
Event: Rose Judge #cal-invite

spdx-implementers@lists.spdx.org Calendar <noreply@...>
 

Rose Judge

When:
Tuesday, May 17, 2022
8:00am to 9:00am
(UTC-07:00) America/Los Angeles
Repeats: Every 2 weeks on Tuesday

Where:
https://meet.jit.si/SPDXImplementersMeeting

Organizer: Rose Judge rjudge@...


Description:
A meeting for developers implementing SPDX-interoperable consumption or document creation tools to discuss best practices around how fields are populated, identify instances where different use cases might lead to different choices for fields and structures of documents.

Meeting minutes: https://spdx.swinslow.net/p/spdx-implementers-minutes
Github minutes: https://github.com/spdx/meetings/tree/main/implementors


Updated Event: SPDX Implementers Meeting #cal-invite

spdx-implementers@lists.spdx.org Calendar <noreply@...>
 

SPDX Implementers Meeting

When:
Tuesday, May 17, 2022
8:00am to 9:00am
(UTC-07:00) America/Los Angeles
Repeats: Every 2 weeks on Tuesday

Where:
https://meet.jit.si/SPDXImplementersMeeting

Organizer: Rose Judge rjudge@...


Description:
A meeting for developers implementing SPDX-interoperable consumption or document creation tools to discuss best practices around how fields are populated, identify instances where different use cases might lead to different choices for fields and structures of documents.

Meeting minutes: https://spdx.swinslow.net/p/spdx-implementers-minutes
Github minutes: https://github.com/spdx/meetings/tree/main/implementors


Question about optional License fields

Dick Brooks
 

Hello Everyone,

 

REA has started working on SPDX V 2.3 enhancements and we have a question regarding optional License fields.

 

The current 2.3 branch shows that certain License elements are still required, but I seem to recall some discussion about making license elements optional in V 2.3, i.e., PackageLicenseConcluded, etc.

 

Will the Package License fields still be required?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 


Re: Question about optional License fields

Rose Judge
 

Hi Dick,

 

I have a PR open right now to make PackageLicenseConcluded (among other currently required licensing fields) optional in 2.3: https://github.com/spdx/spdx-spec/pull/635

 

Assuming the PR is merged, if the Concluded License field is not present for a file, it implies an equivalent meaning to `NOASSERTION`.

 

-Rose

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Saturday, April 30, 2022 at 10:56 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: [spdx-implementers] Question about optional License fields

Hello Everyone,

 

REA has started working on SPDX V 2.3 enhancements and we have a question regarding optional License fields.

 

The current 2.3 branch shows that certain License elements are still required, but I seem to recall some discussion about making license elements optional in V 2.3, i.e., PackageLicenseConcluded, etc.

 

Will the Package License fields still be required?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

 



Re: Question about optional License fields

Dick Brooks
 

Thanks, Rose.

 

Much appreciate the quick response. Just to confirm, all of these fields shown below will be optional after the changes – correct?

 

PackageLicenseConcluded: NOASSERTION

PackageLicenseDeclared: NOASSERTION

PackageCopyrightText: NOASSERTION

 

Also, did we also decide to make PackageChecksum optional in V 2.3?

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Sunday, May 1, 2022 11:42 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields

 

Hi Dick,

 

I have a PR open right now to make PackageLicenseConcluded (among other currently required licensing fields) optional in 2.3: https://github.com/spdx/spdx-spec/pull/635

 

Assuming the PR is merged, if the Concluded License field is not present for a file, it implies an equivalent meaning to `NOASSERTION`.

 

-Rose




Re: Question about optional License fields

Rose Judge
 

Correct --  PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.

 

As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…

 

-Rose

 

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Monday, May 2, 2022 at 9:02 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: Re: [spdx-implementers] Question about optional License fields

Thanks, Rose.

 

Much appreciate the quick response. Just to confirm, all of these fields shown below will be optional after the changes – correct?

 

PackageLicenseConcluded: NOASSERTION

PackageLicenseDeclared: NOASSERTION

PackageCopyrightText: NOASSERTION

 

Also, did we also decide to make PackageChecksum optional in V 2.3?

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

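
Added example (not part of any message in this thread, and not code from the SPDX project): a consumer-side reader for SPDX tag-value packages that treats an absent optional license field as NOASSERTION, as described above for the Concluded License field, and reports packages that carry no PackageChecksum. Applying the same rule to PackageLicenseDeclared and PackageCopyrightText is an assumption, the function names are hypothetical, and the sample document is constructed.

```python
import re

# Fields the thread says become optional in SPDX 2.3 once the PR is merged.
OPTIONAL_LICENSE_FIELDS = (
    "PackageLicenseConcluded",
    "PackageLicenseDeclared",
    "PackageCopyrightText",
)
NOASSERTION = "NOASSERTION"
TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")

# Constructed sample, not taken from the thread. The checksum is the SHA-256
# of empty input, used only as a well-formed value.
SAMPLE = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-example

PackageName: alpha
SPDXID: SPDXRef-alpha
PackageDownloadLocation: NOASSERTION
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright 2022
Example Corp</text>

PackageName: beta
SPDXID: SPDXRef-beta
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION

PackageName: gamma
SPDXID: SPDXRef-gamma
PackageDownloadLocation: NOASSERTION
"""


def iter_tags(text):
    """Yield (tag, value) pairs, joining multi-line <text>...</text> values."""
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        match = TAG_RE.match(line)
        if not match:
            raise ValueError(f"not a tag-value line: {line!r}")
        tag, value = match.groups()
        if value.startswith("<text>") and "</text>" not in value:
            parts = [value]
            for cont in lines:  # consume continuation lines up to </text>
                parts.append(cont)
                if "</text>" in cont:
                    break
            else:
                raise ValueError(f"unterminated <text> in {tag}")
            value = "\n".join(parts)
        value = value.strip()
        if value.startswith("<text>") and value.endswith("</text>"):
            value = value[len("<text>"):-len("</text>")].strip()
        yield tag, value


def parse_packages(text):
    """Collect the tags of each package section (a section starts at PackageName)."""
    packages, current = [], None
    for tag, value in iter_tags(text):
        if tag == "PackageName":
            current = {"PackageName": value, "PackageChecksum": []}
            packages.append(current)
        elif tag == "FileName":
            current = None  # file sections are out of scope for this example
        elif current is not None:
            if tag == "PackageChecksum":
                current["PackageChecksum"].append(value)
            else:
                current[tag] = value
    return packages


def resolve(package):
    """Return the view a consumer acts on: absent optional fields read as NOASSERTION."""
    resolved = {"name": package["PackageName"], "implied": []}
    for field in OPTIONAL_LICENSE_FIELDS:
        value = package.get(field)
        if value is None:
            resolved["implied"].append(field)  # remember it was not stated
            value = NOASSERTION
        resolved[field] = value
    resolved["checksums"] = list(package["PackageChecksum"])
    return resolved


def audit(text):
    """Map package name -> findings a consumer should surface."""
    report = {}
    for pkg in map(resolve, parse_packages(text)):
        findings = []
        if (pkg["PackageLicenseConcluded"] == NOASSERTION
                and pkg["PackageLicenseDeclared"] == NOASSERTION):
            findings.append("no license assertion")
        if not pkg["checksums"]:
            findings.append("no checksum")  # artifact cannot be matched to this entry
        report[pkg["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

Packages beta (explicit NOASSERTION) and gamma (fields absent) resolve to the same license values; only the `implied` list records which one the producer actually wrote.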

 

 



Re: Question about optional License fields

Dick Brooks
 

Thanks, Rose.

Attribute | Value
Required | No
Cardinality | 1..*

 

Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 12:39 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields

 

Correct --  PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.

 

As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…

 

-Rose

 




Re: Question about optional License fields

Dick Brooks
 

One last item.

 

Is anyone working on updates to the online validation tool to address these changes?

 

If so I would like to submit some candidate SBOMs in V 2.3 for testing.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Dick Brooks <dick@...>
Sent: Monday, May 2, 2022 12:52 PM
To: 'spdx-implementers@...' <spdx-implementers@...>
Subject: RE: [spdx-implementers] Question about optional License fields

 

Thanks, Rose.

Attribute | Value
Required | No
Cardinality | 1..*

 

Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 




Re: Question about optional License fields

Rose Judge
 

Yes, this was fixed with a PR I opened that was recently merged for 2.2.2. If you look at the latest github branch, you can see the changes reflected. I suspect the spec has not been updated yet with the latest 2.2.2 changes from GitHub but hopefully will be soon (I can ask at the tech call tomorrow).

 

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Monday, May 2, 2022 at 9:51 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: Re: [spdx-implementers] Question about optional License fields

Thanks, Rose.

Attribute | Value
Required | No
Cardinality | 1..*

 

Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 




Re: Question about optional License fields

Rose Judge
 

I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.

 

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Monday, May 2, 2022 at 10:30 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: Re: [spdx-implementers] Question about optional License fields

One last item.

 

Is anyone working on updates to the online validation tool to address these changes?

 

If so I would like to submit some candidate SBOMs in V 2.3 for testing.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 




Re: Question about optional License fields

Dick Brooks
 

Thanks, Rose.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 3:35 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields

 

Yes, this was fixed with a PR I opened that was recently merged for 2.2.2. If you look at the latest github branch, you can see the changes reflected. I suspect the spec has not been updated yet with the latest 2.2.2 changes from GitHub but hopefully will be soon (I can ask at the tech call tomorrow).

 




Re: Question about optional License fields

Dick Brooks
 

Gary,

 

I’m happy to do some V 2.3 testing whenever you’re ready. Just let me know.

 

Thanks, Rose. Appreciate your quick turn-around.  

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 3:35 PM
To: spdx-implementers@...; Gary O'Neall <gary@...>
Subject: Re: [spdx-implementers] Question about optional License fields

 

I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.

 

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Monday, May 2, 2022 at 10:30 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: Re: [spdx-implementers] Question about optional License fields

One last item.

 

Is anyone working on updates to the online validation tool to address these changes?

 

If so I would like to  submit some candidate SBOM’s in V 2.3 for testing.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Dick Brooks <dick@...>
Sent: Monday, May 2, 2022 12:52 PM
To: 'spdx-implementers@...' <spdx-implementers@...>
Subject: RE: [spdx-implementers] Question about optional License fields

 

Thanks, Rose.

Attribute

Value

Required

No

Cardinality

1..*

 

Should we also change Cardinality to 0..* instead of 1..* to show that this item in optional?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 12:39 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields

 

Correct --  PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.

 

As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…

 

-Rose

 

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Monday, May 2, 2022 at 9:02 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: Re: [spdx-implementers] Question about optional License fields

Thanks, Rose.

 

Much appreciate the quick response. Just to confirm, all of these fields shown below will be optional after the changes – correct?

 

PackageLicenseConcluded: NOASSERTION

PackageLicenseDeclared: NOASSERTION

PackageCopyrightText: NOASSERTION

 

Also, did we also decide to make PackageChecksum optional in V 2.3?

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Sunday, May 1, 2022 11:42 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields

 

Hi Dick,

 

I have a PR open right now to make PackageLicenseConcluded (among other currently required licensing fields) optional in 2.3: https://github.com/spdx/spdx-spec/pull/635

 

Assuming the PR is merged, if the Concluded License field is not present for a file, it implies an equivalent meaning to `NOASSERTION`.

 

-Rose

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Saturday, April 30, 2022 at 10:56 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: [spdx-implementers] Question about optional License fields

Hello Everyone,

 

REA has started working on SPDX V 2.3 enhancements and we have a question regarding optional License fields.

 

The current 2.3 branch shows that certain License elements are still required, but I seem to recall some discussion about making license elements optional in V 2.3, i.e., PackageLicenseConcluded, etc.

 

Will the Package License fields still be required?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

 
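Added example (not from the thread and not the SPDX project's validation tool): a minimal tag-value check that treats the three fields discussed above as required for SPDX 2.2 and, assuming the PR is merged as described, as optional for 2.3 with absence normalized to `NOASSERTION`. The sample document, package names, digest and function names are constructed for illustration; multi-line `<text>` values are not handled.

```python
import re

# Fields the thread says become optional in SPDX 2.3 (assumes the PR was merged).
OPTIONAL_IN_23 = ("PackageLicenseConcluded", "PackageLicenseDeclared",
                  "PackageCopyrightText")
NOASSERTION = "NOASSERTION"

# Constructed tag-value document; names and the digest are made up.
SAMPLE_TEMPLATE = """\
SPDXVersion: SPDX-VERSION
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-example

PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageDownloadLocation: NOASSERTION
PackageLicenseDeclared: MIT

PackageName: tool
SPDXID: SPDXRef-Package-tool
PackageDownloadLocation: NOASSERTION
PackageChecksum: SHA256: DIGEST
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
"""


def sample(version):
    """Build the constructed document for a given spec version, e.g. '2.3'."""
    return (SAMPLE_TEMPLATE.replace("SPDX-VERSION", "SPDX-" + version)
            .replace("DIGEST", "0" * 64))


def spdx_version(value):
    """Turn 'SPDX-2.3' into (2, 3); reject anything else."""
    m = re.fullmatch(r"SPDX-(\d+)\.(\d+)", value or "")
    if not m:
        raise ValueError(f"unrecognised SPDXVersion: {value!r}")
    return int(m.group(1)), int(m.group(2))


def parse_packages(text):
    """Return (SPDXVersion string, list of dicts holding each package's Package* tags)."""
    version, packages, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, value = (part.strip() for part in line.split(":", 1))
        if tag == "SPDXVersion":
            version = value
        elif tag == "PackageName":          # a new package section starts here
            current = {tag: value}
            packages.append(current)
        elif current is not None and tag.startswith("Package"):
            current[tag] = value
    return version, packages


def validate(text):
    """Return (errors, warnings, normalized packages) under the document's own version."""
    version, packages = parse_packages(text)
    optional = spdx_version(version) >= (2, 3)
    errors, warnings, normalized = [], [], []
    for pkg in packages:
        name, out = pkg["PackageName"], dict(pkg)
        for field in OPTIONAL_IN_23:
            if field in pkg:
                continue
            if optional:
                out[field] = NOASSERTION   # absent means NOASSERTION, not "no license"
            else:
                errors.append(f"{name}: {field} is required in {version}")
        if "PackageChecksum" not in pkg:    # optional, but integrity is then unverifiable
            warnings.append(f"{name}: no PackageChecksum to verify the artifact against")
        normalized.append(out)
    return errors, warnings, normalized
```

A consumer that normalizes this way never reads a missing license field as "unlicensed" or "permissive", and it surfaces packages whose integrity cannot be checked from the SBOM alone.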



Re: Question about optional License fields

Gary O'Neall
 

Yep – that would be me 😊

 

I’ll update the validation tool once the PRs are merged and the 2.3 version is a bit more stable.

 

Best,
Gary

 

From: Rose Judge <rjudge@...>
Sent: Monday, May 2, 2022 12:35 PM
To: spdx-implementers@...; Gary O'Neall <gary@...>
Subject: Re: [spdx-implementers] Question about optional License fields

 

I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.

 




Re: Question about optional License fields

Dick Brooks
 

Excellent – Thanks, Gary. Just let me know when you’re ready to do some testing.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Gary O'Neall
Sent: Monday, May 2, 2022 4:19 PM
To: 'Rose Judge' <rjudge@...>; spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields

 

Yep – that would be me 😊

 

I’ll update the validation tool once the PRs are merged and the 2.3 version is a bit more stable.

 

Best,
Gary

 




Re: Question about optional License fields

Gary O'Neall
 

Thanks Dick – I’ll take you up on the testing 😊

 

Gary

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Dick Brooks
Sent: Monday, May 2, 2022 2:59 PM
To: spdx-implementers@...; 'Rose Judge' <rjudge@...>
Subject: Re: [spdx-implementers] Question about optional License fields

 

Excellent – Thanks, Gary. Just let me know when you’re ready to do some testing.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 




First implementers meeting tomorrow, May 17th

Rose Judge
 

Hi folks,

 

The first SPDX implementers meeting is scheduled for tomorrow. Here’s the agenda for the kick-off call:

 

  • Introductions
  • Procedure for meeting minutes/approval of minutes
  • Confirm that this day works for folks to meet. Originally we had talked about using the same time slot as the Open Chain Tooling work group but I am realizing that their call is on Wednesdays. I must’ve accidentally scheduled this meeting the wrong day of the week when I set up the invite.
    • Would folks prefer Tuesday or Wednesday at this time?
  • Does everyone feel that their tooling can cover the minimum elements for an SBOM?

 

 

If you have any other topics you would like to cover, please feel free to add to the agenda here: https://spdx.swinslow.net/p/spdx-implementers-minutes

 

Talk to you soon,

Rose


Updated Event: SPDX Implementers Meeting #cal-invite

Group Notification <noreply@...>
 

SPDX Implementers Meeting

When:
Wednesday, June 1, 2022
8:00am to 9:00am
(UTC-07:00) America/Los Angeles
Repeats: Every 2 weeks on Wednesday

Where:
https://meet.jit.si/SPDXImplementersMeeting

Organizer: Rose Judge rjudge@...


Description:
A meeting for developers implementing SPDX-interoperable consumption or document creation tools to discuss best practices around how fields are populated, identify instances where different use cases might lead to different choices for fields and structures of documents.

Meeting minutes: https://spdx.swinslow.net/p/spdx-implementers-minutes
Github minutes: https://github.com/spdx/meetings/tree/main/implementors


SPDX Implementers meeting update + minutes

Rose Judge
 

Hello SPDX Implementers,

 

As discussed in the inaugural call today, the SPDX Implementers meeting will take place every other Wednesday at 8am PDT/11am EDT/5pm CEST moving forward. I have updated the calendar invite to reflect the day change (time of meeting remains the same). The next meeting will take place on June 1st.

 

I’ve also opened a PR capturing the meeting minutes from today’s call: https://github.com/spdx/meetings/pull/161. Please take a look and let me know if there’s anything that needs changing (you can comment directly on the PR). We’ll merge this PR at the beginning of next call.

 

Thanks,

Rose

 


SPDX Implementers meeting Wednesday June 1st

Rose Judge
 

Hello SPDX Implementers,

 

The second SPDX implementers meeting is tomorrow, June 1st (8am PDT/11am EDT/5pm CEST). Here’s the agenda:

 

  • Approve meeting minutes from the last call.
  • Please add your tool to the SPDX SBOM landscape.
  • Follow-up discussion about SPDX formats: What’s needed? What’s most useful? Should any be deprecated?
  • Open table

 

 

If you have any other topics you would like to cover, please feel free to add to the agenda here: https://spdx.swinslow.net/p/spdx-implementers-minutes

 

Talk to you soon,

Rose

 


Re: SPDX Implementers meeting Wednesday June 1st

Dick Brooks
 

Rose,

 

Please resend the Wednesday invitation. It’s not on my calendar.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge via lists.spdx.org
Sent: Wednesday, June 1, 2022 12:00 AM
To: spdx-implementers@...
Subject: [spdx-implementers] SPDX Implementers meeting Wednesday June 1st

 

Hello SPDX Implementers,

 

The second SPDX implementers meeting is tomorrow, June 1st (8am PDT/11am EDT/5pm CEST). Here’s the agenda:

 

  • Approve meeting minutes from the last call.
  • Please add your tool to the SPDX SBOM landscape.
  • Follow-up discussion about SPDX formats: What’s needed? What’s most useful? Should any be deprecated?
  • Open table

 

 

If you have any other topics you would like to cover, please feel free to add to the agenda here: https://spdx.swinslow.net/p/spdx-implementers-minutes

 

Talk to you soon,

Rose

 
