Re: Mentorship for GSOC Project
J Lovejoy
Hi Kumar,
toggle quoted messageShow quoted text
Thanks for your interest in SPDX! As you have not joined the SPDX mailing list, I have approved your message and also copied the SPDX tech team here. I believe the tech team is who you need to talk to about a GSOC mentor. More information about our 3 working teams and the general list can be found here: https://spdx.org/participate I would recommend that you sign up for the tech mailing list as soon as possible! The direct link for that is: https://lists.spdx.org/g/spdx-tech thanks! Jilayne SPDX legal co-lead
|
|
Mentorship for GSOC Project
b115012@...
Hi , I, Kumar Saurabh, a final year student at IIIT Bhubaneswar, majoring in Computer Science and engineering. Being passionate about product development, I find developing application development exciting. A background in engineering has allowed me to develop an in-depth, analytical approach and strengthen my critical thinking ability; I have written this email to seek mentorship for GSOC project .I thoroughly gone through the projects.Enhanced Workflow for online license request and Additional format support for Python interests me lot.I am quite proficient in python and done quite amount of projects in XML,JSON and PDF parsing.I am quite comfortable in API development using FLASK .I would like to contribute to these projects. Could you help me with some basic initial information,so that i can get some head-start .Once i get acquainted with the existing workflow,I will present you a Proof of Concept ,so that we can be on same page. I look forward hearing from you. Thank you. Kind regards,
|
|
Joining technical team of SPDX
bhavys@iitk.ac.in <bhavys@...>
Hello everyone, i am interested for working with the technical team of SPDX. The GSoC project ' I want to begin contributing towards the project, could you guide me to begin making some good contributions to SPDX and the project. I have joined the general and technical mailing list. Thanks Bhavy
On 2019-03-01 20:07, Manbeck, Jack via Lists.Spdx.Org wrote:
|
|
Re: [EXTERNAL] Re: [spdx] Newcomer introduction
Manbeck, Jack
Just echoing what Jilayne said. If you can give us an idea of where your interest lie participation wise, after reading about the work groups on the site, we can guide you. Or feel free to ask questions about them.
toggle quoted messageShow quoted text
Jack
-----Original Message-----
From: spdx@... [mailto:spdx@...] On Behalf Of J Lovejoy Sent: Thursday, February 28, 2019 11:09 PM To: SPDX-general Cc: bhavys@... Subject: [EXTERNAL] Re: [spdx] Newcomer introduction Hi Bhavy, Welcome! I have just approved your message, as it appears you have not joined the mailing list. Can you please do so? We actually have 4 mailing lists - this general one and one for each sub-team: tech, legal, and outreach. I’m not sure which is appropriate for you, but there is a description of each and how to join here: https://spdx.org/participate. Thanks, Jilayne SPDX legal co-lead On Feb 26, 2019, at 10:42 AM, bhavys@... wrote:
|
|
Re: Newcomer introduction
J Lovejoy
Hi Bhavy,
toggle quoted messageShow quoted text
Welcome! I have just approved your message, as it appears you have not joined the mailing list. Can you please do so? We actually have 4 mailing lists - this general one and one for each sub-team: tech, legal, and outreach. I’m not sure which is appropriate for you, but there is a description of each and how to join here: https://spdx.org/participate. Thanks, Jilayne SPDX legal co-lead
On Feb 26, 2019, at 10:42 AM, bhavys@... wrote:
|
|
Newcomer introduction
bhavys@...
Hello everyone,
I got to know about Spdx from a friend and I found the organisation's idea of merging multiple licences into one file for easy utility very interesting. I would like to contribute to the organisation and have already opened minor PRs on github of spdx. Could you guide me where to begin. Thanks Bhavy
|
|
Seeking public comments for the OpenChain Specification version 2.0
Mark Gisi
We are seeking public comments for the next version of OpenChain Specification.
For those new to the OpenChain Specification - The OpenChain project developed a specification that defines a core set of requirements that a high quality Open Source Compliance program is expected to satisfy. Although specification provides a minimum set of “must have” requirements, a great deal of flexibility is given on how an organization can implement them.
We have recently completed the last round of feedback from the OpenChain community and the spec draft is now being circulated more broadly for public comments which concludes on March 22nd. The current draft is available at: https://wiki.linuxfoundation.org/_media/openchain/openchainspec-2.0.draft.pdf past readers of the spec might find the marked up version useful: https://wiki.linuxfoundation.org/_media/openchain/OpenChainSpec-2.0.draft.MarkUp.pdf A high level summary of the changes made over the current version (1.2) can be found on page 3.
