SPDX General Meeting: New Web Meeting Number and URL
Philip Odence
I will follow this email with an updated invitation to the General Meeting. Please accept the recurring meeting even if you can’t make the upcoming Dec meeting. |
|
FSFE Recommends use of SPDX License Identifiers
Manbeck, Jack
We were excited to see this and wanted to share. As part of Project REUSE the FSFE is recommending use of SPDX License Identifiers.
https://spdx.org/news/news/2017/11/fsfe-recommends-license-identifiers-part-project-reuse
(Click the link for the page with the Video)
|
|
SPDXTeam - new dial in number for meetings, same web link.
Kate Stewart
Hi,
We were able to get the SPDXTeam Uberconference updated last Thursday to remove the limit on number of people attending the call. Yay!!! However, as a result of this, we had to change the dial in number.
New dial in number: 415-881-1586
No PIN needed
http://uberconference.com/SPDXTeam
Meeting times for teams will remain the same, as indicated on the page for each Team Work Area on https://wiki.spdx.org
Please let me know if you have any questions.
Thanks, Kate
|
Re: Minutes of Nov SPDX General Meeting
Kate Stewart
Hi Phil, Couple of comments on the Prague section, added them inline, but that's probably not clear - so can you substitute the following in the minutes? Prague
Thanks, Kate On Thu, Nov 2, 2017 at 10:18 AM, Phil Odence <podence@...> wrote:
should be "SPDX Tools Session"
(ORT) Open Source Review Toolkit working with ScanCode to generate SPDX files
SW360 and FOSSology to generate SPDX files.
source{d} discussed proposal they're working on to apply machine learning to license recognition.
about SPDX tools (and GSOC contributions)
link to more info: http://sched.co/BxI3. Lots of developer interest in this topic now.
|
|
Minutes of Nov SPDX General Meeting
Philip Odence
https://wiki.spdx.org/view/General_Meeting/Minutes/2017-11-02
General Meeting/Minutes/2017-11-02
Tech Team Report - Kate
Legal Team Report - Paul
Outreach Team Report
Attendees
|
|
Re: Reminder Thursday SPDX General Meeting
W. Trevor King
On Tue, Oct 31, 2017 at 12:16:17PM +0000, Phil Odence wrote:
Meeting Time: Thurs, Nov2, 8am PDT / 10 am CDT / 11am EDT / 15:00
For folks who keep a digital calendar, there's an iCalendar file which includes this meeting in flight with [1]. You can import the calendar from [2] now if you don't want to wait for the PR to land, although folks who do that will probably need to re-import if/when the PR lands and I remove the branch from my repository.
Cheers, Trevor
[1]: https://github.com/spdx/spdx-spec/pull/42
[2]: https://raw.githubusercontent.com/wking/spdx-spec/meeting.ics/meeting.ics
-- This email may be signed or encrypted with GnuPG (http://www.gnupg.org). For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
|
Reminder Thursday SPDX General Meeting
Philip Odence
Should be a short one with no guest speaker.
Europeans, note that US has not yet switched back to Standard time, so time is off by an hour from normal.
GENERAL MEETING
Meeting Time: Thurs, Nov2, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the call: https://www.uberconference.com/katestewart Optional dial in number: 877-297-7470 Alternate number: 512-910-4433 No PIN needed
Administrative Agenda Attendance Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-10-05
Technical Team Report – Kate
Legal Team Report – Paul
Outreach Team Report – Jack
Cross Functional Issues –All
|
|
Marriage of SPDX, OpenChain and the Blockchain
Mark Gisi
In 2016 we explored how the benefits of the Blockchain could be leveraged to assist with open source compliance across a complex manufacturing supply chain [1]. Our interest was sparked after witnessing a group of customers struggling to coordinate/consolidate open source compliance artifacts during the manufacturing of a consumer product.
In February 2017 we presented our findings and announced a new initiative at the Open Source Leadership Summit. The focus: Utilize SPDX + OpenChain + Hyperledger Sawtooth to solve the problem. We made the source code available in July 2017 under the Apache license: https://github.com/Wind-River/sparts/blob/master/README.md
Demo Oct 23-25th 2017 in Prague - We will demo the Software Parts Ledger and its support for a Software Parts catalog this week at the Open Source Summit in Prague in the Intel booth (we hope you can stop by if you are around). The demo includes SPDX and OpenChain components. It is scheduled for Monday 8am-1pm, Tuesday 8am-1pm, Wednesday, 1pm-6pm.
We will be presenting the latest status of this initiative at the Open Source Compliance Summit in November in Yokohama, Japan: "Utilizing Blockchain Across The Supply Chain". Asian manufacturers and suppliers have expressed above average interest in this approach.
This has been and still largely is a grass roots initiative – which is how all great things begin (including Linux :-)). The project is looking for contributors who have a serious interest/pain/stake in solving the problem being addressed (especially product manufacturers and software supplier organizations). The success of any supply chain Blockchain initiative will eventually require heavy involvement of the supply chain participants (e.g., to host ledger/Blockchain nodes, contribute requirements, code, documentation and so forth). We are also looking for a neutral place/organization to host the project which will also be an important requirement for its success in the long term.
Reach out to me if you are interested or would like to learn more.
cheers, Mark
[1]: https://lists.spdx.org/pipermail/spdx-tech/2016-December/003199.html
Mark Gisi | Wind River | Director, IP & Open Source Tel (510) 749-2016 | Fax (510) 749-4552
|
|
Re: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
Philippe Ombredanne
On Fri, Oct 20, 2017 at 9:20 AM, Fendt, Oliver <oliver.fendt@...> wrote:
great to see this direction of development.
The MODULE_LICENSE macro used in the kernel is a clear license statement. And better than a terse "Copyright (c) John Doe, GPL" that is seen in the kernel since there is a clear documentation of its meaning in the kernel's module.h [0] :
 * The following license idents are currently accepted as indicating free
 * software modules
 *
 *      "GPL"                           [GNU Public License v2 or later]
 *      "GPL v2"                        [GNU Public License v2]
 *      "GPL and additional rights"     [GNU Public License v2 rights and more]
 *      "Dual BSD/GPL"                  [GNU Public License v2
 *                                       or BSD license choice]
 *      "Dual MIT/GPL"                  [GNU Public License v2
 *                                       or MIT license choice]
 *      "Dual MPL/GPL"                  [GNU Public License v2
 *                                       or Mozilla license choice]
 *
 * The following other idents are available
 *
 *      "Proprietary"                   [Non free products]
[...]
So MODULE_LICENSE("GPL") means clearly "GNU Public License v2 or later" and nothing else. I cannot comment on whether such a license statement would be legally binding or not, but at least there is no ambiguity about what this means. And IMHO this is as good as an SPDX license identifier and as good as it gets short of any other licensing indications.
Since the MODULE_LICENSE is only for kernel modules, there was a need for something that could be applied elsewhere, hence the use of SPDX identifiers. Note that there were talks to use a macro instead of a comment. It may come back in the future as it would have the added benefit to inject license ids in the built binaries (the same way a MODULE_LICENSE ends up in a built LKM)
[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/module.h?id=refs/tags/v4.10#n172
-- Cordially Philippe Ombredanne
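An added example (not code from this thread or from the kernel patch): a small audit that lists files carrying only a MODULE_LICENSE macro and no SPDX-License-Identifier tag, reporting each ident with the meaning quoted from module.h above. The finding names, the file-selection defaults and the sample files are assumptions of this example.

```python
import re
from pathlib import Path

# Ident meanings exactly as quoted from include/linux/module.h in the message above.
MODULE_H_MEANING = {
    "GPL": "GNU Public License v2 or later",
    "GPL v2": "GNU Public License v2",
    "GPL and additional rights": "GNU Public License v2 rights and more",
    "Dual BSD/GPL": "GNU Public License v2 or BSD license choice",
    "Dual MIT/GPL": "GNU Public License v2 or MIT license choice",
    "Dual MPL/GPL": "GNU Public License v2 or Mozilla license choice",
    "Proprietary": "Non free products",
}
# Tag as added by the patch: a comment line, optionally closed with "*/" in C files.
SPDX_RE = re.compile(r"SPDX-License-Identifier:[ \t]*(\S.*?)[ \t]*(?:\*/)?[ \t]*$", re.M)
MODLIC_RE = re.compile(r'MODULE_LICENSE\s*\(\s*"([^"]*)"\s*\)')

def audit_text(text):
    """Classify one file's licensing statements (finding names are this example's own)."""
    tag = SPDX_RE.search(text)
    idents = MODLIC_RE.findall(text)
    if any(i not in MODULE_H_MEANING for i in idents):
        finding = "unknown-module-ident"   # string not listed in module.h
    elif tag is None and idents:
        finding = "macro-only"             # nothing except MODULE_LICENSE(...)
    elif tag is None:
        finding = "no-license-info"
    else:
        finding = "tagged"
    return {"spdx": tag.group(1) if tag else None,
            "module": [(i, MODULE_H_MEANING.get(i)) for i in idents],
            "finding": finding}

def audit_tree(root, names=("Makefile",), suffixes=(".c", ".h")):
    """Audit every matching file under root; returns {relative path: result}."""
    root = Path(root)
    return {str(p.relative_to(root)): audit_text(p.read_text(encoding="utf-8", errors="replace"))
            for p in sorted(root.rglob("*"))
            if p.is_file() and (p.name in names or p.suffix in suffixes)}

# Constructed sample files (not taken from the kernel tree).
SAMPLES = {
    "Makefile": "#\n# Makefile for a sample driver.\n#\n# SPDX-License-Identifier: GPL-2.0\n",
    "tagged.c": '// SPDX-License-Identifier: GPL-2.0\nMODULE_LICENSE("GPL");\n',
    "macro_only.c": '#include <linux/module.h>\nMODULE_LICENSE("GPL");\n',
    "typo.c": '/* SPDX-License-Identifier: GPL-2.0 */\nMODULE_LICENSE("GPL2");\n',
    "bare.h": "#define SAMPLE_REG 0x10\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_text(text))
```

The tool reports what each file states and does not decide whether a tag and a macro agree; that judgement stays with the reviewer.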
|
Re: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
Oliver Fendt
Hi,
great to see this direction of development. This will at least clarify all the files which carry nothing except the macro MODULE_LICENSE("GPL"); Because one of the interesting questions is "is this a legally binding expression of licensing?"
Ciao Oliver
-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Philippe Ombredanne
Sent: Thursday, October 19, 2017 20:28
To: SPDX-legal; spdx-tech@...; SPDX-general
Subject: Fwd: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
FYI: In case you missed it: SPDX identifiers have landed in kernel land... Read the whole thread at https://patchwork.kernel.org/patch/10016189/ And as a side effect, some new patches elsewhere are coming in with SPDX identifiers right in!
-- Cordially Philippe Ombredanne
---------- Forwarded message ----------
From: Greg Kroah-Hartman <gregkh@...>
Date: Thu, Oct 19, 2017 at 10:38 AM
Subject: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
To: linux-usb@...
Cc: linux-kernel@..., Thomas Gleixner <tglx@...>, Kate Stewart <kstewart@...>, Philippe Ombredanne <pombredanne@...>
It's good to have SPDX identifiers in all files to make it easier to audit the kernel tree for correct licenses. This patch adds these identifiers to all files in drivers/usb/ based on a script and data from Thomas Gleixner, Philippe Ombredanne, and Kate Stewart.
Cc: Thomas Gleixner <tglx@...>
Cc: Kate Stewart <kstewart@...>
Cc: Philippe Ombredanne <pombredanne@...>
Signed-off-by: Greg Kroah-Hartman <gregkh@...>
---
Unless someone really complains, I'm going to add this to my tree for 4.15-rc1.
diff --git a/drivers/usb/Makefile b/drivers/usb/Makefile index 9650b351c26c..cb8d902b801d 100644 --- a/drivers/usb/Makefile +++ b/drivers/usb/Makefile
@@ -1,6 +1,7 @@ # # Makefile for the kernel USB device drivers. # +# SPDX-License-Identifier: GPL-2.0 # Object files in subdirectories [....] long diff of 600 files removed for brevity... _______________________________________________ Spdx mailing list Spdx@... https://lists.spdx.org/mailman/listinfo/spdx |
|
[PATCH] USB: add SPDX identifiers to all files in drivers/usb/
Philippe Ombredanne
FYI:
In case you missed it: SPDX identifiers have landed in kernel land... Read the whole thread at https://patchwork.kernel.org/patch/10016189/ And as a side effect, some new patches elsewhere are coming in with SPDX identifiers right in!
-- Cordially Philippe Ombredanne
---------- Forwarded message ----------
From: Greg Kroah-Hartman <gregkh@...>
Date: Thu, Oct 19, 2017 at 10:38 AM
Subject: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
To: linux-usb@...
Cc: linux-kernel@..., Thomas Gleixner <tglx@...>, Kate Stewart <kstewart@...>, Philippe Ombredanne <pombredanne@...>
It's good to have SPDX identifiers in all files to make it easier to audit the kernel tree for correct licenses. This patch adds these identifiers to all files in drivers/usb/ based on a script and data from Thomas Gleixner, Philippe Ombredanne, and Kate Stewart.
Cc: Thomas Gleixner <tglx@...>
Cc: Kate Stewart <kstewart@...>
Cc: Philippe Ombredanne <pombredanne@...>
Signed-off-by: Greg Kroah-Hartman <gregkh@...>
---
Unless someone really complains, I'm going to add this to my tree for 4.15-rc1.
diff --git a/drivers/usb/Makefile b/drivers/usb/Makefile index 9650b351c26c..cb8d902b801d 100644 --- a/drivers/usb/Makefile +++ b/drivers/usb/Makefile @@ -1,6 +1,7 @@ # # Makefile for the kernel USB device drivers. # +# SPDX-License-Identifier: GPL-2.0 # Object files in subdirectories [....] long diff of 600 files removed for brevity...
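Review bot: in the drivers/usb/Makefile hunk the new "# SPDX-License-Identifier: GPL-2.0" line lands as line 4, below the descriptive header comment, so its position depends on the length of each file's header. Putting the tag on the first line of every file would give the audit mentioned in the commit message one fixed place to check. The commit message also credits "a script and data" without saying where they can be found; a pointer to them would let reviewers reproduce the 600-file change instead of reading it by hand.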
|
Oct SPDX General Meeting Minutes
Philip Odence
Here you go: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-10-05
BLACKDUCK
General Meeting/Minutes/2017-10-05
Guest Presentation - Alexander Lisianoi
Tech Team Report - Kate/Gary
Legal Team Report - Jilayne/Paul
Outreach Team Report - Jack
Attendees
|
|
Reminder about Thursday SPDX General Meeting (with special guest!)
Philip Odence
Please join us for a special presentation by Alexander Lisianoi, another SPDX 2017 Google Summer of Code student participant. He is a software engineer working towards his Masters at Technical University of Vienna, Austria. His project for us was called "Online Validation Tools." He will describe how he took two libraries (boolean.py and license-expression) and converted them from Python to JavaScript with a tool called Transcrypt.
GENERAL MEETING
Meeting Time: Thurs, Oct 5, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the call: https://www.uberconference.com/katestewart Optional dial in number: 877-297-7470 Alternate number: 512-910-4433 No PIN needed
Administrative Agenda Attendance Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-09-07
Guest Presentation – Alexander
Technical Team Report – Kate/Gary
Legal Team Report – Jilayne
Business Team Report – Jack
Cross Functional Issues –All
Phil
BLACKDUCK
|
|
Re: Package, mandatory?
Gary O'Neall
Hi Jonas,
However, the cardinality is given as "Optional, one or many." I'm not
I would call this a bug in the SPDX tools. If you could log an issue in the git repo and upload a tag/value file which reproduces the error, I'll take a look at it (https://github.com/spdx/tools/issues).
Thanks for reporting the issues.
Gary
|
Re: Package, mandatory?
Kate Stewart
Hi Jonas
On Tue, Sep 26, 2017 at 7:11 AM, Jonas Oberg <jonas@...> wrote:
Hi everyone,
Prior to 2.0, the expectation was that there would only be a single package with a set of files in each SPDX document. When we introduced relationships/identifiers, in 2.0, we were able to extend the specification so that multiple packages could be present in the same SPDX document (cardinality (Many)). Similarly, it was recognized that an SPDX document could be just a grouping of files (i.e. a set of binary files and an artificial package to encompass them all was not needed). (hence Optional). I can see though that we should have been clearer. The tools should be able to handle the translation, so yes, go ahead and log a bug there too.
Bug in the spdx-tools, improvement in wording needed in the specification - so please go ahead and log issues against both. Thanks, Kate
|
|
Package, mandatory?
Jonas Oberg
Hi everyone,
as you know, the FSFE is working on a project, REUSE, which has as one of its recommendations to produce a SPDX conformant bill of materials, if one can be generated automatically. As part of this project, I'm putting together a few template/example repositories which do exactly this. I will definitely make a lot of assumptions in generating the SPDX file, and it won't scale well beyond the example, but it's still an interesting practice.
In this, I've discovered what feels like an inconsistency in the specification, or its implementation. I would like to bring your attention to version 2.1, section 3[^1] which deals with the package information. The description is given as "One instance of the Package Information is required per package being described." However, the cardinality is given as "Optional, one or many."
I'm not sure exactly how to interpret this, as I noticed the spdx-tools fails when converting from tag format to RDF if I don't have a Package specified. If I know where the bug is (specification, me, spdx-tools), I can file a more appropriate bug report or fix my own code :-)
[^1]: https://spdx.org/spdx-specification-21-web-version#h.4i7ojhp
Best regards,
-- Jonas Öberg Executive Director FSFE e.V. - keeping the power of technology in your hands. Your support enables our work, please join us today http://fsfe.org/join
|
SPDX Sept General Meeting Minutes
Philip Odence
https://wiki.spdx.org/view/General_Meeting/Minutes/2017-09-07
General Meeting/Minutes/2017-09-07
Guest Presentation - Krys Nuvadga
Tech Team Report - Kate/Gary
Legal Team Report - Jilayne/Paul
Outreach Team Report - Jack
Attendees
|
|
Re: SPDX recommendations from other communities! :-D
Kate Stewart
On Wed, Sep 6, 2017 at 7:51 AM, Neal Gompa <ngompa13@...> wrote:
Hi Neal, We agree, some tooling is needed to generate the signing of the files that is needed in an SPDX document for an accurate manifest. Both FOSSology and ScanCode are open source projects that scan source projects and generate SPDX documents. Windriver also provides a service to do so too. Kate |
|
Re: SPDX recommendations from other communities! :-D
Philip Odence
Sorry, all, didn’t mean to cc the list. But you might find my blog amusing as well.
From: <spdx-bounces@...> on behalf of Philip Odence <podence@...>
Wow, Kate, great stuff! Thanks for sharing. I’ll talk to Jack about putting reference on the website.
In the meantime, for your amusement: http://blog.blackducksoftware.com/open-source-licenses-interesting
From: <spdx-bounces@...> on behalf of Kate Stewart <kstewart@...>
Hi, Just thought some of you might be interested in some recent announcements with SPDX showing up in them.
FSFE just launched a new site today recommending use of SPDX license identifiers in the source files, and generating a manifest from an SPDX document. :-)
Also there are a similar set of recommendations by the Commons Conservancy which also recommend use of the tags, and generation of SPDX documents:
Best regards, Kate
|
|
Re: SPDX recommendations from other communities! :-D
Philip Odence
Wow, Kate, great stuff! Thanks for sharing. I’ll talk to Jack about putting reference on the website.
In the meantime, for your amusement: http://blog.blackducksoftware.com/open-source-licenses-interesting
From: <spdx-bounces@...> on behalf of Kate Stewart <kstewart@...>
Hi, Just thought some of you might be interested in some recent announcements with SPDX showing up in them.
FSFE just launched a new site today recommending use of SPDX license identifiers in the source files, and generating a manifest from an SPDX document. :-)
Also there are a similar set of recommendations by the Commons Conservancy which also recommend use of the tags, and generation of SPDX documents:
Best regards, Kate
|
|