|
Re: Jitsi video calling for the General Meeting tomorrow
J Lovejoy
Hi all,
toggle quoted messageShow quoted text
I pasted Sebastian's original message, which was in an attached .txt file, into the email body below for convenience here. To follow-up on this: We have been using Uberconference for the monthly general calls. We have had requests to switch as Uberconference does not always work well for people outside the US. Some of the SPDX working groups use Zoom and so that was the option to switch to being considered. In response to Sebastian's suggestion to switch to Jitsi instead, no one had any objections. Sebastian is looking into a Jitsi server we can use and will provide an update. Thanks Sebastian for looking into this! Cheers, Jilayne SPDX legal co-lead
On 3/31/21 4:48 PM, Sebastian wrote:
Dear all, I'm looking forward to participating in tomorrow's SPDX General Meeting. As Phil Odence has just mentioned moving the meeting to an alternative platform, I'd like to suggest using a free and open source platform, such as Jitsi, for the meeting. Jitsi is free of charge and does not require registration or signing up to participate. It would be fitting for SPDX to use free and open source software for meetings, and I can personally vouch for the reliability of Jitsi. It has worked well in all of the calls I've used it for, which must number over a hundred now. This includes calls of tens of participants, as well as a particularly memorable meeting that ran continuously for over 9 (!) hours. We could use the main server (which as I mentioned is free of charge), or indeed we could just ask nicely to use one of any number of Jitsi servers hosted by various FOSS organisations - or, even run our own! :) If you like this idea, I'd suggest that we meet a little earlier than the scheduled time in a Jitsi room. If anyone has trouble with Jitsi then we can just hop over to the existing platform. If there no hitches, we can continue on Jitsi! I'm more than happy to answer any questions anyone might have; I'll be checking my emails throughout tomorrow. I look forward to hearing what you think of this idea. Best wishes, Sebastian
|
|
|
|
|
|
updating SPDX website FAQ page
J Lovejoy
Hi all,
As per some discussion on the general call today, the FAQ page on the website is in dire need of a refresh. https://spdx.dev/faq/ The legal team has made a copy of the text of the license list section of the FAQ in a Google doc and has begun to collect comments and suggestions. https://docs.google.com/document/d/1WBV0f8L_ddUf9P3eUXMoCwQJiHSckWNA1ykNil8JxGY/edit# Admittedly, having just read through the license list FAQs, they might need more of full revision than a few suggestions! Ask for the general SPDX community: 1) re: the SPDX License List: are there ‘frequently asked questions’ related to the SPDX License List that you would like to see added to the FAQ? If so, could you please add them to the bottom of the Google doc at the link above (with your proposed answer, if you have one!) 2) Would someone like to create another Google doc for the other parts of the FAQ and being the same type of review? Thanks! Jilayne legal team co-lead
|
|
|
|
|
|
SPDX Gen Meeting Minutes
Phil Odence
Minutes from Feb for approval today: https://wiki.spdx.org/view/General_Meeting/Minutes/2021-03-04
Thanks for your patience, Phil
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
|
|
|
|
|
|
Jitsi video calling for the General Meeting tomorrow
|
|
|
|
|
|
Thursday SPDX General Meeting Reminder
Phil Odence
No special presentation this month, so the meeting will likely not run the full hour.
Note: The plan is still to move this meeting to Zoom, but we are still working out details with the Linux Foundation and so remain on Uberconference for the moment.
GENERAL MEETING
Meeting Time: Thurs, April 1, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial in number: 415-881-1586 No PIN needed
The weblink for screenshare will stay the same at:
Administrative Agenda Attendance Minutes Approval
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
|
|
|
|
|
|
Re: Introducing myself
Phil Odence
Cheers, Sebastian, welcome.
