Date   

Re: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

Gary O'Neall
 

In addition to Java, we have quite a few tools written in Python.  We just added libraries written in go. 

 

Gary

 

From: spdx@... <spdx@...> On Behalf Of Manbeck, Jack via Lists.Spdx.Org
Sent: Friday, January 11, 2019 1:04 PM
To: varsha kukreja <varshak333@...>; spdx@...
Subject: Re: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

 

Sure. Were just now starting the process of applying to Google for their Summer of Code 2019. If we do get awarded slots there is a specific process you must follow. I suggest you get signed up with them and review what the process is. You would need to submit a proposal for any of the projects we have, assuming we are selected.   We then go through the proposals and pick the best one. I’m over simplifying this a bit but that’s the general idea.

 

The spdx tools themselves are based on Java.  You can visit our github project here:  https://github.com/spdx

 

We have a few other online tools but off hand I don’t recall what they are written in. Possibly some python and others.

 

Gary, can you fill in that gap?

 

 

Jack

 

 

 

From: varsha kukreja [mailto:varshak333@...]
Sent: Friday, January 11, 2019 1:50 PM
To: Manbeck, Jack; spdx@...
Subject: Re: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

 

Hey Can i know which languages are used in backend of spdx?

 

On Thu, Jan 10, 2019 at 10:35 PM varsha kukreja <varshak333@...> wrote:

HI .Thank you Sir for the response and the link..I would like to work on a google summer of code project for SPDX for GSOC 2019 ..But I would also be interested to contribute to SPDX tools if that makes me familiar with the community and helps getting selected for your organization in GSOC 2019

 

On Thu, Jan 10, 2019 at 7:51 PM Manbeck, Jack <j-manbeck2@...> wrote:

Hi Varshak,

 

Are you looking to work on a google summer of code project for SPDX or help contribute to the SPDX tools or specification, etc.,. (not google summer of code)?

 

Thanks

 

Jack

 

 

From: Spdx-tech@... [mailto:Spdx-tech@...] On Behalf Of Kate Stewart
Sent: Thursday, January 10, 2019 9:07 AM
To: varshak333@...
Cc: spdx-tech@...
Subject: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

 

Hi Varshak,

     Welcome!   Glad you're interested in participating in our community.  I am copying the spdx-tech mail list where we 

discuss the GSoC efforts.

 

     Ideas we've come up with so far are listed on: https://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeas,  but we're in active idea gathering  mode this week,  so suggestions are welcome as well.

 

Kate

 

 

On Thu, Jan 10, 2019 at 7:36 AM <varshak333@...> wrote:

I would like to contribute to the open source community ..I have majorly worked on backend on 2 college sponsored projects and working currently on a project by Government Organization. I have fair knowledge in Javascript, NodeJs, Typescript, Spring Boot, Laravel , Docker and apache thrift. It woukd be great if could if someone could help me get started

 

 


 

--

Kate Stewart

Sr. Director of Strategic Programs,  The Linux Foundation

Mobile: +1.512.657.3669

Email / Google Talk: kstewart@...

 


Re: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

Manbeck, Jack
 

Sure. Were just now starting the process of applying to Google for their Summer of Code 2019. If we do get awarded slots there is a specific process you must follow. I suggest you get signed up with them and review what the process is. You would need to submit a proposal for any of the projects we have, assuming we are selected.   We then go through the proposals and pick the best one. I’m over simplifying this a bit but that’s the general idea.

 

The spdx tools themselves are based on Java.  You can visit our github project here:  https://github.com/spdx

 

We have a few other online tools but off hand I don’t recall what they are written in. Possibly some python and others.

 

Gary, can you fill in that gap?

 

 

Jack

 

 

 

From: varsha kukreja [mailto:varshak333@...]
Sent: Friday, January 11, 2019 1:50 PM
To: Manbeck, Jack; spdx@...
Subject: Re: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

 

Hey Can i know which languages are used in backend of spdx?

 

On Thu, Jan 10, 2019 at 10:35 PM varsha kukreja <varshak333@...> wrote:

HI .Thank you Sir for the response and the link..I would like to work on a google summer of code project for SPDX for GSOC 2019 ..But I would also be interested to contribute to SPDX tools if that makes me familiar with the community and helps getting selected for your organization in GSOC 2019

 

On Thu, Jan 10, 2019 at 7:51 PM Manbeck, Jack <j-manbeck2@...> wrote:

Hi Varshak,

 

Are you looking to work on a google summer of code project for SPDX or help contribute to the SPDX tools or specification, etc.,. (not google summer of code)?

