Re: SPDX License List v2.4 released

Alexios Zavras
 

This license is empty: http://spdx.org/licenses/NLOD-1.0.html

I assume because the reference (at least in the Excel file) is to “NLOD-1..txt” instead of “NLOD-1.0.txt”.

 

-- zvr

 

From: spdx-legal-bounces@... [mailto:spdx-legal-bounces@...] On Behalf Of J Lovejoy
Sent: Tuesday, April 05, 2016 12:41 AM
To: SPDX-legal <spdx-legal@...>; SPDX-general <spdx@...>
Subject: SPDX License List v2.4 released

 

Hi All,

 

Version 2.4 of the SPDX License List is now available in the usual places. We added 9 new licenses for this release, including some international licenses and newly-approved by the OSI. http://spdx.org/licenses/

 

You will also notice a new look to the license list pages - this is part of the new website revamp.  You will see the new look on the rest of the pages soon!

 

Thanks,

Jilayne

 

 

SPDX Legal Team co-lead
opensource@...

 



SPDX April General Meeting Minutes

Philip Odence
 


General Meeting/Minutes/2016-04-07

  • Attendance: 14
  • Led by Phil Odence
  • Minutes of March meeting approved


Special Guest Star - Kris Reeves

  • Background
    • Working with the team over the past few months
    • Focused on improving templates and matching process
    • Has been building tools for his NodeJS environment to discover licenses to meet client needs
    • Created a tool that makes a binary decision about whether there are any problematic licenses, yes or no
    • Wasn’t working well initially because of “naive” approach in the package he was using, Node License Finder
    • Found 3 packages that were trying to do this
      • Node Packet Manager used SPDX short names
      • Which got Kris onto SPDX
      • Tool was not using matching guidelines properly
    • So Kris got onto trying to fix
  • SPDX Work
    • Felt there needed to be some changes
    • Started submitting bug reports
    • Conclusion:
      • The templates were the right place to address issues he was running into
      • Developed tool in parallel to working on:
        • More Mark Up
          • A big jump
          • XML files that contain all info about a license
          • Obsoleting spreadsheet
        • Better Mark Up
          • XML is familiar and available
          • Self-contained
          • Better to have the matching info in the data for tool consistency
        • Easier Contribution
          • Separate Git repo, bugzilla, etc. systems make contribution awkward
          • Feels GitHub web interface streamlines all that, so advocating we migrate in that direction
      • Ideally all this reduces workload on Jilayne
      • Status
        • Has taken passes at converting licenses and submitted pull request
        • Still some issues he’ll work on this weekend.
        • Getting very close


Tech Team Report - Kate/Gary

  • Specification Update:
    • Good Collab Summit
      • Office hours talk kicked off with some good brainstorming on aggregating SPDX docs
        • Package referring to other packages and best ways to refer to and store relationships
      • Gary and Kris’ presentation was well received.
      • Spec review went very well
        • Bill and Yev are looking at adding some new classes
        • Helpful input from Robin Gandhi
      • Looking for wider feedback in May and new release in June.
        • Possible August plug fest
      • FOSSology team did a talk that included SPDX
  • This week’s call
    • Addressed all open items from Collab Summit
  • Tools Update:
    • Bracing for spec to be finished to update tools
    • Kris has contributed some great tooling as well

Outreach Team Report - Jack

  • Website
    • New site is now staged
    • Reviewed at Collab Summit
      • Some limitations we will need to work around
      • Navigation really needs sorting out
    • Still hoping for April launch
  • Webinars
    • Met with LF Marketing Team
    • Will help us with a webinar as a trial
    • Jack creating one pager to advertise
    • Suggested piggy backing on a new initiative being launched in July- Professional Open Source

Legal Team Report - Jilayne/Paul

  • License list v2.4 is up
  • Lots of work on new format that Kris talked about
    • Legal team needs to review how the output looks
    • And to take another pass at the licenses
  • Special legal team meeting today immediately following

Cross Functional Topics - Phil

  • Google SoC
    • We are on the list of LF projects
    • No requests yet, but expecting some
  • Still looking for special guest stars to speak at General Meetings
    • Jilayne has an idea for July.