From:
spdx@... <spdx@...> on behalf of Sebastian <seabass-labrax@...> Dear all on the SPDX mailing list,
|
|
|
|
|
|
Introducing myself
Dear all on the SPDX mailing list,
Since I've just joined this list, I am writing now to introduce myself! I'm Sebastian Crane, hailing from Britain. I like software, and I like standards: a specification for software packaging is right up my street! Having done licensing audits for software, I've seen what may be considered 'best practices' as well as some 'worst practices' - hopefully SPDX can tip the scale to the 'best' side! I use SPDX license identifiers in my own software projects, and I'm keen to study the other aspects of the SPDX specification. I look forward to getting to know the members of this group, and to play a part in helping SPDX to reach even greater heights. Best wishes, Sebastian -- IRC (registered on freenode, hackint and OFTC): 'seabass'
|
|
|
|
|
|
Thursday SPDX General Meeting Reminder
Phil Odence
Steve Winslow will present:
A Proof-of-concept for Generating an SPDX SBoM for CMake-based Projects. I will discuss an experiment with leveraging the CMake file-based APIs to automatically create SPDX 2.2 SBoMs. The generated SBoM includes relationships to denote which source files were used as inputs for the corresponding build artifacts. I will present this in the context of the Zephyr project, an open source RTOS for embedded systems that leverages CMake. I will briefly discuss this proof-of-concept, some early results from it and thoughts for next steps.
GENERAL MEETING
Meeting Time: Thurs, March 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial in number: 415-881-1586 No PIN needed
The weblink for screenshare will stay the same at:
Administrative Agenda Attendance Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-02-04
CMake to SPDX - Steve
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
|
|
|
|
|
|
Re: Thursday SPDX General Meeting Reminder - joining forces with 3T SBOM
J Lovejoy
Hi all,
toggle quoted messageShow quoted text
This message from Santiago bounced, which is a good reminder for all newcomers that you will want to join the spdx-general mailing list, and probably the spdx-tech mailing list (for tech team discussions). See https://spdx.dev/participate/ for more info on the different mailing lists, how to sign up, etc. Thanks! Jilayne SPDX legal co-lead
|
|
|
|
|
|
Re: Thursday SPDX General Meeting Reminder - joining forces with 3T SBOM
Santiago Torres Arias
Exciting indeed!
toggle quoted messageShow quoted text
Looking forward to this! -Santiago
On Tue, Feb 02, 2021 at 07:40:08PM +0000, Phil Odence wrote:
An exciting development!
|
|
|
|
|
|
Thursday SPDX General Meeting Reminder - joining forces with 3T SBOM
Phil Odence
An exciting development!
As you may know, there have been a handful of groups working on standardizing SBOMs. Kate and Gary have been working closely with the 3T SBOM group for some time. Our missions are sufficiently aligned that we will be joining forces to evolve SPDX. Those folks will be attending various SPDX meetings including the General meeting.
In Thursday’s General meeting, Kay Williams and Bob Martin will provide some background on 3T SBOM and their perspective on joining forces. We will also add reports from the teams developing the various profiles to our regular agenda. The 3T folks have been working on and will report on the Integrity and Defects profiles.
GENERAL MEETING
Meeting Time: Thurs, Feb 4, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial in number: 415-881-1586 No PIN needed
The weblink for screenshare will stay the same at:
Administrative Agenda Attendance Minutes Approval
3T SBOM Intro - Kay/Bob
Technical Team Report – Kate/Gary/Others
Legal Team Report – Jilayne/Paul/Steve
Outreach/Website Team Report – Jack
|
|
|
|
|
|
Re: [spdx-tech] [spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -
Takahashi, Kentaro <kentaro_takahashi@...>
Thank you for your kind support Kate-san !