 

Thanks

 

Jack

 

 

From: Spdx-tech@... [mailto:Spdx-tech@...] On Behalf Of Kate Stewart
Sent: Thursday, January 10, 2019 9:07 AM
To: varshak333@...
Cc: spdx-tech@...
Subject: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

 

Hi Varshak,

     Welcome!   Glad you're interested in participating in our community.  I am copying the spdx-tech mail list where we 

discuss the GSoC efforts.

 

     Ideas we've come up with so far are listed on: https://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeas,  but we're in active idea gathering  mode this week,  so suggestions are welcome as well.

 

Kate

 

 

On Thu, Jan 10, 2019 at 7:36 AM <varshak333@...> wrote:

I would like to contribute to the open source community ..I have majorly worked on backend on 2 college sponsored projects and working currently on a project by Government Organization. I have fair knowledge in Javascript, NodeJs, Typescript, Spring Boot, Laravel , Docker and apache thrift. It woukd be great if could if someone could help me get started

 

 


 

--

Kate Stewart

Sr. Director of Strategic Programs,  The Linux Foundation

Mobile: +1.512.657.3669

Email / Google Talk: kstewart@...


Re: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

varshak333@...
 

Hey Can i know which languages are used in backend of spdx?


On Thu, Jan 10, 2019 at 10:35 PM varsha kukreja <varshak333@...> wrote:
HI .Thank you Sir for the response and the link..I would like to work on a google summer of code project for SPDX for GSOC 2019 ..But I would also be interested to contribute to SPDX tools if that makes me familiar with the community and helps getting selected for your organization in GSOC 2019

On Thu, Jan 10, 2019 at 7:51 PM Manbeck, Jack <j-manbeck2@...> wrote:

Hi Varshak,

 

Are you looking to work on a google summer of code project for SPDX or help contribute to the SPDX tools or specification, etc.,. (not google summer of code)?

 

Thanks

 

Jack

 

 

From: Spdx-tech@... [mailto:Spdx-tech@...] On Behalf Of Kate Stewart
Sent: Thursday, January 10, 2019 9:07 AM
To: varshak333@...
Cc: spdx-tech@...
Subject: [EXTERNAL] Re: [spdx-tech] [spdx] Need Help for contrubuting in GSOC 2019 #spdx

 

Hi Varshak,

     Welcome!   Glad you're interested in participating in our community.  I am copying the spdx-tech mail list where we 

discuss the GSoC efforts.

 

     Ideas we've come up with so far are listed on: https://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeas,  but we're in active idea gathering  mode this week,  so suggestions are welcome as well.

 

Kate

 

 

On Thu, Jan 10, 2019 at 7:36 AM <varshak333@...> wrote:

I would like to contribute to the open source community ..I have majorly worked on backend on 2 college sponsored projects and working currently on a project by Government Organization. I have fair knowledge in Javascript, NodeJs, Typescript, Spring Boot, Laravel , Docker and apache thrift. It woukd be great if could if someone could help me get started

 

 


 

--

Kate Stewart

Sr. Director of Strategic Programs,  The Linux Foundation

Mobile: +1.512.657.3669

Email / Google Talk: kstewart@...


Re: Need Help for contrubuting in GSOC 2019 #spdx

Kate Stewart
 

Hi Varshak,
     Welcome!   Glad you're interested in participating in our community.  I am copying the spdx-tech mail list where we 
discuss the GSoC efforts.

     Ideas we've come up with so far are listed on: https://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeas,  but we're in active idea gathering  mode this week,  so suggestions are welcome as well.

Kate


On Thu, Jan 10, 2019 at 7:36 AM <varshak333@...> wrote:
I would like to contribute to the open source community ..I have majorly worked on backend on 2 college sponsored projects and working currently on a project by Government Organization. I have fair knowledge in Javascript, NodeJs, Typescript, Spring Boot, Laravel , Docker and apache thrift. It woukd be great if could if someone could help me get started
 
 



--
Kate Stewart
Sr. Director of Strategic Programs,  The Linux Foundation
Mobile: +1.512.657.3669
Email / Google Talk: kstewart@...


Need Help for contrubuting in GSOC 2019 #spdx

varshak333@...
 

