Date   

Have a tool that supports SPDX?

Manbeck, Jack
 

Greetings all,

 

We are looking to develop a comprehensive list of tools that support SPDX on our website. If you would like to be listed please go to the tool link request page in the wiki (http://wiki.spdx.org/view/Business_Team/Tool_Link_Request ) and follow the instructions there. Feel free to contact me directly if you have further questions.

 

Best regards,

 

Jack Manbeck

SPDX Web Site


LinuxCon schedule posted

Lamons, Scott (Open Source Program Office) <scott.lamons@...>
 


A little more on Fantec

Philip Odence
 

I've posted a couple of items about the Fantec case to the SPDX legal list. Adding this one and including all, because it's authored by Mark Radcliffe (counsel to OSI) and because Mark puts in nice plug for SPDX.

http://osdelivers.blackducksoftware.com/2013/07/12/fantec-critical-lessons-for-foss-compliance/


IDs for Sun Industry Standards Source License

Camille Moulin <camille.moulin@...>
 

Hi all,

I'm comparing SPDX and Fossology's licenses IDs and encountered a little difficulty regarding the Sun Industry Standards Source License.
The SPDX id for the version 1.1 of the license is just "SISSL", while Fossology's is "SISSL-1.1". At first glance, it seems that Fossology's choice is more consistent with SPDX's naming scheme, and I don't see the benefits of removing the version number. It also seems that there is a 1.2 version of this license (http://gridscheduler.sourceforge.net/Gridengine_SISSL_license.html ).
So, would adding the version number to the ID be desirable / possible ?

Best,
Camille

--
Gouvernance Open Source - Alter Way www.alterway.fr


SPDX General Meeting Minutes Correction

Philip Odence
 

Thanks to my friend Bruno Grasset for pointing out an error in my previous memo.

I had overwritten the May 2 minutes with the content of the July 3 minutes. The link I provided was to the correct content, but with the wrong title. Thanks to the Wiki's revisioning capability, I was able to retrieve the May 2 minutes as well as to properly create the July 3 minutes:

Sorry for any confusion this may have caused.


Minutes from July 3 SPDX General Meeting

Philip Odence
 


towards a new version of ninka.

dmg
 

hi everybody,

if you use ninka, this might be useful to you.

With the help of Armijn i have been cleaning up some regressions and
improved some licenses.

The new code is now in the github repo:

http://github.com/dmgerman/ninka

- Renamed InterACPILic to IntelACPILic
- Renamed openSSLvar2 to Apachev1.0
- Split QtorGPLv2orv3exception to QtorGPLv2orv3 from the exception
- Better detection fo GPL lcienses
- BSD and MIT spdx licenses detected (prefixed with spdx ie. spdxBSD3)
- Added a bunch of licenses...

unless I find some major problems, I will release a new version in few
days.

--dmg


--
Daniel M. German "There is the greatest difference
between presuming an opinion to be
true, because, with every opportunity
for contesting it, it
has not been refuted,
and assuming its truth for the purpose
John Stuart Mill -> of not permitting its refutation. "
http://turingmachine.org/
http://silvernegative.com/
dmg (at) uvic (dot) ca
replace (at) with @ and (dot) with .


SPDX General Meeting Reminder - Wednesday, July 3

Philip Odence
 

Recognizing that Thursday is a holiday in the US, we will run the meeting at the normal time, but on Wednesday. 


NOTE: In as part of the business team report, Phil will do a quick review of the survey results. In advance of the meeting, download the docs at the bottom of this page:




Meeting Time: Wednesday, July 3, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance
Approve Minutes- 

Technical Team Report - Kate


Legal Team Report - Jilayne


Business Team Report – Jack/Scott
Phil will review quickly results of survey

Cross Functional Issues – Phil
Website Update – Jack


SPDX General Meeting

Philip Odence
 

When: Wednesday, July 03, 2013 11:00 AM-12:00 PM. (UTC-05:00) Eastern Time (US & Canada)
Where: Bridge info enclosed

*~*~*~*~*~*~*~*~*~*
As the 4th is a holiday in the US, will do the call on July 3, same time. Hope everyone can make it.

