
RECORDING: OpenChain Telco Work Group – 2025-12-04

Published 2025-12-12 (News)

Attendees:

  • Jimmy Ahlberg, Ericsson
  • Takashi Ninjouji, Honda
  • Marc-Etienne Vargenau, Nokia

We show the anti-trust notice https://github.com/OpenChain-Project/Reference-Material/tree/master/OpenChain-Templates/Work-Group-Slide-Template, as Shane reminded us to do.

Jimmy is back from his Asia trip. He will go to Japan for the Open Source and Compliance summits.

Jimmy has concerns about the recently released version 1.7 of the CycloneDX standard. CycloneDX v1.7 introduces first-class support for patents and patent families. These new fields could be used by patent trolls.

Shane will be leaving his role as OpenChain General Manager. His last day will be the 12th of December. There is no replacement for him yet. It might take some time. Everyone is welcome to propose candidates.

We have no news from CISA about their Minimum Elements document. Nokia's comments were submitted, but they are still not visible at https://www.regulations.gov/document/CISA-2025-0007-0001/comment. So we have no idea when the final version of the document will be published.

The Python ntia-conformance-checker https://pypi.org/project/ntia-conformance-checker/ has been updated. It can now also check conformance to the CISA document, which means additionally checking Licenses and Copyright Holder. The default is still to check NTIA; an option has to be passed to check for CISA. So there is no impact on the openchain-telco-sbom-validator, which uses this library.

It is now also possible to check conformance for SPDX 3 SBOMs. But we have not yet tested this capability.

A new release 0.3.3 of the openchain-telco-sbom-validator has been published. It only fixes a very small bug in the handling of the CISA SBOM type when it is followed by more text in the comment.

Nokia has published a new Python tool https://pypi.org/project/pypispdx/ to create SBOMs for Python packages available on https://pypi.org/. It creates an SBOM in multiple SPDX 2.3 formats (tag:value, JSON, RDF, XML, YAML). The SBOM is compliant with the OpenChain Telco SBOM Guide. It includes the recursive dependencies of the package. For every package, it contains the PackageDownloadLocation, the PackageChecksum in both SHA256 and MD5, and the licenses when available.
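As an added illustration of the per-package checks mentioned above (download location, SHA256 checksum, license, and the copyright holder that the CISA check adds), here is a small stand-alone Python check over an SPDX 2.3 JSON document. It is not the code of ntia-conformance-checker, openchain-telco-sbom-validator or pypispdx; the sample SBOM is constructed, and mapping "copyright holder" to the SPDX copyrightText field is an assumption.

```python
import json

# Constructed sample SPDX 2.3 JSON SBOM with two packages (not real tool output).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {   # complete package: every field the checks look for is present
            "name": "example-lib", "SPDXID": "SPDXRef-Package-example-lib", "versionInfo": "1.2.3",
            "downloadLocation": "https://files.example.invalid/example-lib-1.2.3.tar.gz",
            "checksums": [{"algorithm": "SHA256", "checksumValue": "aa" * 32},
                          {"algorithm": "MD5", "checksumValue": "bb" * 16}],
            "licenseConcluded": "MIT", "licenseDeclared": "MIT",
            "copyrightText": "Copyright (c) 2024 Example Authors",
        },
        {   # incomplete package: every field of interest is NOASSERTION or absent
            "name": "bare-lib", "SPDXID": "SPDXRef-Package-bare-lib",
            "versionInfo": "0.1.0", "downloadLocation": "NOASSERTION",
            "checksums": [{"algorithm": "MD5", "checksumValue": "cc" * 16}],
            "licenseConcluded": "NOASSERTION", "copyrightText": "NOASSERTION",
        },
    ],
})

# SPDX values that carry no usable information for these checks.
NO_VALUE = {"", "NOASSERTION", "NONE"}

def check_package(pkg):
    """Return the list of findings for one SPDX 2.3 package dict (empty list = passes)."""
    findings = []
    if pkg.get("downloadLocation", "") in NO_VALUE:
        findings.append("no PackageDownloadLocation")
    if "SHA256" not in {c.get("algorithm") for c in pkg.get("checksums", [])}:
        findings.append("no SHA256 PackageChecksum")
    if (pkg.get("licenseConcluded", "") in NO_VALUE
            and pkg.get("licenseDeclared", "") in NO_VALUE):
        findings.append("no license (neither concluded nor declared)")
    if pkg.get("copyrightText", "") in NO_VALUE:  # assumed mapping for "copyright holder"
        findings.append("no copyright holder (copyrightText)")
    return findings

def check_sbom(sbom_json):
    """Parse an SPDX 2.3 JSON document; map each failing package's SPDXID to its findings."""
    doc = json.loads(sbom_json)
    results = {pkg["SPDXID"]: check_package(pkg) for pkg in doc.get("packages", [])}
    return {spdxid: f for spdxid, f in results.items() if f}

if __name__ == "__main__":
    for spdxid, findings in check_sbom(SAMPLE_SBOM).items():
        print(spdxid, "->", "; ".join(findings))
```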

Takashi-san reminds us that the latest version of the German BSI document requires SPDX version 3, whereas the previous version required only SPDX 2. Most tools, including for example Black Duck, produce only SPDX 2 for the moment. We do not know why the BSI requires it. In practice, the simplest solution could be to convert SPDX 2 to SPDX 3 using the Java tools https://github.com/spdx/tools-java.

Takashi-san shows the work done by the automotive group about SPDX 3.

The OpenChain automotive work group handles SPDX 3 generated by Yocto and would like to validate it against the Telco Guide. Currently, the validator can only handle SPDX 2, as the Python library it uses (https://github.com/spdx/tools-python/) cannot parse SPDX 3. The last release of this library is more than one year old. A new maintainer has been nominated, so we hope to have a new release that can handle SPDX 3, but we have no date.

We can start to think about an update of the SBOM Guide to allow SPDX 3. The OpenChain SBOM work group has produced, in its document, a table mapping the Telco Guide requirements between SPDX 2 and SPDX 3.

Jimmy will provide a better wording of the paragraph about encryption (see https://github.com/OpenChain-Project/Telco-WG/pull/214).

Be part of this:

Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, listen in, and contribute comments, ideas and suggestions.

✉️ We have a dedicated mailing list:
https://lists.openchainproject.org/g/telco

💻 We have a dedicated GitHub Repo:
https://github.com/OpenChain-Project/Telco-WG