I would like to contribute to the open source community ..I have majorly worked on backend on 2 college sponsored projects and working currently on a project by Government Organization. I have fair knowledge in Javascript, NodeJs, Typescript, Spring Boot, Laravel , Docker and apache thrift. It woukd be great if could if someone could help me get started
 
 


SPDX January General Meeting Minutes

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2019-01-03

 

 

General Meeting/Minutes/2019-01-03

< General Meeting‎ | Minutes

·         Attendance: 15

·         Lead by Phil Odence

·         Minutes of Dec meeting approved 

 

Contents

 [hide

·         1 Guest Presentation, JC Herz

·         2 Tech Team Report - Kate/Gary

·         3 Legal Team Report - Jilayne

·         4 Outreach Team Report

·         5 Attendees

Guest Presentation, JC Herz[edit]

·         Background

·         Years of working with companies and DOD in open source

·         The Issues/concerns

·         License issues- SPDX handles well

·         Concerns about security close on the heels

·         Compliance is an additional step- Jumping through the hoops to document

·         SEVA Software Evidence Archive

·         Elements

·         Serves S-BOM function

·         Augments with content that needs to travel with software

·         Therefore allowing compliance work to be automated

·         Freeing up valuable resources to do what they are supposed to do

·         Can apply to a single component or a full application, so SEVA doesn’t distinguish

·         Format Issue

·         Customers required XML, beyond SEVA JSON

·         To be useable by a highly secure facility, data has to be hardened for which XML is better suited

·         Can be constrained and format can be verified (and extended)

·         SPDX and SEVA Overlap

·         License Info

·         For the most part SPDX handles beautifully

·         Government also needs to distinguish government open source

·         A little more information about state of software (e.g. pre-release)

·         Security extra needs

·         Some concern about spurious vulnerabilities

·         Answer is to extend a BoM to include patch info, etc

·         End of life indicator

·         They take SPDX familiar thing and provide some extensibility

·         How to name “supplier”?

·         Working with Kate 

·         OSS organization for example

·         A bank’s black list

·         Vulnerabilities

·         Key requirement for vulnerabilities info in SBOM, although just a link might make more sense

·         Reason is “audit” function. What you knew when. So needs a time stamp.

·         Bureaucratic are not going to change in favor of something that makes more sense for developers 

·         Concerns that this will get worse over time

·         Other Side - Logistics

·         Moving and shipping of SW/chain of custody- Where did it come from exactly

·         Not something OSS community has had to worry about

·         Bad mirror issue, for example.

·         Signed? Timestamp? Delivery date and time for software.

·         Something like FedEx analogy

·         Package URL helps identify

·         Q&A

·         What can SPDX group do?

·         JC thinks that they should open source SEVA

·         Could contribute to LinuxF perhaps

·         Understand and need to balance needs of OSS consumers and dev communities

·         Don’t want to burden them

·         Automate

·         Challenge- How to distinguish enterprise quality OSS vs. pet projects

 

Tech Team Report - Kate/Gary[edit]

·         Tools

·         Starting to plan for GSoC submissions with Gary/Kate

·         Steve has been trained on releasing License list, so Gary now has backup

·         Steve has been working on some new tools for summarizing the SPDX_license_ids based on a new SPDX go library - currently its just supporting TV, but he hopes to add in the other formats

·         Specification

·         Gary & James have been working through SeVA XML and working through how it can be added.

Legal Team Report - Jilayne[edit]

·         License List

·         V3.4 out before Christmas

·         Big success to not have to scramble through holidays

·         Release notes in the GitHub repo

·         Instructions for requesting now live in Repo as well

·         Leverage GSOC work has been automated.

·         New frontier- Getting open hardware licenses on list

·         Expanding definition of what goes on the list

 

Outreach Team Report[edit]

·         None this month

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Kate Stewart, Linux Foundation

·         Jilayne Lovejoy

·         Steve Winslow, LF

·         Alexios Zavras, Intel

·         Luis Villa, Tidelift

·         Jams Neushal, Neushul Solutions

·         Matthew Crawford, ARM

·         Kevin Nelson, Optim Tech UHG

·         Dennis Clark, NexB

·         Thomas Steenbergen, HERE

·         Bradlee Edmondson, Harvard

·         Gary O’Neall, SourceAuditor

·         Nicholas Toussaint, Orange

·         JC Herz, Ionchannel

 

 


Re: Jan 3 SPDX General Meeting Reminder

Phil Odence
 

Apologies for the extra email, but someone kindly pointed out an error on my part. The correct time for the General Meeting is 16:00 UTC.

Meeting Time: Thurs, Jan 3, 8am PT / 10 am CT / 11am ET / 16:00 UTC. 

 

From: "podence@..." <podence@...>
Date: Wednesday, January 2, 2019 at 8:17 AM
To: "spdx@..." <spdx@...>
Cc: JC Herz <jc.herz@...>
Subject: FW: Jan 3 SPDX General Meeting Reminder

 

Re-reminding now that most folks are back from the holidays.

 

From: "podence@..." <podence@...>
Date: Thursday, December 20, 2018 at 10:04 AM
To: "spdx@..." <spdx@...>
Cc: JC Herz <jc.herz@...>
Subject: Jan 3 SPDX General Meeting Reminder

 

Hello, all. Wishing the best to you for the holidays. As many will have time off between now and the New Year.

