SPDX General Meeting 2018 (replacement)

Phil Odence
 

Moving the July 4 instance of this meeting to July 11 due to the US holiday.


*****

I’m extending this recurring meeting to run through 2019. Please accept so it is updated on your calendar; there is no need to send a response to me.



New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at:
http://uberconference.com/SPDXTeam



MEETING MINUTES FOR REVIEW: http://spdx.org/wiki/meeting-minutes-and-decisions


Re: SW360 experience

Shane Coughlan <shane@...>
 

Hi Alberto

FYI, we will have Michael from Siemens presenting on sw360 during the OpenChain First Monday call in June (9am Pacific on June 3rd). As a bonus we will also have Oliver discussing the Open Source Compliance Tool Chain and how we can all collaborate around that.

Join the call: https://uberconference.com/openchainproject
Optional US dial in number: 855-889-3011
No PIN needed
If you need to use an international phone number please check:
https://www.uberconference.com/international for country numbers.
1. Dial the country number based on your location.
2. Enter 855 889 3011 and then # to enter the room.

Regards

Shane

On May 21, 2019, at 3:29, Alberto Pianon <alberto@...> wrote:

Hi Oliver,

if you arrange a web meeting on sw360 I would be glad to join. I have installed sw360 and started playing with it, but I would like to see it used by someone who masters it...

Thanks!

Ciao

Alberto

On 20/05/2019 08:46, Oliver Fendt wrote:
Hi Steve,



sw360 is an open source project under the umbrella of the Eclipse Foundation. It is a software component and product management system: on the one hand, a system where you can manage the software components you are using, no matter whether they are OSS, commercial or internal components or other artifacts; on the other hand, a system to manage your products (aka projects) in order to keep track of the bill of “materials”, to generate the OSS declaration document and source code bundles in scope of a product.

For integration into the CI/CD workflow it provides a REST API.

You can find the source code here: https://github.com/eclipse/sw360

Some documentation is available here: https://github.com/eclipse/sw360/wiki

If you like we can arrange a web meeting since we are using sw360 in our daily work.



Ciao

Oliver



From: spdx@... <spdx@...> On Behalf Of Steve Kilbane
Sent: Thursday, 16 May 2019 18:15
To: spdx@...
Cc: Kilbane, Stephen <@steve.kilbane>
Subject: [spdx] SW360 experience



Hi all,



I first heard about SW360 during the presentations at the Linux Open Source Summit in Edinburgh. Searching around, though, I see very little mention of it, to the point where it's difficult to see whether this is a project just finding its feet, or something that has already been abandoned. I'd be interested in hearing from anyone who is actually using it in anger, who is willing to share their experiences.



Thanks for any info,



steve


Re: SW360 experience

Alberto Pianon
 

Hi Oliver,

if you arrange a web meeting on sw360 I would be glad to join. I have installed sw360 and started playing with it, but I would like to see it used by someone who masters it...

Thanks!

Ciao

Alberto

On 20/05/2019 08:46, Oliver Fendt wrote:



Re: SW360 experience

J Lovejoy
 

Thanks for responding, Oliver.

I've copied Steve here, as his message got caught up in the mailing list filter; it looks like he's not a member of the SPDX general mailing list. (Steve - you can join here: https://spdx.org/participate )

It occurred to me that perhaps a session on sw360 (and how it works with SPDX) might be a good topic for an upcoming general call? Phil - what do you think?

Jilayne


On 5/20/19 2:46 AM, Oliver Fendt wrote:


Re: SW360 experience

Oliver Fendt
 

Hi Steve,

 

sw360 is an open source project under the umbrella of the Eclipse Foundation. It is a software component and product management system: on the one hand, a system where you can manage the software components you are using, no matter whether they are OSS, commercial or internal components or other artifacts; on the other hand, a system to manage your products (aka projects) in order to keep track of the bill of “materials”, to generate the OSS declaration document and source code bundles in scope of a product.

For integration into the CI/CD workflow it provides a REST API.

You can find the source code here: https://github.com/eclipse/sw360

Some documentation is available here: https://github.com/eclipse/sw360/wiki

If you like we can arrange a web meeting since we are using sw360 in our daily work.

 

Ciao

Oliver

 

From: spdx@... <spdx@...> On Behalf Of Steve Kilbane
Sent: Thursday, 16 May 2019 18:15
To: spdx@...
Cc: Kilbane, Stephen <Stephen.Kilbane@...>
Subject: [spdx] SW360 experience

 


SW360 experience

Steve Kilbane
 

Hi all,

 

I first heard about SW360 during the presentations at the Linux Open Source Summit in Edinburgh. Searching around, though, I see very little mention of it, to the point where it's difficult to see whether this is a project just finding its feet, or something that has already been abandoned. I'd be interested in hearing from anyone who is actually using it in anger, who is willing to share their experiences.

 

Thanks for any info,

 

steve

 

SPDX 2.1.1 specification - final review by 2019/5/21

Kate Stewart
 

In 2017 the project decided to move the specification from google documents to github and a repository was set up at: https://github.com/spdx/spdx-spec

Before we could move forward, though, we needed to make sure we weren't losing content or introducing errors, so the decision was made to create a 2.1.1 version of the specification, with no significant content changes (only bug fixes).

2.1.1 was initially made available at: https://spdx.github.io/spdx-spec/ in 2018 by Thomas Steenbergen, in a beautiful online format (Thank you!), much improved and useful for those accessing the specification online. However, we stalled out on being able to generate a .pdf version to get a static copy of this version.

Thanks to Jack Manbeck's efforts in 2019,  we've finally got a .pdf version available to be reviewed and approved.   Once this version is approved, we can start to incorporate the 2.2 changes into the specification.

A final candidate pdf version of the SPDX 2.1.1 specification is attached to this document, please review and open an issue at https://github.com/spdx/spdx-spec if you see a regression compared to SPDX 2.1 content which is at: 

If there are no significant regressions found compared to 2.1 in the review window, we will log this as the 2.1.1 version and start to incorporate the 2.2 content and features that have been agreed on over the last year into the reference version of the specification on github.

The review window for the 2.1.1 candidate will end on 2019/5/20.

If you have any concerns,  please either open an issue at https://github.com/spdx/spdx-spec  (against 2.1.1 milestone) or join us on the spdx-tech call to discuss. 

Thanks, 
Kate



Thursday SPDX General Meeting Reminder with Special Presentation

Phil Odence
 

Our “guest” presentation for this session features guest Aaron Williamson (whom you are probably aware was counsel for the SFLC) and non-guest Jilayne. The twosome collaborated on the handbook they will discuss:

 

The Fintech Open Source Foundation (FINOS) recently released the Open Source License Compliance Handbook, a resource of practical compliance information about common open source licenses. FINOS launched the project to support its members in building more mature compliance processes and made the content (and code) open source to encourage adoption and contribution by the community. The handbook's "source code" is a collection of machine-readable YAML text files that can be compiled into a single document (using the supplied python script) or incorporated easily into databases and other systems. Aaron will discuss the project, the decisions behind its design, and plans for the future.

 

Aaron Williamson is General Counsel and Director of Governance at the Fintech Open Source Foundation (FINOS), a nonprofit foundation promoting open source collaboration in the financial services industry. In addition to managing the Foundation’s legal affairs, he leads the Foundation’s Open Source Readiness Program, helping members to develop policies and processes that enable productive engagement with open source. He also co-organizes the FINOS Open Source Strategy Forum, an annual conference on open source in financial services. 

 

 

GENERAL MEETING

 

Meeting Time: Thurs, May 2, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2019-04-04

 

Special Presentation – Jilayne/Aaron

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

April SPDX General Meeting Minutes

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2019-04-04

 

 

L. Philip Odence

General Manager, Black Duck On-Demand

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

 

 

 

 

         

 

 

General Meeting/Minutes/2019-04-04

·         Attendance: 18

·         Lead by Phil Odence

·         Minutes of March meeting approved 

 

Special Presentation - Gary/Steve

·         SPDX: Bridging the Compliance Tool Gap

·         https://events.linuxfoundation.org/wp-content/uploads/2018/07/SPDX-Bridging-the-Compliance-Tooling-Gap.pdf

Tech Team Report - Gary

·         Spec

·         Starting to put out 2.1.1 in pdf form

·         Kudos to Jack

·         Starting in on 2.2

·         Tools

·         GSoc

·         Very active

·         Lots of students and mentors

·         Good project

Legal Team Report - Jilayne/Paul

·         License List

·         3.5 Release out! 

·         7 new licenses and exceptions

·         including 3 open hardware licenses

·         More open hw planned for 3.6

 

Outreach Team Report - Jack Manbeck

·         Rethinking a bit and redefining 

·         Survey is next step

 

Attendees

·         Phil Odence, Black Duck/Synopsys

·         Steve Winslow, LF

·         Nisha Kumar, VMWare

·         Dave Huseby, LF

·         Alexios Zavras, Intel

·         Nicolas Toussaint, Orange

·         Mark Atwood, Amazon

·         Kate Stewart, Linux Foundation

·         Gary O’Neall, SourceAuditor

·         Jilayne Lovejoy

·         Philippe Ombrédanne- nexB

·         JC Herz, Ion Channel

·         Andrew Sinclair, Canonical

·         Paul Madick, Dimension Data

·         Jack Manbeck, TI

·         Michael Herzog- nexB

·         Mark Baushke, Juniper

·         Stephanie, Qualcomm

·         Uwe, Qualcomm

 

SPDX License List version 3.5 now live

J Lovejoy
 

Hi all,

Version 3.5 of the SPDX License List is now released.  Most notably, we have added several open hardware licenses (CERN and TAPR), which I think is a really sensible and exciting addition, considering we already have open documentation and data licenses on the list. We are still missing the Solderpad licenses, but those are slated to be added for the 3.6 release. 

Highlights include:

- New licenses/exceptions added: 7
  1. JPNIC
  2. libpng-2.0
  3. HPND-sell-variant
  4. GPL-CC-1.0
  5. TAPR-OHL-1.0
  6. CERN-OHL-1.1
  7. CERN-OHL-1.2
- Addition of markup to various licenses and other minor updates
- Add page describing entire workflow for adding a new license in /DOCS directory

thanks,
Jilayne

Thursday SPDX General Meeting Reminder.

Phil Odence
 

Our talk for this session will be from Gary O’Neall and Steve Winslow:

 

SPDX: Bridging the Compliance Tool Gap

Any organization which utilizes open source software needs to comply with the open source license terms and the specific security policies of their industry.  To satisfy the basic requirement of knowing the specific open source packages included in the software, several tools have been produced which create or manage a software “Bill of Materials”.  The Software Package Data Exchange (SPDX) defines a standard format for a Bill of Materials which can facilitate harmonious integration of multiple tools.

 

This is a reprise of a very well-received talk they gave at the LF Open Source Leadership Summit earlier this month. If you have colleagues, friends or partners that would like to learn SPDX, this would be a great 30-minute intro. Please invite them.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, April 4, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2019-03-07  

 

Special Presentation – Gary/Steve

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

Re: #spdx #gsoc #spdx #gsoc

Krys Nuvadga
 

Hi Belen,

Welcome to SPDX, We are glad you find our project idea interesting. Join the developers community on gitter at https://gitter.im/spdx-org/Lobby to discuss your ideas and questions.

Best regards

On Sat, Mar 30, 2019 at 7:46 PM Maria Belen Guaranda <mabegc@...> wrote:



--
krys Nuvadga
Piar, Inc.

#spdx #gsoc #spdx #gsoc

Maria Belen Guaranda <mabegc@...>
 

Hello! My name is Belen Guaranda. I am an undergraduate Computer Science student from Ecuador, in my last semester of studies. I am interested in working on the project "Develop a Distributed License Repository Application" for SPDX in this year's GSoC. I have a solid background in web development, both front-end (HTML, CSS, Vue, Bootstrap) and back-end (Django, Node, Nginx, SQL and NoSQL databases), as well as testing (Travis, Pylint, Coveralls, UnitTests). I'd like to discuss some details and doubts with the mentor if possible.

Best regards,

Belen

GSOC-2019

Hardik Sapra
 

Hello everyone,

My name is Hardik. I am a first-year Computer Science student from India. I'm completely new to open source organizations and how they work.
I would like to contribute to "SPDX Document Generator for projects using SPDXIDs" using my knowledge of Python.

Any help on how to get started with it and help the community would be helpful.


Thanks, Hardik

Re: Special SPDX Talk Next Week - CORRECTION

Phil Odence
 

April 4, fixed below.

 

The good news is we also have a speaker for the May call, whom I was in contact with at the same time, which is why I was crossing wires.

 

From: "podence@..." <podence@...>
Date: Friday, March 29, 2019 at 7:27 AM
To: "spdx@..." <spdx@...>
Subject: Special SPDX Talk Next Week

 

For our SPDX General Meeting call next week we will have a presentation from Gary O’Neall and Steve Winslow called:

SPDX: Bridging the Compliance Tool Gap

Any organization which utilizes open source software needs to comply with the open source license terms and the specific security policies of their industry.  To satisfy the basic requirement of knowing the specific open source packages included in the software, several tools have been produced which create or manage a software “Bill of Materials”.  The Software Package Data Exchange (SPDX) defines a standard format for a Bill of Materials which can facilitate harmonious integration of multiple tools.

 

This is a reprise of a very well-received talk they gave at the LF Open Source Leadership Summit earlier this month. I will send out the normal General Meeting reminder; however, I wanted to mention this earlier because you might want to share with others. If you have colleagues, friends or partners that would like to learn SPDX, this would be a great 30-minute intro. Please invite them.

 

April 4, 11am EDT, 8am PDT, 4pm UK summer time, too late Japan time

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at:
http://uberconference.com/SPDXTeam

 

Special SPDX Talk Next Week

Phil Odence
 

For our SPDX General Meeting call next week we will have a presentation from Gary O’Neall and Steve Winslow called:

SPDX: Bridging the Compliance Tool Gap

Any organization which utilizes open source software needs to comply with the open source license terms and the specific security policies of their industry.  To satisfy the basic requirement of knowing the specific open source packages included in the software, several tools have been produced which create or manage a software “Bill of Materials”.  The Software Package Data Exchange (SPDX) defines a standard format for a Bill of Materials which can facilitate harmonious integration of multiple tools.

 

This is a reprise of a very well-received talk they gave at the LF Open Source Leadership Summit earlier this month. I will send out the normal General Meeting reminder; however, I wanted to mention this earlier because you might want to share with others. If you have colleagues, friends or partners that would like to learn SPDX, this would be a great 30-minute intro. Please invite them.

 

May 4, 11am EDT, 8am PDT, 4pm UK summer time, too late Japan time

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at:
http://uberconference.com/SPDXTeam

 

Re: announcing: Open Source Compliance Handbook

J Lovejoy
 

and here is the link to that announcement that I forgot to include before: https://www.finos.org/blog/announcing-the-open-source-license-compliance-handbook

;)
Jilayne

On Mar 12, 2019, at 12:18 PM, J Lovejoy <opensource@...> wrote:


announcing: Open Source Compliance Handbook

J Lovejoy
 

Hi SPDX folks (legal and general list),

I want to tell you about a project I’ve been working on with Aaron Williamson and the Fintech Open Source Foundation (FINOS) that I think many of you may be interested in. 

FINOS has announced the initial release of the Open Source License Compliance Handbook. The Handbook is itself an open source project, available on Github. It consists of:
  • Structured compliance data about open source licenses, stored in a simple YAML format for easy consumption by machines and lawyers alike (licensed CC-BY-SA-4.0),
  • A Python script to compile the license entries and introductory material into an asciidoc-formatted markup document (licensed Apache 2.0), and
  • "Binaries" of the document in docx and PDF formats (as well as an intermediate DocBook version) (CC-BY-SA-4.0).
We're excited to get this resource into the hands of the community and get your input and contributions, as well as ideas on the potential to integrate this into all the great open source tooling that is out there. Aaron and I recognize that there's always the potential for ruffled feathers at efforts to "summarize" licenses and I have no doubt some of our efforts are imperfect. But the Handbook is meant for a particular purpose -- not to exhaustively summarize licenses or address every GPL corner case, but to help developers and compliance professionals address the most common requirements in the most common use cases.

Please take a look, file an issue, or submit a pull request :) (Be warned, FINOS requires signing a dreaded CLA first!)

Thanks,
Jilayne

SPDX General Meeting Minutes

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2019-03-07

 

 

General Meeting/Minutes/2019-03-07

·         Attendance: 5

·         Lead by Phil Odence

·         Minutes of Feb meeting approved 

 


Tech Team Report - Gary

·         Tools

·         Google Summer of Code

·         Accepted again

·         Lots of activity from students

·         Plenty of ideas

·         Spec

·         Jack jumped in to help with publishing from GitHub 

·         Started up APAC SPDX call

·         Lots of interest from Automotive

·         Discussion of “SPDX Lite”

·         “Files analyzed” field set to false changes many required fields to optional

·         Will be monthly
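The “SPDX Lite” point above rests on a conditional-cardinality rule in the SPDX 2.1 specification: when FilesAnalyzed is false, the package fields that are derived from analyzed files (PackageVerificationCode, §3.9, and PackageLicenseInfoFromFiles, §3.14) must be omitted, and when it is true or absent (§3.8, default true) they are mandatory. The Python below is an added example written for this page, not code from the SPDX project, sw360 or any other tool mentioned here. It parses a small tag-value document, applies those rules as I read them from SPDX 2.1 §3.8, §3.9 and §3.14, and recomputes the package verification code from the file-level SHA1 checksums so that a file list that has been altered after the code was produced is caught. The tag names are SPDX 2.1; the two sample documents and the SHA1 digests are constructed for the example, and the parser only handles single-line Tag: value entries (no <text> blocks).

```python
import hashlib
import re
from typing import Dict, List, Tuple

Section = Dict[str, List[str]]  # tag -> values; several SPDX tags may legitimately repeat
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_tag_value(text: str) -> List[Tuple[str, str]]:
    """Split single-line 'Tag: value' entries into pairs; blank lines and '#' comments are skipped."""
    pairs = []
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs

def split_sections(pairs: List[Tuple[str, str]]) -> Tuple[Section, List[Section]]:
    """Collect the first package's fields and one dict per file section:
    PackageName opens the package, every FileName opens a new file section."""
    package: Section = {}
    files: List[Section] = []
    current = None
    for tag, value in pairs:
        if tag == "PackageName":
            current = package
        elif tag == "FileName":
            files.append({})
            current = files[-1]
        if current is not None:
            current.setdefault(tag, []).append(value)
    return package, files

def verification_code(file_sha1s: List[str]) -> str:
    """SPDX 2.1 §3.9: sort the files' SHA1 hex digests, concatenate them with no
    separator, and return the SHA1 of that string."""
    joined = "".join(sorted(s.lower() for s in file_sha1s))
    return hashlib.sha1(joined.encode("ascii")).hexdigest()

def check_package(text: str) -> List[str]:
    """Apply the FilesAnalyzed-dependent rules; return findings (empty when consistent)."""
    pkg, files = split_sections(parse_tag_value(text))
    findings = []
    analyzed = pkg.get("FilesAnalyzed", ["true"])[0].lower() != "false"  # §3.8: default is true
    code = pkg.get("PackageVerificationCode", [])
    if analyzed:
        if not code:
            findings.append("FilesAnalyzed is true but PackageVerificationCode is missing (§3.9)")
        if "PackageLicenseInfoFromFiles" not in pkg:
            findings.append("FilesAnalyzed is true but PackageLicenseInfoFromFiles is missing (§3.14)")
        # Digests come from 'FileChecksum: SHA1: <hex>' tags in the file sections.
        sha1s = [chk.partition(":")[2].strip() for f in files for chk in f.get("FileChecksum", [])
                 if chk.partition(":")[0].strip().upper() == "SHA1"]
        if code and not sha1s:
            findings.append("PackageVerificationCode given but no file SHA1 checksums to check it against")
        elif code:
            claimed = code[0].split("(")[0].strip().lower()  # drop an optional '(excludes: ...)' suffix
            if verification_code(sha1s) != claimed:
                findings.append("PackageVerificationCode does not match the listed file SHA1 checksums")
    else:
        if code:
            findings.append("FilesAnalyzed is false but PackageVerificationCode is present (must be omitted, §3.9)")
        if "PackageLicenseInfoFromFiles" in pkg:
            findings.append("FilesAnalyzed is false but PackageLicenseInfoFromFiles is present (must be omitted, §3.14)")
    return findings

# Constructed sample data: two arbitrary SHA1 hex strings standing in for real file digests.
FILE_A_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
FILE_B_SHA1 = "0123456789abcdef0123456789abcdef01234567"

# Full document: files were analyzed, so the verification code and per-file sections are present.
SAMPLE_FULL = f"""SPDXVersion: SPDX-2.1
SPDXID: SPDXRef-DOCUMENT

PackageName: libexample
SPDXID: SPDXRef-Package
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: true
PackageVerificationCode: {verification_code([FILE_A_SHA1, FILE_B_SHA1])}
PackageLicenseInfoFromFiles: MIT

FileName: ./src/a.c
SPDXID: SPDXRef-File-a
FileChecksum: SHA1: {FILE_A_SHA1}

FileName: ./src/b.c
SPDXID: SPDXRef-File-b
FileChecksum: SHA1: {FILE_B_SHA1}
"""

# "Lite" document: FilesAnalyzed is false, so the file-derived fields must be absent.
SAMPLE_LITE = """SPDXVersion: SPDX-2.1
SPDXID: SPDXRef-DOCUMENT

PackageName: libexample
SPDXID: SPDXRef-Package
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
"""
```

check_package(SAMPLE_FULL) and check_package(SAMPLE_LITE) both return an empty list; changing one FileChecksum in SAMPLE_FULL, or adding PackageVerificationCode to SAMPLE_LITE, produces a finding. The recomputation is the part worth keeping in a CI gate: a consumer that only checks field presence will accept a document whose file list was edited after the verification code was generated, whereas recomputing the code over the listed SHA1 digests ties the package summary to the files it claims to describe.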

 

Legal Team Report - Paul

·         License List

·         Working through new licenses, normal stuff

 

Outreach Team Report

·         No update.

Cross Function

Attendees

·         Phil Odence, Black Duck/Synopsys

·         Steve Winslow, LF

·         Mark Atwood, Amazon

·         Paul Madick, Dimension Data

·         Gary O’Neall, SourceAuditor

 

Reminder SPDX General Meeting today

Phil Odence