Hello J

I am currently working on an issue in the Oss-Review-Toolkit  [1] to support referring to external SPDX files from a `project.spdx.yml` [2].

I am currently checking out the spdx-specs [3] and the spdx schema [4] to create a working example of an ´project.spdx.yml` which has a package referencing an external SPDX document for  its metadata.

In the example file provided in [5]  I could not find a reference of that sort.

I have tried using `externalRefs` parameter of a package in the spdx document, but didn’t achieve actually referencing an external spdx document.

In the last paragraph of the spdx/tools repository [6] I have found a mention of “ExternalSpdxElement” that is not in the 2.0 model anymore. Has this been replaced in some way?

I wondered if there was an actual example in one of the documentations or repositories that shows:

A project.spdx.yml listing a package

and in that package metadata refer to

additional metadata in the form of a package.spdx.yml (or something similar)

Here is a slightly changed project.spdx.yml (originally from [7]) that shows how I would imagine the mechanisms working:

SPDXID: "SPDXRef-DOCUMENT"

spdxVersion: "SPDX-2.2"

creationInfo:

  created: "2020-07-23T18:30:22Z"

  creators:

  - "Organization: Example Inc."

  - "Person: Thomas Steenbergen"

  licenseListVersion: "3.9"

name: "xyz-0.1.0"

dataLicense: "CC0-1.0"

documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz"

documentDescribes:

- "SPDXRef-Package-xyz"

packages:

- SPDXID: "SPDXRef-Package-xyz"

  description: "Awesome product created by Example Inc."

  copyrightText: "Copyright (C) 2020 Example Inc."

  downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78"

  filesAnalyzed: false

  homepage: "https://example.com/products/xyz"

  licenseConcluded:  "NOASSERTION"

  licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"

  name: "xyz"

  versionInfo: "0.1.0"

- SPDXID: "SPDXRef-Package-curl"

  externalRefs:

    referenceCategory: "OTHER"

    referenceLocator: "curl:7.70.0" (or similar way of giving an identifier)

    referenceType: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml (alternatively a relative path to the same file locally could be given here)

OR:       - SPDXID: "SPDXRef-Package-curl"

  externalSpdxDocument:

    documentUri: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml (alternatively a relative path to the same file locally could be given here)

    id: SPDXDocumentRef-curl

relationships:

- spdxElementId: "SPDXRef-Package-xyz"

  relatedSpdxElement: "SPDXRef-Package-curl"

  relationshipType: "DEPENDS_ON"

[1] https://github.com/oss-review-toolkit/ort

[2] https://github.com/oss-review-toolkit/ort/issues/3402

[3] https://spdx.github.io/spdx-spec/3-package-information/#321-external-reference

[4] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json

[5] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXYAMLExample-2.2.spdx.yaml

[6] https://github.com/spdx/tools#upgrading-to-spdx-20

[7] https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/project/project.spdx.yml

Mit freundlichen Grüßen / Best regards

Stephanie Neubauer

Project Delivery Stuttgart (IOC/PDL4)
Robert Bosch GmbH | Postfach 11 27 | 71301 Waiblingen | GERMANY | www.bosch.com
Tel. +49 711 811-92528 | Mobil +49 172 3620267 | Telefax +49 711 811-58200 | Threema / Threema Work: PHCV2F36 | Stephanie.Neubauer@...

Sitz: Stuttgart, Registergericht: Amtsgericht Stuttgart, HRB 14000;
Aufsichtsratsvorsitzender: Franz Fehrenbach; Geschäftsführung: Dr. Volkmar Denner,
Prof. Dr. Stefan Asenkerschbaumer, Filiz Albrecht, Dr. Michael Bolle, Dr. Christian Fischer,
Dr. Stefan Hartung, Dr. Markus Heyn, Harald Kröger, Rolf Najork, Uwe Raschke
​

Here’s a new invite for 2021. Please accept the recurring meeting

Note there will be no SPDX General Meeting in January.

****

New dial in number: 415-881-1586  

No PIN needed

The weblink for screenshare:
https://www.uberconference.com/room/spdxteam

MEETING MINUTES FOR REVIEW: http://spdx.org/wiki/meeting-minutes-and-decisions

I am trying to remove a legacy event from an old calendar. I think you will receive a cancellation of this old meeting. Apologies, just ignore. We are on for a General Meeting next week.

