Date   

Re: Jitsi video calling for the General Meeting tomorrow

J Lovejoy
 

Hi all,

I pasted Sebastian's original message, which was in an attached .txt file, into the email body below for convenience here.

To follow-up on this:

We have been using Uberconference for the monthly general calls. We have had requests to switch as Uberconference does not always work well for people outside the US. Some of the SPDX working groups use Zoom and so that was the option to switch to being considered.

In response to Sebastian's suggestion to switch to Jitsi instead, no one had any objections. Sebastian is looking into a Jitsi server we can use and will provide an update.

Thanks Sebastian for looking into this!

Cheers,
Jilayne
SPDX legal co-lead

On 3/31/21 4:48 PM, Sebastian wrote:
Dear all,

I'm looking forward to participating in tomorrow's SPDX General Meeting.

As Phil Odence has just mentioned moving the meeting to an alternative
platform, I'd like to suggest using a free and open source platform, such
as Jitsi, for the meeting. Jitsi is free of charge and does not require
registration or signing up to participate.

It would be fitting for SPDX to use free and open source software for
meetings, and I can personally vouch for the reliability of Jitsi. It has
worked well in all of the calls I've used it for, which must number over a
hundred now. This includes calls of tens of participants, as well as a
particularly memorable meeting that ran continuously for over 9 (!) hours.

We could use the main server (which as I mentioned is free of charge), or
indeed we could just ask nicely to use one of any number of Jitsi servers
hosted by various FOSS organisations - or, even run our own! :)

If you like this idea, I'd suggest that we meet a little earlier than the
scheduled time in a Jitsi room. If anyone has trouble with Jitsi then we
can just hop over to the existing platform. If there are no hitches, we can
continue on Jitsi!

I'm more than happy to answer any questions anyone might have; I'll be
checking my emails throughout tomorrow. I look forward to hearing what you
think of this idea.

Best wishes,

Sebastian


updating SPDX website FAQ page

J Lovejoy
 

Hi all,

As per some discussion on the general call today, the FAQ page on the website is in dire need of a refresh. https://spdx.dev/faq/ 

The legal team has made a copy of the text of the license list section of the FAQ in a Google doc and has begun to collect comments and suggestions. https://docs.google.com/document/d/1WBV0f8L_ddUf9P3eUXMoCwQJiHSckWNA1ykNil8JxGY/edit#

Admittedly, having just read through the license list FAQs, they might need more of a full revision than a few suggestions!

Ask for the general SPDX community:
1) re: the SPDX License List:  are there ‘frequently asked questions’ related to the SPDX License List that you would like to see added to the FAQ? If so, could you please add them to the bottom of the Google doc at the link above (with your proposed answer, if you have one!)

2) Would someone like to create another Google doc for the other parts of the FAQ and begin the same type of review?


Thanks!
Jilayne
legal team co-lead


SPDX Gen Meeting Minutes

Phil Odence
 

Minutes from Feb for approval today:

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-03-04

 

Thanks for your patience,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 


 


Jitsi video calling for the General Meeting tomorrow

Sebastian
 


Thursday SPDX General Meeting Reminder

Phil Odence
 

No special presentation this month, so the meeting will likely not run the full hour.

 

Note: The plan is still to move this meeting to Zoom, but we are still working out details with the Linux Foundation and so remain on Uberconference for the moment.

 

GENERAL MEETING

 

Meeting Time: Thurs, April 1, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack

  

 


Re: Introducing myself

Phil Odence
 

Cheers, Sebastian, welcome.

 

From: spdx@... <spdx@...> on behalf of Sebastian <seabass-labrax@...>
Date: Friday, March 26, 2021 at 9:18 AM
To: SPDX Mailing List <spdx@...>
Subject: [spdx] Introducing myself

Dear all on the SPDX mailing list,

Since I've just joined this list, I am writing now to introduce myself!

I'm Sebastian Crane, hailing from Britain. I like software, and I like
standards: a specification for software packaging is right up my street!

Having done licensing audits for software, I've seen what may be considered
'best practices' as well as some 'worst practices' - hopefully SPDX can tip
the scale to the 'best' side! I use SPDX license identifiers in my own
software projects, and I'm keen to study the other aspects of the SPDX
specification.

I look forward to getting to know the members of this group, and to play a
part in helping SPDX to reach even greater heights.

Best wishes,

Sebastian

--
IRC (registered on freenode, hackint and OFTC): 'seabass'





Introducing myself

Sebastian
 

Dear all on the SPDX mailing list,

Since I've just joined this list, I am writing now to introduce myself!

I'm Sebastian Crane, hailing from Britain. I like software, and I like
standards: a specification for software packaging is right up my street!

Having done licensing audits for software, I've seen what may be considered
'best practices' as well as some 'worst practices' - hopefully SPDX can tip
the scale to the 'best' side! I use SPDX license identifiers in my own
software projects, and I'm keen to study the other aspects of the SPDX
specification.

I look forward to getting to know the members of this group, and to play a
part in helping SPDX to reach even greater heights.

Best wishes,

Sebastian

--
IRC (registered on freenode, hackint and OFTC): 'seabass'


Thursday SPDX General Meeting Reminder

Phil Odence
 

Steve Winslow will present:

 

A Proof-of-concept for Generating an SPDX SBoM for CMake-based Projects.

I will discuss an experiment with leveraging the CMake file-based APIs to automatically create SPDX 2.2 SBoMs. The generated SBoM includes relationships to denote which source files were used as inputs for the corresponding build artifacts. I will present this in the context of the Zephyr project, an open source RTOS for embedded systems that leverages CMake. I will briefly discuss this proof-of-concept, some early results from it and thoughts for next steps.

 

GENERAL MEETING

 

Meeting Time: Thurs, March 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-02-04

 

CMake to SPDX - Steve

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack

  

 


Re: Thursday SPDX General Meeting Reminder - joining forces with 3T SBOM

J Lovejoy
 

Hi all,

This message from Santiago bounced, which is a good reminder for all newcomers that you will want to join the spdx-general mailing list, and probably the spdx-tech mailing list (for tech team discussions).  See https://spdx.dev/participate/ for more info on the different mailing lists, how to sign up, etc.

Thanks!
Jilayne
SPDX legal co-lead

On Feb 2, 2021, at 12:46 PM, Santiago Torres Arias <santiago@...> wrote:

Exciting indeed!

Looking forward to this!
-Santiago
On Tue, Feb 02, 2021 at 07:40:08PM +0000, Phil Odence wrote:
An exciting development!

As you may know, there have been a handful of groups working on standardizing SBOMs. Kate and Gary have been working closely with the 3T SBOM group for some time. Our missions are sufficiently aligned that we will be joining forces to evolve SPDX. Those folks will be attending various SPDX meetings including the General meeting.

In Thursday’s General meeting, Kay Williams and Bob Martin will provide some background on 3T SBOM and their perspective on joining forces. We will also add reports from the teams developing the various profiles to our regular agenda. The 3T folks have been working on and will report on the Integrity and Defects profiles.

GENERAL MEETING

Meeting Time: Thurs, Feb 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
New dial in number: 415-881-1586
No PIN needed
The weblink for screenshare will stay the same at:
http://uberconference.com/SPDXTeam

Administrative Agenda
Attendance
Minutes Approval

3T SBOM Intro - Kay/Bob

Technical Team Report – Kate/Gary/Others

 *   Specification and Profiles
    *   Overview
    *   Core
    *   Legal
    *   Integrity
    *   Defects
    *   Usage and Other Emerging
 *   Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack


Re: Thursday SPDX General Meeting Reminder - joining forces with 3T SBOM

Santiago Torres Arias
 

Exciting indeed!

Looking forward to this!
-Santiago

On Tue, Feb 02, 2021 at 07:40:08PM +0000, Phil Odence wrote:
An exciting development!

As you may know, there have been a handful of groups working on standardizing SBOMs. Kate and Gary have been working closely with the 3T SBOM group for some time. Our missions are sufficiently aligned that we will be joining forces to evolve SPDX. Those folks will be attending various SPDX meetings including the General meeting.

In Thursday’s General meeting, Kay Williams and Bob Martin will provide some background on 3T SBOM and their perspective on joining forces. We will also add reports from the teams developing the various profiles to our regular agenda. The 3T folks have been working on and will report on the Integrity and Defects profiles.

GENERAL MEETING

Meeting Time: Thurs, Feb 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
New dial in number: 415-881-1586
No PIN needed
The weblink for screenshare will stay the same at:
http://uberconference.com/SPDXTeam

Administrative Agenda
Attendance
Minutes Approval

3T SBOM Intro - Kay/Bob

Technical Team Report – Kate/Gary/Others

* Specification and Profiles
* Overview
* Core
* Legal
* Integrity
* Defects
* Usage and Other Emerging
* Tooling

Legal Team Report – Jilayne/Paul/Steve

Outreach/Website Team Report – Jack


Thursday SPDX General Meeting Reminder - joining forces with 3T SBOM

Phil Odence
 

An exciting development!

 

As you may know, there have been a handful of groups working on standardizing SBOMs. Kate and Gary have been working closely with the 3T SBOM group for some time. Our missions are sufficiently aligned that we will be joining forces to evolve SPDX. Those folks will be attending various SPDX meetings including the General meeting.

 

In Thursday’s General meeting, Kay Williams and Bob Martin will provide some background on 3T SBOM and their perspective on joining forces. We will also add reports from the teams developing the various profiles to our regular agenda. The 3T folks have been working on and will report on the Integrity and Defects profiles.

 

GENERAL MEETING

 

Meeting Time: Thurs, Feb 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval

 

3T SBOM Intro - Kay/Bob

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack

  

 


Re: [spdx-tech] [spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -

Takahashi, Kentaro
 

Thank you for your kind support Kate-san !


Best regards,

Kentaro Takahashi

-----Original Message-----
From: Spdx-tech@lists.spdx.org [mailto:Spdx-tech@lists.spdx.org] On Behalf
Of Kate Stewart
Sent: Wednesday, January 20, 2021 12:27 AM
To: spdx-tech@lists.spdx.org
Cc: SPDX-general <spdx@lists.spdx.org>
Subject: [spdx-tech] [spdx] Usage profile for SPDX3.0 - proposal from
OpenChain Japan WG -

Thanks for sending this Takahashi-san.


I'm forwarding this email for discussion on the spdx-tech mailing list
where the usage profile will be discussed. spdx-tech is where we
are discussing the profiles. spdx-general is low volume, and more
for announcements.

Will follow up on the spdx-tech mail list.

Thanks, Kate

---------- Forwarded message ---------
From: Takahashi, Kentaro <kentaro_takahashi@mail.toyota.co.jp
<mailto:kentaro_takahashi@mail.toyota.co.jp> >
Date: Tue, Jan 19, 2021 at 8:57 AM
Subject: [spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan
WG -
To: spdx@lists.spdx.org <mailto:spdx@lists.spdx.org> <spdx@lists.spdx.org
<mailto:spdx@lists.spdx.org> >



Dear members,



We are in the license information exchange sub group under OpenChain Japan
WG, and would like to propose a usage profile for SPDX 3.0 on this mailing list,
based on Kate's suggestion, as follows:



How can we describe "Reference to Local/Contract Documents" with External
Document Ref Tag?



(1) Proposal of usage profile: including OSS policy and/or contract information
in the SPDX document (at chain basis). As each company would have its own OSS
policy, OSS-related inconsistencies may arise at each deal (each supply chain).
Generally, this kind of policy would be defined in closed/local documents
such as a policy, agreement, contract, and/or SPEC under each chain, and as
such, it would not be applicable to SPDX 2.2 for the moment.
However, for the purpose of clear data exchange on a supply chain basis and of
whole data exchange management, we would like to include OSS policy and/or
contract information in SPDX 3.0 at chain basis.



(2) How can we do this?
For example, a restricted OSS license may be identified in the OSS policy. Also,
such an OSS license may be approved only for prototypes.
Accordingly, we are focused on "External Document References", "UsageInfo",
"ValidUntil" to describe such information exchange with the following (A)-(D):


(A) In order to refer to the machine-readable "Agreement" in relation to product
development between company A and company B:
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B
file://anyware_but_not_disclosed_to_open/Agreement_Btw_A_B.txt
Checksum_for_Agreement_Btw_A_B
Or
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B "Specific ID,
Effective As Of or any other common identifier between supplier A and
consumer B" Checksum_for_Agreement_Btw_A_B

(B) In order to describe UsageInfo for the product defined in the Agreement
between A and B:
DocumentRef-ThisSPDXID: SPDXID PREREQUISITE_FOR
TargetProductInfo-ThisSPDXID
TargetProductInfo: TargetProductinfo-ThisSPDXID "Product Name which is
written in Agreement_Btw_A_B"

(C) In order to pick up the UsageInfo description about package "X" from the
Agreement between A and B:
Package Description about "X".....
UsageInfo:<text> "Only for Verification but not for Final Product" </text>
(Picked up from "Agreement_Btw_A_B").

(D) In order to define the expiration of this SPDX document on product
development:
ValidUntil: <text>"Next Scheduled Delivery of SPDX Doc"</text>



We are looking forward to receiving any feedback from others on this matter.


Thank you in advance!



Best regards,



Kentaro Takahashi

Intellectual Property Div.
TOYOTA MOTOR CORPORATION

Attention: The information contained in this email may be attorney/client
privileged and confidential information intended only for the use of the
recipient(s) named above. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution or
copying of this communication is strictly prohibited.
If you have received this communication in error, please contact the sender by
reply e-mail and destroy all copies of this e-mail message. Thank you.







Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -

Kate Stewart
 

Thanks for sending this Takahashi-san.

I'm forwarding this email for discussion on the spdx-tech mailing list
where the usage profile will be discussed.   spdx-tech is where we
are discussing the profiles.   spdx-general is low volume, and more 
for announcements.

Will follow up on the spdx-tech mail list.

Thanks,  Kate

---------- Forwarded message ---------
From: Takahashi, Kentaro <kentaro_takahashi@...>
Date: Tue, Jan 19, 2021 at 8:57 AM
Subject: [spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -
To: spdx@... <spdx@...>


Dear members,



We are in the license information exchange sub group under OpenChain Japan WG, and would like to propose a usage profile for SPDX 3.0 on this mailing list, based on Kate's suggestion, as follows:



How can we describe "Reference to Local/Contract Documents" with External Document Ref Tag?



(1) Proposal of usage profile: including OSS policy and/or contract information in the SPDX document (at chain basis). As each company would have its own OSS policy, OSS-related inconsistencies may arise at each deal (each supply chain).
Generally, this kind of policy would be defined in closed/local documents such as a policy, agreement, contract, and/or SPEC under each chain, and as such, it would not be applicable to SPDX 2.2 for the moment.
However, for the purpose of clear data exchange on a supply chain basis and of whole data exchange management, we would like to include OSS policy and/or contract information in SPDX 3.0 at chain basis.



(2) How can we do this?
For example, a restricted OSS license may be identified in the OSS policy. Also, such an OSS license may be approved only for prototypes.
Accordingly, we are focused on "External Document References", "UsageInfo", "ValidUntil" to describe such information exchange with the following (A)-(D):


(A) In order to refer to the machine-readable "Agreement" in relation to product development between company A and company B:
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B file://anyware_but_not_disclosed_to_open/Agreement_Btw_A_B.txt Checksum_for_Agreement_Btw_A_B
        Or
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B "Specific ID, Effective As Of or any other common identifier between supplier A and consumer B" Checksum_for_Agreement_Btw_A_B

(B) In order to describe UsageInfo for the product defined in the Agreement between A and B:
DocumentRef-ThisSPDXID: SPDXID PREREQUISITE_FOR TargetProductInfo-ThisSPDXID
TargetProductInfo: TargetProductinfo-ThisSPDXID "Product Name which is written in Agreement_Btw_A_B"

(C) In order to pick up the UsageInfo description about package "X" from the Agreement between A and B:
Package Description about "X".....
UsageInfo:<text> "Only for Verification but not for Final Product" </text>   (Picked up from "Agreement_Btw_A_B").

(D) In order to define the expiration of this SPDX document on product development:
ValidUntil: <text>"Next Scheduled Delivery of SPDX Doc"</text>



We are looking forward to receiving any feedback from others on this matter.


Thank you in advance!



Best regards,



Kentaro Takahashi

Intellectual Property Div.
TOYOTA MOTOR CORPORATION

Attention: The information contained in this email may be attorney/client privileged and confidential information intended only for the use of the recipient(s) named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please contact the sender by reply e-mail and destroy all copies of this e-mail message. Thank you.






Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -

Takahashi, Kentaro
 

Dear members,



We are in the license information exchange sub group under OpenChain Japan WG, and would like to propose a usage profile for SPDX 3.0 on this mailing list, based on Kate's suggestion, as follows:



How can we describe "Reference to Local/Contract Documents" with External Document Ref Tag?



(1) Proposal of usage profile: including OSS policy and/or contract information in the SPDX document (at chain basis). As each company would have its own OSS policy, OSS-related inconsistencies may arise at each deal (each supply chain).
Generally, this kind of policy would be defined in closed/local documents such as a policy, agreement, contract, and/or SPEC under each chain, and as such, it would not be applicable to SPDX 2.2 for the moment.
However, for the purpose of clear data exchange on a supply chain basis and of whole data exchange management, we would like to include OSS policy and/or contract information in SPDX 3.0 at chain basis.



(2) How can we do this?
For example, a restricted OSS license may be identified in the OSS policy. Also, such an OSS license may be approved only for prototypes.
Accordingly, we are focused on "External Document References", "UsageInfo", "ValidUntil" to describe such information exchange with the following (A)-(D):


(A) In order to refer to the machine-readable "Agreement" in relation to product development between company A and company B:
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B file://anyware_but_not_disclosed_to_open/Agreement_Btw_A_B.txt Checksum_for_Agreement_Btw_A_B
Or
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B "Specific ID, Effective As Of or any other common identifier between supplier A and consumer B" Checksum_for_Agreement_Btw_A_B

(B) In order to describe UsageInfo for the product defined in the Agreement between A and B:
DocumentRef-ThisSPDXID: SPDXID PREREQUISITE_FOR TargetProductInfo-ThisSPDXID
TargetProductInfo: TargetProductinfo-ThisSPDXID "Product Name which is written in Agreement_Btw_A_B"

(C) In order to pick up the UsageInfo description about package "X" from the Agreement between A and B:
Package Description about "X".....
UsageInfo:<text> "Only for Verification but not for Final Product" </text> (Picked up from "Agreement_Btw_A_B").

(D) In order to define the expiration of this SPDX document on product development:
ValidUntil: <text>"Next Scheduled Delivery of SPDX Doc"</text>



We are looking forward to receiving any feedback from others on this matter.


Thank you in advance!



Best regards,



Kentaro Takahashi

Intellectual Property Div.
TOYOTA MOTOR CORPORATION

Attention: The information contained in this email may be attorney/client privileged and confidential information intended only for the use of the recipient(s) named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please contact the sender by reply e-mail and destroy all copies of this e-mail message. Thank you.


Re: Referencing external spdx documents with package information from project.spdx.yml

Gary O'Neall
 

Moving this from spdx general list to spdx-tech list.

 

Greetings Stephanie,

 

If you are referring to an external SPDX document, you will want to use the ExternalSpdxDocument rather than ExternalRef.

 

The serialization format for the ExternalSpdxDocument varies quite a bit between the different file formats.

 

For YAML, the top level document will have a field externalDocumentRefs which lists all documents which are referenced.  For example:

externalDocumentRefs:
- externalDocumentId: "DocumentRef-spdx-tool-1.2"
  checksum:
    algorithm: "SHA1"
    checksumValue: "d6a770ba38583ed4bb4525bd96e50461655d2759"
  spdxDocument: "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301"

 

When an element in the external document is referenced, the syntax is externalDocumentId:SPDXRef-XXX, where SPDXRef-XXX is the SPDX reference in the external document.

 

For example:

relationships:
- spdxElementId: "SPDXRef-DOCUMENT"
  relatedSpdxElement: "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement"
  relationshipType: "COPY_OF"

 

This is a similar approach to how the Tag/Value fields are parsed.

 

Note that this is an area of active discussion for the 3.0 Spec.  We all are finding the ExternalDocumentRefs confusing and we will be renaming the fields at a minimum.  There is also some discussion on changing the model related to external document refs.  We will probably be discussing this on upcoming SPDX tech calls.  It has been proposed that we reintroduce the ExternalSpdxElement in the model for 3.0.

 

The SPDX YAML example includes an external document reference.

 

Best regards,
Gary

 

From: spdx@... <spdx@...> On Behalf Of Neubauer Stephanie (IOC/PDL4) via lists.spdx.org
Sent: Wednesday, January 13, 2021 4:40 AM
To: spdx@...
Cc: Schuberth Sebastian (IOC/PDL1) <Sebastian.Schuberth@...>
Subject: [spdx] Referencing external spdx documents with package information from project.spdx.yml

 

Hello,

 

I am currently working on an issue in the OSS Review Toolkit [1] to support referring to external SPDX files from a `project.spdx.yml` [2].

 

I am currently checking out the spdx-specs [3] and the spdx schema [4] to create a working example of a `project.spdx.yml` which has a package referencing an external SPDX document for its metadata.

In the example file provided in [5]  I could not find a reference of that sort.

I have tried using the `externalRefs` parameter of a package in the spdx document, but did not manage to actually reference an external spdx document.

In the last paragraph of the spdx/tools repository [6] I have found a mention of “ExternalSpdxElement” that is not in the 2.0 model anymore. Has this been replaced in some way?

 

I wondered if there was an actual example in one of the documentations or repositories that shows:

- a project.spdx.yml listing a package, and
- in that package's metadata, a reference to additional metadata in the form of a package.spdx.yml (or something similar)

 

Here is a slightly changed project.spdx.yml (originally from [7]) that shows how I would imagine the mechanisms working:

SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2020-07-23T18:30:22Z"
  creators:
  - "Organization: Example Inc."
  - "Person: Thomas Steenbergen"
  licenseListVersion: "3.9"
name: "xyz-0.1.0"
dataLicense: "CC0-1.0"
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz"
documentDescribes:
- "SPDXRef-Package-xyz"
packages:
- SPDXID: "SPDXRef-Package-xyz"
  description: "Awesome product created by Example Inc."
  copyrightText: "Copyright (C) 2020 Example Inc."
  downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
  filesAnalyzed: false
  homepage: "https://example.com/products/xyz"
  licenseConcluded: "NOASSERTION"
  licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
  name: "xyz"
  versionInfo: "0.1.0"
- SPDXID: "SPDXRef-Package-curl"
  externalRefs:
  - referenceCategory: "OTHER"
    referenceLocator: "curl:7.70.0"  # or a similar way of giving an identifier
    referenceType: "https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml"  # alternatively a relative path to the same file locally could be given here

OR:

- SPDXID: "SPDXRef-Package-curl"
  externalSpdxDocument:
    documentUri: "https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml"  # alternatively a relative path to the same file locally could be given here
    id: "SPDXDocumentRef-curl"

relationships:
- spdxElementId: "SPDXRef-Package-xyz"
  relatedSpdxElement: "SPDXRef-Package-curl"
  relationshipType: "DEPENDS_ON"

 

 

[1] https://github.com/oss-review-toolkit/ort

[2] https://github.com/oss-review-toolkit/ort/issues/3402

[3] https://spdx.github.io/spdx-spec/3-package-information/#321-external-reference

[4] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json

[5] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXYAMLExample-2.2.spdx.yaml

[6] https://github.com/spdx/tools#upgrading-to-spdx-20

[7] https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/project/project.spdx.yml

 

Mit freundlichen Grüßen / Best regards

Stephanie Neubauer


Project Delivery Stuttgart (IOC/PDL4)
Robert Bosch GmbH | Postfach 11 27 | 71301 Waiblingen | GERMANY |
www.bosch.com
Tel. +49 711 811-92528 | Mobil +49 172 3620267 | Telefax +49 711 811-58200 |
Threema / Threema Work: PHCV2F36 | Stephanie.Neubauer@...

Sitz: Stuttgart, Registergericht: Amtsgericht Stuttgart, HRB 14000;
Aufsichtsratsvorsitzender: Franz Fehrenbach; Geschäftsführung: Dr. Volkmar Denner,
Prof. Dr. Stefan Asenkerschbaumer, Filiz Albrecht, Dr. Michael Bolle, Dr. Christian Fischer,
Dr. Stefan Hartung, Dr. Markus Heyn, Harald Kröger, Rolf Najork, Uwe Raschke
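Gary's explanation above and Takahashi-san's proposal (A) earlier on this page rely on the same SPDX 2.2 mechanism: an externalDocumentRefs entry that names an external document by DocumentRef id, gives its location, and carries a SHA1 checksum, after which relationships may point at elements inside it with the DocumentRef-x:SPDXRef-y syntax. The checksum is what lets a consumer verify that the document it retrieved (a supplier SBOM, or an agreement that is not publicly disclosed) is the one the producer meant before trusting any element inside it. The following Python script is an added example, not code from either message or from the SPDX project: it builds such a document on the producer side, renders the same entry in tag/value syntax, and on the consumer side checks id shapes, undeclared DocumentRefs, and the checksum of the retrieved bytes. It uses the JSON serialization (same field names as the YAML one) to avoid a YAML library dependency. The agreement bytes, the DocumentRef id DocumentRef-Agreement-Btw-A-B, the file:/// location and the relationship are all constructed for the example.

```python
"""Produce and verify an SPDX 2.2 external document reference (added example)."""
import hashlib
import json
import re

# Identifier shapes used by SPDX 2.2 for external document ids and element ids.
DOCREF_RE = re.compile(r"^DocumentRef-[A-Za-z0-9.\-]+$")
ELEMENT_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed stand-in for the external document the consumer retrieved
# (e.g. the agreement between A and B, or a supplier's SBOM).
AGREEMENT_BYTES = (b"SPDXVersion: SPDX-2.2\nSPDXID: SPDXRef-DOCUMENT\n"
                   b"DocumentName: Agreement_Btw_A_B\n")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_document(agreement_bytes: bytes) -> dict:
    """Producer side: a constructed SPDX 2.2 document that references one
    external document and links to an element inside it."""
    return {
        "spdxVersion": "SPDX-2.2",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "constructed-example",
        "externalDocumentRefs": [{
            "externalDocumentId": "DocumentRef-Agreement-Btw-A-B",
            "checksum": {"algorithm": "SHA1",
                         "checksumValue": sha1_hex(agreement_bytes)},
            # Hypothetical location, not disclosed outside the two parties.
            "spdxDocument": "file:///contracts/Agreement_Btw_A_B.spdx",
        }],
        "relationships": [{
            # DocumentRef-x:SPDXRef-y names an element in the external document.
            "spdxElementId": "DocumentRef-Agreement-Btw-A-B:SPDXRef-DOCUMENT",
            "relatedSpdxElement": "SPDXRef-DOCUMENT",
            "relationshipType": "PREREQUISITE_FOR",
        }],
    }


def to_tag_value(ext: dict) -> str:
    """Render one externalDocumentRefs entry in tag/value syntax."""
    cs = ext["checksum"]
    return (f"ExternalDocumentRef: {ext['externalDocumentId']} "
            f"{ext['spdxDocument']} {cs['algorithm']}: {cs['checksumValue']}")


def split_element_ref(ref: str):
    """'DocumentRef-x:SPDXRef-y' -> ('DocumentRef-x', 'SPDXRef-y');
    a local reference -> (None, ref)."""
    if ":" in ref:
        docref, element = ref.split(":", 1)
        return docref, element
    return None, ref


def check_document(doc: dict, fetched: dict) -> list:
    """Consumer side. `fetched` maps externalDocumentId -> retrieved bytes.
    Returns a list of problems; empty means every external reference is
    well-formed, declared, and its retrieved bytes match the declared SHA1."""
    problems = []
    declared = {}
    for ext in doc.get("externalDocumentRefs", []):
        eid = str(ext.get("externalDocumentId", ""))
        cs = ext.get("checksum", {})
        value = str(cs.get("checksumValue", "")).lower()
        if not DOCREF_RE.match(eid):
            problems.append(f"malformed externalDocumentId {eid!r}")
        if cs.get("algorithm") != "SHA1" or not SHA1_RE.match(value):
            problems.append(f"{eid}: external document ref needs a SHA1 checksum")
        declared[eid] = value
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            docref, element = split_element_ref(str(rel.get(key, "")))
            if docref is not None and docref not in declared:
                problems.append(f"relationship uses undeclared {docref}")
            if element not in ("NONE", "NOASSERTION") and not ELEMENT_RE.match(element):
                problems.append(f"malformed element id {element!r}")
    for eid, expected in declared.items():
        data = fetched.get(eid)
        if data is None:
            problems.append(f"{eid}: external document not retrieved, cannot verify")
        elif sha1_hex(data) != expected:
            problems.append(f"{eid}: checksum mismatch, do not trust its elements")
    return problems


if __name__ == "__main__":
    doc = build_document(AGREEMENT_BYTES)
    print(json.dumps(doc, indent=2))
    print(to_tag_value(doc["externalDocumentRefs"][0]))
    print(check_document(doc, {"DocumentRef-Agreement-Btw-A-B": AGREEMENT_BYTES}))
    print(check_document(doc, {"DocumentRef-Agreement-Btw-A-B": AGREEMENT_BYTES + b"x"}))
```

The consumer-side check deliberately treats a missing or mismatching external document as a reason to stop rather than a warning: the DocumentRef-x:SPDXRef-y link says nothing about provenance on its own, and only the checksum ties the elements being referenced to the bytes the producer actually saw.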


Re: "X.org Preferred License"

Till Jaeger

Hi Alan,

Your Firefox extension works really well. Thanks for this great tool!

Best,

Till

On 14.01.21 at 22:26, Alan Tse wrote:

Hi Mark,

I’m also not sure of which SPDX tool you were using but I checked with
the browser extension spdx-license-diff
<https://github.com/spdx/spdx-license-diff> and I get a template match
to MIT since the extra part is optional as described by Steve.

Of course if you do use the browser extension and you see missing
template matches with it (which I find occasionally), I’ll fix it if you
report it <https://github.com/spdx/spdx-license-diff/issues>.

Alan

From: <spdx@lists.spdx.org> on behalf of Steve Winslow <swinslow@linuxfoundation.org>
Reply-To: "spdx@lists.spdx.org" <spdx@lists.spdx.org>
Date: Thursday, January 14, 2021 at 12:47 PM
To: "spdx@lists.spdx.org" <spdx@lists.spdx.org>
Cc: Kate Stewart <kstewart@linuxfoundation.org>, "Atwood, Mark" <atwoodm@amazon.com>
Subject: Re: [spdx] "X.org Preferred License"


Hi Mark,

The MIT license template on the license list [1] has the language
"(including the next paragraph)" as optional text, which is why that
part shows up in blue italics on the list [2].

I think that's what you're referring to, but let me know if I'm missing
something.

Best,

Steve

[1] https://github.com/spdx/license-list-XML/blob/a32a839b7385c9a797a26fa45c6f6234947b7abe/src/MIT.xml#L22

[2] https://spdx.org/licenses/MIT.html

On Thu, Jan 14, 2021 at 3:19 PM Mark Atwood via lists.spdx.org
<atwoodm=amazon.com@lists.spdx.org> wrote:

The "X.org Preferred License" documented at
[ https://www.x.org/archive/current/doc/xorg-docs/License.html ] is the MIT
license with the additional text in the middle "(including the next
paragraph)".

Our SPDX license matching tool is not locking onto it with 100%, but instead
is showing it as the nearest edit distance to MIT.  I've not yet dug in deeper,
but,

Is the X.org variant in the SPDX database?
If not, should we add it as a new license, or as a matching rule variant to
MIT?

If it's not in the database, I will start the legwork and paperwork to add
it.

..m


Mark Atwood <atwoodm@amazon.com>
Principal, Open Source
+1-206-604-2198

--

Steve Winslow
Director of Strategic Programs
The Linux Foundation

swinslow@linuxfoundation.org


Re: "X.org Preferred License"

Steve Kilbane

I'm glad this topic came up, because I hadn't heard of spdx-license-diff before, and now I have it installed. That's a pretty good start to a Friday!

Thanks, Alan!

steve

From: spdx@... <spdx@...> On Behalf Of Alan Tse
Sent: 14 January 2021 21:26
To: spdx@...
Cc: Kate Stewart <kstewart@...>; Atwood, Mark <atwoodm@...>
Subject: Re: [spdx] "X.org Preferred License"

[...]


Re: "X.org Preferred License"

Mark Atwood

Thanks, and I see it’s already done.  Now I need to see why my tool isn’t matching it.

..m

From: Steve Winslow <swinslow@...>
Sent: Thursday, January 14, 2021 12:47 PM
To: spdx@...
Cc: Kate Stewart <kstewart@...>; Atwood, Mark <atwoodm@...>
Subject: RE: [EXTERNAL] [spdx] "X.org Preferred License"

[...]


Re: "X.org Preferred License"

Alan Tse

Hi Mark,

I’m also not sure of which SPDX tool you were using but I checked with the browser extension spdx-license-diff and I get a template match to MIT since the extra part is optional as described by Steve.

Of course if you do use the browser extension and you see missing template matches with it (which I find occasionally), I’ll fix it if you report it.

Alan

From: <spdx@...> on behalf of Steve Winslow <swinslow@...>
Reply-To: "spdx@..." <spdx@...>
Date: Thursday, January 14, 2021 at 12:47 PM
To: "spdx@..." <spdx@...>
Cc: Kate Stewart <kstewart@...>, "Atwood, Mark" <atwoodm@...>
Subject: Re: [spdx] "X.org Preferred License"

[...]


Re: "X.org Preferred License"

Steve Winslow

Hi Mark,

The MIT license template on the license list [1] has the language "(including the next paragraph)" as optional text, which is why that part shows up in blue italics on the list [2].

I think that's what you're referring to, but let me know if I'm missing something.

Best,
Steve


On Thu, Jan 14, 2021 at 3:19 PM Mark Atwood via lists.spdx.org <atwoodm=amazon.com@...> wrote:
The "X.org Preferred License" documented at
[ https://www.x.org/archive/current/doc/xorg-docs/License.html ] is the MIT
license with the additional text in the middle "(including the next
paragraph)".

Our SPDX license matching tool is not locking onto it with 100%, but instead
is showing it as the nearest edit distance to MIT.  I've not yet dug in deeper,
but,

Is the X.org variant in the SPDX database?
If not, should we add it as a new license, or as a matching rule variant to
MIT?

If it's not in the database, I will start the legwork and paperwork to add
it.

..m


Mark Atwood <atwoodm@...>
Principal, Open Source
+1-206-604-2198

--
Steve Winslow
Director of Strategic Programs
The Linux Foundation