You can send feedback via: · the Mailing list: Openchain-specification@...; · the issues wiki: https://github.com/OpenChain-Project/Specification/issues; or · replying to me directly if you wish to remain anonymous (mark.gisi@...)
To obtain a better understanding of the goals and the context in which the Specification was developed before providing feedback, you can review the following FAQ list: https://wiki.linuxfoundation.org/openchain/specification-questions-and-answers
We look forward to your feedback.
best, Mark
Mark Gisi | Wind River | Director, IP & Open Source Tel (510) 749-2016 | Fax (510) 749-4552
|
|
Re: SPDX Feb General Meeting Minutes
Phil Odence
Thanks for the updates.
From: "spdx@..." <spdx@...> on behalf of "kstewart@..." <kstewart@...>
Hi Phil, I've gone in and updated the tech section to put links into some of the items we discussed and added details of Asia SPDX tech call. Please let me know if you want me to revert.
Tech Team Report - Kate/Gary[edit]· Tools · Applying to participate in GSoC for 2019 · Variety of proposals on Wiki: https://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeas · We’ll hear back end of Feb 26 if we are selected. · tools-golang · Steve Winslow has contributed new Go libraries to SPDX to support generating SPDX documents see: https://github.com/spdx/tools-golang · He also created a tool to scan the kernel looking for SPDXIDs that Kate used for her talk at LCA to get latest status of the Kernel. · Go Steve! · Specification · Discussing Mark Atwood's Idea for alternative name spaces for companies licenses that are not open source. · Spec can handle via "LicenseRef-" · What guidance do we provide? · Unblocking contributions to 2.2 · Kate is working with Thomas to unblock contributions to 2.2 (switch master over to 2.2 from 2.1.1) · We will be starting to take pull requests into 2.2 spec, for features approved, please assign issue to yourself if you want to write up the feature. · Focus for next few months · Started a tech call in Asia friendly time · Call will be on 2nd Tuesday of each month 10am Japan/12pm Australia (and 5pm PST Monday) on https://www.uberconference.com/SPDXTeam · First topic will be SPDX-lite discussion that's started in the OpenChain workgroup.
On Thu, Feb 7, 2019 at 11:02 AM Phil Odence <phil.odence@...> wrote:
|
|
Re: SPDX Feb General Meeting Minutes
Kate Stewart
Hi Phil, I've gone in and updated the tech section to put links into some of the items we discussed and added details of Asia SPDX tech call. Please let me know if you want me to revert. Tech Team Report - Kate/Gary[edit]
Thanks, Kate
On Thu, Feb 7, 2019 at 11:02 AM Phil Odence <phil.odence@...> wrote:
|
|
SPDX Feb General Meeting Minutes
Phil Odence
https://wiki.spdx.org/view/General_Meeting/Minutes/2019-02-07For techies, interesting discussion of custom license name space proposal. I hope my non-techie notes capture the essence.PhilGeneral Meeting/Minutes/2019-02-07< General Meeting | Minutes · Attendance: 10 · Lead by Phil Odence · Minutes of Jan meeting approved
Contents[hide] · 1 Tech Team Report - Kate/Gary · 2 Legal Team Report - Jilayne · 3 Outreach Team Report - Jack Tech Team Report - Kate/Gary[edit]· Tools · SoC in again · Variety of proposals on Wiki · We’ll hear back end of Feb · Steve W · created a tool to scan the kernel looking for SPDX · Contributed Go libraries · Go Steve · Specification · Discussing Marks Idea for alternative name spaces · Spec can handle · What guidance do we provide? · Starting to take pull requests into 2.2 spec · Focus for next few months · Started a tech call in Asia friendly Legal Team Report - Jilayne[edit]· License List · New process and links posted · Published policy says advocates need to stay engaged or requests may drop off the radar · GitHub process seems like a great way to handle requests · Need work outside the call
