Jilayne,

We spoke with Kate about it on the outreach call before the end of the year. She was checking with the Linux Foundation to see what the plans were. I agree a meeting room for one day would be good.

-        Jack

Hi All,

http://wiki.spdx.org/view/General_Meeting/Minutes/2017-01-05

General Meeting/Minutes/2017-01-05

< General Meeting‎ | Minutes

Jump to: navigation, search

• Attendance: 14
• Lead by Phil Odence
• Minutes of Dec meeting approved

Contents [hide] 

• 1 Special Presentation- Georgia (Zeta) Kapitsaki
• 2 Cross Functional Topics - Phil
• 3 Tech Team Report - Kate/Gary
• 4 Legal Team Report - Jilayne/Paul
• 5 Outreach Team Report - Jack
• 6 Attendees

Special Presentation- Georgia (Zeta) Kapitsaki[edit]

• Goals of work
  • Automate license specification and selection
  • Helping smaller companies and independent developers
  • Helping with combining licenses
    • Created a graph of compatibility for this purpose
    • Based on analysis by computer scientists (not reviewed by lawyers
• Selected SPDX because it was the only standard way to represent
• Analysis
  • Use RDF version of SPDX
  • Parse and find the different licenses
  • Based on compability graph to determine whether the license combinations are OK
  • Can analyze multiple docs to determine compatibility as well
• Implementation
  • Based tools on SPDX community tools; implemented Java
  • Started with v1.1; needs upgrading
  • Had a problem with finding real files and so used on line FOSSology tools to create
• Process
  • Uses graph, but graph could be used manually independent of SPDX
  • Find compatible/incompatible licenses
  • Determines problems and flags compatibility problems
• Available on GitHub
• Question
  • Are you looking at type of file when analyzing compatibility? Make files for example
    • No they analyze all licenses
    • Would be a direction for the future
    • Might also us dependency information
  • How did you determine which files were compatible and incompatible
    • Did their own analysis
    • Perhaps allow configuration of compatibility

Cross Functional Topics - Phil[edit]

• ANNUAL GOALS
  • Roll out github-maintainable XML license templates
  • Define an approach to creating notice files from an SPDX doc
  • Develop a web-based license match tool
  • Implement tool to score a project’s licensing quality
  • Gain Apache/Eclipse Foundation adoption
  • Sponsor a Google Summer of Code Project
  • Conduct a supply chain management survey
  • Build “whole product” around the spec—what is required for adoption
  • Deploy existing SPDX group tools on web
  • Develop a git plug-in to generate an SPDX doc

Tech Team Report - Kate/Gary[edit]

• Spec
  • Focus has been on support for implementations
    • Best practice
    • Tools
      • Pseudo code for notices generation
• Moving git repo from LF over to GitHub at end of January

Legal Team Report - Jilayne/Paul[edit]

• License list release
  • No Q4 license list release
  • Next one in next few days
• Transition to Github list will be around end of January

Outreach Team Report - Jack[edit]

• No meeting yet this year
• Look at Leadership Conference
• Approach to Summer of Code
• Create survey
• Working on supporting docs

Attendees[edit]

• Phil Odence, Black Duck
• Kate Stewart, Linux Foundation
• Jilayne Lovejoy, ARM
• Paul Madick, Dimension Data
• Gary O’Neill, SourceAuditor
• Georg Link, UNL
• Mark Gisi, Wind River
• Jack Manbeck, TI
• Alexios Zavras, Intel
• Matt Germonprez, UNO
• Robin Gandhi, UNO
• Dave Marr, Qualcomm
• Sayonnha Mandal, UNO
• Georgia Kapitsaki, U of Cyprus

• NewPP limit report CPU time usage: 0.009 seconds Real time usage: 0.010 seconds Preprocessor visited node count: 23/1000000 Preprocessor generated node count: 28/1000000 Post‐expand include size: 0/2097152 bytes Template argument size: 0/2097152 bytes Highest expansion depth: 2/40 Expensive parser function count: 0/100 Saved in parser cache with key spdx_mwiki:pcache:idhash:1072-0!*!*!!en!*!* and timestamp 20170105165343 and revision id 4072

This will be a particularly interesting General Meeting. In addition to our normal team reporting, we will have two special topics:

·         A presentation from Georgia (Zeta) Kapitsaki on her research using SPDX at the Univ of Cyprus