Happy New Year,

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

Happy Holidays, All. See you in 2021!

https://wiki.spdx.org/view/General_Meeting/Minutes/2020-12-03

< General Meeting‎ | Minutes

·         Attendance: 11

·         Lead by Phil Odence

·         Minutes of Nov meeting Approved

Contents

 [hide] 

·         1 Tech Team Report - Gary

·         2 Legal Team Report - Paul/Jilayne/Steve

·         3 Outreach Team Report

·         4 Attendees

·         Spec

·         Nov, busy month

·         Mostly working on Base Model

·         Working on Relationships

·         Between, for example, files, packages, etc

·         Exploring verification methods, digital signatures, etc

·         Supporting Contains

·         This should clear the way to get more work done on the other profiles

·         Process work too

·         Hoping enough is in place after next meeting to remove blockers

·         Tools

·         New release of online tools is up

·         Quite significant

·         Much new functionality

·         As such, there will likely be issues

·         Report in GitHub or emailing Gary

·         There was a character encoding issues that was quickly resolved

·         New license list generator has improved the LL

·         Good work/improvements on Go libraries

·         THANKS, Rishabh

·         Main Nov work 3.11 License release

·         A little smaller than previous was

·         3.12 discussions starting today

·         Aiming for end of Jan

·         Dealing with a little backlog of new requests

·         Could use help, as usual

·         Documentation/Website

·         Core team has been overhauling

·         Updating License List page

·         Including moving to GitHub

·         Aveek’s ideas for increasing SPDX Participation

·         Started discussing last meeting

·         Rough plan

·         Approach student communities at different schools

·         Give assignments to students or onboarding

·         e.g. Open Printing has a generic, easy, but comprehensive assignment defined

·         May need different ones for different technologies

·         Single point of contact to guide students

·         Perhaps students from previous years

·         Identify basic issues to assign

·         Encourage participation in GSOC and LFMP

·         Encourage previous students to mentor

·         Organize Virtual Meetups

·         From student groups in schools

·         Also has the idea of talking to other projects about benefits

·         Will start with Open Printing

·         Phil Odence, Black Duck/Synopsys

·         David Wheeler, Linux Foundation

·         Rishabh Bhatnagar, St Francis Inst Tech

·         Aveek Basu, NextMark Printers

·         Steve Winslow, LF

·         Jilayne Lovejoy, Canonical

·         Mark Atwood, Amazon

·         Paul Madick

·         Mike Dolan, Linux Foundation

·         Jim Hutchison, Qualcomm

·         Rose Judge, VMware

GENERAL MEETING

Meeting Time: Thurs, Dec 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2020-11-05

Technical Team Report – Gary

Legal Team Report – Jilayne/Paul/Steve

Outreach Team Report – Jack

Any Cross Functional Issues –All

 Sorry for the late notice.

Today we will have the standard agenda plus a walkthrough of the state of the 3.0 spec.

GENERAL MEETING

Meeting Time: Thurs, Nov 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

Administrative Agenda

Attendance

Minutes Approval 

Spec 3.0 walk through

Technical Team Report – Kate/Gary

Legal Team Report – Jilayne/Paul/Steve

Outreach Team Report – Jack

Any Cross Functional Issues –All

There was full support for the webpage updates at the General Meeting. The plan is on to move forward if no one raises any concerns in the next week. (text of update is at the bottom of this email)

Meeting minutes and link below

Thanks,

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

Minutes:

https://wiki.spdx.org/view/General_Meeting/Minutes/2020-10-01

< General Meeting‎ | Minutes

·         Attendance: 8

·         Lead by Phil Odence

·         Minutes of Sept meeting Approved

Contents

 [hide] 

·         1 Webpage Update- Phil

·         2 Tech Team Report - Steve standing in

·         3 Legal Team Report - Paul/Jilayne/Steve

·         4 Outreach Team Report

·         5 Attendees

·         No objections to new copy for website

·         Spec

·         DCO bot has been turned on for the spec

·         2.2.1

·         ISO requested more information

·         Developed and submitted

·         3.0

·         WilliamB has set up new branch

·         Still working on main profile

·         Minor mods for OMG/NTIA

·         Japan user group has provided inputs

·         Vulnerabilities Profile

·         Working with 3TS group

·         Linkage Profile

·         Name still up in the air

·         Something about of linking docs and vetting provenance

·         Build Profile

·         Kate working on looking at different built systems

·         Tools

·         Google SoC

·         All students passed. Congrats!