 

A new direction from SPDX is to expand into handling security information in addition to license and copyrights. JCC Herz will be talking about this in in the Jan 3 meeting. JC is the COO of Ion Channel, a software supply chain assurance and software logistics platform. JC co-wrote open source acquisition policy for the Defense Department in the mid-2000’s to curtail vendor-driven FUD about OSS, and has worked in large-scale enterprises to accelerate and enable verification, audit and continuous assurance of OSS for mission critical applications. 

 

Here's what she’ll be talking about-

“Evolving SPDX for Open Source Security: Lessons Learned from the Software Evidence Archive (SEVA)”

In the early days of enterprise OSS use, corporate concern tended to stem from licensing status, and SPDX operationalizes and automates risk management in that domain. As concerns around OSS have shifted towards security and supply chain risk, there are enterprise workflows for security approval, audit and compliance that require more and different details to augment transitive dependencies and licensing - some of which are not immediately obvious to developer communities outside the bureaucracies where these workflows exist. In the development of the SEVA (Software Evidence Archive), Ion Channel needed to augment the content of a standard SBOM with security, audit and compliance fields to satisfy the security, audit and compliance requirements of large IT bureaucracies in an an automated fashion. Because of large and escalating regulatory requirements for security, audit and compliance, these workflows are not going away. To that end, Ion Channel seeks to support SPDX with an open source XML implementation that includes these fields, so that large regulated customers can more easily adopt, maintain and update OSS applications and components. 

 

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Jan 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-12-06

 

Guest Speaker  – JC Herz

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 

L. Philip Odence
General Manager, Black Duck On-Demand
Synopsys Software Integrity Group
800 District Avenue, Suite 101, Burlington, MA 01803-5061
Note new work #: W: +1.781.313.6801; M: +1.781.258.9502

www.blackducksoftware.com  

 

 


FW: Jan 3 SPDX General Meeting Reminder

Phil Odence
 

Re-reminding now that most folks are back from the holidays.

 

From: "podence@..." <podence@...>
Date: Thursday, December 20, 2018 at 10:04 AM
To: "spdx@..." <spdx@...>
Cc: JC Herz <jc.herz@...>
Subject: Jan 3 SPDX General Meeting Reminder

 

Hello, all. Wishing the best to you for the holidays. As many will have time off between now and the New Year.

 

A new direction from SPDX is to expand into handling security information in addition to license and copyrights. JCC Herz will be talking about this in in the Jan 3 meeting. JC is the COO of Ion Channel, a software supply chain assurance and software logistics platform. JC co-wrote open source acquisition policy for the Defense Department in the mid-2000’s to curtail vendor-driven FUD about OSS, and has worked in large-scale enterprises to accelerate and enable verification, audit and continuous assurance of OSS for mission critical applications. 

 

Here's what she’ll be talking about-

“Evolving SPDX for Open Source Security: Lessons Learned from the Software Evidence Archive (SEVA)”

In the early days of enterprise OSS use, corporate concern tended to stem from licensing status, and SPDX operationalizes and automates risk management in that domain. As concerns around OSS have shifted towards security and supply chain risk, there are enterprise workflows for security approval, audit and compliance that require more and different details to augment transitive dependencies and licensing - some of which are not immediately obvious to developer communities outside the bureaucracies where these workflows exist. In the development of the SEVA (Software Evidence Archive), Ion Channel needed to augment the content of a standard SBOM with security, audit and compliance fields to satisfy the security, audit and compliance requirements of large IT bureaucracies in an an automated fashion. Because of large and escalating regulatory requirements for security, audit and compliance, these workflows are not going away. To that end, Ion Channel seeks to support SPDX with an open source XML implementation that includes these fields, so that large regulated customers can more easily adopt, maintain and update OSS applications and components. 

 

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Jan 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-12-06

 

Guest Speaker  – JC Herz

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 

L. Philip Odence
General Manager, Black Duck On-Demand
Synopsys Software Integrity Group
800 District Avenue, Suite 101, Burlington, MA 01803-5061
Note new work #: W: +1.781.313.6801; M: +1.781.258.9502

www.blackducksoftware.com  

 

 


Jan 3 SPDX General Meeting Reminder

Phil Odence
 

Hello, all. Wishing the best to you for the holidays. As many will have time off between now and the New Year.

 

A new direction from SPDX is to expand into handling security information in addition to license and copyrights. JCC Herz will be talking about this in in the Jan 3 meeting. JC is the COO of Ion Channel, a software supply chain assurance and software logistics platform. JC co-wrote open source acquisition policy for the Defense Department in the mid-2000’s to curtail vendor-driven FUD about OSS, and has worked in large-scale enterprises to accelerate and enable verification, audit and continuous assurance of OSS for mission critical applications. 