·         Review of 2017 annual goals for SPDX by the Core Team

GENERAL MEETING

Meeting Time: Thurs, Jan 5, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Join the call: https://www.uberconference.com/katestewart

Optional dial in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed

Administrative Agenda

Attendance

Minutes Approval http://wiki.spdx.org/view/General_Meeting/Minutes/2016-12-01

Special Presentation– Georgia (Zeta) Kapitsaki

License compatibilities and relevant tool in the framework of SPDX

Cross Functional Issues – Phil/All

Annual Goals

·         Roll out github-maintainable XML license templates

·         Define and approach to creating notice files from an SPDX doc

·         Develop a web-based license match tool

·         Implement tool to score a project’s licensing quality

·         Gain Apache/Eclipse Foundation adoption

·         Sponsor a Google Summer of Code Project

·         Conduct a supply chain management survey

·         Build “whole product” around the spec—what is required for adoption

·         Deploy existing SPDX group tools on web

·         Develop a github plug-in to generate an SPDX doc

Technical Team Report – Kate/Gary

Legal Team Report – Jilayne/Paul

Business Team Report – Jack

Topic: License compatibilities and relevant tool in the framework of SPDX

Licensing decisions for new Open Source Software are not always straightforward. However, the license that accompanies the software is important as it largely affects its subsequent distribution and reuse. License information for software products is captured - among other data - in the Software Package Data Exchange (SPDX) files. I will talk briefly about our research work and our tool for the validation of SPDX files regarding proper license use. Software packages described in SPDX format are examined in order to detect license violations that may occur when a  product combines different software sources that carry different and potentially contradicting licenses. The SPDX License Validation Tool (SLVT) gives the opportunity to check the compatibility of one or more SPDX files. 

Brief biography:

Assistant Professor at the Department of Computer Science of the University of Cyprus (UCY) and faculty member of the Software Engineering and Internet Technologies (SEIT) laboratory in UCY. She received her PhD from the National Technical University of Athens, Greece (2009). Her research interests include: software engineering, service-oriented computing, open source software reuse and privacy enhancing technologies. She has published over 40 papers in international conferences and journals, has participated in conference organisation (e.g. ICSR 2016) and has served as a TPC member and referee in repudiated journals and conferences. She has been involved in EU FP6 and FP7 projects and has worked as a software engineer in the industry.

http://wiki.spdx.org/view/General_Meeting/Minutes/2016-12-01

General Meeting/Minutes/2016-12-01

< General Meeting‎ | Minutes

Jump to: navigation, search

• Attendance: 11
• Lead by Phil Odence
• Minutes of Nov meeting approved

Contents [hide] 

• 1 Tech Team Report - Kate/Gary
• 2 Legal Team Report - Jilayne/Paul
• 3 Outreach Team Report - Jack
• 4 Cross Functional Topics - Phil
• 5 Attendees

Tech Team Report - Kate/Gary[edit]

• Spec
  • Has been focusing on coding up best practices for creating a Notices file
    • Will need some input from the Legal Team, probably a joint meeting
    • Output will be pseudo-code which could be the basis for a tools (basis is sparkle queries)
  • 2.1 is out there; no current bugs reported
    • Kate gave a presentation on 2.1 in Yokahama; will get to Jack for posting on website
• Tooling
  • All upgraded to 2.1
  • No bugs reported
  • Python library being upgraded
    • Useful for implementing SPDX in a Python-based sw tool
• 2017 Goals Brainstorm
  • Tooling to make quality of licensing more visible
    • Mark G started this work
    • The idea is to grade a project, based on SPDX file, for how complete the licensing is
• Looking to get plug-ins adopted into communities
  • Apache and Eclipse
• Web based tools
  • Current java tools involve installing java environment
  • e.g. Past a license into a webpage and have it matched to an SPDX template
• Discuss pros/cons of moving to single format
  • JSON- Happy medium between tag value and RDF
• Write a git plug-in for generating SPDX docs
  • Could then grade
• Another Google Summer of Code Project

Legal Team Report - Jilayne/Paul[edit]

• How to leverage git hub for document maintenance
• xml work
  • Still plugging away
  • Need to assess where we are in Thursday’s call
• License list
  • No Sept release
  • Some requests have trickled in
• 2017 Goals Brainstorm
  • Big thing is getting the XML templates up
  • Getting up and running on GitHub
  • Make sure notice files work is accurate
  • Upgrading the license expressions language
  • Supportive of license match Web App