Outreach Team Report - Jack[edit]· LinuxCon Aussie Presentation · Included Stat1/3 of files in Kernel have SPDX in them · Great momentum · Panel at FOSDEM on OSS Compliance tooling · Alexios attended · Lots or proposals on tools, so organizers turned into a panel w/ Bradley K moderating · Theme was need for interoperatblity · Video will be published · Alexios also mentioned that at recent copyleft conference, SPDX came up in every talk · Website · Looking into status of move to Wordpress with LF · Request a new license page has been directed to GitHub repo · Need an Outreach reboot Cross Functions[edit]· Alternate name space · Basics · Many companies have source available non-OSS licenses · Would be good for companies to be able to have standard local names · Proposal is to use DNS · Addresses issues with flat, first come first served · DNS will be around for a long time · Allows companies to self-assign · Internationalized by default · Immediately readable · Leading dot clearly differentiates from SPDX standard names · Challenges · Doesn’t cary text · Companies’ names may change through M&A and may lose domains in the process · How to ensure that a company doesn’t change license text · Sentiment is in favor of · Retain “License Ref” prefix · Standardize on place to log license data · In a one-license SPDX doc · Mark will mock up with one of the Amazon licenses, collaborating with Kate
Attendees[edit]· Phil Odence, Black Duck/Synopsys · Kate Stewart, Linux Foundation · Mark Atwood, Amazon · Jilayne Lovejoy · Gary O’Neall, SourceAuditor · Dennis Clark, NexB · Alexios Zavras, Intel · Jack Manbeck, TI · Mark Baushke, Juniper · David Ryan
|
|
Feb 7 SPDX General Meeting Reminder
Phil Odence
GENERAL MEETING
Meeting Time: Thurs, Feb 7, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
New dial in number: 415-881-1586 No PIN needed
The weblink for screenshare will stay the same at:
Administrative Agenda Attendance Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2019-01-03
Technical Team Report – Kate/Gary
Legal Team Report – Jilayne
Outreach Team Report – Jack
Any Cross Functional Issues –All
L. Philip Odence L. Philip Odence
|
|
Re: Standalone license tools for scanning debian/ubuntu apps?
Kate Stewart
On Tue, Feb 5, 2019 at 5:32 PM Dan Kegel <dank@...> wrote: On Tue, Feb 5, 2019 at 1:30 PM Jeremiah C. Foster <jfoster@...> wrote: Hi Dan, Am not sure what you're using for a build infrastructure, but there are some solutions emerging in Yocto that may be relevant, as well as the other projects that Philippe outlines. I checked with Richard and he confirms that
So if you're using Yocto for your builds, and want to help get with the development of this capability available faster, rather than create a stand-alone tool feel free to reach out to Richard (on cc). Thanks, Kate
|
|
Re: Standalone license tools for scanning debian/ubuntu apps?
Philippe Ombredanne
Hi Dan:
You are asking a simple question for which is there is no simple answer: this is not yet a solved problem and there is no easy button to press. Hence the long answer. On Mon, Feb 4, 2019 at 8:20 PM Dan Kegel <dank@...> wrote: Since you are trying to figure out the license of a shared object (aka library, or DLL) you need to know the license of the files that are compiled/linked in it. And quite rightly, using Debian copyright files will help you find out the license of the source files. So will a ScanCode scan (and it will also look in the binaries and report anything that can be found there). But that would not help you find out which set of source files are baked in that shared object and what is the effective license of the shared object in many cases (short of applying some extra heuristics or work on top). The most common problem is when a package provides a library and a command line too/utilities and each use a different license (typically the library is LGPL and the command line utilities are GPL). There are also other files such as build scripts, test files, documentation, tools, etc that may use several other licenses. These are not linked in the shared library and therefore would need to be parsed out to properly conclude what is the effective shared object license. As an example libcap-ng (one of the package you listed) is both small and typical of many Linux libraries licensing and code organization and the issues that come up when you are trying to find which license applies to what. - It is overall under LGPL-2.1 or later and in particular its library is using this license [1] but its RPM spec file (libcap-ng.spec) is not up to date and refers to an LGPL-2.0+ instead of a 2.1 version. - Command line utilities are under GPL 2.0 [2] - Some build scripts are MIT-licensed (configure.ac), or use other similar licenses (INSTALL is FSFAP) or are GPL- or LGPL-licensed (Makefile.am) - The root directory contains a copy of the GPL 2 (COPYING) and LGPL 2.1 (COPYING.LIB) and