Open Supplychain Information Modeling TC


Meeting notes — 2 September 2025

    Posted 09-03-2025 19:36
    Hi all, thanks for the candid and open discussion on the OSIM call this week. As promised, I'm pasting notes below... in due course I'll get these in our GH repo.

    Jay - thanks for moderating and driving the discussion.
    Stefan - thanks for taking the lead on the next steps.

    Isaac
    --
    Duncan was an original proposer of the group; losing his contribution leaves a big gap
    We all retain the belief that information modeling for this area is important
    We want to make the group successful; how best do we approach that?
    Would like input from the group:
    * Anupam
      * Wasn't present for the beginning of this group
      * Interested in whether there's data on the need for this working group?
        * Jay: some related info exists in the GH repo, but it's generalized need for information models rather than data models
        * VEX is a good example of information which today flows through various data serialization formats
        * We have a sense of the need but not specific research; potentially we could look to fill in that gap
    * Stefan
      * We've been building groundwork, defining terms, not much progress
        * Felt like "being prepared for a journey"
        * It's time to "be on a journey"
      * Perhaps we should focus on a narrower scope?
    * Bob
      * Concern that we're not sufficiently connected to SPDX and CycloneDX
        * They're both evolving independently, and accelerating
      * The data standards operate at a micro-detail level
        * The opportunity for us is that we can produce conceptual continuity and connective tissue across the space
    * Stefan
      * Has been orbiting CDX and SPDX for a while
      * Each seems to strive to dominate; each at the same time caught up in local concerns
      * Opportunity for us is to start small, build a center of gravity
    * Isaac
      * [summarizes discussion so far]
      * One opportunity would be to look at the new CISA SBOM Min Elements doc; it's foundational, narrow, important, influential
    * Bob
      * Leaving SBOM for a moment, BOM as a thing seems interesting
        * BOM for software, models, datasets, libraries, firmware...
      * Adjacency here with provenance and lineage
        * "what can we know about [asset X]"... and its journey to us, the chain of custody, the processes involved in building it, etc.

    So... what now? And do we have the right group to tackle this kind of thing?
    * Opportunities particular with CSAF as an OASIS effort?

    Plan of record:
    * Isaac send out notes [DONE]
    * We'll propose a framing, plan, and scope ahead of October meeting
      * Stefan take the lead here, with a focus on which technical committees we might partner with or otherwise aim to pull in
    * We'll iterate and plan a check-in at the end of the year
      * Let's be honest with ourselves as to how we're doing and if we should continue