Outreach Team Report - Jack[edit]

• A few meetings have been missed
• Website is up
• Outlining documentation needs
• 2017 Goals Brainstorm
  • Do a survey of companies using supply chains - understand what they are doing wrt gathering license data
    • Could use other existing groups such as Open Chain

Cross Functional Topics - Phil[edit]

Attendees[edit]

• Phil Odence, Black Duck
• Kate Stewart, Linux Foundation
• Jilayne Lovejoy, ARM
• Paul Madick, Dimension Data
• Gary O’Neill, SourceAuditor
• Tarek Jamal, ARM
• Mark Gisi, Wind River
• Jack Manbeck, TI
• Alexios Zavras, Intel
• Michael Herzog- nexB
• Philippe Ombrédanne- nexB

Special Discussion, 2017 Goals- Please bring your thoughts about goals for next year. After each update, team leads will facilitate some brainstorming on this subject. The Core Team will finalize and announce formal goal at the January 5 General Meeting. 

Thanks again to Lei from Fujitsu for an interesting presentation!

General Meeting/Minutes/2016-11-03

< General Meeting‎ | Minutes

Jump to: navigation, search

•         Attendance: 12

•         Lead by Phil Odence

•         Minutes of Sept meeting approved (Oct meeting was cancelled due to LinuxCon Europe)

Contents [hide] 

                        1 Special Guest - Lei Mao Hui, Fujitsu

                        2 Tech Team Report - Kate/Gary

                        3 Legal Team Report - Jilayne/Paul

                        4 Outreach Team Report - Jack

                        5 Cross Functional Topics - Phil

                        6 Attendees

Special Guest - Lei Mao Hui, Fujitsu[edit]

•         Lei

•         Working for Fujitu

•         Developing on house Distro

•         Spoke at ALS and Linux Conference about experience with SPDXX

•         Reason Fujitsu needs SPDX

•         Want an SPDX file for all their packages

•         Customers ofter require license info

•         Released under GPL3, but includes software under other license as well. Many!

•         MIT, BSD, GPL2, etc.

•         SPDX is good for this purpose

•         So they added into production Development

•         Yocto SPDX

•         Lucky for them that Yocto supports SPDX

•         But the activity on Yocto SPDX has been slow

•         Found some issues when using

•         Only supports SPDX 1.1

•         Doesn’t do a great job even with that

•         Is complex to use; takes a long time

•         May introduce license conflicts

•         In the end you can download the SPDX

•         Fujitsu’s contributions to Yocto SPDX

•         So they did some work to improve:

•         Created a patch to upgrade to SPDX 1.2

•         Unfortunately was never accepted into Yocto

•         Would like to upgrade to SPDX 2.0

•         And to improve performance

•         Has been working on some of the SPDX open source tools

•         including DoSocks developed by UNO

•         Lei has been continuing to submit improvements to Yocto

•         Improved performance

•         Currently discussing more improvements with Yocto

•         Will be continuing to improve and to upgrade to SPDX 2.1

•         Question

•         Has yocto been receptive?

•         Yocto has not been active or focused on SPDX.

•         Some people have been interested

•         Not sure why they are not interested

•         Kate will help and follow up

Tech Team Report - Kate/Gary[edit]

•         Spec

•         SPDX 2.1 is now released and official

•         Starting to focus on use cases and tooling

•         last call was a joint call with the Legal Team

•         Templetazation focus

•         Agreed on interfaces between teams

•         Tooling

•         Incorporated results from the bake off

•         Overall, everyone at the bake off got good feedback, leading to improvement of all tools

•         XML Format

•         Legal Team has been working on new format for license templates

•         Makes it easier for multiple contributors

•         Working now on making it consumable for external tools

•         Really good progress

•         Should have draft standards in the next month or two.

Legal Team Report - Jilayne/Paul[edit]

•         Joint Call with Tech Team

•         Worked on syncing tag names to be consistent with spec

•         Went really well

•         License List

•         Business as usual with new licenses

•         More license requests for licenses in other languages

•         Probably need to have a discussion about how to handle consistently

Outreach Team Report - Jack[edit]

•         Website

•         New site is up

•         Jack’s in process of posting new stuff

•         Next agenda

•         Working on new docs, templates, etc

•         Mostly to help explain aspects of how to use

•         Trying to assemble list of topics and then prioritize

•         Very open to ideas

Cross Functional Topics - Phil[edit]

•         Future topic - Will be a discussion of license in different languages

•         Legal Team will come forward with a strawman. A few months out.