toggle quoted messageShow quoted text
Best regards, Kentaro Takahashi
-----Original Message-----
|
|
|
|
|
|
Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -
Kate Stewart
Thanks for sending this Takahashi-san. I'm forwarding this email for discussion on the spdx-tech mailing list where the usage profile will be discussed. spdx-tech is where we are discussing the profiles. spdx-general is low volume, and more for announcements. Will follow up on the spdx-tech mail list. Thanks, Kate ---------- Forwarded message --------- From: Takahashi, Kentaro <kentaro_takahashi@...> Date: Tue, Jan 19, 2021 at 8:57 AM Subject: [spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan WG - To: spdx@... <spdx@...> Dear members, We are in the license information exchange sub group under OpenChain Japan WG, and would like to propose usage profile for SPDX3.0 on this mailing list based on Kate's suggestion as follows: How can we describe "Reference to Local/Contract Documents" with External Document Ref Tag? (1) Proposal of usage profile: including OSS policy and/or contract information on the SPDX (at chain basis) As each company would have own OSS policy, OSS related inconsistency may be arisen at each deal(each supply chain). Generally, this kind of policy would be defined in the closed / local document such as policy, agreement, contract, and/or SPEC under each chain, and as such, it would not be applicable for SPDX2.2 for the moment. However, for the purpose of clear data exchange at supply chain basis and of whole data exchange management, we would like to include OSS policy and/or contract information on the SPDX3.0 at chain basis. (2)How can we do? For example, restricted OSS license may be identified in the OSS policy. Also, such OSS license may be approved only for prototype. Accordingly, we are focused on "External Document References", "UsageInfo", "ValidUntil" to describe such information exchange with the following (A)-(D): (A)In order to refer to the machine readable "Agreement" in relation to product development between company A and company B.: ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B file://anyware_but_not_disclosed_to_open/Agreement_Btw_A_B.txt Checksum_for_for_Agreement_Btw_A_B Or ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B "Specific ID, Effective As Of or any other common identifier between supplier A and consumer B" Checksum_for_Agreement_Btw_A_B (B)In order to describe UsageInfo for product defined in the Agreement between A and B: DocumentRef-ThisSPDXID: SPDXID PREREQUISITE_FOR TargetProductInfo-ThisSPDXID TargetProductInfo: TargetProductinfo-ThisSPDXID "Product Name which worte in Agreement_Btw_A_B" (C)In order to pick up UsageInfo description about package "X" from the Agreement between A and B: Package Description about "X"..... UsageInfo:<text> "Only for Verification but not for Final Product" </text> (Picked up from "Agreement_Btw_A_B"). (D)In order to define Expiration of This SPDX Document on Product Development: ValidUntil: <text>"Next Scheduled Delivery of SPDX Doc"</text> We are looking forward to receive any feedback from others on this matter. Thank you in advance! Best regards, Kentaro Takahashi Intellectual Property Div. TOYOTA MOTOR CORPORATION Attention: The information contained in this email may be attorney/client privileged and confidential information intended only for the use of the recipient(s) named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender by reply e-mail and destroy all copies of this e-mail message. Thank you.
|
|
|
|
|
|
Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -
Takahashi, Kentaro <kentaro_takahashi@...>
Dear members,
We are in the license information exchange sub group under OpenChain Japan WG, and would like to propose usage profile for SPDX3.0 on this mailing list based on Kate's suggestion as follows: How can we describe "Reference to Local/Contract Documents" with External Document Ref Tag? (1) Proposal of usage profile: including OSS policy and/or contract information on the SPDX (at chain basis) As each company would have own OSS policy, OSS related inconsistency may be arisen at each deal(each supply chain). Generally, this kind of policy would be defined in the closed / local document such as policy, agreement, contract, and/or SPEC under each chain, and as such, it would not be applicable for SPDX2.2 for the moment. However, for the purpose of clear data exchange at supply chain basis and of whole data exchange management, we would like to include OSS policy and/or contract information on the SPDX3.0 at chain basis. (2)How can we do? For example, restricted OSS license may be identified in the OSS policy. Also, such OSS license may be approved only for prototype. Accordingly, we are focused on "External Document References", "UsageInfo", "ValidUntil" to describe such information exchange with the following (A)-(D): (A)In order to refer to the machine readable "Agreement" in relation to product development between company A and company B.: ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B file://anyware_but_not_disclosed_to_open/Agreement_Btw_A_B.txt Checksum_for_for_Agreement_Btw_A_B Or ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B "Specific ID, Effective As Of or any other common identifier between supplier A and consumer B" Checksum_for_Agreement_Btw_A_B (B)In order to describe UsageInfo for product defined in the Agreement between A and B: DocumentRef-ThisSPDXID: SPDXID PREREQUISITE_FOR TargetProductInfo-ThisSPDXID TargetProductInfo: TargetProductinfo-ThisSPDXID "Product Name which worte in Agreement_Btw_A_B" (C)In order to pick up UsageInfo description about package "X" from the Agreement between A and B: Package Description about "X"..... UsageInfo:<text> "Only for Verification but not for Final Product" </text> (Picked up from "Agreement_Btw_A_B"). (D)In order to define Expiration of This SPDX Document on Product Development: ValidUntil: <text>"Next Scheduled Delivery of SPDX Doc"</text> We are looking forward to receive any feedback from others on this matter. Thank you in advance! Best regards, Kentaro Takahashi Intellectual Property Div. TOYOTA MOTOR CORPORATION Attention: The information contained in this email may be attorney/client privileged and confidential information intended only for the use of the recipient(s) named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender by reply e-mail and destroy all copies of this e-mail message. Thank you.
|
|
|
|
|
|
Re: Referencing external spdx documents with package information from project.spdx.yml
Gary O'Neall
Moving this from spdx general list to spdx-tech list.
