on Wednesday the 1st of March. This will be a strategy meeting about what we can and will do for the rest of the year. Jan will host alongside Philippe and Oliver (time permitting).

https://conf.fsfe.org/b/compliance-tooling
Access Code: 199143

There is a specific proposal to discuss below.

Jan:
Maybe it would be an idea to focus a bit on the actual use of tools and the "how" of getting to use them properly. For example, many tools are now capable of producing an SBOM. But are they comparable? Will I get the same results from different tools? What actually is required to identify a package correctly? Purl? Repo-URL? How could we verify what we are consuming? Who, if not the automation group, would be able to provide sound answers to such questions?

Shane prepared a thinking document a couple of days ago:
https://docs.google.com/document/d/12eFSalfbo3C_wtcGXsKdg0-4FAmPIIN6DEcs5WEcDXM/edit?usp=sharing

It suggests the development of three things starting with our third Wednesday meeting in March:
• Slides or other material to set context for automation (OpenChain has some slides to help understand individual tooling options, but they are outdated. We have the landscape, but we need to integrate it with tooling options)
• Case studies to dig deeper into each tool
• Metrics to help people choose between tools once they understand their requirements and the options on the market

Shane’s note:
None of this makes sense in isolation. It needs to be tied together with one simple, big item: why do we need tooling in the first place? The answer is “to understand what we are dealing with at scale.” This suggests that tooling is inextricably linked with SBOMs, and that whatever we do when talking about the above should be linked into SBOM strategy (White House, NISA, CISA, etc.), implementation (SPDX, CycloneDX) and the challenges in that domain (practical implementation in tooling).
That may be our filter to shape all of the above.
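As an added example (not part of this thread, and not OpenChain's or any tool's own code), here is one way to make Jan's comparability question concrete: extract the package URLs from two constructed SBOM fragments, one CycloneDX-style and one SPDX-style, canonicalise them following the purl conventions (type is case-insensitive, pypi names are lowercased with underscores as dashes, qualifier keys are lowercased and sorted), and diff the resulting package identity sets. SBOM_A, SBOM_B and the function names are constructed for this example.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX-style output from "tool A" (sample data, not real tool output)
SBOM_A = json.dumps({"components": [
    {"name": "requests", "purl": "pkg:PyPI/Requests@2.31.0"},
    {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21?Foo=bar"},
    {"name": "left-pad", "purl": "pkg:npm/left-pad@1.3.0"},
]})
# Constructed SPDX-style output from "tool B" (sample data, not real tool output)
SBOM_B = json.dumps({"packages": [
    {"name": "requests", "externalRefs": [{"referenceType": "purl",
        "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    {"name": "lodash", "externalRefs": [{"referenceType": "purl",
        "referenceLocator": "pkg:npm/lodash@4.17.21?foo=bar"}]},
    {"name": "lodash", "externalRefs": [{"referenceType": "purl",
        "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
]})

def canonical_purl(purl: str) -> str:
    """Normalise a purl so equivalent spellings compare equal: type lowercased,
    pypi names lowercased with '_' -> '-', qualifier keys lowercased and sorted."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body, _, subpath = purl[4:].partition("#")   # subpath comes last
    body, _, qual = body.partition("?")           # then qualifiers
    path, _, version = body.partition("@")        # '@' in names must be %-encoded
    ptype, _, rest = path.strip("/").partition("/")
    ptype = ptype.lower()
    if ptype == "pypi":
        rest = rest.lower().replace("_", "-")
    pairs = (q.partition("=") for q in qual.split("&") if q)
    qualifiers = sorted((k.lower(), unquote(v)) for k, _, v in pairs if v)
    out = f"pkg:{ptype}/{rest}" + (f"@{version}" if version else "")
    if qualifiers:
        out += "?" + "&".join(f"{k}={v}" for k, v in qualifiers)
    return out + (f"#{subpath}" if subpath else "")

def purls_from_cyclonedx(doc: str) -> set:
    return {canonical_purl(c["purl"]) for c in json.loads(doc)["components"] if c.get("purl")}

def purls_from_spdx(doc: str) -> set:
    return {canonical_purl(r["referenceLocator"]) for p in json.loads(doc)["packages"]
            for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"}

def diff_sboms(a: set, b: set) -> dict:
    """Which package identities do the two tools agree and disagree on?"""
    return {"common": sorted(a & b), "only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}
```

Components without a purl are silently skipped here; in practice that gap is itself a finding, since a package the tool could not identify cannot be compared or checked against advisories.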

A reminder that the tooling work group strategy meeting takes place in just under four hours. Highly recommended discussion for all parties interested in ensuring clear, useful information about open source tooling for open source compliance is available to all.

On Feb 28, 2023, at 22:19, Shane Coughlan <scoughlan@...> wrote: