Motivation
• The original SPDX was based on the software itself (all information could, for example, be retrieved from the code).
• Export control for software does rely on the bill of materials (SBOM), the
same way FOSS compliance does.
• Adding the information relevant for Export Control to SPDX as a
standard to SBOM is very beneficial to supply chain communication (+
potential for further automation).
• For further activities in software management, additional context information is needed, ideally as configuration-as-code (e.g. Export Control, Release Approvals …) => thus standardization for tools is necessary.
Operations.md
• The OperationsProfile defines fields for describing the business
context of the software that cannot (or not yet) be directly
extracted from the source repository.
• The intention of the Operations Profile is to provide a common base for aligning tool and infrastructure interfaces and development, rather than for exchanging the data between organizations along the software supply chain. The managed information is expected to be kept mainly within the organizations, but in some cases it may also be necessary input for processing and determining the parameters that are later exchanged in the supply chain (e.g. the Export Control Classification Number).
Operations Profile Journey
• We set up an operations profile after the LF Europe in Bilbao – September 2023.
Tooling journey: Excel + Powerpoint => Markdown + Mermaid + draw.io + json-schema => Markdown using SPDX schema + spdx-3-model-repo (timeline labels: 2024, 2025)
Operations Profile Background
• Lifecycle Aspect
• Assessments
• Export Control
• Obligation
• Contribution
Lifecycle phases: Initiation, Development, Transition, Maintenance
Two groups of Operations
• Business Operations: Business Environment (Business context 1, Business context 2, … Business context n)
• Technical Operations: Physical Environment (Physical context 1, Physical context 2, … Physical context n), with System, Hardware, Software and Network
Business Processes
• Value-adding processes
• Client onboarding
• Product / Service development
• Deliver management systems
• Product maintenance
• Service operations
• …
• Supporting processes
• Procurement process
• Sales process
• Asset management
• …
Business Operations
Risk Management
• Compliance
• Ensuring an audit trail and automated checks for non-functional requirements
• Efficiency and Quality
• Process efficiency through automation based on electronically processable data
Business Operations
Development and Documentation
• Three main pillars in the development:
• Drawio-Model: https://github.com/spdx/spdx-3-model/blob/profile-operations/docs/model.drawio
• Operation Profile MD-Files: https://github.com/spdx/spdx-3-model/tree/profile-operations/model/Operations
• Examples: https://github.com/spdx/spdx-3-serialization-prototype-playground
Operation Types
- 01 Inbound assessment
- 02 Outbound assessment
- 03 Contribution assessment
- 04 Obligation fulfillment assessment
- 05 Export control assessment
01/02 Inbound/Outbound assessment
• TODOs:
• The classes should be combined to use the same data, with a single additional property indicating the "instance" of that class; the instance then defines whether the assessment is inbound/upstream or outbound/downstream (equivalent to the concluded license approach).
03 Contribution assessment
• TODOs:
• Drawio-Model:
• OperationProfile: Markdown files for classes and properties need to be created
• 03 – Contribution Assessment Operation Profile MD-Files: TBD
UpstreamContributionAssessmentRelationship class still missing!!!
- notRequired
- contributionArtifact
- agentOfAssessedElement
- purpose
- upstreamProjectMaturity
contributionArtifact property still missing!!!
agentOfAssessedElements property still missing!!!
upstreamProjectMaturity property still missing!!!
• 03 – Contribution Assessment Examples
It partly covers the ideas presented in https://static.sched.com/hosted_files/osseu2020/d9/Leveraging_an_Open_Source_Project_Catalogue_to_select_the_right_project_final.pdf
• 05 – Export Control Assessment Drawio-Model
Should the input metadata necessary for the assessment be part of the Relationship? => NO, only metadata that is a result of the assessment.
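The following Python sketch is an added example, not code from the slides, the SPDX Operations profile or the spdx-3-model repository. It models the two design decisions stated above (one assessment class for both directions, distinguished by a direction property, and a relationship that carries only assessment results, never assessment inputs) together with the property list given for the contribution assessment relationship. The element type names (`operations_Assessment`, `operations_ContributionAssessment`), the direction values and the result/input property names are hypothetical placeholders; only `contributionArtifact`, `agentOfAssessedElement`, `purpose` and `upstreamProjectMaturity` come from the profile's TODO list.

```python
"""Toy validator for SPDX-3-style operations assessment elements.

Added example, not part of the SPDX Operations profile. Type and property
names other than the four contribution-assessment properties are assumptions.
"""
from dataclasses import dataclass, field

# One class for both directions: the direction property says whether the
# assessed element is inbound/upstream or outbound/downstream (the same idea
# as the concluded-license approach, instead of two separate classes).
VALID_DIRECTIONS = {"inbound", "outbound"}  # hypothetical enum values

# Hypothetical names for metadata that is a *result* of the assessment.
RESULT_PROPERTIES = {"spdxId", "type", "direction", "assessedElement",
                     "assessmentResult", "assessedOn", "classification"}

# Hypothetical names for assessment *inputs*: needed to run the assessment,
# but per the design decision they do not belong in the relationship.
INPUT_PROPERTIES = {"targetCountry", "cryptographyUsage", "sourceRepository"}

# Property names listed on the page for the contribution assessment relationship.
CONTRIBUTION_PROPERTIES = {"contributionArtifact", "agentOfAssessedElement",
                           "purpose", "upstreamProjectMaturity"}

ASSESSMENT_TYPES = {"operations_Assessment", "operations_ContributionAssessment"}


@dataclass
class ValidationReport:
    spdx_id: str
    errors: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_assessment(element: dict) -> ValidationReport:
    """Check one assessment element against the design rules above."""
    report = ValidationReport(element.get("spdxId", "<no spdxId>"))

    direction = element.get("direction")
    if direction not in VALID_DIRECTIONS:
        report.errors.append(
            f"direction must be one of {sorted(VALID_DIRECTIONS)}, got {direction!r}")

    # Input metadata leaking into the relationship is a modelling error.
    leaked = sorted(INPUT_PROPERTIES & element.keys())
    if leaked:
        report.errors.append(f"input metadata must not be stored in the relationship: {leaked}")

    allowed = RESULT_PROPERTIES
    if element.get("type") == "operations_ContributionAssessment":
        allowed = RESULT_PROPERTIES | CONTRIBUTION_PROPERTIES
        missing = sorted(CONTRIBUTION_PROPERTIES - element.keys())
        if missing:
            report.errors.append(f"contribution assessment is missing {missing}")

    unknown = sorted(element.keys() - allowed - INPUT_PROPERTIES)
    if unknown:
        report.errors.append(f"unknown properties: {unknown}")
    return report


def validate_document(doc: dict) -> dict[str, ValidationReport]:
    """Validate every assessment element in an SPDX-3-like JSON document."""
    reports = (validate_assessment(e) for e in doc.get("element", [])
               if e.get("type") in ASSESSMENT_TYPES)
    return {rep.spdx_id: rep for rep in reports}


# Constructed sample document (not a real SBOM); values are placeholders.
SAMPLE_DOC = {
    "element": [
        {"spdxId": "urn:example:pkg-1", "type": "software_Package"},
        {   # well-formed outbound export control assessment: result data only
            "spdxId": "urn:example:eca-1", "type": "operations_Assessment",
            "direction": "outbound", "assessedElement": "urn:example:pkg-1",
            "assessmentResult": "cleared", "classification": "ECCN-PLACEHOLDER",
            "assessedOn": "2025-01-15",
        },
        {   # ill-formed: direction outside the enum, and an input leaked in
            "spdxId": "urn:example:eca-2", "type": "operations_Assessment",
            "direction": "upstream", "assessedElement": "urn:example:pkg-1",
            "assessmentResult": "cleared", "targetCountry": "XX",
        },
        {   # contribution assessment with one listed property missing
            "spdxId": "urn:example:ca-1", "type": "operations_ContributionAssessment",
            "direction": "outbound", "assessedElement": "urn:example:pkg-1",
            "contributionArtifact": "urn:example:patch-1",
            "agentOfAssessedElement": "urn:example:org-1", "purpose": "bug fix",
        },
    ]
}

if __name__ == "__main__":
    for spdx_id, rep in validate_document(SAMPLE_DOC).items():
        print(spdx_id, "OK" if rep.ok else rep.errors)
```

Keeping inputs such as a target country out of the relationship matters in practice: the relationship is the artifact that may later be exchanged along the supply chain, while the inputs are internal and the decision rules that combine them may be confidential. A validator like this is the kind of automated check the Risk Management slide asks for.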
• 05 – Export Control Assessment Operation Profile MD-Files
Open questions:
Use <Requirement> from FUSA?
Use <InspectionAction> from HW?
Use <-regulation> from core? E.g. for targetCountry
Use <-specification> from core?
Use <-location> from core?
#1 Welcome to the presentation about the operations profile of SPDX. SPDX is a standard format for communicating software bill of materials (SBOM) information. It helps software suppliers and consumers more easily understand what is in the software they use. In this presentation, we will discuss export control fields, product type, and AI-related aspects of SPDX.