·         Rishabh has stayed involved and done some great work

·         Community Bridge

·         2 projects going

·         Tools.spdx.org

·         Funding is $2100 / $2400

·         All tools being transitioned

·         Test instance in place http://52.32.53.255/

·         Please Poke!

·         Licensing Profie

·         This has been the recent focus of the team

·         Simplify/Clarify what’s been in place

·         Working doc for initial draft: https://docs.google.com/document/d/1k_2tSlFXvW_SbW-I1DcSEoCNBMQJd4FEFIQr6KCJuyU/edit#

·         Base + Licensing is targeted at the historical use case for SPDX

·         Next step will be to clean up the initial draft for further discussion

·         License List

·         Little change due to focus on Licensing Profile

·         Building up a little backlog

·         Minutes for Legal Team going forward keeps minutes here:

·         https://github.com/spdx/meetings

·         No Update

·         Phil Odence, Black Duck/Synopsys

·         Paul Madick

·         Rishabh Bhatnagar, St Francis Inst Tech

·         Aveek, NextMark Printers

·         Steve Winslow, LF

·         Jilayne Lovejoy, Canonical

·         Michael Herzog- nexB

·         Mike Dolan, Linux Foundation

All,

The SPDX Core Team has been working on a long overdue update to some of the web content that describes the spec and the project. Below is what we’ve come up with. We think it’s good to go, but at the Thurs General Meeting will see if anyone has concerns that would merit scheduling a meeting to discuss in more detail.

Thanks,

Phil

----- Short summary for top of main page, https://spdx.dev/ and anywhere else a short summary is needed/used ------

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations  and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

------------ FOR NEW ABOUT PAGE ----------------------------

Our Vision

The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. 

Our Mission

The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information. 

About

SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by two sub-groups: the tech team and the legal team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.

The SPDX project is composed of:

• The SPDX Specification itself
• the SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
• SPDX tools and libraries for working with the SPDX documents and SPDX License List

Guiding principles

• SPDX represents data in formats that are both machine- and human-readable.
• SPDX focuses on collecting and communicating facts; and provides a framework to make assertions about those facts.
• SPDX makes no legal interpretations (of licenses or license compliance).
• SPDX facilitates the efficient exchange of metadata in the supply chain. 

Governance Model

The SPDX Governance model is documented here.

------------END  FOR NEW ABOUT PAGE ----------------------------

Funding SPDX Tool Hosting…$284 to go to our goal: Thanks to a number of contributions (and especially generous contributions from OpenChain, Qualcomm and our own Jilayne) we’ve blown past our phase 1 goal to fund this year and are well on our way to phase 2 to fund next year.

Still a little way to go; if you’ve not already, please contribute: https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124

THANKS!

Phil Odence

GENERAL MEETING

Meeting Time: Thurs, Sept 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

Administrative Agenda

Attendance

Minutes Approval 

Website – Input on moving forward with updates (review Tuesday email)

Technical Team Report – Steve

Legal Team Report – Jilayne/Paul/Steve

Outreach Team Report – Jack

Any Cross Functional Issues –All

All,

The SPDX Core Team has been working on a long overdue update to some of the web content that describes the spec and the project. Below is what we’ve come up with. We think it’s good to go, but at the Thurs General Meeting will see if anyone has concerns that would merit scheduling a meeting to discuss in more detail.

Thanks,

Phil

----- Short summary for top of main page, https://spdx.dev/ and anywhere else a short summary is needed/used ------

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations  and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

------------ FOR NEW ABOUT PAGE ----------------------------

Our Vision

The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. 

Our Mission

The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information. 

About

SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by two sub-groups: the tech team and the legal team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.

