Summary of Meetings from the Chair (Marc-Etienne)
Meeting 2023-04-06 morning
Attendees:
- Stephen Kilbane, Analog Devices Inc.
- Nikola Babadzhanov, Bosch
- Anton Bashlykov, MBition
- Marc-Etienne Vargenau, Nokia
We reviewed the pull requests and merged them:
- added the definition of “SBOM Type” from CISA and used it in section 3.7 “SBOM Build information”
- updated section “3.13 SBOM Verification”, added recommendation to provide a digital signature of the SBOM
- updated section 3.5.2, added rationale for the tag:value format, indicating it is the most human-readable format
- updated several “Verification and reference material” and “Rationale” sections
- added “5. References” section, providing references for SPDX, OpenChain and “NTIA minimum elements”
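As an added illustration of the signature recommendation summarized above (example code written for these notes, not code from the OpenChain/SPDX document or the meeting): a detached Ed25519 signature is produced over the exact bytes of a tag:value SBOM and verified by the consumer, with a tampered copy shown to fail. The sample SBOM is constructed for the example, and the key-fingerprint scheme used for `KeyID` is an assumption, not something the document specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// sampleSBOM is a constructed, minimal SPDX 2.3 tag:value document used only to
// illustrate signing; it does not describe a real product.
const sampleSBOM = `SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-1.0
DocumentNamespace: https://example.invalid/spdxdocs/example-app-1.0
Creator: Tool: hand-written-example
Created: 2023-04-06T10:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
`

// KeyID returns a short fingerprint of the public key (first 8 bytes of SHA-256, hex)
// so a consumer can record which key signed the SBOM. This scheme is an assumption
// of the example, not part of the SPDX or OpenChain documents.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// SignSBOM produces a detached Ed25519 signature over the exact SBOM bytes. The SBOM
// file itself is left untouched, so any checksum a consumer already recorded for it
// stays valid; the signature travels as a separate artifact (base64 here).
func SignSBOM(priv ed25519.PrivateKey, sbom []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, sbom))
}

// VerifySBOM checks a detached base64 signature against the SBOM bytes as received.
// Any change to the document, even whitespace, must fail verification.
func VerifySBOM(pub ed25519.PublicKey, sbom []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, sbom, sig)
}

// Tamper returns a copy of the SBOM with the package version changed, simulating a
// document altered after it was signed.
func Tamper(sbom []byte) []byte {
	return []byte(strings.Replace(string(sbom), "PackageVersion: 1.0", "PackageVersion: 1.1", 1))
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sbom := []byte(sampleSBOM)
	sig := SignSBOM(priv, sbom)
	fmt.Printf("key id: %s\nsignature: %s\n", KeyID(pub), sig)
	fmt.Println("original verifies:", VerifySBOM(pub, sbom, sig))
	fmt.Println("tampered verifies:", VerifySBOM(pub, Tamper(sbom), sig))
}
```

The detached form is used deliberately: embedding a signature inside the SBOM would change the bytes that the signature covers and any file checksums consumers have already stored, whereas a separate signature file leaves the tag:value document exactly as produced.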
Meeting 2023-04-06 afternoon
Attendees:
- Alfred Strauch, SmartTalk Security Inc.
- Chris
- Marc-Etienne Vargenau, Nokia
We reviewed the pull requests that had been merged in the morning meeting.
Alfred pointed out the use case of software whose name changes and asked how this should be handled.
Alfred suggested that I join the SBOM Forum. He will introduce me to Tom Alrich. The forum brings together several companies, including Red Hat, Oracle, Microsoft and companies producing medical devices. One of the creators of CycloneDX is a member.
Outcome
The draft document is now complete. Please review it and share your comments and suggestions on the mailing list or on GitHub by creating issues or pull requests.