Please accept so this recurring meeting is on your calendar, however no need to respond.

DIAL IN:
Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732

Conference code: 7812589502





SPDX General Meeting Thursday

Philip Odence
 

NOTE: In as part of the business team report, Phil will do a quick review of the survey results. In advance of the meeting, download the docs at the bottom of this page:





Meeting Time: Thursday, June 6, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance
Approve Minutes- 

Technical Team Report - Kate


Legal Team Report - Jilayne


Business Team Report – Jack/Scott
Phil will review results of survey

Cross Functional Issues – Phil
Website Update – Jack


Re: Software unique identification

Roger Meier <roger@...>
 

Hi Michel

I think the "Official Common Platform Enumeration (CPE) Dictionary" http://nvd.nist.gov/cpe.cfm is a good starting point for this topic.
another source to consider is ISO/IEC 19770

all the best!
-roger
;-r

Quoting "RUFFIN, MICHEL (MICHEL)" <michel.ruffin@alcatel-lucent.com>:

Dear all we are facing a very difficult issue: How to identify uniquely Software.

In Alcatel-Lucent (ALU) we would like to link all our databases on SW (FOSS SW, proprietary SW, FOSS SW coming in proprietary solutions, FOSS coming from outsourcing contracts, ...) The goal is to automate a lot of things: royalty tracking, producing documentations on FOSS respecting the license obligations automatically, knowing which ALU product is using what SW, automatically connecting with tools such as Blackduck protex or Palamida or any others of their competitors, ....................................................

The major issue is SW unique identification: Today we have the following:
- Maven naming system: but it is limited to java open source libraries
- ALU internal system (but so far limited mostly to commercial SW but we are extending to FOSS but not perfect) and we have to interact with suppliers and customers on this identification
- Blackduck internal unique identification (One millions FOSS but do not cope with proprietary SW and we do not want to be dependent of a company)
- SPDX Check sums for binaries (but do not provide the same checksum with .zip and .gpz)
- SPDX Check sums on source codes but does not work if ALU is doing a small modification to the comments in the file

I know that SPDX is not perhaps the best place to discuss this issue, but I would like to engage a discussion on this topic

So my question here is: do you have similar concerns in your companies, and what can we do to solve this issue (should we create a group on this?)

Michel

Michel.Ruffin@Alcatel-Lucent.com, PhD
Software Coordination Manager, N&P IS/IT
Distinguished Member of Technical Staff
Tel +33 (0) 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux
Route De Villejust, 91620 Nozay, France


Re: Software unique identification

Armijn Hemel - Tjaldur Software Governance Solutions <armijn@...>
 

hi,

I am currently a senior systems engineer at Nokia, and I can say
without reservation that we face this problem also, identifying
specific versions of software (binaries as well as sources). Binaries
can change, even if the source does not, if for example the compiler
is updated, or associated libraries. This is especially problematic
when the libraries are (as is often the case) dynamically-linked
shared libraries.
This is not my experience at all. In the Binary Analysis Tool I use fingerprinting using string constants, function names, variable names, and so on, and I can reliably tell versions of binaries apart (granted: the information has to be in my database). This is absolutely no problem at all.

armijn

--
Armijn Hemel, MSc
Tjaldur Software Governance Solutions


Re: Software unique identification

William Boyle
 

I am currently a senior systems engineer at Nokia, and I can say
without reservation that we face this problem also, identifying
specific versions of software (binaries as well as sources). Binaries
can change, even if the source does not, if for example the compiler
is updated, or associated libraries. This is especially problematic
when the libraries are (as is often the case) dynamically-linked
shared libraries.

Bill Boyle
Senior Systems Engineer, Nokia Mobile Phones, Itasca, Illinois

On Mon, May 13, 2013 at 9:56 AM, RUFFIN, MICHEL (MICHEL)
<michel.ruffin@alcatel-lucent.com> wrote:
Dear all we are facing a very difficult issue: How to identify uniquely
Software.