•         Guest stars

•         Always looking for more

Attendees[edit]

•         Phil Odence, Black Duck

•         Lei Mao Hui, Fujitsu

•         Kate Stewart, Linux Foundation

•         Jilayne Lovejoy, ARM

•         Yev Bronshteyn, Black Duck

•         Scott Sterling, Palamida

•         Paul Madick, Dimension Data

•         Gary O’Neill, SourceAuditor

•         Tarek Jamal, ARM

•         Mark Gisi, Wind River

•         Jack Manbeck, TI

•         Alexios Zavras, Intel

•         NewPP limit report CPU time usage: 0.009 seconds Real time usage: 0.010 seconds Preprocessor visited node count: 23/1000000 Preprocessor generated node count: 28/1000000 Post‐expand include size: 0/2097152 bytes Template argument size: 0/2097152 bytes Highest expansion depth: 2/40 Expensive parser function count: 0/100 Saved in parser cache with key spdx_mwiki:pcache:idhash:1065-0!*!*!!en!*!* and timestamp 20161103153915 and revision id 4059

The call is kicking off now. The highlight will be a presentation from Lei at Fujitsu. Please join us.

Sorry for the late reminder

Hi,

Whilst preparing for SPDX bakeoff I noticed a few issues with my interpretation of the specification that may be worth discussion.

Firstly a number of fields in tag files contain arbitrary text enclosed within <text>...</text> tags. I found examples where the text I am including within these tags does itself contain HTML/XML tags from the source document. The inclusion of non-SPDX tags within the <text> tags makes it hard to spot the end of the </text>. This raises the question of whether the text within <text> tags ought to be escaped in some way? I did not find anything on this point in the SPDX specification (apologies if I missed anything).

Secondly, I noticed that in the tag field PackageLicenseInfoFromFiles I am including license exceptions, for example:

PackageLicenseInfoFromFiles: Classpath-exception-2.0

However, I think my use is incorrect. The spec says a license identifier is needed here, and a license exception identifier is not a license identifier. I cannot alternatively use "license WITH exception" here because this is an expression not a license identifier. This raises the question, how should exceptions be represented in PackageLicenseInfoFromFiles, if at all?

I appreciate your thoughts on these issues.

From: spdx-tech-bounces@... [mailto:spdx-tech-bounces@...] On Behalf Of Kate Stewart
Sent: 22 September 2016 19:58
To: spdx-tech@...; SPDX-general
Subject: SPDX Bake off to compare tools generating code for the SPDX 2.1 specification on October 6, 2016.

Thank you for the suggestions Yev, I will give them a try!

Mike

A slight correction to the above – the sparql query in my previous email may be too simplistic in that it does not include files that are inside of packages (as package contents are not necessarily described with relationships).

This should produce the graph of both relationships and file contents:

prefix spdx: <http://spdx.org/rdf/terms#>

construct { ?sub ?pred ?obj .

            ?sub2 spdx:hasFile ?file}

where {

     ?sub spdx:relationship ?rel .

     ?rel spdx:relationshipType ?pred .

     ?rel spdx:relatedSpdxElement ?obj .

     ?sub2 spdx:hasFile ?file .

}

Hi, Michael,

I don’t know much about RDF graphing tools, but here’s a trick to make any tool you already have produce a better graph.

You can use this sparql query to reduce an SPDX document to an RDF where every relationship is reduced to a single triple:

prefix spdx: <http://spdx.org/rdf/terms#>

construct { ?sub ?pred ?obj }

where {

     ?sub spdx:relationship ?rel .

     ?rel spdx:relationshipType ?pred .

     ?rel spdx:relatedSpdxElement ?obj .

}      

Here’s how you can apply this query with Apache Jena:

1.      Load your spdx document into Jena’s triple store:

tdbloader --loc=data mydoc.rdf

In the example above, “data” is an empty directory where you have write access (where Jena will build its datastore) and mydoc.rdf is your SPDX document.

2.      Apply the query, which in this example is loaded into “relConcat.sparql”. Pipe the results into a file.

tdbquery --loc=data --query=../relConcat.sparql --results=RDF

The resulting RDF should be a much more straightforward graph of all the relationsips.

Hello,

I was wondering if anyone can suggest a tool to visually in a graph (ideally interactive) SPDX RDF files, specifically to follow relationships? I am currently using gruff (http://franz.com/agraph/gruff/) , but it’s a little tedious. Thanks.

Mike

_____________________________
Michael Stair
Principal Member of Technical Staff
AT&T Chief Security Office (CSO)
301.865.3877
mstair@...

A slight correction to the above – the sparql query in my previous email may be too simplistic in that it does not include files that are inside of packages (as package contents are not necessarily described with relationships).

This should produce the graph of both relationships and file contents:

prefix spdx: <http://spdx.org/rdf/terms#>

construct { ?sub ?pred ?obj .

            ?sub2 spdx:hasFile ?file}

where {

     ?sub spdx:relationship ?rel .

     ?rel spdx:relationshipType ?pred .

     ?rel spdx:relatedSpdxElement ?obj .

     ?sub2 spdx:hasFile ?file .

}

Hi, Michael,

I don’t know much about RDF graphing tools, but here’s a trick to make any tool you already have produce a better graph.

You can use this sparql query to reduce an SPDX document to an RDF where every relationship is reduced to a single triple:

prefix spdx: <http://spdx.org/rdf/terms#>

construct { ?sub ?pred ?obj }

where {

     ?sub spdx:relationship ?rel .

     ?rel spdx:relationshipType ?pred .

     ?rel spdx:relatedSpdxElement ?obj .

}      

Here’s how you can apply this query with Apache Jena:

1.      Load your spdx document into Jena’s triple store:

tdbloader --loc=data mydoc.rdf

In the example above, “data” is an empty directory where you have write access (where Jena will build its datastore) and mydoc.rdf is your SPDX document.

2.      Apply the query, which in this example is loaded into “relConcat.sparql”. Pipe the results into a file.

tdbquery --loc=data --query=../relConcat.sparql --results=RDF

The resulting RDF should be a much more straightforward graph of all the relationsips.

Hello,

I was wondering if anyone can suggest a tool to visually in a graph (ideally interactive) SPDX RDF files, specifically to follow relationships? I am currently using gruff (http://franz.com/agraph/gruff/) , but it’s a little tedious. Thanks.

Mike

_____________________________
Michael Stair
Principal Member of Technical Staff
AT&T Chief Security Office (CSO)
301.865.3877
mstair@...

Hi, Michael,

I don’t know much about RDF graphing tools, but here’s a trick to make any tool you already have produce a better graph.

You can use this sparql query to reduce an SPDX document to an RDF where every relationship is reduced to a single triple:

prefix spdx: <http://spdx.org/rdf/terms#>

construct { ?sub ?pred ?obj }

where {

     ?sub spdx:relationship ?rel .

     ?rel spdx:relationshipType ?pred .

     ?rel spdx:relatedSpdxElement ?obj .

}      

Here’s how you can apply this query with Apache Jena:

1.       Load your spdx document into Jena’s triple store:

tdbloader --loc=data mydoc.rdf

In the example above, “data” is an empty directory where you have write access (where Jena will build its datastore) and mydoc.rdf is your SPDX document.

2.       Apply the query, which in this example is loaded into “relConcat.sparql”. Pipe the results into a file.

tdbquery --loc=data --query=../relConcat.sparql --results=RDF

The resulting RDF should be a much more straightforward graph of all the relationsips.

Hello,

I was wondering if anyone can suggest a tool to visually in a graph (ideally interactive) SPDX RDF files, specifically to follow relationships? I am currently using gruff (http://franz.com/agraph/gruff/) , but it’s a little tedious. Thanks.

Mike

_____________________________
Michael Stair
Principal Member of Technical Staff
AT&T Chief Security Office (CSO)
301.865.3877
mstair@...

Hello,

I was wondering if anyone can suggest a tool to visually in a graph (ideally interactive) SPDX RDF files, specifically to follow relationships? I am currently using gruff (http://franz.com/agraph/gruff/) , but it’s a little tedious. Thanks.

Mike

_____________________________
Michael Stair
Principal Member of Technical Staff
AT&T Chief Security Office (CSO)
301.865.3877
mstair@...

Cancelling the October meeting as it conflicts with LinuxCon Europe.

We will have a special presentation for the November meeting on OpenChain.