-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SBOMit Sandbox Project Application #192
Conversation
I read through what's currently there for the specification, and one big suggestion I have is an example, even if it's a contrived hello world example would be useful to really understand how SBOMit intends to solve the problem posed in the specification and presentation. |
There is some discussion around licensing of the SBOMit specification on the LF License review issue. Initial discussion with the SBOMit maintainers is to accept a change to Ideally the TAC can review our application and discuss at the next meeting. If the vote is to accept pending the license change, the SBOMit maintainers will work the license change in parallel. I also updated slides (4 and 5) updated to detail the difference between SBOMit and signed SBOMs. This was a common question from TAC members. |
Adding some updates since the TAC meeting on Tuesday.
|
SBOMit lifecycle docs update to reflect change to using |
(starting the voting thread) +1 Binding from me. |
voting - +1 for me to adopt based on reaction to feedback & adjustment of license (thanks!) |
+1 for me - the project is in a early phase, but that's what the sandbox step is for! |
As I explained multiple times in various places: under our current governance structure this cannot be brought in as a project. Because it is not primarily focused on producing code, it ought to be categorized as a SIG (for which there is no sandbox stage). |
+1 from me. |
+1 from me |
Assuming the other items are correctly spelled, can you try following the instructions in https://github.com/ossf/tac/actions/runs/6218203711?pr=192#summary-16874345424 ? (If they don't make sense, please let me know) |
I'm finding a bit ironic that the OpenSSF is asking me to curl and run a perl script from the Internet... 😃
I'm not super conversant in Perl and I'm about to head to bed. The flagged items are actually spelled correctly, if someone else from the SBOMit group has a moment to sanity check what is happening and then tell the spellchecker to ignore these issues. |
You can manually add the items to (Updated to be slightly more precise, sorry about the confusion) |
+1 |
Okay, I've submitted a PR with those words added. #200 |
@JustinCappos You kind of want to do something like SBOMit/tac@main...JustinCappos:tac:patch-2 -- i.e. creating the PR from your repo into the SBOMit repo. check-spelling will suggest deleting things that aren't needed, so those would be orphaned and reaped by the next person who followed its instructions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
6 of 7 TAC members voted to approve, with 1 not responding. Arnaud brings up good points that we need to have a spec-focused group entry in our governance, but that should not block this effort.
Thanks! So is this pr ready to merge? |
Yep just need to fix the merge conflicts and it's ready to go |
I tried to resolve the conflicts but I don't have write permission on this branch to help :( |
Signed-off-by: Ian Dunbar-Hall <[email protected]>
Co-authored-by: Josh Soref <[email protected]> Signed-off-by: Justin Cappos <[email protected]>
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@hythloda rebased the SBOMit application changes and resolved the conflicts. |
@jsoref is the spelling workflow broken or something in the file? |
@hythloda unfortunately check-spelling is looking at files as a whole, it found these items in the files changed in this PR: The reason it cares about I just released a version last week which would have told you which lines it found each item in (which should have helped things a lot) and which files it was checking (which would have improved things a little). I need to think about the logic of the only changed files feature (it exists for this sort of repository use case, but I rarely use it) -- I suspect the advice it gives should be to add items into But basically, the goal here is for it to ask people if they're ok with the words that are used, if they are, the check isn't mandatory and once it merges, future PRs that don't change those files won't be asked about those items. Oh..., there is a workflow change we could/should make which is adding tac/.github/workflows/spelling.yml Line 131 in aa5f070
tac/.github/workflows/spelling.yml Line 148 in aa5f070
That'd result in you not seeing a ❌ but instead getting the ✅ . So, long story short:
|
…ithub.com/ossf/tac/pull/192\#issuecomment-1749657593 Signed-off-by: Ian Dunbar-Hall <[email protected]>
…ithub.com/ossf/tac/pull/192\#issuecomment-1749657593 (#6) Signed-off-by: Ian Dunbar-Hall <[email protected]>
The SBOMit project is seeking sandbox maturity level entry into the OpenSSF.
SBOMit was presented to the Security Tooling WG on 8/15/23 and the slides are available at ...
We believe we meet OpenSSF Sandbox requirements.
Remaining Actions
SBOMit Links
SBOMit is licensed as CC-BY-4.0.