 

Here's what she’ll be talking about-

“Evolving SPDX for Open Source Security: Lessons Learned from the Software Evidence Archive (SEVA)”

In the early days of enterprise OSS use, corporate concern tended to stem from licensing status, and SPDX operationalizes and automates risk management in that domain. As concerns around OSS have shifted towards security and supply chain risk, there are enterprise workflows for security approval, audit and compliance that require more and different details to augment transitive dependencies and licensing - some of which are not immediately obvious to developer communities outside the bureaucracies where these workflows exist. In the development of the SEVA (Software Evidence Archive), Ion Channel needed to augment the content of a standard SBOM with security, audit and compliance fields to satisfy the security, audit and compliance requirements of large IT bureaucracies in an an automated fashion. Because of large and escalating regulatory requirements for security, audit and compliance, these workflows are not going away. To that end, Ion Channel seeks to support SPDX with an open source XML implementation that includes these fields, so that large regulated customers can more easily adopt, maintain and update OSS applications and components. 

 

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Jan 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-12-06

 

Guest Speaker  – JC Herz

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 

L. Philip Odence
General Manager, Black Duck On-Demand
Synopsys Software Integrity Group
800 District Avenue, Suite 101, Burlington, MA 01803-5061
Note new work #: W: +1.781.313.6801; M: +1.781.258.9502

www.blackducksoftware.com  

 

 


Meeting Minutes from December General Meeting

Gary O'Neall
 

Meeting minutes from this month’s general meeting have been published at https://wiki.spdx.org/view/General_Meeting/Minutes/2018-12-06

 

Regards,
Gary

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: gary@...

 


SPDX Nov General Meeting Minutes

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2018-11-01 

 

General Meeting/Minutes/2018-11-01

< General Meeting‎ | Minutes

·         Attendance: 6

·         Lead by Phil Odence

·         Minutes of Oct meeting approved 

 

Contents

 [hide

·         1 Tech Team Report - Kate/Gary

·         2 Legal Team Report - Jilayne

·         3 Outreach Team Report - All

·         4 Attendees

Tech Team Report - Kate/Gary[edit]

·         Spec

·         Ceva discussions

·         Looking at fields that we might incorporate

·         Security

·         Evidence

·         Idea is to bring in as a separate section

·         Good Progress

·         Some discussions with NTIA Group as well

·         SWID

·         May start using the security mailing list soon

·         Tooling

·         Multiple formats

·         Challenges solves

·         XML, JSON, YAML, Tag value, RDF

·         Attention back to updating tooling with spec

·         Some concern about file sizes with certain packages/formats

·         May simply be an issue of LOTS of files

·         Generating License List 

·         Didn’t work perfectly

·         Giving another run

·         Updating tooling for license submittal/editing

·         A few bugs need to be worked around

 

Legal Team Report - Jilayne[edit]

·         There’s a fair backlog of issues to work through

·         Ongoing process

·         3.1 Is out

·         Started new practice of release notes

·         Tooling and new request system has to be nailed down

·         People are going through multiple paths/processes

·         Need to standardize

·         Tooling is close

·         Need a few more text fields

·         All submissions seem to come from Gary

·         License inclusion guidelines

·         Inbound request regarding open hardware languages

·         Already included open data license

·         May need to revisit inclusion guidelines

·         OSI discussion about naming issues with SPDX

·         Need to find opportunity for better collaboration 

 

Outreach Team Report - All[edit]

·         Seems to be a lot more use of SPDX in the wild than we are aware of

·         How do we run down and catalog?

·         Wonder if it’s time for another poll

·         Last poll results: https://spdx.org/sites/cpstandard/files/pages/files/spdx_survey_results_may_2013.zip

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Kate Stewart, Linux Foundation

·         Gary O’Neall, SourceAuditor

·         Andrew Katz, Orcro

·         Jilayne Lovejoy

·         Steve Winslow, LF

 


Re: Today SPDX General Meeting Reminder

Paul Madick
 

Hi Phil, 

I have a conflict today so will miss the meeting. I will be on the legal call after. 

Best, 

Paul






-------- Original message --------
From: Phil Odence <phil.odence@...>
Date: 11/1/18 12:48 AM (GMT-08:00)
To: spdx@...
Subject: [spdx] Today SPDX General Meeting Reminder



No guest presentation this month, so anticipate a shorter meeting.

 

(I’m open to ideas for guest presentations.)

