
SPDX license identifiers in the Linux kernel

Kate Stewart
 


Some of you have already noticed that this started in 2016,
but as of 4.14 we had a major breakthrough and cleanup:
all the files without a license reference had SPDX identifiers
added to them.

There are some good writeups of the work emerging.

LWN has an excellent summary with links to more references at:


There's also a good blog by one of the kernel developers 
from Samsung explaining how to add the identifiers as well
that came out last week.


Some other excellent documentation that has emerged
including how to integrate SPDX one liners into a project 
is available at:  https://reuse.software/practices/  which the Linux kernel
developers have consulted and worked with for the kernel. 

Thanks, Kate


SPDX General Meeting Minutes

Gary O'Neall
 

The minutes for the general meeting have been posted at https://wiki.spdx.org/view/General_Meeting/Minutes/2017-12-07

 

Gary

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: gary@...

 


Thurs SPDX General Meeting (with special guest speaker) Reminder

Philip Odence
 

We are fortunate to have Pedro Giffuni speaking with us on Thursday. Pedro is a Mechanical Engineer by profession but has been using FreeBSD since 1997, and eventually became a project committer in 2012. As part of his involvement in FreeBSD he also became an OpenOffice developer and was involved in the transition from a copyleft project under Oracle's umbrella to a permissively licensed project in order to become an Apache Software Foundation Top Level Project.

Outline of the talk:
- How is Licensing handled in Open Source projects.
- About FreeBSD and its objectives.
- Why SPDX is important to FreeBSD.
- Strategy for adoption.
- Progress Report.
- Practical issues.
- Open questions.
_______

 

Apologies, I have had a conflict arise, so Gary will be hosting.

 

GENERAL MEETING

 

Meeting Time: Thurs, Dec 7, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-11-02

Guest Presentation – Pedro

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Cross Functional Issues –All

 

 

 


SPDX at Leadership Summit in March

Philip Odence
 

As you may know, the Linux Foundation Leadership Summit is in Sonoma, March 6-8. Additionally, there will be group meetings on the Monday before and Friday after for SPDX and Open Chain respectively.

 

The call for papers was just published. Please consider submitting a paper. There’s an appetite for talks on SPDX tooling, automation or usage.

http://events.linuxfoundation.org/events/open-source-leadership-summit/program/callforproposals

 

Please take this 1 minute survey to give a sense of the likelihood of your attending:

https://www.surveymonkey.com/r/NLX7KXN

 

Best regards,

Phil

 

BLACKDUCK
L. Philip Odence
VP/General Manager Black Duck On-Demand
Black Duck Software, Inc.
800 District Avenue, Suite 201
Burlington, MA 01803-5061
E: podence@...
O: +1.781.425.4479
M: +1.781.258.9502
Skype: philip.odence
www.blackducksoftware.com  

 

 


SPDX General Meeting 2018

Philip Odence
 

Note that we will be using a different dial in and different URL for future SPDX General Meetings.


Apologies for my having to send a new invitation. For some reason Outlook won’t let me update the original. So, you’ll have to delete the old. I called this one 2018, so there would be no confusion. (I hope)


Please accept so this recurring meeting is on your calendar, however no need to respond.



New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at:
http://uberconference.com/SPDXTeam



MEETING MINUTES FOR REVIEW: http://spdx.org/wiki/meeting-minutes-and-decisions



SPDX General Meeting: New Web Meeting Number and URL

Philip Odence
 

I will follow this email with an updated invitation to the General Meeting. Please accept the recurring meeting even if you can’t make the upcoming Dec meeting.


FSFE Recommends use of SPDX License Identifiers

Manbeck, Jack
 

We were excited to see this and wanted to share. As part of Project REUSE the FSFE is recommending use of SPDX License Identifiers.

 

https://spdx.org/news/news/2017/11/fsfe-recommends-license-identifiers-part-project-reuse

 

(Click the link for the page with the Video)

 

 

 

 

 


SPDXTeam - new dial in number for meetings, same web link.

Kate Stewart
 

Hi,
    We were able to get the SPDXTeam Uberconference updated
last Thursday to remove the limit on number of people attending
the call.  Yay!!!   However,  as a result of this,  we had to change the dial in number.

New dial in number: 415-881-1586
No PIN needed

The weblink for screenshare will stay the same at:
http://uberconference.com/SPDXTeam

Meeting times for teams will remain the same, as indicated 
on the page for each Team Work Area on https://wiki.spdx.org

Please let me know if you have any questions.

Thanks, Kate




Re: Minutes of Nov SPDX General Meeting

Kate Stewart
 

Hi Phil,
     Couple of comments on the Prague section,  added them inline, but that's probably
not clear - so can you substitute the following in the minutes?

Prague
  • SPDX Open Source Tools Session
    • MarkG demoed sparts as part of Intel booth,  and illustrated how Hyperledger with SPDX can be used in supply chain 
    • Thomas Steenbergen announced open source review toolkit (ORT) and provided overview of ScanCode
    • Michael Jaeger reviewed how SW360 and new release of FOSSology can be used to work with SPDX
    • source{d} discussed proposal they're working on to apply machine learning to license recognition. 
    • Kate overviewed the SPDX tools repository and some of the newer additions by GSoC students as well as the test suite.
  • Kate did a talk on "automating license compliance - filling in the missing pieces" - more info at http://sched.co/BxI3.    
    • Lots of developer interest in this topic now.
  • FOSSology Hands-on training had section on SPDX documents, that she presented.

Thanks,   Kate


On Thu, Nov 2, 2017 at 10:18 AM, Phil Odence <podence@...> wrote:

https://wiki.spdx.org/view/General_Meeting/Minutes/2017-11-02

 

 

General Meeting/Minutes/2017-11-02


  • Attendance: 5
  • Led by Phil Odence
  • Minutes of Oct meeting approved 

Tech Team Report - Kate

  • Focus on new license list
    • Getting ready
    • Adding FSF Libre field
    • Trevor extending to an API, if they want to push changes, or we can pull
  • Prague
    • Sessions
should be "SPDX Tools Session"
      • MarkG demoed Hyperledger with SPDX 
      • Thomas Steenbergen announced open source review tool
(ORT) Open Source Review Toolkit working with ScanCode to generate SPDX files
      • Michael Jaeger showed new tools as well
SW360 and FOSSology to generate SPDX files.
      • Source D showed machine learning in license recognition
source{d} discussed proposal they're working on to apply machine learning to license recognition. 
    • Kate talked about LF tools
about SPDX tools (and GSOC contributions)
 
      • Kate did a talk on automating license compliance
link to more info:  http://sched.co/BxI3.    Lots of developer interest in this topic now. 
      • She also participated in FOSSology training with a basic SPDX presentation
      • Lots of Developer representation
    • SPDX tagging seems to be getting traction with developers
  • Upcoming talks at the Open Compliance Summit in Yokohama
    • Several will touch on SPDX

Legal Team Report - Paul

  • XML project continues well
  • Still discussions on “or later” issue
    • On hold for the moment as Jilayne is out

Outreach Team Report

  • Jack still working on testing tools

 

Attendees

  • Phil Odence, Black Duck
  • Kate Stewart, Linux Foundation
  • Paul Madick, Dimension Data
  • Mike Dolan, Linux Foundation
  • Bradlee Edmondson, Harvard

 

 


_______________________________________________
Spdx mailing list
Spdx@...
https://lists.spdx.org/mailman/listinfo/spdx



Minutes of Nov SPDX General Meeting

Philip Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2017-11-02

 

 

General Meeting/Minutes/2017-11-02


  • Attendance: 5
  • Led by Phil Odence
  • Minutes of Oct meeting approved 

Tech Team Report - Kate

  • Focus on new license list
    • Getting ready
    • Adding FSF Libre field
    • Trevor extending to an API, if they want to push changes, or we can pull
  • Prague
    • Sessions
      • MarkG demoed Hyperledger with SPDX 
      • Thomas Steenbergen announced open source review tool
      • Michael Jaeger showed new tools as well
      • Source D showed machine learning in license recognition
    • Kate talked about LF tools
      • Kate did a talk on automating license compliance
      • She also participated in FOSSology training with a basic SPDX presentation
      • Lots of Developer representation
    • SPDX tagging seems to be getting traction with developers
  • Upcoming talks at the Open Compliance Summit in Yokohama
    • Several will touch on SPDX

Legal Team Report - Paul

  • XML project continues well
  • Still discussions on “or later” issue
    • On hold for the moment as Jilayne is out

Outreach Team Report

  • Jack still working on testing tools

 

Attendees

  • Phil Odence, Black Duck
  • Kate Stewart, Linux Foundation
  • Paul Madick, Dimension Data
  • Mike Dolan, Linux Foundation
  • Bradlee Edmondson, Harvard

 

 


Re: Reminder Thursday SPDX General Meeting

W. Trevor King
 

On Tue, Oct 31, 2017 at 12:16:17PM +0000, Phil Odence wrote:
> Meeting Time: Thurs, Nov2, 8am PDT / 10 am CDT / 11am EDT / 15:00
> UTC. http://www.timeanddate.com/worldclock/converter.html

For folks who keep a digital calendar, there's an iCalendar file which
includes this meeting in flight with [1]. You can import the calendar
from [2] now if you don't want to wait for the PR to land, although
folks who do that will probably need to re-import if/when the PR lands
and I remove the branch from my repository.

Cheers,
Trevor

[1]: https://github.com/spdx/spdx-spec/pull/42
[2]: https://raw.githubusercontent.com/wking/spdx-spec/meeting.ics/meeting.ics

--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy


Reminder Thursday SPDX General Meeting

Philip Odence
 

Should be a short one with no guest speaker.

 

Europeans, note that US has not yet switched back to Standard time, so time is off by an hour from normal.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Nov2, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the call: https://www.uberconference.com/katestewart

Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-10-05

 

Technical Team Report – Kate

 

Legal Team Report – Paul

 

Outreach Team Report – Jack

 

Cross Functional Issues –All

 

 


Marriage of SPDX, OpenChain and the Blockchain

Mark Gisi
 

In 2016 we explored how the benefits  of the Blockchain could be leveraged to assist with open source compliance across a complex manufacturing supply chain [1]. Our interest was sparked after witnessing a group of customers struggling to coordinate/consolidate open source compliance artifacts during the manufacturing of a consumer product.

 

In February 2017 we presented our findings and announced a new initiative at the Open Source Leadership Summit. The focus: Utilize SPDX + OpenChain + Hyperledger Sawtooth to solve the problem. We made the source code available in July 2017 under the Apache license:

    https://github.com/Wind-River/sparts/blob/master/README.md

 

Demo Oct 23-25th 2017 in Prague - We will demo the Software Parts Ledger and its support for a Software Parts catalog this week at the Open Source Summit in Prague in the Intel booth (we hope you can stop by if you are around). The demo includes SPDX and OpenChain components. It is scheduled for Monday 8am-1pm, Tuesday 8am-1pm, Wednesday, 1pm-6pm.

              

We will be presenting the latest status of this initiative at the Open Source Compliance Summit in November in Yokohama, Japan:

    Utilizing Blockchain Across The Supply Chain

Asian manufacturers and suppliers have expressed above average interest in this approach.

 

This has been and still largely is a grass roots initiative – which is how all great things begin (including Linux :-)). The project is looking for contributors who have a serious interest/pain/stake in solving the problem being addressed (especially product manufacturers and software supplier organizations). The success of any supply chain Blockchain initiative will eventually require heavy involvement of the supply chain participants (e.g., to host ledger/Blockchain nodes, contribute requirements, code, documentation and so forth). We are also looking for a neutral place/organization to host the project which will also be an important requirement for its success in the long term.

 

Reach out to me if you are interested or would like to learn more.

 

cheers,

Mark

 

[1]: https://lists.spdx.org/pipermail/spdx-tech/2016-December/003199.html

      

 

Mark Gisi | Wind River | Director, IP & Open Source

Tel (510) 749-2016 | Fax (510) 749-4552

 


Re: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/

Philippe Ombredanne
 

On Fri, Oct 20, 2017 at 9:20 AM, Fendt, Oliver <oliver.fendt@...> wrote:
> great to see this direction of development.
> This will at least clarify all the files which carry nothing except the macro
> MODULE_LICENSE("GPL");
> Because one of the interesting questions is "is this a legally binding expression
> of licensing?"

The MODULE_LICENSE macro used in the kernel is a clear license statement.
And better than a terse "Copyright (c) John Doe, GPL" that is seen in
the kernel
since there is a clear documentation of its meaning in the kernel's
module.h [0] :

* The following license idents are currently accepted as indicating free
* software modules
*
* "GPL" [GNU Public License v2 or later]
* "GPL v2" [GNU Public License v2]
* "GPL and additional rights" [GNU Public License v2 rights and more]
* "Dual BSD/GPL" [GNU Public License v2
* or BSD license choice]
* "Dual MIT/GPL" [GNU Public License v2
* or MIT license choice]
* "Dual MPL/GPL" [GNU Public License v2
* or Mozilla license choice]
*
* The following other idents are available
*
* "Proprietary" [Non free products]
[...]

So MODULE_LICENSE("GPL") means clearly "GNU Public License v2 or later"
and nothing else. I cannot comment on whether such a license statement would
be legally binding or not, but at least there is no ambiguity about
what this means.
And IMHO this is as good as an SPDX license identifier and as good as it gets
short of any other licensing indications.

Since the MODULE_LICENSE is only for kernel modules, there was a need
for something that could be applied elsewhere, hence the use of SPDX
identifiers. Note that there were talks to use a macro instead of a comment.
It may come back in the future as it would have the added benefit to inject
license ids in the built binaries (the same way a MODULE_LICENSE ends
up in a built LKM)

[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/module.h?id=refs/tags/v4.10#n172

--
Cordially
Philippe Ombredanne
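
An added example, not part of the thread or of the kernel's own tooling: a small audit pass over source text that reads both the `SPDX-License-Identifier` comment and any `MODULE_LICENSE()` macro, using the module.h idents quoted in the message above. The function names, the `ASSUMED_SPDX` mapping from idents to SPDX expressions, and the sample files are assumptions made for illustration.

```python
import re

# Idents and meanings exactly as quoted from the kernel's module.h above.
MODULE_LICENSE_MEANING = {
    "GPL": "GNU Public License v2 or later",
    "GPL v2": "GNU Public License v2",
    "GPL and additional rights": "GNU Public License v2 rights and more",
    "Dual BSD/GPL": "GNU Public License v2 or BSD license choice",
    "Dual MIT/GPL": "GNU Public License v2 or MIT license choice",
    "Dual MPL/GPL": "GNU Public License v2 or Mozilla license choice",
    "Proprietary": "Non free products",
}

# Assumption, not from the page: the SPDX expression for the two unambiguous
# GPL idents, in the 2017-era identifier style seen in the patch (GPL-2.0).
ASSUMED_SPDX = {"GPL": "GPL-2.0+", "GPL v2": "GPL-2.0"}

# Matches the tag in '#', '//' or '/* ... */' comments; captures the expression.
SPDX_RE = re.compile(
    r"SPDX-License-Identifier:[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.MULTILINE
)
MODULE_RE = re.compile(r'\bMODULE_LICENSE\s*\(\s*"([^"]*)"\s*\)')


def audit_source(text):
    """Return (spdx_id, module_idents, findings) for one file's text."""
    findings = []
    match = SPDX_RE.search(text)
    spdx_id = match.group(1) if match else None
    if spdx_id is None:
        findings.append("no SPDX-License-Identifier line")
    idents = MODULE_RE.findall(text)
    for ident in idents:
        if ident not in MODULE_LICENSE_MEANING:
            findings.append(
                f'MODULE_LICENSE("{ident}") is not an ident listed in module.h'
            )
            continue
        expected = ASSUMED_SPDX.get(ident)
        # Only compare where the mapping is unambiguous and a tag exists.
        if spdx_id and expected and spdx_id != expected:
            findings.append(
                f'MODULE_LICENSE("{ident}") means '
                f'"{MODULE_LICENSE_MEANING[ident]}" but the SPDX line says {spdx_id}'
            )
    return spdx_id, idents, findings


# Constructed sample files (not taken from the kernel tree).
SAMPLES = {
    "consistent.c": '// SPDX-License-Identifier: GPL-2.0+\n'
                    '#include <linux/module.h>\nMODULE_LICENSE("GPL");\n',
    "macro_only.c": '#include <linux/module.h>\nMODULE_LICENSE("GPL");\n',
    "mismatch.c": '/* SPDX-License-Identifier: GPL-2.0 */\n'
                  'MODULE_LICENSE("GPL");\n',
    "unknown.c": '// SPDX-License-Identifier: GPL-2.0\n'
                 'MODULE_LICENSE("GPLv2");\n',
    "Makefile": "#\n# Makefile for the kernel USB device drivers.\n#\n"
                "# SPDX-License-Identifier: GPL-2.0\n",
}


def audit_tree(files):
    """Map each file name to its findings; an empty list means nothing to review."""
    return {name: audit_source(text)[2] for name, text in files.items()}


if __name__ == "__main__":
    for name, findings in audit_tree(SAMPLES).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

The Makefile sample passes with no macro at all, which is the case the message describes: `MODULE_LICENSE` exists only for kernel modules, so the comment tag is the only signal available for every other file.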


Re: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/

Oliver Fendt
 

Hi,

great to see this direction of development.
This will at least clarify all the files which carry nothing except the macro
MODULE_LICENSE("GPL");
Because one of the interesting questions is "is this a legally binding expression of licensing?"

Ciao
Oliver

-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Philippe Ombredanne
Sent: Thursday, October 19, 2017 20:28
To: SPDX-legal; spdx-tech@...; SPDX-general
Subject: Fwd: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/

FYI:
In case you missed it: SPDX identifiers have landed in kernel land...
Read the whole thread at https://patchwork.kernel.org/patch/10016189/
And as a side effect, some new patches elsewhere are coming in with SPDX identifiers right in!
--
Cordially
Philippe Ombredanne

---------- Forwarded message ----------
From: Greg Kroah-Hartman <gregkh@...>
Date: Thu, Oct 19, 2017 at 10:38 AM
Subject: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
To: linux-usb@...
Cc: linux-kernel@..., Thomas Gleixner <tglx@...>, Kate Stewart <kstewart@...>, Philippe Ombredanne <pombredanne@...>

It's good to have SPDX identifiers in all files to make it easier to audit the kernel tree for correct licenses. This patch adds these identifiers to all files in drivers/usb/ based on a script and data from Thomas Gleixner, Philippe Ombredanne, and Kate Stewart.

Cc: Thomas Gleixner <tglx@...>
Cc: Kate Stewart <kstewart@...>
Cc: Philippe Ombredanne <pombredanne@...>
Signed-off-by: Greg Kroah-Hartman <gregkh@...>
---
Unless someone really complains, I'm going to add this to my tree for 4.15-rc1.


diff --git a/drivers/usb/Makefile b/drivers/usb/Makefile index 9650b351c26c..cb8d902b801d 100644
--- a/drivers/usb/Makefile
+++ b/drivers/usb/Makefile
@@ -1,6 +1,7 @@
#
# Makefile for the kernel USB device drivers.
#
+# SPDX-License-Identifier: GPL-2.0

# Object files in subdirectories

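Review bot: the added `# SPDX-License-Identifier: GPL-2.0` line lands as line 4 of drivers/usb/Makefile, below the existing three-line header comment, so an audit script that only reads the first line of each file will report this file as untagged. Consider putting the tag on line 1 ahead of the header comment, or saying in the commit message how far into a file tools are expected to look for it.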
[....] long diff of 600 files removed for brevity...


[PATCH] USB: add SPDX identifiers to all files in drivers/usb/

Philippe Ombredanne
 

FYI:
In case you missed it: SPDX identifiers have landed in kernel land...
Read the whole thread at https://patchwork.kernel.org/patch/10016189/
And as a side effect, some new patches elsewhere are coming in with
SPDX identifiers right in!
--
Cordially
Philippe Ombredanne

---------- Forwarded message ----------
From: Greg Kroah-Hartman <gregkh@...>
Date: Thu, Oct 19, 2017 at 10:38 AM
Subject: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
To: linux-usb@...
Cc: linux-kernel@..., Thomas Gleixner
<tglx@...>, Kate Stewart <kstewart@...>,
Philippe Ombredanne <pombredanne@...>

It's good to have SPDX identifiers in all files to make it easier to
audit the kernel tree for correct licenses. This patch adds these
identifiers to all files in drivers/usb/ based on a script and data from
Thomas Gleixner, Philippe Ombredanne, and Kate Stewart.

Cc: Thomas Gleixner <tglx@...>
Cc: Kate Stewart <kstewart@...>
Cc: Philippe Ombredanne <pombredanne@...>
Signed-off-by: Greg Kroah-Hartman <gregkh@...>
---
Unless someone really complains, I'm going to add this to my tree for
4.15-rc1.


diff --git a/drivers/usb/Makefile b/drivers/usb/Makefile
index 9650b351c26c..cb8d902b801d 100644
--- a/drivers/usb/Makefile
+++ b/drivers/usb/Makefile
@@ -1,6 +1,7 @@
#
# Makefile for the kernel USB device drivers.
#
+# SPDX-License-Identifier: GPL-2.0

# Object files in subdirectories

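Review bot: the commit message says the identifiers come from "a script and data" but does not say how `GPL-2.0` was chosen for a file like this Makefile, whose header comment in the hunk carries no license text of its own. A sentence stating the rule applied to files with no existing notice would let reviewers check the 600-file change without access to the script.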
[....] long diff of 600 files removed for brevity...


Oct SPDX General Meeting Minutes

Philip Odence
 

Here you go:

https://wiki.spdx.org/view/General_Meeting/Minutes/2017-10-05 

 

 


 

 

 

 

 

General Meeting/Minutes/2017-10-05


  • Attendance: 11
  • Led by Phil Odence
  • Minutes of Sept meeting approved 

 

Guest Presentation - Alexander Lisianoi

  • Background
    • Working on masters in Technical University of Vienna
  • Project
    • Turning Python Code into Javascript
      • Pooling PY and License expression
      • Libraries that are self contained
      • Initially looked easy
    • Results
      • It works!
    • How it went
      • Long list of tools available, so choosing a tool is the first step
        • Brython, Batavia, Transcrypt
        • Brython can read in pure Python
        • Batavia uses Python byte code
        • Transcrypt actually translates to javacode, so he picked that one
          • Downside is that it doesn’t handle every Python capability
      • Encountered a lot of bizarre results
        • And complained a fair amount
        • Tricky to know what goes wrong; have to debug both in parallel
        • Errors can be subtle
        • How things are compared differs between languages
    • The resulting tool
      • You can parse, but it can be broken
    • Value of the work
      • Javascript is very commonly used for front ends these days
      • You don’t want to have to support two technologies for front and back end
      • This allows leveraging the backend scripts for building front end
      • Valuable to tool developers using JS and to development communities
      • As a side-effect of the work, we Alexander helped 

Tech Team Report - Kate/Gary

  • Spec
    • All on GitHub now
  • Last few meetings have been focused on
    • FSF proposal
      • Supporting legal team on expanding license expression language
    • Testing work from Jack
      • Tool testing cases
        • Scanners for locating license language
        • License language matchers (using matching guidelines)
      • Also testing license list generator
        • Which requires test cases as well
      • Looking at creating a repo for all test cases
        • Two tool types 
        • License list gen
      • Will be community based so folks can contribute cases
  • Preview
    • Looks like there will be a new tool contribution from an LF member
    • A tool to create a summary 
      • Input SPDX tag value; output easy to read/interpret format
  • LinuxCon Europe
    • There will be a meeting for those creating tools
    • New testing work will be on the agenda

 

Legal Team Report - Jilayne/Paul

  • FSF Proposal 
    • For how the GPL version is represented
    • Questions about new operators, default
    • Generated a large meeting with tech folks
      • Lively discussion
      • Did not reach resolution
    • FSF has come back with another proposal
      • Technical challenges
      • Difference of opinion, particularly for case where
      • Part of the issue is that FSF is focused on just the identifiers vs. how we use with SPDX
        • License does not specify “or later” or “only”
        • How do we represent without representing legal judgment
        • Fundamentally there are different opinions on what it means when there is no specification
        • Very important to FSF (including Richard Stallman)

Outreach Team Report - Jack

  • Mostly license test file work as described above

 

Attendees

  • Phil Odence, Black Duck
  • Kate Stewart, Linux Foundation
  • Alexander Lisianoi, Technical University of Vienna
  • Matthew Crawford, ARM
  • Matija Suklje, FSFE
  • Steve Winslow, Linux Foundation
  • Mike Dolan, Linux Foundation
  • Jack Manbeck, TI
  • Michael Herzog- nexB
  • Gary O’Neall, SourceAuditor
  • Paul Madick, Dimension Data

 


Reminder about Thursday SPDX General Meeting (with special guest!)

Philip Odence
 

Please join us for a special presentation by Alexander Lisianoi, another SPDX 2017 Google Summer of Code student participant. He is a software engineer working towards his Masters at Technical University of Vienna, Austria. His project for us was called "Online Validation Tools." He will describe how he took two libraries (boolean.py and license-expression) and converted them from Python to Javascript with a tool called Transcrypt.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Oct 5, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the call: https://www.uberconference.com/katestewart

Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-09-07 

 

Guest Presentation – Alexander

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne

 

Business Team Report – Jack

 

Cross Functional Issues –All

 

 

Phil

 


 

 

 


Re: Package, mandatory?

Gary O'Neall
 

Hi Jonas,

> However, the cardinality is given as "Optional, one or many." I'm not
> sure exactly how to interpret this, as I noticed the spdx-tools fails
> when converting from tag format to RDF if I don't have a Package
> specified.

I would call this a bug in the SPDX tools. If you could log an issue in the
git repo and upload a tag/value file which reproduces the error, I'll take a
look at it (https://github.com/spdx/tools/issues).

Thanks for reporting the issues.

Gary


Re: Package, mandatory?

Kate Stewart
 

Hi Jonas

On Tue, Sep 26, 2017 at 7:11 AM, Jonas Oberg <jonas@...> wrote:
> Hi everyone,
>
> as you know, the FSFE is working on a project, REUSE, which has as one of
> its recommendations to produce a SPDX conformant bill of materials, if one
> can be generated automatically.
>
> As part of this project, I'm putting together a few template/example
> repositories which do exactly this. I will definitely make a lot of
> assumptions in generating the SPDX file, and it won't scale well beyond
> the example, but it's still an interesting practice.
>
> In this, I've discovered what feels like an inconsistency in the
> specification, or its implementation.
>
> I would like to bring your attention to version 2.1, section 3[^1] which
> deals with the package information. The description is given as
>
>   "One instance of the Package Information is required per package being described."
>
> However, the cardinality is given as "Optional, one or many." I'm not sure
> exactly how to interpret this, as I noticed the spdx-tools fails when
> converting from tag format to RDF if I don't have a Package specified.

Prior to 2.0,  the expectation was that there would only be a single package
with a set of files in each SPDX document.    

When we introduced relationships/identifiers in 2.0, we were able to extend the specification
so that multiple packages could be present in the same SPDX document (cardinality (Many)).
Similarly it was recognized that an SPDX document could be just a grouping of files
(i.e. a set of binary files, and an artificial package to encompass them all was not needed) (hence
Optional). I can see though that we should have been clearer.

The tools should be able to handle the translation,  so yes,  go ahead and log a bug there too.
 

> If I know where the bug is (specification, me, spdx-tools), I can file a
> more appropriate bug report or fix my own code :-)

Bug in the spdx-tools,   improvement in wording needed in the specification - so
please go ahead and log issues against both. 

Thanks, Kate
 


> [^1]: https://spdx.org/spdx-specification-21-web-version#h.4i7ojhp
>
>
> Best regards,
>
> --
> Jonas Öberg
> Executive Director
>
> FSFE e.V. - keeping the power of technology in your hands. Your
> support enables our work, please join us today http://fsfe.org/join