In Alcatel-Lucent (ALU) we would like to link all our databases on SW (FOSS
SW, proprietary SW, FOSS SW coming in proprietary solutions, FOSS coming
from outsourcing contracts, …) The goal is to automate a lot of things:
royalty tracking, producing documentations on FOSS respecting the license
obligations automatically, knowing which ALU product is using what SW,
automatically connecting with tools such as Blackduck protex or Palamida or
any others of their competitors, …………………………………………….

The major issue is SW unique identification: Today we have the following:

Maven naming system: but it is limited to java open source libraries
ALU internal system (but so far limited mostly to commercial SW but we are
extending to FOSS but not perfect) and we have to interact with suppliers
and customers on this identification
Blackduck internal unique identification (One millions FOSS but do not cope
with proprietary SW and we do not want to be dependent of a company)
SPDX Check sums for binaries (but do not provide the same checksum with .zip
and .gpz)
SPDX Check sums on source codes but does not work if ALU is doing a small
modification to the comments in the file


I know that SPDX is not perhaps the best place to discuss this issue, but I
would like to engage a discussion on this topic

So my question here is: do you have similar concerns in your companies, and
what can we do to solve this issue (should we create a group on this?)

Michel

Michel.Ruffin@Alcatel-Lucent.com, PhD
Software Coordination Manager, N&P IS/IT
Distinguished Member of Technical Staff
Tel +33 (0) 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux
Route De Villejust, 91620 Nozay, France




_______________________________________________
Spdx mailing list
Spdx@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx


Software unique identification

RUFFIN MICHEL
 

Dear all we are facing a very difficult issue: How to identify uniquely Software.
 
In Alcatel-Lucent (ALU) we would like to link all our databases on SW (FOSS SW, proprietary SW, FOSS SW coming in proprietary solutions, FOSS coming from outsourcing contracts, …) The goal is to automate a lot of things: royalty tracking, producing documentations on FOSS respecting the license obligations automatically, knowing which ALU product is using what SW, automatically connecting with tools such as Blackduck protex or Palamida or any others of their competitors, …………………………………………….
 
The major issue is SW unique identification: Today we have the following:
  • Maven naming system: but it is limited to java open source libraries
  • ALU internal system (but so far limited mostly to commercial SW but we are extending to FOSS but not perfect) and we have to interact with suppliers and customers on this identification
  • Blackduck internal unique identification (One millions FOSS but do not cope with proprietary SW and we do not want to be dependent of a company)
  • SPDX Check sums for binaries (but do not provide the same checksum with .zip and .gpz)
  • SPDX Check sums on source codes but does not work if ALU is doing a small modification to the comments in the file
 
I know that SPDX is not perhaps the best place to discuss this issue, but I would like to engage a discussion on this topic
 
So my question here is: do you have similar concerns in your companies, and what can we do to solve this issue (should we create a group on this?)
 
Michel
 
Michel.Ruffin@..., PhD
Software Coordination Manager, N&P IS/IT
Distinguished Member of Technical Staff
Tel +33 (0) 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux
Route De Villejust, 91620 Nozay, France
 
 
 


Minutes from May 2 Meeting

Philip Odence
 

The survey is still open. If you haven't responded, please do: www.spdx.org/survey


SPDX General Meeting Reminder and Collab Summit Summary

Philip Odence
 

Announcements
Summary of very successful Collaboration Summit (also appended at the bottom)
HELP WITH THE SURVEY (please please please)
This is to help better understand current awareness and adoption of SPDX and to get some insight future plans and what we can do to shape that future.  http://www.spdx.org/survey  We started promoting the survey at the Collaboration Summit. Here is how you can help drive further participation:
Take the survey yourself. It should require 5-7 minutes of your time. (A good time would be…now.) 
Solicit friends, colleagues and other industry contacts.
So far we have a reasonable representation of the views of old timers, but we really need this to go broader.