another copy of the LGPL (LICENSE). But there are no indication of which one applies to what except for the not entirely correct spec file mentioned above. - The corresponding Debian copyright file [3] is not structured to be machine readable yet . Yet it provides a bit more information: the top level license is properly reported as an LGPL-2.1 or later. And there is a mention of the GPL-2.0-licensed build scripts and command line utilities. But it also introduces a new GPL-3.0 license for the Debian packaging removing some clarity to the licensing documentation. The overall licensing is pretty clear when you are used to this after a quick review (and the help of a ScanCode scan of course ;)): the shared library license is LGPL-2.1-or-later and nothing else but things are mighty difficult to automate to come to the same correct conclusion. If you could know which exact files are included in the shared object/library, you could get back to these source files to get the licensing information. For this there are a few ways to go: 1. trace which files are compiled and linked the DLL 2. obtain that information from a DB or from a tool (without tracing) 1. For the tracing part 1.1- in the world of ELFs, you could use a debug build and parse out debug symbols to get back the list of actual source files that are based in that executable. There is contributed code in scancode [4] to extract DWARF debug symbols and get the corresponding source code file paths but that has not been fully integrated yet in the main tool. 1.2- you could trace the build such that you know exactly which files are used and included in the .so. I maintain TraceCode for this [5] and quartermaster [6] is also doing similar things (with different approaches). TraceCode works from an strace system calls trace of an unmodified/uninstrumented build to recreate/reverse engineer a build graph as it happens in user space. This is not a magically automated solution though and results require review and interpretation. But it works not too badly on single libraries. 2. To obtain the information without tracing: Some tool or database could have told which files are in the library and which files are in the CLI utilities and which are build scripts in a structured way. This is what are called facets [7] in scancode which is a concept borrowed from ClearlyDefined [8]. But being able to define facets and having facets defined is not the same. Scancode can report facets for each file if you tell it. But it does not have yet the ability to infer facets from the code such as for instance assigning "Makefile.am" to a development/build scripts facets. Working together on this would go a long way. There are a few Scancode pending tickets on this [9] [10]. As for ClearlyDefined, our goal (I contribute to the project) is to have facets possibly contributed as part of the curation and review process. And any enhancement to Scancode to infer facets would also benefit ClearlyDefined and would likely be of a great help to Debian to improve copyright files that are not yet machine readable too. [1] https://github.com/stevegrubb/libcap-ng/blob/master/libcap-ng.spec#L7 [2] https://github.com/stevegrubb/libcap-ng/blob/master/libcap-ng.spec#L57 [3] https://metadata.ftp-master.debian.org/changelogs/main/libc/libcap-ng/libcap-ng_0.7.7-3_copyright [4] https://github.com/nexB/scancode-toolkit-contrib/tree/develop/src/compiledcode [5] https://github.com/nexB/tracecode-toolkit [6] https://github.com/QMSTR/qmstr [7] https://github.com/nexB/scancode-toolkit/blob/develop/src/summarycode/facet.py#L58 [8] https://clearlydefined.io/ [9] https://github.com/nexB/scancode-toolkit/issues/1036 [10] https://github.com/nexB/scancode-toolkit/issues/377 -- Cordially Philippe Ombredanne +1 650 799 0949 | pombredanne@... ScanCode maintainer
|
|
SPDX General Meeting 2018 (replacement)
Phil Odence
When: Occurs every month on the first Thursday of the month from 11:00 AM to 12:00 PM effective 8/2/2018 until 1/1/2020. (UTC-05:00) Eastern Time (US & Canada) Where: Bridge info enclosed *~*~*~*~*~*~*~*~*~* I’m extending this recurring meeting to run through 2019. Please accept so it is updated on your calendar, however no need to send a response to me.
New dial in number:
415-881-1586 No PIN needed The weblink for screenshare will stay the same at:
|
|
Re: Standalone license tools for scanning debian/ubuntu apps?