Greetings Stephanie,
If you are referring to an external SPDX document, you will want to use the ExternalSpdxDocument rather than ExternalRef.
The serialization format for the ExternalSpdxDocument varies quite a bit between the different file formats.
For YAML, the top level document will have a field externalDocumentRefs which lists all documents which are referenced. For example:
… externalDocumentRefs: - externalDocumentId: "DocumentRef-spdx-tool-1.2" checksum: algorithm: "SHA1" checksumValue: "d6a770ba38583ed4bb4525bd96e50461655d2759" spdxDocument: "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301" …
When there an element in the external document referenced, the syntax is externalDocumentId:SPDXRef-XXX where the SPDXRef-XXX is the SPDX reference in the external document.
For example: … relationships: - spdxElementId: "SPDXRef-DOCUMENT" relatedSpdxElement: "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement" relationshipType: "COPY_OF" …
This is a similar approach to how the Tag/Value fields are parsed.
Note that this is an area of active discussion for the 3.0 Spec. We all are finding the ExternalDocumentRef’s confusing and we will be renaming the fields at a minimum. There is also some discussion on changing the model related to external document ref’s. We will probably be discussing this on upcoming SPDX tech calls. It has been proposed that we reintroduce the ExternalSpdxElement in the model for 3.0.
The SPDX YAML example includes an external document reference.
Best regards,
From: spdx@... <spdx@...> On Behalf Of Neubauer Stephanie (IOC/PDL4) via lists.spdx.org
Sent: Wednesday, January 13, 2021 4:40 AM To: spdx@... Cc: Schuberth Sebastian (IOC/PDL1) <Sebastian.Schuberth@...> Subject: [spdx] Referencing external spdx documents with package information from project.spdx.yml
Hello J
I am currently working on an issue in the Oss-Review-Toolkit [1] to support referring to external SPDX files from a `project.spdx.yml` [2].
I am currently checking out the spdx-specs [3] and the spdx schema [4] to create a working example of an ´project.spdx.yml` which has a package referencing an external SPDX document for its metadata. In the example file provided in [5] I could not find a reference of that sort. I have tried using `externalRefs` parameter of a package in the spdx document, but didn’t achieve actually referencing an external spdx document. In the last paragraph of the spdx/tools repository [6] I have found a mention of “ExternalSpdxElement” that is not in the 2.0 model anymore. Has this been replaced in some way?
I wondered if there was an actual example in one of the documentations or repositories that shows: A project.spdx.yml listing a package and in that package metadata refer to additional metadata in the form of a package.spdx.yml (or something similar)
Here is a slightly changed project.spdx.yml (originally from [7]) that shows how I would imagine the mechanisms working: SPDXID: "SPDXRef-DOCUMENT" spdxVersion: "SPDX-2.2" creationInfo: created: "2020-07-23T18:30:22Z" creators: - "Organization: Example Inc." - "Person: Thomas Steenbergen" licenseListVersion: "3.9" name: "xyz-0.1.0" dataLicense: "CC0-1.0" documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz" documentDescribes: - "SPDXRef-Package-xyz" packages: - SPDXID: "SPDXRef-Package-xyz" description: "Awesome product created by Example Inc." copyrightText: "Copyright (C) 2020 Example Inc." downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78" filesAnalyzed: false homepage: "https://example.com/products/xyz" licenseConcluded: "NOASSERTION" licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc" name: "xyz" versionInfo: "0.1.0" - SPDXID: "SPDXRef-Package-curl" externalRefs: referenceCategory: "OTHER" referenceLocator: "curl:7.70.0" (or similar way of giving an identifier) referenceType: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml (alternatively a relative path to the same file locally could be given here) OR: - SPDXID: "SPDXRef-Package-curl" externalSpdxDocument: documentUri: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml (alternatively a relative path to the same file locally could be given here) id: SPDXDocumentRef-curl relationships: - spdxElementId: "SPDXRef-Package-xyz" relatedSpdxElement: "SPDXRef-Package-curl" relationshipType: "DEPENDS_ON"
[1] https://github.com/oss-review-toolkit/ort [2] https://github.com/oss-review-toolkit/ort/issues/3402 [3] https://spdx.github.io/spdx-spec/3-package-information/#321-external-reference [4] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json [5] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXYAMLExample-2.2.spdx.yaml [6] https://github.com/spdx/tools#upgrading-to-spdx-20
Mit freundlichen Grüßen / Best regards
|
|
|
|
|
|
Re: "X.org Preferred License"
Hi Alan,
toggle quoted messageShow quoted text
Your Firefox extension works really well. Thanks for this great tool! Best, Till Am 14.01.21 um 22:26 schrieb Alan Tse:
Hi Mark,
|
|
|
|
|
|
Re: "X.org Preferred License"
I'm glad this topic came up, because I hadn't heard of spdx-license-diff before, and now I have it installed. That's a pretty good start to a Friday!