The SPDX project is composed of:

• The SPDX Specification itself
• the SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
• SPDX tools and libraries for working with the SPDX documents and SPDX License List

Guiding principles

• SPDX represents data in formats that are both machine- and human-readable.
• SPDX focuses on collecting and communicating facts; and provides a framework to make assertions about those facts.
• SPDX makes no legal interpretations (of licenses or license compliance).
• SPDX facilitates the efficient exchange of metadata in the supply chain. 

Governance Model

The SPDX Governance model is documented here.

------------END  FOR NEW ABOUT PAGE ----------------------------

Thanks to Paul for hosting in my absence.

https://wiki.spdx.org/view/General_Meeting/Minutes/2020-09-03

Best,

Phil

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

I have a conflict, so Paul will run the show today. Normal agenda, so it should not go the full hour.

Funding SPDX Tool Hosting…$800 to go to our goal: Thanks to a number of contributions we’ve blown past our phase 1 goal to fund this year and are well on our way to phase 2 to fund next year. You can still contribute: https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124

GENERAL MEETING

Meeting Time: Thurs, Sept 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

Administrative Agenda

Attendance

Minutes Approval 

Technical Team Report – Kate/Gary

Legal Team Report – Jilayne/Paul/Steve

Outreach Team Report – Jack

Any Cross Functional Issues –All

https://wiki.spdx.org/view/General_Meeting/Minutes/2020-08-06

< General Meeting‎ | Minutes

·         Attendance: 14

·         Lead by Phil Odence

·         Minutes of Aug meeting

Contents

 [hide] 

·         1 Presentation - GSoC Smith Tanjong Agbor

·         2 Tech Team Report - Kate / Gary

·         3 Legal Team Report - Paul/Steve

·         4 Outreach Team Report

·         5 Cross Functional

·         6 Attendees

·         Validating License Cross References

·         Spec

·         2.1 is in good shape

·         Ready to submit to ISO

·         Many big thanks to Steve, Jack, Rex and others for great work

·         Should be an ISO Spec in 4-5 months

·         Also looking at 3.0 for ISO

·         Tools

·         Community Bridge funding project

·         We are through phase 1 (funding for this year)

·         On track for phase 2 next year

·         Should have new infrastructure up in the next month or two

·         Including real URL

·         and SSL for security

·         GSoC

·         All projects are progressing quite well

·         All students have passed 2nd evaluation

·         Aveek started this for SPDX (in addition to LF) and it’s been great for us

·         We get more slots as a consequence

·         License List

·         Monday we relapsed 3.10 license list

·         20 new ones

·         Joint meeting upcoming with the tech team to look at 3.0

·         No Update

·          

·         Phil Odence, Black Duck/Synopsys

·         David Wheeler, Linux Foundation

·         Mark Baushke, Juniper

·         Kate Stewart, Linux Foundation

·         Gary O’Neall, SourceAuditor

·         Paul Madick

·         Michael Herzog- nexB

·         Steve Winslow, LF

·         Michael Herzog- nexB

·         Matije Suklje, Liferay

·         Aveek, NextMark Printers

·         Alexios Zavras, Intel

·         Michael Richardson

·         Mike Dolan, Linux Foundation

Special Presentation by Tanjong Agbor Smith, one of our Google Summer of Code students

Here’s how Tanjong describes himself and his work: I am Tanjong Agbor smith, enrolled in a Masters degree in Computing Science at the University of Alberta. This is my second GSOC contribution for spdx; my first was last year(GSOC 2019) with the License List namespaces project which was a success. I shall be talking about a Google summer of code project titled "Validate license list cross references". This project emanates from a github issue raised, and seeks to provide more information on the validity of urls listed in license files.

Funding SPDX Tool Hosting: I’ll also mention that thanks to a number of contributions we’ve blown past our phase 1 goal to fund this year and are well on our way to phase 2 to fund next year. You can still contribute: https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124

GENERAL MEETING

Meeting Time: Thurs, Aug 6, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

Administrative Agenda

Attendance

Minutes Approval 

Presentation

Technical Team Report – Kate/Gary

Legal Team Report – Jilayne/Paul/Steve

Outreach Team Report – Jack

Any Cross Functional Issues –All