 

GENERAL MEETING

 

Meeting Time: Thurs, Nov 1, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-10-04

 

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 

L. Philip Odence
General Manager, Black Duck On-Demand
Synopsys Software Integrity Group
800 District Avenue, Suite 101, Burlington, MA 01803-5061
Note new work #: W: +1.781.313.6801; M: +1.781.258.9502

www.blackducksoftware.com  

 

 



itevomcid


Today SPDX General Meeting Reminder

Phil Odence
 

No guest presentation this month, so anticipate a shorter meeting.

 

(I’m open to ideas for guest presentations.)

 

GENERAL MEETING

 

Meeting Time: Thurs, Nov 1, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-10-04

 

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 

L. Philip Odence
General Manager, Black Duck On-Demand
Synopsys Software Integrity Group
800 District Avenue, Suite 101, Burlington, MA 01803-5061
Note new work #: W: +1.781.313.6801; M: +1.781.258.9502

www.blackducksoftware.com  

 

 


OpenChain Recap - Week of 22nd October - Open Source Summit Europe

Shane Coughlan <coughlan@...>
 

It was a huge week last week. Quick recap of the major items below.
tl;dr - Toshiba is a Platinum Member, SUSE is OpenChain Conformant, Sony and Fujitsu shared knowledge

We had two slide decks shared via the OpenChain Workshop (see bottom of mail). These boil down to two data points:
(1) Fujitsu is actively using SPDX and wants to work with everyone else using this standard for describing information in software packages.
(2) Sony has identified that it is important to include Sales/Marketing in the discussions around OpenChain and open source compliance. This builds on prior identification of the importance of making sure Procurement can understand OpenChain.

For (1), I am going to hand over to Kate and the team at SPDX to discuss collaboration with Ueba San at Fujitsu. All in CC.

For (2), we have a clear understanding that we need to formulate onboarding/introduction material for:
(i) Procurement
(ii) Sales/Marketing
Nathan (chair of onboarding), would it make sense for us to open a couple of Google Docs to collaborate on this?

== Big News ==

Toshiba Joins the OpenChain Project as a Platinum Member:
“OpenChain is not just a project for OSS license compliance, it also helps to improve mutual trust and effective communication between open source developers and users,” says Tetsuji Fukaya, Director of the Corporate Software Engineering and Technology Center of Toshiba Corporation. “Open source is publicly recognized as an essential part of digital transformation and widely used in numerous products. In order to use open source appropriately, we think that license compliance alone is not enough. Mutual trust between developers and users is also essential. OpenChain will be key to achieve both. For that reason, we feel proud of being part of the OpenChain Project.”
https://www.linuxfoundation.org/press-release/2018/10/toshiba-joins-the-openchain-project-as-a-platinum-member/

SUSE Joins the OpenChain Community of Conformance:
“For more than 25 years, SUSE has created and engaged with open source communities as a foundation for its enterprise solutions,” said Thomas Di Giacomo, SUSE CTO. “We always engage with the community to better meet customer needs, and our OpenChain certification is another indication to enterprises that we are committed to making their experience with open source software more reliable and cost effective.”
https://www.linuxfoundation.org/press-release/2018/10/suse-joins-the-openchain-community-of-conformance/

== OpenChain Workshop Contributions ==

Improvements in meta spdxscanner through FOSSology - Ueba San:
https://www.slideshare.net/ShaneCoughlan3/improvements-in-meta-spdxscanner-through-fossology-ueba-san

Two aspects for OpenChain BoF session - Ueda San:
https://www.slideshare.net/ShaneCoughlan3/two-aspects-for-openchain-bof-session-ueda-san

Regards

Shane

--
Shane Coughlan
General Manager, OpenChain
e: coughlan@...
p: +81 (0) 80 4035 8083
w: www.openchainproject.org

Professional profile: http://www.linkedin.com/in/shanecoughlan

Get my free book on open source compliance here:
https://www.linuxfoundation.org/news-media/research/practical-gpl-compliance


SPDX Sept General Meeting Minutes

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2018-10-04

 

General Meeting/Minutes/2018-10-04

< General Meeting‎ | Minutes

·         Attendance: 8

·         Lead by Phil Odence

·         Minutes of Sept meeting approved 

 

Contents

 [hide

·         1 Tech Team Report - Kate/Gary

·         2 Legal Team Report - Jilayne

·         3 Outreach Team Report - Jack

·         4 Attendees

Tech Team Report - Kate/Gary[edit]

·         Spec

·         Focus on multiple formats

·         How do deal with XML, JSON, YAML

·         Proposal to link to software heritage identifies

·         SW heritage- presentation came out recently on how code should be ID’ed in repos