Attendees

  • Phil Odence, Black Duck
  • Kate Stewart, Linux Foundation
  • Pierre LaPointe, nexB
  • Jilayne Lovejoy, ARM
  • Mark Gisi, Wind River
  • Michael Herzog, nexB
  • Dave Marr, Qualcomm
  • Jack Manbeck, TI
  • Kris Reeves
  • Scott Sterling, Palamida
  • Josiah Krutz, UNO
  • Matt Germonprez, UNO
  • Gary O’Neall, SourceAuditor
  • Paul Madick, Dimension Data


Re: SPDX License List v2.4 released

Philippe Ombredanne
 

On Tue, Apr 5, 2016 at 11:08 PM, Gary O'Neall <gary@...> wrote:
> Greetings all - The site has now been updated with conforming HTML.

Thank you Gary. That was quick!

--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode : What's in your code?! at http://www.dejacode.com
nexB Inc. at http://www.nexb.com


Reminder: Thursday SPDX General Meeting with (yet another) Special Guest Star

Philip Odence
 

Special Presentation: Kris Reeves will be sharing a boiled down version of the presentation he did at the Collab Summit: 
One of the challenges in open source license compliance is just identifying which licenses are present in the source code. SPDX has created a set of matching guidelines and a license template syntax to help tools match text against the SPDX license list. Kris Reeves will share his practical experience using the SPDX license list for identifying licenses in node.js and how it has led to improvements both in the SPDX license list and making the SPDX license list more accessible for contributors. We will discuss how you can review and make contributions to the SPDX license matching syntax. We will also discuss how you can use the SPDX license list in your own software tools using some of the new formats available on spdx.org/licenses.
Kris writes code for a living and plays Tetris, usually in that order.


GENERAL MEETING

Meeting Time: Thurs, April 7, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Optional dial in number: 877-297-7470
Alternate number: 512-910-4433
No PIN needed


Administrative Agenda
Attendance


Special Presentation – Kris 


Technical Team Report – Kate 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues - Phil


Re: SPDX License List v2.4 released

Gary O'Neall
 

Greetings all - The site has now been updated with conforming HTML.

Gary

-----Original Message-----
From: spdx-legal-bounces@... [mailto:spdx-legal-
bounces@...] On Behalf Of Philippe Ombredanne
Sent: Tuesday, April 5, 2016 6:45 AM
To: SPDX-legal
Cc: SPDX-general
Subject: Re: SPDX License List v2.4 released

On Tue, Apr 5, 2016 at 12:40 AM, J Lovejoy <opensource@...> wrote:
> Hi All,
>
> Version 2.4 of the SPDX License List is now available in the usual places.
> We added 9 new licenses for this release, including some international
> licenses and newly-approved by the OSI. http://spdx.org/licenses/
>
> You will also notice a new look to the license list pages - this is part of
> the new website revamp. You will see the new look on the rest of the pages
> soon!

Excellent!
Note that none of the generated files are valid HTML.
See http://spdx.org/licenses/Glide for instance
With the .html extension, the browsers deal with the quirks somehow:
http://spdx.org/licenses/Glide.html

So this is serious but not critical.

All these files are declared as being strict XHTML (meaning strict XML).
But they are not as you can see here:
https://validator.w3.org/check?uri=http://spdx.org/licenses/Glide.html

--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode : What's in your code?! at http://www.dejacode.com
nexB Inc. at http://www.nexb.com


Re: SPDX License List v2.4 released

Gary O'Neall
 

Thanks Philippe for pointing this out.

Some of these errors were introduced when we updated the templates for a new
website look.

I always visually check the pages, but I'll add running them through a
validator to the checklist when we update the site.

I hope to get these corrected in the next day or so.

Gary

-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...]
On Behalf Of Philippe Ombredanne
Sent: Tuesday, April 5, 2016 6:45 AM
To: SPDX-legal
Cc: SPDX-general
Subject: Re: SPDX License List v2.4 released

On Tue, Apr 5, 2016 at 12:40 AM, J Lovejoy <opensource@...> wrote:
> Hi All,
>
> Version 2.4 of the SPDX License List is now available in the usual places.
> We added 9 new licenses for this release, including some international
> licenses and newly-approved by the OSI. http://spdx.org/licenses/
>
> You will also notice a new look to the license list pages - this is part of
> the new website revamp. You will see the new look on the rest of the pages
> soon!

Excellent!
Note that none of the generated files are valid HTML.
See http://spdx.org/licenses/Glide for instance
With the .html extension, the browsers deal with the quirks somehow:
http://spdx.org/licenses/Glide.html

So this is serious but not critical.