Thanks, Alan!
steve
From: spdx@... <spdx@...>
On Behalf Of Alan Tse
Hi Mark, I’m also not sure of which SPDX tool you were using but I checked with the browser extension spdx-license-diff and I get a template match to MIT since the extra part is optional as described by Steve.
Of course if you do use the browser extension and you see missing template matches with it (which I find occasionally), I’ll fix it if you report it.
Alan
From:
<spdx@...> on behalf of Steve Winslow <swinslow@...>
CAUTION: This email originated from outside of Western Digital. Do not click on links or open attachments unless you recognize the sender and know that the content is safe.
Hi Mark,
The MIT license template on the license list [1] has the language "(including the next paragraph)" as optional text, which is why that part shows up in blue italics on the list [2].
I think that's what you're referring to, but let me know if I'm missing something.
Best, Steve
On Thu, Jan 14, 2021 at 3:19 PM Mark Atwood via
lists.spdx.org <atwoodm=amazon.com@...> wrote:
Steve Winslow
|
|
|
|
|
|
Re: "X.org Preferred License"
Thanks, and I see it’s already done. Now I need to see why my tool isn’t matching it.
..m
From: Steve Winslow <swinslow@...>
Sent: Thursday, January 14, 2021 12:47 PM To: spdx@... Cc: Kate Stewart <kstewart@...>; Atwood, Mark <atwoodm@...> Subject: RE: [EXTERNAL] [spdx] "X.org Preferred License"
Hi Mark,
The MIT license template on the license list [1] has the language "(including the next paragraph)" as optional text, which is why that part shows up in blue italics on the list [2].
I think that's what you're referring to, but let me know if I'm missing something.
Best, Steve
On Thu, Jan 14, 2021 at 3:19 PM Mark Atwood via lists.spdx.org <atwoodm=amazon.com@...> wrote:
Steve Winslow
|
|
|
|
|
|
Re: "X.org Preferred License"
Alan Tse
Hi Mark, I’m also not sure of which SPDX tool you were using but I checked with the browser extension spdx-license-diff and I get a template match to MIT since the extra part is optional as described by Steve.
Of course if you do use the browser extension and you see missing template matches with it (which I find occasionally), I’ll fix it if you report it.
Alan
From: <spdx@...> on behalf of Steve Winslow <swinslow@...>
CAUTION: This email originated from outside of Western Digital. Do not click on links or open attachments unless you recognize the sender and know that the content is safe.
Hi Mark,
The MIT license template on the license list [1] has the language "(including the next paragraph)" as optional text, which is why that part shows up in blue italics on the list [2].
I think that's what you're referring to, but let me know if I'm missing something.
Best, Steve
On Thu, Jan 14, 2021 at 3:19 PM Mark Atwood via
lists.spdx.org <atwoodm=amazon.com@...> wrote:
Steve Winslow
|
|
|
|
|
|
Re: "X.org Preferred License"
Steve Winslow
Hi Mark, The MIT license template on the license list [1] has the language "(including the next paragraph)" as optional text, which is why that part shows up in blue italics on the list [2]. I think that's what you're referring to, but let me know if I'm missing something. Best, Steve
The "X.org Preferred License" documented at [
|
|
|
|