·         Seems to make sense to extend references to point to

·         General agreement on last tech call

·         Tooling

·         Got integrated on line tools up

·         License submittal

·         XML editor

·         Beta quality, ready to go. http://spdxtools.sourceauditor.com

·         GSOC has worked very well

·         Should thank Google

·         Post on Website

·         Could use some social media

·         Topic for Outreach 

·         May want to point projects to FSF software reuse site which advocates SPDX

·         Would be a good credibility builder

·         The link is on the site, but not easy to find

·         Other Groups

·         NTIA- Government group defining a BoM standard

·         Prototype work in health care

·         Fingers crossed that they will use SPDX

·         SWID

·         Active discussion

·         Mapping fields between SPDX an SW

·         Other groups may be able to use our use cases

·         They are wrestling with what is a components

·         Also, how a company can keep their own supplementary license list

·         Can do via a SPDX doc that is just licenses and make external reference to

·         Steve W will help out

Legal Team Report - Jilayne[edit]

·         New license backlog

·         Trying to clear out for next release

·         Looking forward to new tooling

·         Could use testing help

·         Need some Python help on the tools

·         Mostly fixing up formatting stuff

Outreach Team Report - Jack[edit]

·         Little activity

·         Regrouping

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Kate Stewart, Linux Foundation

·         Gary O’Neall, SourceAuditor

·         Matthew Crawford, ARM

·         Jilayne Lovejoy, ARM

·         Jack Manbeck, TI

·         Steve Winslow, LF

·         Mark Atwood, Amazon

 


Thursday SPDX General Meeting Reminder

Phil Odence
 

 No guest presentation this month, so anticipate a shorter meeting.

 

(I’m open to ideas for guest presentations.)

 

GENERAL MEETING

 

Meeting Time: Thurs, Oct 4, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-09-06

 

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 

L. Philip Odence
General Manager, Black Duck On-Demand
Synopsys Software Integrity Group
800 District Avenue, Suite 101, Burlington, MA 01803-5061
Note new work #: W: +1.781.313.6801; M: +1.781.258.9502

www.blackducksoftware.com  

 

 


Re: Thursday SPDX General Meeting Reminder

Häb Tïñø
 

On 4 Sep 2018 10:45 p.m., "Phil Odence" <phil.odence@...> wrote:
>
> This month’s guest speaker is Mark Gisi.  Many of you know Mark from his big contributions over the years to SPDX and OpenChaiun. He has a really interesting topic to share.
>
> I’m disappointed that I have a conflict. One of the other SPDX Core Team Members will host.
>
> Phil Odence
>
>  
>
> Abstract
>
> -----------
>
> The union of SPDX data and a blockchain ledger is a match made in heaven. This union enables us to provide both *accountability* and *access* to SPDX data for manufactured products that are comprised on software components contributed by dozens of suppliers. We will present a use case of how we track SPDX data (along with source code and notices)  across the manufacturing supply chain of a device running the Zephyr operating system runtime.
>
> Bio
>
> ----
>
> Mark Gisi, Directory of Intellectual Property and Open Source at Wind River Systems, has been managing Open Source policies and programs for the past 12 years. Mark contributes to the Linux Foundation’s SPDX project, OpenChain Project and the Hyperledger Project’s SParts (Software Parts) lab initiative. Mark holds a MS degree in Computer Science and a BS degree in Mathematics.
>
>  
>
>  
>
> GENERAL MEETING
>
>  
>
> Meeting Time: Thurs, Sept 6, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
>
>
> Conf call dial-in:
>
> New dial in number: 415-881-1586
>
> No PIN needed
>
> The weblink for screenshare will stay the same at: 
> http://uberconference.com/SPDXTeam
>
>  
>
> Administrative Agenda
>
> Attendance
>
> Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-08-02
>
>  
>
> Guest Presentation – Mark
>
>  
>
> Technical Team Report – Kate/Gary
>
>  
>
> Legal Team Report – Jilayne/Paul
>
>  
>
> Outreach Team Report – Jack
>
>  
>
> Any Cross Functional Issues –All
>
>  
>


Thursday SPDX General Meeting Reminder

Phil Odence
 

This month’s guest speaker is Mark Gisi.  Many of you know Mark from his big contributions over the years to SPDX and OpenChaiun. He has a really interesting topic to share.

I’m disappointed that I have a conflict. One of the other SPDX Core Team Members will host.

Phil Odence

 

Abstract

-----------

The union of SPDX data and a blockchain ledger is a match made in heaven. This union enables us to provide both *accountability* and *access* to SPDX data for manufactured products that are comprised on software components contributed by dozens of suppliers. We will present a use case of how we track SPDX data (along with source code and notices)  across the manufacturing supply chain of a device running the Zephyr operating system runtime.