All these files are declared as being strict XHTML (meaning strict XML).
But they are not as you can see here:
https://validator.w3.org/check?uri=http://spdx.org/licenses/Glide.html

--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode : What's in your code?! at http://www.dejacode.com
nexB Inc. at http://www.nexb.com


Re: SPDX License List v2.4 released

Philippe Ombredanne
 

On Tue, Apr 5, 2016 at 12:40 AM, J Lovejoy <opensource@...> wrote:
> Hi All,
>
> Version 2.4 of the SPDX License List is now available in the usual places.
> We added 9 new licenses for this release, including some international
> licenses and newly-approved by the OSI. http://spdx.org/licenses/
>
> You will also notice a new look to the license list pages - this is part of
> the new website revamp. You will see the new look on the rest of the pages
> soon!

Excellent!
Note that none of the generated files are valid HTML.
See http://spdx.org/licenses/Glide for instance
With the .html extension, the browsers deal with the quirks somehow:
http://spdx.org/licenses/Glide.html

So this is serious but not critical.

All these files are declared as being strict XHTML (meaning strict XML).
But they are not as you can see here:
https://validator.w3.org/check?uri=http://spdx.org/licenses/Glide.html

--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode : What's in your code?! at http://www.dejacode.com
nexB Inc. at http://www.nexb.com


SPDX License List v2.4 released

J Lovejoy
 

Hi All,

Version 2.4 of the SPDX License List is now available in the usual places. We added 9 new licenses for this release, including some international licenses and newly-approved by the OSI. http://spdx.org/licenses/

You will also notice a new look to the license list pages - this is part of the new website revamp.  You will see the new look on the rest of the pages soon!

Thanks,
Jilayne


SPDX Legal Team co-lead
opensource@...



Re: Representing Projects Using SPDX 2.0

Gary O'Neall
 

Hi Robin,

 

Got a chance to read through the document.  Thanks for clearly laying out the issues with representing aggregated projects in SPDX - I think this is a good problem to solve for the general community and once we're done, I would like to include this in the SPDX best practices document (minus the DoSOCS specifics) if that is OK with you.

 

A couple high level points and feedback:

 

  • In general, I agree with the approach.

  • For Maven, you can map the Maven dependency scope to the SPDX relationship type. You can see what I chose as mapping in the Java method scopeToRelationshipType in the SpdxDependencyInformation.java file. If you see anything you disagree with - do me a favor and log an issue in the Git repository.

  • I would only use PACKAGE_OF if the included package is compiled in source as a sub-project (e.g. a subdirectory) or if it is a complete independent package being distributed as part of a larger distribution. In a Maven POM file, they are likely dynamically linked dependencies. From the PDF document, I wasn't sure of the specifics on the example - but they kind of looked like dynamically linked dependencies.

  • Definition of Package, Application and Project - Here's the definition of a package from the RDF terms: "A Package represents a collection of software files that are delivered as a single functional component." Would this definition apply to Project (e.g. the "files" would be the metadata files)? We should consider adding this definition to the PDF specification to be consistent (or re-discussing the definition if anyone disagrees with the RDF definition). I think it would be useful to define certain types of packages for the use in best practices (e.g. simple packages containing only source files, complex packages including dependency specifications, project packages which only contain metadata files, etc.).

 

Gary

 

From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Robin Gandhi
Sent: Sunday, March 20, 2016 7:35 PM
To: spdx@...
Subject: Representing Projects Using SPDX 2.0

 

Hello all,

 

In our work with an industry partner at the University of Nebraska-Omaha, a request that has come up often is related to project-level visibility of license information. While project-level information can be managed separately from SPDX, there is value in maintaining the project-level information in a manner similar to the individual project components. However, from a tooling perspective, the project-level view is different from the typical “one-shot” SPDX document generation for a directory or compressed files. After examining the possibilities with the SPDX 2.0 spec, we have come up with a proposal to handle project-level information in DoSOCSV2 implementation. Please see the attached document. Any and all feedback is welcome in helping us “figure” this out. Especially, if our interpretation and usage of the SPDX spec is appropriate. We also had some early discussions with Kate regarding this.

