"X.org Preferred License"
The "X.org Preferred License" documented at https://www.x.org/archive/current/doc/xorg-docs/License.html is the MIT license with the additional text "(including the next paragraph)" in the middle. Our SPDX license matching tool is not locking onto it at 100%, but instead shows it as nearest by edit distance to MIT. I've not yet dug in deeper, but is the X.org variant in the SPDX database? If not, should we add it as a new license, or as a matching-rule variant of MIT? If it's not in the database, I will start the legwork and paperwork to add it.

..m

Mark Atwood <atwoodm@...>
Principal, Open Source
+1-206-604-2198
Referencing external spdx documents with package information from project.spdx.yml
stephanie.neubauer@...
Hello :)
I am currently working on an issue in the Oss-Review-Toolkit [1] to support referring to external SPDX files from a `project.spdx.yml` [2].
I am currently checking out the SPDX spec [3] and the SPDX schema [4] to create a working example of a `project.spdx.yml` which has a package referencing an external SPDX document for its metadata. In the example file provided in [5] I could not find a reference of that sort. I have tried using the `externalRefs` parameter of a package in the SPDX document, but did not manage to actually reference an external SPDX document. In the last paragraph of the spdx/tools repository [6] I found a mention of "ExternalSpdxElement", which is not in the 2.0 model anymore. Has this been replaced in some way?
I wondered whether there is an actual example in one of the documentation pages or repositories that shows a project.spdx.yml listing a package, and in that package's metadata referring to additional metadata in the form of a package.spdx.yml (or something similar).
Here is a slightly changed project.spdx.yml (originally from [7]) that shows how I would imagine the mechanism working:

SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2020-07-23T18:30:22Z"
  creators:
  - "Organization: Example Inc."
  - "Person: Thomas Steenbergen"
  licenseListVersion: "3.9"
name: "xyz-0.1.0"
dataLicense: "CC0-1.0"
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz"
documentDescribes:
- "SPDXRef-Package-xyz"
packages:
- SPDXID: "SPDXRef-Package-xyz"
  description: "Awesome product created by Example Inc."
  copyrightText: "Copyright (C) 2020 Example Inc."
  downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
  filesAnalyzed: false
  homepage: "https://example.com/products/xyz"
  licenseConcluded: "NOASSERTION"
  licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
  name: "xyz"
  versionInfo: "0.1.0"
- SPDXID: "SPDXRef-Package-curl"
  externalRefs:
  - referenceCategory: "OTHER"
    referenceLocator: "curl:7.70.0"  # (or a similar way of giving an identifier)
    referenceType: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml  # (alternatively a relative path to the same file locally could be given here)

# OR:

- SPDXID: "SPDXRef-Package-curl"
  externalSpdxDocument:
    documentUri: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml  # (alternatively a relative path to the same file locally could be given here)
    id: SPDXDocumentRef-curl

relationships:
- spdxElementId: "SPDXRef-Package-xyz"
  relatedSpdxElement: "SPDXRef-Package-curl"
  relationshipType: "DEPENDS_ON"
[1] https://github.com/oss-review-toolkit/ort
[2] https://github.com/oss-review-toolkit/ort/issues/3402
[3] https://spdx.github.io/spdx-spec/3-package-information/#321-external-reference
[4] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json
[5] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXYAMLExample-2.2.spdx.yaml
[6] https://github.com/spdx/tools#upgrading-to-spdx-20
Best regards
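The mechanism SPDX 2.2 itself provides for the case asked about above, as an added example that is neither part of the post nor ORT's code: a document-level `externalDocumentRefs` entry binds a local `DocumentRef-` identifier to the external document's `documentNamespace` URI and a checksum of that document's bytes, and a relationship then targets `DocumentRef-curl:SPDXRef-Package-curl` instead of a locally declared package. The consumer should refuse to use the external document when the checksum does not match, since that file is the only thing saying what "curl" is. The two documents, their namespace URIs, the curl download location and the `fetch`/`resolve_element`/`dependencies` names are constructed for this example (the external document is written in the equivalent SPDX 2.2 JSON form so no YAML library is needed); only the field names `externalDocumentRefs`, `externalDocumentId`, `spdxDocument`, `checksum` and the `DocumentRef-` prefix come from the spec.

```python
import hashlib
import json

# Constructed stand-in for curl's own package.spdx.yml, in the equivalent SPDX 2.2
# JSON form so no YAML library is needed; namespace URI and locations are assumed.
CURL_DOC_BYTES = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.2", "name": "curl-7.70.0",
    "dataLicense": "CC0-1.0",
    "documentNamespace": "https://example.com/spdxdocs/curl-7.70.0",
    "documentDescribes": ["SPDXRef-Package-curl"],
    "packages": [{
        "SPDXID": "SPDXRef-Package-curl", "name": "curl", "versionInfo": "7.70.0",
        "downloadLocation": "https://curl.se/download/curl-7.70.0.tar.gz",
        "filesAnalyzed": False, "licenseConcluded": "curl", "licenseDeclared": "curl",
        "copyrightText": "NOASSERTION",
    }],
}, sort_keys=True, indent=2).encode()


def project_document(curl_doc_sha1: str) -> dict:
    """The xyz project document, referring to curl's document the SPDX 2.2 way."""
    return {
        "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.2", "name": "xyz-0.1.0",
        "dataLicense": "CC0-1.0",
        "documentNamespace": "http://spdx.org/spdxdocs/spdx-document-xyz",
        "documentDescribes": ["SPDXRef-Package-xyz"],
        # Document-level external document reference: a local DocumentRef- id, the
        # external document's own namespace URI, and a checksum of its bytes.
        "externalDocumentRefs": [{
            "externalDocumentId": "DocumentRef-curl",
            "spdxDocument": "https://example.com/spdxdocs/curl-7.70.0",
            "checksum": {"algorithm": "SHA1", "checksumValue": curl_doc_sha1},
        }],
        "packages": [{
            "SPDXID": "SPDXRef-Package-xyz", "name": "xyz", "versionInfo": "0.1.0",
            "filesAnalyzed": False,
            "licenseDeclared": "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc",
        }],
        # No local curl package: the relationship targets the element inside the
        # external document through the "DocumentRef-curl:" prefix.
        "relationships": [{
            "spdxElementId": "SPDXRef-Package-xyz",
            "relatedSpdxElement": "DocumentRef-curl:SPDXRef-Package-curl",
            "relationshipType": "DEPENDS_ON",
        }],
    }


class ExternalDocumentError(Exception):
    """An external document is undeclared, unsupported, or fails its checksum."""


def resolve_element(doc: dict, element_ref: str, fetch) -> dict:
    """Return the package that a (possibly DocumentRef-prefixed) element id denotes.

    fetch(namespace_uri) -> bytes supplies the external document (assumed callback);
    its checksum is checked against externalDocumentRefs before any content is used.
    """
    if element_ref.startswith("DocumentRef-") and ":" in element_ref:
        doc_ref_id, local_id = element_ref.split(":", 1)
        refs = {r["externalDocumentId"]: r for r in doc.get("externalDocumentRefs", [])}
        if doc_ref_id not in refs:
            raise ExternalDocumentError(f"undeclared external document {doc_ref_id}")
        ref = refs[doc_ref_id]
        data = fetch(ref["spdxDocument"])
        algo = ref["checksum"]["algorithm"].lower().replace("-", "_")  # SHA1, SHA256, SHA3-256
        if algo not in hashlib.algorithms_available:
            raise ExternalDocumentError(f"unsupported checksum algorithm {algo}")
        if hashlib.new(algo, data).hexdigest() != ref["checksum"]["checksumValue"].lower():
            raise ExternalDocumentError(f"checksum mismatch for {doc_ref_id}")
        return resolve_element(json.loads(data), local_id, fetch)
    for pkg in doc.get("packages", []):
        if pkg["SPDXID"] == element_ref:
            return pkg
    raise KeyError(element_ref)


def dependencies(doc: dict, element_id: str, fetch) -> list:
    """Packages that element_id DEPENDS_ON, resolved across document boundaries."""
    return [resolve_element(doc, r["relatedSpdxElement"], fetch)
            for r in doc.get("relationships", [])
            if r["spdxElementId"] == element_id and r["relationshipType"] == "DEPENDS_ON"]


def demo() -> dict:
    """Constructed run: the untouched curl document resolves, a tampered copy is rejected."""
    store = {"https://example.com/spdxdocs/curl-7.70.0": CURL_DOC_BYTES}
    doc = project_document(hashlib.sha1(CURL_DOC_BYTES).hexdigest())
    resolved = dependencies(doc, "SPDXRef-Package-xyz", store.__getitem__)
    tampered = {k: v.replace(b'"curl"', b'"MIT"') for k, v in store.items()}
    try:
        dependencies(doc, "SPDXRef-Package-xyz", tampered.__getitem__)
        rejected = False
    except ExternalDocumentError:
        rejected = True
    return {"resolved": [(p["name"], p["versionInfo"], p["licenseDeclared"]) for p in resolved],
            "tampered_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The same structure serialises to YAML one-to-one (`externalDocumentRefs:` as a list under the document, `relatedSpdxElement: "DocumentRef-curl:SPDXRef-Package-curl"` in the relationship), so a `project.spdx.yml` can carry it unchanged; what matters for a consumer like an analyzer is to compute the checksum over the fetched bytes before parsing, so that a swapped or edited package document cannot silently change the declared licenses of a dependency.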
SPDX General Meeting
Phil Odence
Here's a new invite for 2021. Please accept the recurring meeting. Note there will be no SPDX General Meeting in January.
New dial-in number: 415-881-1586 (no PIN needed)
The weblink for screenshare:
Canceled: SPDX General Meeting
Phil Odence
This is an old meeting. Please ignore.
Ignore meeting cancellation
Phil Odence
I am trying to remove a legacy event from an old calendar. I think you will receive a cancellation of this old meeting. Apologies, just ignore. We are on for a General Meeting next week. Happy New Year, Phil
L. Philip Odence General Manager, Black Duck Audit Business Synopsys Software Integrity Group, Burlington, MA M (781) 258-9502 | phil.odence@... https://www.synopsys.com/audits
SPDX December General Meeting Minutes
Phil Odence
Happy Holidays, All. See you in 2021!
https://wiki.spdx.org/view/General_Meeting/Minutes/2020-12-03
General Meeting/Minutes/2020-12-03
· Attendance: 11
· Led by Phil Odence
· Minutes of Nov meeting approved

Tech Team Report - Gary
· Spec
  · Nov, busy month
  · Mostly working on Base Model
  · Working on Relationships
    · Between, for example, files, packages, etc.
  · Exploring verification methods, digital signatures, etc.
  · Supporting Contains
  · This should clear the way to get more work done on the other profiles
  · Process work too
  · Hoping enough is in place after next meeting to remove blockers
· Tools
  · New release of online tools is up
    · Quite significant
    · Much new functionality
    · As such, there will likely be issues
    · Report in GitHub or by emailing Gary
    · There was a character encoding issue that was quickly resolved
  · New license list generator has improved the LL
  · Good work/improvements on Go libraries
    · THANKS, Rishabh

Legal Team Report - Paul/Jilayne/Steve
· Main Nov work: 3.11 License release
  · A little smaller than previous ones
· 3.12 discussions starting today
  · Aiming for end of Jan
  · Dealing with a little backlog of new requests
  · Could use help, as usual
· Documentation/Website
  · Core team has been overhauling
  · Updating License List page
  · Including moving to GitHub

Outreach Team Report
· Aveek's ideas for increasing SPDX participation
  · Started discussing last meeting
  · Rough plan
    · Approach student communities at different schools
    · Give assignments to students for onboarding
      · e.g. Open Printing has a generic, easy, but comprehensive assignment defined
      · May need different ones for different technologies
    · Single point of contact to guide students
      · Perhaps students from previous years
    · Identify basic issues to assign
    · Encourage participation in GSoC and LFMP
    · Encourage previous students to mentor
    · Organize virtual meetups
      · From student groups in schools
  · Also has the idea of talking to other projects about benefits
    · Will start with Open Printing

Attendees
· Phil Odence, Black Duck/Synopsys
· David Wheeler, Linux Foundation
· Rishabh Bhatnagar, St Francis Inst Tech
· Aveek Basu, NextMark Printers
· Steve Winslow, LF
· Jilayne Lovejoy, Canonical
· Mark Atwood, Amazon
· Paul Madick
· Mike Dolan, Linux Foundation
· Jim Hutchison, Qualcomm
· Rose Judge, VMware
Thursday SPDX General Meeting Reminder
Phil Odence
GENERAL MEETING
Meeting Time: Thurs, Dec 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial-in number: 415-881-1586 (no PIN needed)
The weblink for screenshare will stay the same at:
Administrative Agenda
· Attendance
· Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2020-11-05
Technical Team Report – Gary
Legal Team Report – Jilayne/Paul/Steve
Outreach Team Report – Jack
Any Cross Functional Issues –All
Thursday SPDX General Meeting Reminder
Phil Odence
Sorry for the late notice.
Today we will have the standard agenda plus a walkthrough of the state of the 3.0 spec.
GENERAL MEETING
Meeting Time: Thurs, Nov 5, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial-in number: 415-881-1586 (no PIN needed)
The weblink for screenshare will stay the same at:
Administrative Agenda
· Attendance
· Minutes Approval
Spec 3.0 walk through
Technical Team Report – Kate/Gary
Legal Team Report – Jilayne/Paul/Steve
Outreach Team Report – Jack
Any Cross Functional Issues –All
SPDX General Meeting Minutes and Webpage Update
Phil Odence
There was full support for the webpage updates at the General Meeting. The plan is on to move forward if no one raises any concerns in the next week. (text of update is at the bottom of this email)
Meeting minutes and link below
Thanks, Phil
Minutes: https://wiki.spdx.org/view/General_Meeting/Minutes/2020-10-01
General Meeting/Minutes/2020-10-01
· Attendance: 8
· Led by Phil Odence
· Minutes of Sept meeting approved

Webpage Update - Phil
· No objections to new copy for website

Tech Team Report - Steve standing in
· Spec
  · DCO bot has been turned on for the spec
  · 2.2.1
    · ISO requested more information
    · Developed and submitted
  · 3.0
    · WilliamB has set up new branch
    · Still working on main profile
    · Minor mods for OMG/NTIA
    · Japan user group has provided inputs
    · Vulnerabilities Profile
      · Working with 3TS group
    · Linkage Profile
      · Name still up in the air
      · Something about linking docs and vetting provenance
    · Build Profile
      · Kate working on looking at different build systems
· Tools
  · Google SoC
    · All students passed. Congrats!
    · Rishabh has stayed involved and done some great work
  · Community Bridge
    · 2 projects going
    · Tools.spdx.org
      · Funding is $2100 / $2400
      · All tools being transitioned
      · Test instance in place: http://52.32.53.255/
      · Please poke!

Legal Team Report - Paul/Jilayne/Steve
· Licensing Profile
  · This has been the recent focus of the team
  · Simplify/clarify what's been in place
  · Working doc for initial draft: https://docs.google.com/document/d/1k_2tSlFXvW_SbW-I1DcSEoCNBMQJd4FEFIQr6KCJuyU/edit#
  · Base + Licensing is targeted at the historical use case for SPDX
  · Next step will be to clean up the initial draft for further discussion
· License List
  · Little change due to focus on Licensing Profile
  · Building up a little backlog
· Legal Team minutes going forward are kept here: https://github.com/spdx/meetings

Outreach Team Report
· No update

Attendees
· Phil Odence, Black Duck/Synopsys
· Paul Madick
· Rishabh Bhatnagar, St Francis Inst Tech
· Aveek, NextMark Printers
· Steve Winslow, LF
· Jilayne Lovejoy, Canonical
· Michael Herzog, nexB
· Mike Dolan, Linux Foundation
From: Phil Odence <podence@...>
All, The SPDX Core Team has been working on a long overdue update to some of the web content that describes the spec and the project. Below is what we’ve come up with. We think it’s good to go, but at the Thurs General Meeting will see if anyone has concerns that would merit scheduling a meeting to discuss in more detail. Thanks, Phil
----- Short summary for top of main page, https://spdx.dev/ and anywhere else a short summary is needed/used ------ SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.
------------ FOR NEW ABOUT PAGE ----------------------------
Our Vision
The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

Our Mission
The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information.

About
SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations: software, systems and tool vendors, foundations and systems integrators. Work is done by two sub-groups: the tech team and the legal team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.

The SPDX project is composed of:
· Guiding principles
· Governance Model: The SPDX Governance model is documented here.
------------END FOR NEW ABOUT PAGE ----------------------------
Thursday SPDX General Meeting Reminder - w/brief website discussion
Phil Odence
Funding SPDX Tool Hosting…$284 to go to our goal: Thanks to a number of contributions (and especially generous contributions from OpenChain, Qualcomm and our own Jilayne) we’ve blown past our phase 1 goal to fund this year and are well on our way to phase 2 to fund next year. Still a little way to go; if you’ve not already, please contribute: https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124
THANKS!
Phil Odence
GENERAL MEETING
Meeting Time: Thurs, Sept 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial-in number: 415-881-1586 (no PIN needed)
The weblink for screenshare will stay the same at:
Administrative Agenda
· Attendance
· Minutes Approval
Website – Input on moving forward with updates (review Tuesday email)
Technical Team Report – Steve
Legal Team Report – Jilayne/Paul/Steve
Outreach Team Report – Jack
Any Cross Functional Issues –All
SPDX Webpage Update
Phil Odence
All, The SPDX Core Team has been working on a long overdue update to some of the web content that describes the spec and the project. Below is what we’ve come up with. We think it’s good to go, but at the Thurs General Meeting will see if anyone has concerns that would merit scheduling a meeting to discuss in more detail. Thanks, Phil
----- Short summary for top of main page, https://spdx.dev/ and anywhere else a short summary is needed/used ------ SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.
------------ FOR NEW ABOUT PAGE ----------------------------
Our Vision
The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

Our Mission
The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information.

About
SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations: software, systems and tool vendors, foundations and systems integrators. Work is done by two sub-groups: the tech team and the legal team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.

The SPDX project is composed of:
· Guiding principles
· Governance Model: The SPDX Governance model is documented here.
------------END FOR NEW ABOUT PAGE ----------------------------
Using SPDX for Python packages license documentation
Philippe Ombredanne
Dear Special People Doing eXceptional things:
FYI, I have been working with the Python community to specify how Python package distributions can use SPDX license expressions in their core metadata. The draft of this spec (called a PEP, for Python Enhancement Proposal) is at: https://www.python.org/dev/peps/pep-0639/
Comments and feedback are welcome at: https://discuss.python.org/t/2154

--
Cordially
Philippe Ombredanne
+1 650 799 0949 | pombredanne@...
DejaCode - What's in your code?! - http://www.dejacode.com
AboutCode - Open source for open source - https://www.aboutcode.org
nexB Inc. - http://www.nexb.com
SPDX Sept Gen Meeting Minutes
Phil Odence
Thanks to Paul for hosting in my absence. https://wiki.spdx.org/view/General_Meeting/Minutes/2020-09-03
Best, Phil
Today's SPDX General Meeting Reminder - Special Presentation
Phil Odence
I have a conflict, so Paul will run the show today. Normal agenda, so it should not go the full hour.
Funding SPDX Tool Hosting…$800 to go to our goal: Thanks to a number of contributions we’ve blown past our phase 1 goal to fund this year and are well on our way to phase 2 to fund next year. You can still contribute: https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124
GENERAL MEETING
Meeting Time: Thurs, Sept 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial-in number: 415-881-1586 (no PIN needed)
The weblink for screenshare will stay the same at:
Administrative Agenda
· Attendance
· Minutes Approval
Technical Team Report – Kate/Gary
Legal Team Report – Jilayne/Paul/Steve
Outreach Team Report – Jack
Any Cross Functional Issues –All
Re: Confirming General Meeting datetime and connection info
VM (Vicky) Brasseur
Check! Many thanks to you & Mike for the quick responses. My calendar is finally correct on this matter. :)
--V

Steve Winslow wrote on 10/8/20 11:54:
Hi VM, that's correct, for the time being the General meeting has continued to use UberConference for their monthly calls.
Re: Confirming General Meeting datetime and connection info
Steve Winslow
Hi VM, that's correct, for the time being the General meeting has continued to use UberConference for their monthly calls.

Best,
Steve

On Mon, Aug 10, 2020 at 2:43 PM VM (Vicky) Brasseur <spdx@...> wrote:
According to the wiki page, the General Meeting call is the first
Confirming General Meeting datetime and connection info
VM (Vicky) Brasseur
According to the wiki page, the General Meeting call is the first Thursday of the month and meets on Uberconference: https://wiki.spdx.org/view/General_Meeting
Is this still correct, or is there (for instance) a Zoom link to use instead? --V
SPDX Aug General Meeting Minutes
Phil Odence
https://wiki.spdx.org/view/General_Meeting/Minutes/2020-08-06
General Meeting/Minutes/2020-08-06
· Attendance: 14
· Led by Phil Odence
· Minutes of Aug meeting

Presentation - GSoC Smith Tanjong Agbor
· Validating License Cross References

Tech Team Report - Kate / Gary
· Spec
  · 2.1 is in good shape
  · Ready to submit to ISO
  · Many big thanks to Steve, Jack, Rex and others for great work
  · Should be an ISO spec in 4-5 months
  · Also looking at 3.0 for ISO
· Tools
  · Community Bridge funding project
    · We are through phase 1 (funding for this year)
    · On track for phase 2 next year
  · Should have new infrastructure up in the next month or two
    · Including real URL
    · and SSL for security
· GSoC
  · All projects are progressing quite well
  · All students have passed 2nd evaluation
  · Aveek started this for SPDX (in addition to LF) and it's been great for us
  · We get more slots as a consequence

Legal Team Report - Paul/Steve
· License List
  · Monday we released the 3.10 license list
  · 20 new ones
· Joint meeting upcoming with the tech team to look at 3.0

Outreach Team Report
· No update

Attendees
· Phil Odence, Black Duck/Synopsys
· David Wheeler, Linux Foundation
· Mark Baushke, Juniper
· Kate Stewart, Linux Foundation
· Gary O'Neall, SourceAuditor
· Paul Madick
· Michael Herzog, nexB
· Steve Winslow, LF
· Matije Suklje, Liferay
· Aveek, NextMark Printers
· Alexios Zavras, Intel
· Michael Richardson
· Mike Dolan, Linux Foundation
Today's SPDX General Meeting Reminder - Special Presentation
Phil Odence
Special Presentation by Tanjong Agbor Smith, one of our Google Summer of Code students

Here's how Tanjong describes himself and his work:
I am Tanjong Agbor Smith, enrolled in a Master's degree in Computing Science at the University of Alberta. This is my second GSoC contribution for SPDX; my first was last year (GSoC 2019) with the License List namespaces project, which was a success. I shall be talking about a Google Summer of Code project titled "Validate license list cross references". This project emanates from a GitHub issue raised, and seeks to provide more information on the validity of URLs listed in license files.
Funding SPDX Tool Hosting: I’ll also mention that thanks to a number of contributions we’ve blown past our phase 1 goal to fund this year and are well on our way to phase 2 to fund next year. You can still contribute: https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124
GENERAL MEETING
Meeting Time: Thurs, Aug 6, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial-in number: 415-881-1586 (no PIN needed)
The weblink for screenshare will stay the same at:
Administrative Agenda
· Attendance
· Minutes Approval
Presentation
Technical Team Report – Kate/Gary
Legal Team Report – Jilayne/Paul/Steve
Outreach Team Report – Jack
Any Cross Functional Issues –All