Meeting Time: Thursday, May 2, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance
Approve Minutes- 

Technical Team Report - Kate
Next steps

Legal Team Report - Jilayne
Next steps

Business Team Report – Jack/Scott
Next steps

Cross Functional Issues – Phil
Website Update – Jack



COLLABORATION SUMMIT SUMMARY

For those of you who didn’t make it to the Collaboration Summit, below is a summary of the different components of the event. It was pretty inspiring in a number of ways…for me, it felt like the rubber is finally meeting the road seeing real tools—our own, from academia, and commercial—putting out real live SPDX docs. The every positive KarenC summed it up as “The discussions have much more of a feeling that this has to happen – the only questions are around how.” And I agree. 

All the team leads did an outstanding job organizing our ever expanding involvement in Linux event. (Now we even get our own track.) Gary, MarkG and Adam were also key in pulling this off. 

Tech Team Working Session 
In this session we went through the current model proposal for 2.0,  and discussed options that would simplify the model, and still meet the use cases we're targeting.   We were also able to start off the relationship and element usage enumerations.   Full details can be found at: http://wiki.spdx.org/view/Technical_Team/Minutes/2013-04-16.
Legal Team Working Session
The SPDX Legal Team met at the LF Collab Summit to hash out the remaining bits of the License Matching guidelines.  Namely whether SPDX should provide "guidelines only" in regards to what is to be considered substantive text of a license for matching purposes or whether SPDX should go further and provide some kind of actual markup or examples in regards to text than can be ignored or considered "replaceable" for matching purposes.  And, if the latter, to what extent and in what format to provide such markup or examples.  The legal team, with good representation from various tool makers and tech team members, decided that markup was needed to avoid potential differences in interpretation by tool makers.  It was decided to use simple markup that could be illustrated within a .txt file, as that is the (mostly) preferred download format for the licenses.  The exact details of the markup are being worked out and the Legal Team (with help from anyone else in the SPDX Workgroup) will manage getting the markup created for the entire current SPDX License List.

Open SPDX Discussion
Mark Gisi from Windriver and Adam Cohn from Cisco held this session on Tuesday afternoon. It was held under Chatham House Rules which means “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”. Now before you say hey you just said you weren’t supposed to mention names, these two were the chairs as listed on the SPDX schedule.There was a lot of good discussion. One individual talked about how they are fully integrating SPDX into what they their company delivers and how they are shipping, and I believe the number was, over 500 SPDX documents with each release. They also had a website for generating SPDX documents. Others talked about how they have started to integrate SPDX into their compliance process using it for reviews but not yet quite shipping. The reasons seemed to vary for that but they appeared to be more procedural than SPDX related. One individual did raise a concern on the amount of time that it might take to generate SPDX documents adding that it increased the cost of their compliance it was not something they could do. A few individuals talked about the adoption of SPDX among open source projects. There was some discussion on how this could be done now as there are a few open source tools that have appeared to generate SPDX documents. One individual talked about how they would like to see SPDX become more fully integrated into the community meaning that practices normally associated with an open source project such as peer review and so forth were used and considered part of the process of generating, reviewing and editing SPDX documents.

SPDX Morning Sessions
Mark Gisi (the man that Scott calls “the spiritual leader of SPDX adoption”) kicked off the morning with License to Kill…You Code, a very cogent treatise on why it’s important for copyright holders to get it right if they want their projects to thrive. 
Then Gary “the Toolman” O’Neall lead a panel on Tooling up for SPDX. He gave an over view of group, community and commercial tools that are now compatible with SPDX. Gary was joined by Matt Germonprez of the University of Nebraska Omaha and Sameer Ahmed from Wind River Systems who both talked in some detail about work their groups have done to “tool up.”
Conclusion: This stuff is real!  And to prove it…

SPDX Bakeoff
The SPDX Bakeoff was held Wednesday afternoon. Our main objective was to compare SPDX output from different tools in order to identify bugs and resolve different interpretations of the specification. We had great representation from the various tool providers, members of the SPDX working group, and a number of other interested parties. Gary O’Neall’s excellent spreadsheet comparison tool was used as the basis for comparison of the various SPDX files. Per the agenda, we first stepped through the complete Time package on a file by file basis. Following that we dove into Busybox but only at the package level. There was a lot good discussion and yes we did find some bugs in the tools and areas where the specification needs to be improved. All in all it was a very productive session and should serve to advance the adoption of SPDX. The spreadsheet along with notes from the session are captured on in this Google doc folder: https://drive.google.com/?tab=mo&authuser=0#folders/0BxKdX878M2HCTlZIbkZSMXN6SGc


SPDX Website and Survey

Philip Odence
 

Here's some great news about the website and a request for your help with the SPDX survey.