Bio

----

Mark Gisi, Directory of Intellectual Property and Open Source at Wind River Systems, has been managing Open Source policies and programs for the past 12 years. Mark contributes to the Linux Foundation’s SPDX project, OpenChain Project and the Hyperledger Project’s SParts (Software Parts) lab initiative. Mark holds a MS degree in Computer Science and a BS degree in Mathematics.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Sept 6, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2018-08-02

 

Guest Presentation – Mark

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 


Re: OpenChain @ Open Source Summit 2018 (Vancouver) on August 28th

Shane Coughlan <coughlan@...>
 

Dear all

This is the final schedule for the OpenChain workshop at Open Source Summit North America today:
13:00 - Welcome and Status Update
13:10 - Work Team - Conformance
13:30 - Adjacent Project Status Overviews
- SPDX
- FOSSology
- Clearly Defined
14:00 - Networking Break
14:30 - Forward Planning - Strategy and Tactics
15:00 - Work Team - Specification
15:50 - Networking Break
16:20 - Work Team - Curriculum
16:40 - Work Team - Onboarding
17:00 - Close

Join us between 1:00 – 5:00 pm at Room 205, Vancouver Convention Centre West

Regards

Shane

On Aug 27, 2018, at 3:10, Shane Coughlan <coughlan@...> wrote:

Dear all

This is a reminder that there will be an OpenChain workshop at Open Source Summit North America this week. We are coordinating with our friends at the SPDX Project, who also have a workshop on the 28th, to ensure people can attend key parts of both.

Here are our details:

OpenChain Mini Summit
Date: Tuesday, August 28
Time: 1:00 – 5:00 pm
Location: Room 205, Vancouver Convention Centre West
Registration Costs: Complimentary

Here is our schedule:
13:00 - Welcome and Status Update
13:10 - Work Team - Conformance
13:30 - Forward Planning - Strategy and Tactics
14:00 - Networking Break
14:30 - Adjacent Project Status Overviews
- SPDX
- FOSSology
- Clearly Defined
15:00 - Work Team - Specification
15:50 - Networking Break
16:20 - Work Team - Curriculum
16:40 - Work Team - Onboarding
17:00 - Close

Public announcement here:
https://www.openchainproject.org/news/2018/08/17/openchain-workshop-open-source-summit-north-america

There will be an informal OpenChain social gathering at 6pm in the Mosaic Grill in the Hyatt Regency at 6pm. Spaces are limited to 20 people. We only have a couple of spots (literally) left so RSVP is strongly advised.

I look forward to seeing you in Vancouver!

Regards

Shane


--
Shane Coughlan
General Manager, OpenChain
e: coughlan@...
p: +81 (0) 80 4035 8083
w: www.openchainproject.org

Professional profile: http://www.linkedin.com/in/shanecoughlan

Get my free book on open source compliance here:
https://www.linuxfoundation.org/news-media/research/practical-gpl-compliance




OpenChain @ Open Source Summit 2018 (Vancouver) on August 28th

Shane Coughlan <coughlan@...>
 

Dear all

This is a reminder that there will be an OpenChain workshop at Open Source Summit North America this week. We are coordinating with our friends at the SPDX Project, who also have a workshop on the 28th, to ensure people can attend key parts of both.

Here are our details:

OpenChain Mini Summit
Date: Tuesday, August 28
Time: 1:00 – 5:00 pm
Location: Room 205, Vancouver Convention Centre West
Registration Costs: Complimentary

Here is our schedule:
13:00 - Welcome and Status Update
13:10 - Work Team - Conformance
13:30 - Forward Planning - Strategy and Tactics
14:00 - Networking Break
14:30 - Adjacent Project Status Overviews
- SPDX
- FOSSology
- Clearly Defined
15:00 - Work Team - Specification
15:50 - Networking Break
16:20 - Work Team - Curriculum
16:40 - Work Team - Onboarding
17:00 - Close

Public announcement here:
https://www.openchainproject.org/news/2018/08/17/openchain-workshop-open-source-summit-north-america

There will be an informal OpenChain social gathering at 6pm in the Mosaic Grill in the Hyatt Regency at 6pm. Spaces are limited to 20 people. We only have a couple of spots (literally) left so RSVP is strongly advised.

I look forward to seeing you in Vancouver!

Regards

Shane


--
Shane Coughlan
General Manager, OpenChain
e: coughlan@...
p: +81 (0) 80 4035 8083
w: www.openchainproject.org

Professional profile: http://www.linkedin.com/in/shanecoughlan

Get my free book on open source compliance here:
https://www.linuxfoundation.org/news-media/research/practical-gpl-compliance

401 - 420 of 1604