
Thursday SPDX General Meeting Reminder (with special guest)

Philip Odence
 

This will be a particularly interesting General Meeting. In addition to our normal team reporting, we will have two special topics:

·         A presentation from Georgia (Zeta) Kapitsaki on her research using SPDX at the Univ of Cyprus

·         Review of 2017 annual goals for SPDX by the Core Team

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Jan 5, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Join the call: https://www.uberconference.com/katestewart

Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed

 

Administrative Agenda

Attendance

Minutes Approval http://wiki.spdx.org/view/General_Meeting/Minutes/2016-12-01

 

Special Presentation– Georgia (Zeta) Kapitsaki

License compatibilities and relevant tool in the framework of SPDX

 

Cross Functional Issues – Phil/All

Annual Goals

·         Roll out github-maintainable XML license templates

·         Define an approach to creating notice files from an SPDX doc

·         Develop a web-based license match tool

·         Implement tool to score a project’s licensing quality

·         Gain Apache/Eclipse Foundation adoption

·         Sponsor a Google Summer of Code Project

·         Conduct a supply chain management survey

·         Build “whole product” around the spec—what is required for adoption

·         Deploy existing SPDX group tools on web

·         Develop a github plug-in to generate an SPDX doc

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Business Team Report – Jack

 

 

 

Topic: License compatibilities and relevant tool in the framework of SPDX

Licensing decisions for new Open Source Software are not always straightforward. However, the license that accompanies the software is important as it largely affects its subsequent distribution and reuse. License information for software products is captured - among other data - in the Software Package Data Exchange (SPDX) files. I will talk briefly about our research work and our tool for the validation of SPDX files regarding proper license use. Software packages described in SPDX format are examined in order to detect license violations that may occur when a  product combines different software sources that carry different and potentially contradicting licenses. The SPDX License Validation Tool (SLVT) gives the opportunity to check the compatibility of one or more SPDX files. 

 

Brief biography:

Assistant Professor at the Department of Computer Science of the University of Cyprus (UCY) and faculty member of the Software Engineering and Internet Technologies (SEIT) laboratory in UCY. She received her PhD from the National Technical University of Athens, Greece (2009). Her research interests include: software engineering, service-oriented computing, open source software reuse and privacy enhancing technologies. She has published over 40 papers in international conferences and journals, has participated in conference organisation (e.g. ICSR 2016) and has served as a TPC member and referee in repudiated journals and conferences. She has been involved in EU FP6 and FP7 projects and has worked as a software engineer in the industry.

 

 

 

 

 


FW: Minutes from SPDX Dec General Meeting

Philip Odence
 

http://wiki.spdx.org/view/General_Meeting/Minutes/2016-12-01

 

 

 

 

General Meeting/Minutes/2016-12-01


  • Attendance: 11
  • Lead by Phil Odence
  • Minutes of Nov meeting approved

 


Tech Team Report - Kate/Gary

  • Spec
    • Has been focusing on coding up best practices for creating a Notices file
      • Will need some input from the Legal Team, probably a joint meeting
      • Output will be pseudo-code which could be the basis for a tool (basis is SPARQL queries)
    • 2.1 is out there; no current bugs reported
      • Kate gave a presentation on 2.1 in Yokohama; will get to Jack for posting on website
  • Tooling
    • All upgraded to 2.1
    • No bugs reported
    • Python library being upgraded
      • Useful for implementing SPDX in a Python-based sw tool
  • 2017 Goals Brainstorm
    • Tooling to make quality of licensing more visible
      • Mark G started this work
      • The idea is to grade a project, based on SPDX file, for how complete the licensing is
  • Looking to get plug-ins adopted into communities
    • Apache and Eclipse
  • Web based tools
    • Current java tools involve installing java environment
    • e.g. Paste a license into a webpage and have it matched to an SPDX template
  • Discuss pros/cons of moving to single format
    • JSON- Happy medium between tag value and RDF
  • Write a git plug-in for generating SPDX docs
    • Could then grade
  • Another Google Summer of Code Project

Legal Team Report - Jilayne/Paul

  • How to leverage git hub for document maintenance
  • xml work
    • Still plugging away
    • Need to assess where we are in Thursday’s call
  • License list
    • No Sept release
    • Some requests have trickled in
  • 2017 Goals Brainstorm
    • Big thing is getting the XML templates up
    • Getting up and running on GitHub
    • Make sure notice files work is accurate
    • Upgrading the license expressions language
    • Supportive of license match Web App

 

Outreach Team Report - Jack

  • A few meetings have been missed
  • Website is up
  • Outlining documentation needs
  • 2017 Goals Brainstorm
    • Do a survey of companies using supply chains - understand what they are doing wrt gathering license data
      • Could use other existing groups such as Open Chain

 

Cross Functional Topics - Phil

Attendees

  • Phil Odence, Black Duck
  • Kate Stewart, Linux Foundation
  • Jilayne Lovejoy, ARM
  • Paul Madick, Dimension Data
  • Gary O’Neill, SourceAuditor
  • Tarek Jamal, ARM
  • Mark Gisi, Wind River
  • Jack Manbeck, TI
  • Alexios Zavras, Intel
  • Michael Herzog- nexB
  • Philippe Ombrédanne- nexB

 


Thursday SPDX General Meeting

Philip Odence
 

Special Discussion, 2017 Goals- Please bring your thoughts about goals for next year. After each update, team leads will facilitate some brainstorming on this subject. The Core Team will finalize and announce formal goal at the January 5 General Meeting. 

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Dec 1, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed

 

Administrative Agenda

Attendance

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Business Team Report – Jack

 

Cross Functional Issues – Phil

 

 

 

 

 


Minutes from November SPDX General Meeting

Philip Odence
 

Thanks again to Lei from Fujitsu for an interesting presentation!

 

 

General Meeting/Minutes/2016-11-03


         Attendance: 12

         Lead by Phil Odence

         Minutes of Sept meeting approved (Oct meeting was cancelled due to LinuxCon Europe)

 


Special Guest - Lei Mao Hui, Fujitsu

         Lei

         Working for Fujitsu

         Developing on house Distro

         Spoke at ALS and Linux Conference about experience with SPDX

         Reason Fujitsu needs SPDX

         Want an SPDX file for all their packages

         Customers often require license info

         Released under GPL3, but includes software under other license as well. Many!

         MIT, BSD, GPL2, etc.

         SPDX is good for this purpose

         So they added into production Development

         Yocto SPDX

         Lucky for them that Yocto supports SPDX

         But the activity on Yocto SPDX has been slow

         Found some issues when using

         Only supports SPDX 1.1

         Doesn’t do a great job even with that

         Is complex to use; takes a long time

         May introduce license conflicts

         In the end you can download the SPDX

         Fujitsu’s contributions to Yocto SPDX

         So they did some work to improve:

         Created a patch to upgrade to SPDX 1.2

         Unfortunately was never accepted into Yocto

         Would like to upgrade to SPDX 2.0

         And to improve performance

         Has been working on some of the SPDX open source tools

         including DoSOCS developed by UNO

         Lei has been continuing to submit improvements to Yocto

         Improved performance

         Currently discussing more improvements with Yocto

         Will be continuing to improve and to upgrade to SPDX 2.1

         Question

         Has yocto been receptive?

         Yocto has not been active or focused on SPDX.

         Some people have been interested

         Not sure why they are not interested

         Kate will help and follow up

Tech Team Report - Kate/Gary

         Spec

         SPDX 2.1 is now released and official

         Starting to focus on use cases and tooling

         last call was a joint call with the Legal Team

         Templatization focus

         Agreed on interfaces between teams

         Tooling

         Incorporated results from the bake off

         Overall, everyone at the bake off got good feedback, leading to improvement of all tools

         XML Format

         Legal Team has been working on new format for license templates

         Makes it easier for multiple contributors

         Working now on making it consumable for external tools

         Really good progress

         Should have draft standards in the next month or two.

 

Legal Team Report - Jilayne/Paul

         Joint Call with Tech Team

         Worked on syncing tag names to be consistent with spec

         Went really well

         License List

         Business as usual with new licenses

         More license requests for licenses in other languages

         Probably need to have a discussion about how to handle consistently

 

Outreach Team Report - Jack

         Website

         New site is up

         Jack’s in process of posting new stuff

         Next agenda

         Working on new docs, templates, etc

         Mostly to help explain aspects of how to use

         Trying to assemble list of topics and then prioritize

         Very open to ideas

 

Cross Functional Topics - Phil

         Future topic - Will be a discussion of license in different languages

         Legal Team will come forward with a strawman. A few months out.

         Guest stars

         Always looking for more

 

Attendees

         Phil Odence, Black Duck

         Lei Mao Hui, Fujitsu

         Kate Stewart, Linux Foundation

         Jilayne Lovejoy, ARM

         Yev Bronshteyn, Black Duck

         Scott Sterling, Palamida

         Paul Madick, Dimension Data

         Gary O’Neill, SourceAuditor

         Tarek Jamal, ARM

         Mark Gisi, Wind River

         Jack Manbeck, TI

         Alexios Zavras, Intel


 


SPDX General Meeting Late Reminder

Philip Odence
 

The call is kicking off now. The highlight will be a presentation from Lei at Fujitsu. Please join us.

Sorry for the late reminder


Re: SPDX Bake off to compare tools generating code for the SPDX 2.1 specification on October 6, 2016.

Sam Ellis <Sam.Ellis@...>
 

Hi,

 

Whilst preparing for SPDX bakeoff I noticed a few issues with my interpretation of the specification that may be worth discussion.

 

Firstly a number of fields in tag files contain arbitrary text enclosed within <text>...</text> tags. I found examples where the text I am including within these tags does itself contain HTML/XML tags from the source document. The inclusion of non-SPDX tags within the <text> tags makes it hard to spot the end of the </text>. This raises the question of whether the text within <text> tags ought to be escaped in some way? I did not find anything on this point in the SPDX specification (apologies if I missed anything).

 

Secondly, I noticed that in the tag field PackageLicenseInfoFromFiles I am including license exceptions, for example:

 

PackageLicenseInfoFromFiles: Classpath-exception-2.0

 

However, I think my use is incorrect. The spec says a license identifier is needed here, and a license exception identifier is not a license identifier. I cannot alternatively use "license WITH exception" here because this is an expression not a license identifier. This raises the question, how should exceptions be represented in PackageLicenseInfoFromFiles, if at all?

 

I appreciate your thoughts on these issues.

 

From: spdx-tech-bounces@... [mailto:spdx-tech-bounces@...] On Behalf Of Kate Stewart
Sent: 22 September 2016 19:58
To: spdx-tech@...; SPDX-general
Subject: SPDX Bake off to compare tools generating code for the SPDX 2.1 specification on October 6, 2016.

 

Hi, 

The SPDX tech team will be hosting an SPDX Tools BakeOff at LinuxCon Europe on 6 October 2016.  Participation can be remote by phone or in person. The Bake-off (also known by some as a Plugfest) will focus on comparing SPDX Documents generated with SPDX specification 2.1 features along with answering any questions people may have about the new revision.

For more information on how to participate,  please read Background info for the SPDX 2.1 Bake-off in LinuxCon Europe.    

If you have questions, please send email to spdx-tech@...

Thanks on behalf of the SPDX tech team,   Gary & Kate
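
The `<text>` delimiter question raised in the message above can be checked mechanically. The following is an added example, not part of the original post and not code from any SPDX tool: a minimal tag-value reader that ends a `<text>` block at the first `</text>` it sees (an assumed reader behaviour, since the message notes the specification does not address escaping), plus a producer-side check. The sample values and function names are constructed for illustration.

```python
import re

OPEN, CLOSE = "<text>", "</text>"
TAG_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s?(.*)$")


def emit_naive(tag, value):
    """Wrap a value in <text>...</text> with no inspection of its content."""
    return f"{tag}: {OPEN}{value}{CLOSE}"


def parse_tag_value(doc):
    """Return (fields, stray): fields is a list of (tag, value) pairs, stray
    holds non-empty lines that belong to no field. Assumption: a <text>
    block ends at the first </text> encountered."""
    fields, stray = [], []
    lines = doc.splitlines()
    i = 0
    while i < len(lines):
        m = TAG_LINE.match(lines[i])
        if not m:
            if lines[i].strip():
                stray.append(lines[i])
            i += 1
            continue
        tag, rest = m.groups()
        if rest.startswith(OPEN):
            buf = rest[len(OPEN):]
            # Keep appending lines until the closing delimiter shows up.
            while CLOSE not in buf and i + 1 < len(lines):
                i += 1
                buf += "\n" + lines[i]
            value, found, tail = buf.partition(CLOSE)
            if not found:
                raise ValueError(f"{tag}: unterminated {OPEN} block")
            if tail.strip():
                stray.append(tail)
            fields.append((tag, value))
        else:
            fields.append((tag, rest))
        i += 1
    return fields, stray


def round_trips(tag, value):
    """True if a reader recovers exactly the one field the producer wrote."""
    fields, stray = parse_tag_value(emit_naive(tag, value))
    return fields == [(tag, value)] and not stray


def emit_checked(tag, value):
    """Producer-side guard: refuse values a reader cannot delimit."""
    if CLOSE in value:
        raise ValueError(f"{tag}: value contains {CLOSE}; it would end the field early")
    return emit_naive(tag, value)


# Constructed sample values (not taken from any real package).
HARMLESS = "Licensed under <b>MIT</b>; see <a href='LICENSE'>LICENSE</a>."
AMBIGUOUS = ("Example from docs:\n"
             "LicenseComments: <text>sample</text>\n"
             "FileNotice: rest of the notice")

if __name__ == "__main__":
    for name, value in (("HARMLESS", HARMLESS), ("AMBIGUOUS", AMBIGUOUS)):
        print(name, "round-trips:", round_trips("ExtractedText", value))
    print(parse_tag_value(emit_naive("ExtractedText", AMBIGUOUS)))
```

Ordinary HTML tags in the payload survive, but scanned content that itself contains `</text>` truncates the value, and the remainder is read as a separate field the producer never wrote.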

 



Re: SPDX Bake off to compare tools generating code for the SPDX 2.1 specification on October 6, 2016.

Kate Stewart
 

Hi Bradley,


On Thu, Sep 22, 2016 at 5:30 PM, Bradley M. Kuhn <bkuhn@...> wrote:
Kate,

Kate Stewart wrote at 11:58 (PDT):
> For more information on how to participate, please read Background info
> for the SPDX 2.1 Bake-off in LinuxCon Europe.

I and my colleagues sadly don't have a tool to participate in the bake-off
this year, but in preparation for the future, and out of general curiosity:

What are the licensing requirements for software tools to enter the
bake-off?  (i.e., do the tools have to be under a specific set of licenses
to participate?  What are the rules in this regard?)

There are no licensing requirements for tools themselves to participate in the bake-off,
the only requirement is that they are able to produce (and ideally consume) valid
SPDX files.   

We're pleased that FOSSology is going to participate for the first time in one
of our bake-offs in Berlin, which is a tool I believe you use already.      

We've also got listed the community supported tools as well as the commercial tools 
we know about on our web site, if you want to see the possible participants.   
All tools (even if they are not listed on the site) are welcome. 

Hope this helps,
Kate


SPDX Bake off to compare tools generating code for the SPDX 2.1 specification on October 6, 2016.

Kate Stewart
 

Hi, 

The SPDX tech team will be hosting an SPDX Tools BakeOff at LinuxCon Europe on 6 October 2016.  Participation can be remote by phone or in person. The Bake-off (also known by some as a Plugfest) will focus on comparing SPDX Documents generated with SPDX specification 2.1 features along with answering any questions people may have about the new revision.

For more information on how to participate,  please read Background info for the SPDX 2.1 Bake-off in LinuxCon Europe.    

If you have questions, please send email to spdx-tech@...

Thanks on behalf of the SPDX tech team,   Gary & Kate



Re: SPDX RDF visualization

STAIR, MICHAEL A
 

Thank you for the suggestions Yev, I will give them a try!

 

Mike

 

From: Yev Bronshteyn <ybronshteyn@...>
Date: Wednesday, September 21, 2016 at 3:16 PM
To: "STAIR, MICHAEL A" <ms1784@...>, "spdx@..." <spdx@...>
Subject: Re: SPDX RDF visualization

 

A slight correction to the above – the sparql query in my previous email may be too simplistic in that it does not include files that are inside of packages (as package contents are not necessarily described with relationships).

 

This should produce the graph of both relationships and file contents:

 

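prefix spdx: <http://spdx.org/rdf/terms#>

# Relationship edges and package file contents are matched in separate
# UNION branches, so a document with no spdx:hasFile triples (or no
# relationships) still yields the other set of edges.
construct { ?sub ?pred ?obj .
            ?sub2 spdx:hasFile ?file }
where {
     { ?sub spdx:relationship ?rel .
       ?rel spdx:relationshipType ?pred .
       ?rel spdx:relatedSpdxElement ?obj . }
     union
     { ?sub2 spdx:hasFile ?file . }
}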

From: <spdx-bounces@...> on behalf of Yev Bronshteyn <ybronshteyn@...>
Date: Wednesday, September 21, 2016 at 2:48 PM
To: "STAIR, MICHAEL A" <ms1784@...>, "spdx@..." <spdx@...>
Subject: Re: SPDX RDF visualization

 

Hi, Michael,

 

I don’t know much about RDF graphing tools, but here’s a trick to make any tool you already have produce a better graph.

 

You can use this sparql query to reduce an SPDX document to an RDF where every relationship is reduced to a single triple:

 

prefix spdx: <http://spdx.org/rdf/terms#>

construct { ?sub ?pred ?obj }
where {
     ?sub spdx:relationship ?rel .
     ?rel spdx:relationshipType ?pred .
     ?rel spdx:relatedSpdxElement ?obj .
}

 

 

Here’s how you can apply this query with Apache Jena:

 

1.      Load your spdx document into Jena’s triple store:

tdbloader --loc=data mydoc.rdf

 

In the example above, “data” is an empty directory where you have write access (where Jena will build its datastore) and mydoc.rdf is your SPDX document.

               

2.      Apply the query, which in this example is loaded into “relConcat.sparql”. Pipe the results into a file.


tdbquery --loc=data --query=../relConcat.sparql --results=RDF

 

 

The resulting RDF should be a much more straightforward graph of all the relationships.

 

From: <spdx-bounces@...> on behalf of "STAIR, MICHAEL A" <ms1784@...>
Date: Wednesday, September 21, 2016 at 2:16 PM
To: "spdx@..." <spdx@...>
Subject: SPDX RDF visualization

 

Hello,

 

I was wondering if anyone can suggest a tool to visualize in a graph (ideally interactive) SPDX RDF files, specifically to follow relationships? I am currently using gruff (http://franz.com/agraph/gruff/), but it’s a little tedious. Thanks.

 

Mike

_____________________________
Michael Stair
Principal Member of Technical Staff
AT&T Chief Security Office (CSO)
301.865.3877
mstair@...


Re: SPDX RDF visualization

Yev Bronshteyn
 

A slight correction to the above – the sparql query in my previous email may be too simplistic in that it does not include files that are inside of packages (as package contents are not necessarily described with relationships).

 

This should produce the graph of both relationships and file contents:

 

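prefix spdx: <http://spdx.org/rdf/terms#>

# Relationship edges and package file contents are matched in separate
# UNION branches, so a document with no spdx:hasFile triples (or no
# relationships) still yields the other set of edges.
construct { ?sub ?pred ?obj .
            ?sub2 spdx:hasFile ?file }
where {
     { ?sub spdx:relationship ?rel .
       ?rel spdx:relationshipType ?pred .
       ?rel spdx:relatedSpdxElement ?obj . }
     union
     { ?sub2 spdx:hasFile ?file . }
}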

From: <spdx-bounces@...> on behalf of Yev Bronshteyn <ybronshteyn@...>
Date: Wednesday, September 21, 2016 at 2:48 PM
To: "STAIR, MICHAEL A" <ms1784@...>, "spdx@..." <spdx@...>
Subject: Re: SPDX RDF visualization

 

Hi, Michael,

 

I don’t know much about RDF graphing tools, but here’s a trick to make any tool you already have produce a better graph.

 

You can use this sparql query to reduce an SPDX document to an RDF where every relationship is reduced to a single triple:

 

prefix spdx: <http://spdx.org/rdf/terms#>

construct { ?sub ?pred ?obj }
where {
     ?sub spdx:relationship ?rel .
     ?rel spdx:relationshipType ?pred .
     ?rel spdx:relatedSpdxElement ?obj .
}

 

 

Here’s how you can apply this query with Apache Jena:

 

1.      Load your spdx document into Jena’s triple store:

tdbloader --loc=data mydoc.rdf

 

In the example above, “data” is an empty directory where you have write access (where Jena will build its datastore) and mydoc.rdf is your SPDX document.

               

2.      Apply the query, which in this example is loaded into “relConcat.sparql”. Pipe the results into a file.


tdbquery --loc=data --query=../relConcat.sparql --results=RDF

 

 

The resulting RDF should be a much more straightforward graph of all the relationships.

 

From: <spdx-bounces@...> on behalf of "STAIR, MICHAEL A" <ms1784@...>
Date: Wednesday, September 21, 2016 at 2:16 PM
To: "spdx@..." <spdx@...>
Subject: SPDX RDF visualization

 

Hello,

 

I was wondering if anyone can suggest a tool to visualize in a graph (ideally interactive) SPDX RDF files, specifically to follow relationships? I am currently using gruff (http://franz.com/agraph/gruff/), but it’s a little tedious. Thanks.

 

Mike

_____________________________
Michael Stair
Principal Member of Technical Staff
AT&T Chief Security Office (CSO)
301.865.3877
mstair@...
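
The flattening that the CONSTRUCT queries in this thread perform, as an added example that is not part of the original posts and does not use Jena: a small basic-graph-pattern matcher over in-memory triples that compares matching the relationship pattern and the `spdx:hasFile` pattern as one joined pattern against matching them independently (a union). The sample graph, the blank-node labels and the `example.org` URIs are constructed for illustration.

```python
SPDX = "http://spdx.org/rdf/terms#"
REL = SPDX + "relationship"
REL_TYPE = SPDX + "relationshipType"
REL_TARGET = SPDX + "relatedSpdxElement"
HAS_FILE = SPDX + "hasFile"


def is_var(term):
    return term.startswith("?")


def match(patterns, triples):
    """Evaluate a basic graph pattern: every triple pattern must match,
    with shared variables bound consistently (a join)."""
    solutions = [{}]
    for pat in patterns:
        extended = []
        for sol in solutions:
            for triple in triples:
                new = dict(sol)
                for p, t in zip(pat, triple):
                    if is_var(p):
                        if new.setdefault(p, t) != t:
                            break          # variable already bound elsewhere
                    elif p != t:
                        break              # constant term does not match
                else:
                    extended.append(new)
        solutions = extended
    return solutions


def construct(template, solutions):
    """Instantiate the template once per solution; a template triple with an
    unbound variable is skipped, and the result is a set of triples."""
    out = set()
    for sol in solutions:
        for tpl in template:
            triple = tuple(sol.get(x) if is_var(x) else x for x in tpl)
            if None not in triple:
                out.add(triple)
    return out


REL_PATTERN = [("?sub", REL, "?rel"),
               ("?rel", REL_TYPE, "?pred"),
               ("?rel", REL_TARGET, "?obj")]
FILE_PATTERN = [("?sub2", HAS_FILE, "?file")]
TEMPLATE = [("?sub", "?pred", "?obj"), ("?sub2", HAS_FILE, "?file")]


def flatten_joined(triples):
    """Both patterns in one group: a solution needs a match for each."""
    return construct(TEMPLATE, match(REL_PATTERN + FILE_PATTERN, triples))


def flatten_union(triples):
    """Each pattern matched on its own; solutions are pooled."""
    return construct(TEMPLATE,
                     match(REL_PATTERN, triples) + match(FILE_PATTERN, triples))


# Constructed sample graph: a document describing a package that links a
# library and contains one file.
DOC, PKG, LIB = (f"http://example.org/doc#SPDXRef-{n}" for n in ("DOCUMENT", "Pkg", "Lib"))
FILE_A = "http://example.org/doc#SPDXRef-FileA"
DESCRIBES = SPDX + "relationshipType_describes"
DYNLINK = SPDX + "relationshipType_dynamicLink"
WITH_FILES = [
    (DOC, REL, "_:r1"), ("_:r1", REL_TYPE, DESCRIBES), ("_:r1", REL_TARGET, PKG),
    (PKG, REL, "_:r2"), ("_:r2", REL_TYPE, DYNLINK), ("_:r2", REL_TARGET, LIB),
    (PKG, HAS_FILE, FILE_A),
]
NO_FILES = WITH_FILES[:-1]   # same document without any hasFile triple

if __name__ == "__main__":
    for name, graph in (("WITH_FILES", WITH_FILES), ("NO_FILES", NO_FILES)):
        print(name, "joined:", len(flatten_joined(graph)),
              "union:", len(flatten_union(graph)))
```

Both forms give the same three edges when the document has relationships and files; when it has no `hasFile` triples, the joined pattern has no solutions and the output graph is empty, while the union still returns the relationship edges.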


Re: SPDX RDF visualization

Yev Bronshteyn
 

Hi, Michael,

 

I don’t know much about RDF graphing tools, but here’s a trick to make any tool you already have produce a better graph.

 

You can use this sparql query to reduce an SPDX document to an RDF where every relationship is reduced to a single triple:

 

prefix spdx: <http://spdx.org/rdf/terms#>

construct { ?sub ?pred ?obj }
where {
     ?sub spdx:relationship ?rel .
     ?rel spdx:relationshipType ?pred .
     ?rel spdx:relatedSpdxElement ?obj .
}

 

 

Here’s how you can apply this query with Apache Jena:

 

1.       Load your spdx document into Jena’s triple store:

tdbloader --loc=data mydoc.rdf

 

In the example above, “data” is an empty directory where you have write access (where Jena will build its datastore) and mydoc.rdf is your SPDX document.

               

2.       Apply the query, which in this example is loaded into “relConcat.sparql”. Pipe the results into a file.


tdbquery --loc=data --query=../relConcat.sparql --results=RDF

 

 

The resulting RDF should be a much more straightforward graph of all the relationships.

 

From: <spdx-bounces@...> on behalf of "STAIR, MICHAEL A" <ms1784@...>
Date: Wednesday, September 21, 2016 at 2:16 PM
To: "spdx@..." <spdx@...>
Subject: SPDX RDF visualization

 

Hello,

 

I was wondering if anyone can suggest a tool to visualize in a graph (ideally interactive) SPDX RDF files, specifically to follow relationships? I am currently using gruff (http://franz.com/agraph/gruff/), but it’s a little tedious. Thanks.

 

Mike

_____________________________
Michael Stair
Principal Member of Technical Staff
AT&T Chief Security Office (CSO)
301.865.3877
mstair@...


SPDX RDF visualization

STAIR, MICHAEL A
 

Hello,

 

I was wondering if anyone can suggest a tool to visualize in a graph (ideally interactive) SPDX RDF files, specifically to follow relationships? I am currently using gruff (http://franz.com/agraph/gruff/), but it’s a little tedious. Thanks.

 

Mike

_____________________________
Michael Stair
Principal Member of Technical Staff
AT&T Chief Security Office (CSO)
301.865.3877
mstair@...


Canceled: SPDX General Meeting

Philip Odence
 

Cancelling the October meeting as it conflicts with LinuxCon Europe.

We will have a special presentation for the November meeting on OpenChain.


*******


Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed


MEETING MINUTES FOR REVIEW: 
http://spdx.org/wiki/meeting-minutes-and-decisions


Re: SPDX Tool Contributions

Gary O'Neall
 

Hi Michael,

Glad to hear of your interest in contributing to the tools. We can discuss on the next tech call, but feel free to contribute issues and pull requests on GitHub. The only request is on the pull requests to include a statement that your contributions are made available under the Apache 2.0 license.

Thanks,
Gary

On September 1, 2016 12:17:58 PM CDT, "STAIR, MICHAEL A" <ms1784@...> wrote:

Hello,

 

I attended the general meeting today but had some issues with my audio so was unable to ask a few questions. Is attending the technical team meeting the appropriate way to discuss contributing to the tools (including bug fixes)?

 

Michael Stair





Re: SPDX Tool Contributions

Kate Stewart
 

Hi Michael, 
    Yes, feel free to join us on the weekly call (Tuesday at 1pm Eastern)

or send email to spdx-tech@... with your questions.

Bug fixes most welcome!   :-)

Kate 


On Thu, Sep 1, 2016 at 12:17 PM, STAIR, MICHAEL A <ms1784@...> wrote:

Hello,

 

I attended the general meeting today but had some issues with my audio so was unable to ask a few questions. Is attending the technical team meeting the appropriate way to discuss contributing to the tools (including bug fixes)?

 

Michael Stair





SPDX Tool Contributions

STAIR, MICHAEL A
 

Hello,

 

I attended the general meeting today but had some issues with my audio so was unable to ask a few questions. Is attending the technical team meeting the appropriate way to discuss contributing to the tools (including bug fixes)?

 

Michael Stair


Re: Meeting Minutes

Kate Stewart
 

Thanks Gary,    Sorry I had to leave mid way through the report. 

Couple of minor adjustments to the minutes.

On Thu, Sep 1, 2016 at 10:40 AM, <gary@...> wrote:

Greetings all,

 

Below are the minutes from today’s general meeting.  Meeting minutes are also available on the Wiki at http://wiki.spdx.org/view/General_Meeting/Minutes/2016-09-01

 

Please let me know if you see any errors or omissions.

 

Thanks,
Gary

 

General Meeting/Minutes/2016-09-01

·         Attendance: 6

·         Lead by Gary O'Neall

·         Minutes of August meeting approved

Tech Team Report - Kate

·         SPDX 2.1 all comments incorporated

·         PDF should be available today

·         Will follow-on with HTML later

·         1 1/2 month feedback cycle


The review window for SPDX 2.1 spec is now closed.    It's been open for 1.5 months, and feedback has tailed off.

·         Tech office hours - should publish to general

·         There will be a tools bake-off in Berlin on 6 Oct

·         All tools providers are encouraged to attend or send in SPDX documents

·         There will not be a west coast bake-off - the West Coast tools providers are encouraged to submit SPDX documents to the Berlin bake-off

Outreach Team Report - Jack

·         Getting ready to go live with the new site

·         Jack is working with the Linux Foundation to schedule a go-live date

·         All updates to the new site have been completed

Legal Team Report - Jilayne

·         Going through the XML conversion of the license list

·         Action items for closing on the XML conversion are published

·         Decided to do the next license list update around the end of Oct. which will use the new XML file format

Cross Functional Topics - Gary

·         Discussion on whether the new XML license master list format is intended for external tools or to be used internal only to the Legal Team in producing the license list

·         Gary recalled a discussion where we decided the first release of the XML format would be internal only

·         Consensus that one of the overall goals of the XML format is to enable better tooling - the issue is only related to the phasing of the XML format implementation

·         Some of the issues to external tool use would be the inconsistency in the element and property names with the SPDX specification

·         Request that the technical team be involved if the XML format is to be used externally

·         Will be discussed on the legal call

Attendees

·         Gary O'Neall

·         Kate Stewart

·         Jilayne Lovejoy

·         Michael Stair

·         Scott Sterling

·         Paul Madick

 

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: gary@...

 






--
Kate Stewart
Sr. Director of Strategic Programs,  The Linux Foundation
Mobile: +1.512.657.3669
Email / Google Talk: kstewart@...


Meeting Minutes

Gary O'Neall
 

Greetings all,

 

Below are the minutes from today’s general meeting.  Meeting minutes are also available on the Wiki at http://wiki.spdx.org/view/General_Meeting/Minutes/2016-09-01

 

Please let me know if you see any errors or omissions.

 

Thanks,
Gary

 

General Meeting/Minutes/2016-09-01

·         Attendance: 6

·         Lead by Gary O'Neall

·         Minutes of August meeting approved

Tech Team Report - Kate

·         SPDX 2.1 all comments incorporated

·         PDF should be available today

·         Will follow-on with HTML later

·         1 1/2 month feedback cycle

·         Tech office hours - should publish to general

·         There will be a tools bake-off in Berlin on 6 Oct

·         All tools providers are encouraged to attend or send in SPDX documents

·         There will not be a west coast bake-off - the West Coast tools providers are encouraged to submit SPDX documents to the Berlin bake-off

Outreach Team Report - Jack

·         Getting ready to go live with the new site

·         Jack is working with the Linux Foundation to schedule a go-live date

·         All updates to the new site have been completed

Legal Team Report - Jilayne

·         Going through the XML conversion of the license list

·         Action items for closing on the XML conversion are published

·         Decided to do the next license list update around the end of Oct. which will use the new XML file format

Cross Functional Topics - Gary

·         Discussion on whether the new XML license master list format is intended for external tools or to be used internal only to the Legal Team in producing the license list

·         Gary recalled a discussion where we decided the first release of the XML format would be internal only

·         Consensus that one of the overall goals of the XML format is to enable better tooling - the issue is only related to the phasing of the XML format implementation

·         Some of the issues to external tool use would be the inconsistency in the element and property names with the SPDX specification

·         Request that the technical team be involved if the XML format is to be used externally

·         Will be discussed on the legal call

Attendees

·         Gary O'Neall

·         Kate Stewart

·         Jilayne Lovejoy

·         Michael Stair

·         Scott Sterling

·         Paul Madick

 

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: gary@...

 


FW: Thursday SPDX General Meeting

Philip Odence
 

No special guest star this month, so plan on a <30 minute meeting.

 

Note: I only just realized that I neglected to publish the minutes from the August meeting, so I am including at the bottom.

 

GENERAL MEETING

 

Meeting Time: Thurs, Aug 4, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed

 

Administrative Agenda

Attendance

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul

 

Business Team Report – Jack

 

Cross Functional Issues – Phil

 

 

 

 

 

 

 

 

General Meeting/Minutes/2016-08-04


   Attendance: 12

   Led by Phil Odence

   Minutes of July meeting approved

 


Special Guest - Alexios Zavras, Intel

   His role is open source compliance at Intel, based in Munich

                   Now at open source tech center

                   Will be talking about his previous role with Intel Mobile Comms

   Mobile Comms

                   Based in Germany

                   Germans are very process-oriented, well-documented

   His role was SW legal compliance.

                   Ensuring all software legally compliant across all kinds of software

                   They treat all compliance issues as a bug, just like any problem in the software

                   Alexios learned of SPDX and was very pleased and excited about it

                                   Didn’t manage to get everything SPDX based

                                   Started slowly

                                   SPDX is very valuable at many levels

                                                   Even just the license list and standard way of expressing was very helpful

                                                   Quickly standardized on SPDX notations and it started appearing in their documentation etc

                                   Included in training that was mandatory for SW devs and later extended to marketing, legal, biz dev

                                                   Everyone who touches software had to take on-line course with a deeper course available for some

                                   Have developed number of tools, tightly coupled with dev environment

                                                   All developed internally

                                                   very tightly controlled, eg can’t check out code without a ticket

                                                   Tool chain includes license compliance

                                   Central team provides compliance services to dev

                                                   too much for all devs to worry about

                                                   Fits with org structure

                                                   Internal teams reviews all code

                                   Started small, then more widespread and more automated

                                                   Today every release goes through this license compliance check

                                                   Requires ‘stamp of approval’ from central team

                                   To make the central team more efficient

                                                   Save all results

                                                   Including many of the SPDX fields

                                                   Saved in database

                                   Last step, not yet taken, is to generate an SPDX doc for each release

                                                   Just held up by organizational issues, technically feasible

                                                   Being worked on

                                                   Have started getting the request from customers

                                                                   Not mentioning SPDX by name, have not seen that yet,

                                                                   but asking for data that SPDX covers, files, license, etc

                                                                   (both are with Euro customers)

                                   When they generate SPDX

                                                   Permissive licenses require attribution

                                                   They’ve had an issue with that going back 5 years

                                                   Their policy to handle is to deliver all OSS in source form

                                                   So, therefore include attribution in comments

                                                   They include a list of open source and model licenses, but the attribution is all in source code

                                   Example- Modem company

                                                   Intel provides chips and software in binary form

                                                   Packaging: With binary they include

                                                                   all source for open source in binary

                                                                   And, list of conditions for any 3rd party proprietary code

                                   Are they being asked for security vulnerabilities associated with components

                                                   Not yet, but they are thinking about it with respect to naming (CPEs, etc)

   AZ- “Thanks for the wonderful work. It’s really helpful.”

 

Tech Team Report - Kate

   Spec

                   Collecting feedback

                   Addressing as it comes in

   Gary has taken a pass at updating tools

   In the polishing stage

                   One more round of feedback

                   Into publishing mode as of Tuesday

   Bake Offs

                   Possible SF 9/27 and Europe at LCon

                   Needs to be nailed down in the next couple weeks.

Outreach Team Report - Jack

   Website

                   Still working this week

                   Will review at next week’s meeting

                   Should be close with go live; shooting for Linux Con NA

                   Still looking for some improvements that will require work from the Linux Foundation team

                                   No show stoppers

                   Will send out link for review

Legal Team Report - Jilayne

   XML review

                   Still plugging away

                   Timeline set

   2.5 release

                   Just a few licenses

                   Aiming for end of Oct

                   See Legal Team meeting mins for detail

                   Could use all the help they can get; lots to do

                                   To review new XML master format for every license

 

Cross Functional Topics - Phil

   Guest stars

                   Always looking for more

 

Attendees

   Phil Odence, Black Duck

   Alexios Zavras, Intel

   Kate Stewart, Linux Foundation

   Jilayne Lovejoy, ARM

   Scott Sterling, Palamida

   Robin Gandhi, UNO

   Jack Manbeck, TI

   Yev Bronshteyn, Black Duck

   Matt Germonprez, UNO

   Michael Herzog- nexB

   Georg Link, UNO

   Mike Dolan, Linux Foundation


 


Thursday SPDX General Meeting

Philip Odence
 

Please join us this week. Alexios Zavras will begin the meeting with an informal presentation on Intel’s use and plans for SPDX.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, Aug 4, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed

 

Administrative Agenda

Attendance

 

 

Guest Presentation – Alexios Zavras

 

Technical Team Report – Kate 

 

Legal Team Report – Jilayne

 

Business Team Report – Jack

 

Cross Functional Issues - Phil