WEBSITE
I am pleased to tell you that http://spdx.org/ has been upgraded with a new, superior underlying platform as well as new architecture/look & feel. It should take you about 2 seconds to notice the improvement. The biggest conceptual change is the we have separated the main site from the wiki and upgraded the wiki as well. Now the main site is mainly for purposes of learning and consumption and the wiki is our working area.

Jack Manbeck deserves a ton of credit for driving this change and herding the cats needed to make it happen before the Collaboration Summit. (He's accepting beers in SF next week.) Other worthy beer recipients are Brian Warner from the Linux Foundation and Martin Michlmayr who seamlessly migrated the wiki. Jilayne, Scott, Kate and Gary also participated in the heavy lifting, and credit goes to Ibrahim Haddad for originally convincing us to accept the Foundation's generous offer to help with the site. 

SURVEY
A key part of the business team's agenda is to make sure we systematically collect and utilize industry feedback on an ongoing basis. The first step in that is a survey to help better understand current awareness and adoption of SPDX and to get some insight future plans and what we can do to shape that future.  http://www.spdx.org/survey 

We will be promoting the survey at the Collaboration Summit. Here is how you can help drive further participation:
  1. Please, take the survey yourself. It should require 5-7 minutes of your time. (A good time would be…now. TGIF.) 
  2. Solicit friends, colleagues and other industry contacts. (Feel free to use the text below, if it is helpful)
As you may know, I'm involved with SPDX, an industry standard for exchanging information about software package content and licensing. Please give 5-7 minutes of your time to take a survey which will help the SPDX group assess industry awareness and adoption of SPDX. Even if you know very little about SPDX, the group values your feedback. Thank you in advance.

Thanks,
Phil

L. Philip Odence
Vice President of Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence


Re: Wiki migration: feedback required

Lamons, Scott (Open Source Program Office) <scott.lamons@...>
 

New wiki looks great.

Scott: ++1

The LF hasn't installed a WYSIWYG editor yet but we can request it if
there's a need.

Jack: I'm thinking we should request one. Media wiki syntax while not difficult may seem bizarre to some people?

Scott: yes!


Re: Wiki migrated to MediaWiki

Martin Michlmayr
 

* Marc-Etienne Vargenau <Marc-Etienne.Vargenau@alcatel-lucent.com> [2013-04-11 15:48]:
The e-mail address wiki@spdx.org given in page
http://wiki.spdx.org/view/Getting_started
to request an account does not seem to work.
Yeah, I know. I also sent a request to the LF.

You can email me directly in the meantime.

--
Martin Michlmayr
Open Source Program Office, Hewlett-Packard


Re: Wiki migrated to MediaWiki

Marc-Etienne Vargenau
 

Le 11/04/2013 12:58, Martin Michlmayr a écrit :
The wiki has been migrated to a proper wiki using MediaWiki. All
content (including past revisions) has been migrated.

You can find the new wiki at http://wiki.spdx.org/view/

Here's a "Getting started" guide:
http://wiki.spdx.org/view/Getting_started

And a set of proposed wiki conventions, although they will have to be
refined as we gain more experience with the new wiki:
http://wiki.spdx.org/view/Wiki_Conventions

If you have any questions, please let me know.
Hello,

The e-mail address wiki@spdx.org given in page
http://wiki.spdx.org/view/Getting_started
to request an account does not seem to work.

Best regards,

Marc-Etienne

--
Marc-Etienne Vargenau Marc-Etienne.Vargenau@alcatel-lucent.com
Alcatel-Lucent France, Route de Villejust, 91620 NOZAY, FRANCE
+33 1 30 77 28 33 OnNet 2103 2833

641 - 660 of 1467