Dan Kegel
On Tue, Feb 5, 2019 at 1:30 PM Jeremiah C. Foster <jfoster@...> wrote:
If I'm not mistaken, copyright has to be a string because it has to be legible by humans. This means you can likely grep through source code as scancode does with a fair degree of confidence and use 'strings' on binaries.Yes, absolutely. SPDX's set of standard licenses and ids (and scancode's somewhat expanded similar set) are great for stating license info succinctly. scancode is great at collecting the info that should go into the debian copyright file. My goal for this iteration at our licensing process was to automate collection of license info for the shared libraries our binary uses. Here's the pipeline I set up to do that: 1) https://github.com/Oblong/obs/blob/master/ob-filter-licenses reads a DEP-5 (aka Debian copyright) file and filters out any clauses that (most likely) do not propagate to shared library artifacts 2) https://github.com/Oblong/obs/blob/master/ob-parse-licenses reads a Debian copyright file, filters it through ob-filter-licenses, and outputs spdx ids. (For non-DEP-5 copyright files, it uses scancode to guess licenses.) 3) https://github.com/Oblong/obs/blob/master/ob-list-licenses uses ldd to look up shared libraries used by a binary, uses dpkg-query to look up the containing packages, and runs ob-parse-licenses on them. For instance, running "ob-list-licences /bin/login" outputs: libaudit1 https://people.redhat.com/sgrubb/audit/ GPL-2 LGPL-2.1 libc6 https://www.gnu.org/software/libc/libc.html libc6-special libcap-ng0 http://people.redhat.com/sgrubb/libcap-ng GPL-2.0-or-later LGPL-2.1-only GPL-1.0-or-later libpam0g http://www.linux-pam.org/ BSD-3-Clause GPL-1.0-or-later GPL-2.0-only This of course only solves a small part of the license / copyright problem, and only approximately, but it found interesting things for us. - Dan
|
|
Re: Standalone license tools for scanning debian/ubuntu apps?
If I'm not mistaken, copyright has to be a string because it has to be legible by humans. This means you can likely grep through source code as scancode does with a fair degree of confidence and use 'strings' on binaries.
Using DEP-5 and Debian Copyright files where you can should also be sufficient for due diligence in most jurisdictions, but I can't point to any legal precedent as evidence. SPDX helps by creating a framework for human and machine readable documentation of your work, but you'll still need to scan code for copyright. Binaries likely require a bit of reverse engineering. From: Dan Kegel <dank@...>
Sent: Monday, February 4, 2019 23:49 To: spdx@... Subject: Re: [spdx] Standalone license tools for scanning debian/ubuntu apps? I did look a bit at those, but they seemed more about unpacking
binaries than about wrangling copyrights. This e-mail and any attachment(s) are intended only for the recipient(s) named above and others who have been specifically authorized to receive them. They may contain confidential information. If you are not the intended recipient, please do not read this email or its attachment(s). Furthermore, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and then delete this e-mail and any attachment(s) or copies thereof from your system. Thank you.
|
|
Re: Standalone license tools for scanning debian/ubuntu apps?
Dan Kegel
I did look a bit at those, but they seemed more about unpacking
binaries than about wrangling copyrights.
|
|
Re: Standalone license tools for scanning debian/ubuntu apps?
Kate Stewart
On Mon, Feb 4, 2019 at 8:47 PM Jeremiah C. Foster <jfoster@...> wrote:
There's also BANG! (Binary Analysis Next Generation) that is in beta now. Kate
|
|
Re: Standalone license tools for scanning debian/ubuntu apps?
Have you looked at the binary analysis tool?
Regards,
Jeremiah
This e-mail and any attachment(s) are intended only for the recipient(s) named above and others who have been specifically authorized to receive them. They may contain confidential information. If you are not the intended recipient, please do not read this email or its attachment(s). Furthermore, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and then delete this e-mail and any attachment(s) or copies thereof from your system. Thank you.
|
|
Standalone license tools for scanning debian/ubuntu apps?
Dan Kegel
Hi all!
Coming up with a list of licenses a binary is bound by is a mind-boggling task that I avoid whenever possible. I've been watching spdx and friends from afar for some time in hopes they will help. Recently I was asked to write a stateless, standalone tool that takes a path to a dynamically linked linux binary, and outputs an approximate list of licenses the shared libraries it uses are bound by. Here's my current draft: https://github.com/Oblong/obs/blob/master/ob-list-licenses Roughly, it uses ldd and dpkg-query to locate copyright files for all shared libraries it references, and then either just outputs the License: values for DEP-5 copyright files, or uses scancode to detect them for non-DEP-5 copyright files. Now I'm plugging along, adding optional heuristics like "XXX of dependencies can be filtered out (because I'm only interested in the bits pulled in via dynamic linking)" where XXX is "files: debian/*" and "files: doc/*" Am I duplicating work? I looked at fossology, but its complexity kind of disqualifies it (nothing about it seems standalone or stateless). Thanks, Dan
|
|