 

Best Regards,

 

Robin and the UNO DoSOCSv2 team (Matt, Uday and Josiah)


Representing Projects Using SPDX 2.0

Robin Gandhi
 

Hello all,

In our work with an industry partner at the University of Nebraska-Omaha, a request that has come up often is related to project-level visibility of license information. While project-level information can be managed separately from SPDX, there is value in maintaining the project-level information in a manner similar to the individual project components. However, from a tooling perspective, the project-level view is different from the typical “one-shot” SPDX document generation for a directory or compressed files. After examining the possibilities with the SPDX 2.0 spec, we have come up with a proposal to handle project-level information in DoSOCSV2 implementation. Please see the attached document. Any and all feedback is welcome in helping us “figure” this out. Especially, if our interpretation and usage of the SPDX spec is appropriate. We also had some early discussions with Kate regarding this.

Best Regards,

Robin and the UNO DoSOCSv2 team (Matt, Uday and Josiah)


Collab Summit SPDX Agenda

Philip Odence
 

Collab Summit is Tue, March 29 – Thu, March 31


Guide to the agenda for SPDX-interested folks

Tues

End of day panel. “Office hours”

Brainstorming problem solving with participants

Gary's talk on templatization

Wed – Monument Peak Room

Morning

9-1 Tech Team (2.1 spec walk through)

Afternoon-

GitHub - State of Open Source Licensing presentation

2:30-5:30 Legal Team (license templatization)

Thurs – Castle Peak Room

Morning- Open Chain

Afternoon- FOSSology

MarkG- Best practices presentation


Minutes from SPDX March General Meeting

Phil Odence <podence@...>
 



General Meeting/Minutes/2016-03-05

  • Attendance: 12
  • Led by Phil Odence
  • Minutes of Feb meeting approved

Special Guest Star - Camille Moulin, Inno3

  • SPDX license list and expressions
    • Most dependency management solutions include licensing info
      • So you can extract and process the information
      • Most clients aren’t using this approach, rather they use scanners like Black Duck, Palamida, Protecode
    • The dependency manager approach
      • This approach is not as accurate as code scanners
      • No information at the sub level package
      • Depends on quality metadata
    • Metadata quality
      • 30% of all packages have no license data
    • SPDX Maturity
      • Still a young project
      • License expressions were a key addition
      • Need to be clear on license version numbers
      • SPDX is already adopted by most package managers, particularly newer ones
      • Some useful tools are available
    • Q&A
      • What improvements in SPDX are required?
        • He suggests separating License name from version number as separate attributes


Tech Team Report - Kate/Gary

  • Specification Update:
    • Meetings over last month spent continuing to refine the External Reference proposal from Bill and Yev.
    • It's been refactored a couple of times, and active discussion is ongoing.
    • Introduced Draft version of Appendix on how to specify "SPDX-License-Expression:" in file comments.
    • Summarized information on WIKI and input received from mail list. Team wants to make sure wording at top makes it clear that if a license has a standard header, that header should be used.
  • Tools Update:
    • None this month

Outreach Team Report - Jack

  • Website
    • Still waiting on LF to update
  • Webinars
    • Just starting a regular series of Webinars
    • Jilayne was “volunteered” to talk about the license list as the initial one
    • Talking to LF about hosting


Legal Team Report - Jilayne

  • Big Update: Templates Rehab
    • Have reviewed guidelines and mark-up method and implementation
      • Guidelines were human-friendly, not machine
      • Fairly major overhaul back end
      • Much better handling of single source than was possible with spreadsheet
    • Better for machines
    • Enabling others to contribute
    • Easier to maintain
  • OSI
    • Have synced up our new license process
    • Our heads up had been coming late, after their URLs were set up
    • Now we can pick short ID first

Cross Functional Topics - Phil

  • Collab meeting: Walk through of the 2.1 SPEC changes in a combined document. 
  • Google SoC
    • SPDX alone was not accepted
    • LF was, so we may be able to piggyback


Attendees

  • Phil Odence, Black Duck
  • Yev Bronshteyn, Black Duck
  • Kate Stewart, Linux Foundation
  • Pierre LaPointe, nexB 
  • Jilayne Lovejoy, ARM
  • Kirsten Newcomer, Black Duck
  • Mark Gisi, Wind River 
  • Michael Herzog, nexB
  • Dave Marr, Qualcomm
  • Jack Manbeck, TI
  • Camille Moulin, Inno3
  • Scott Sterling, Palamida


FW: FOSDEM talk - of interest to SPDX general meeting

Philip Odence
 

If you will be on the call today, here are the slides that Camille will go through.

When you open them you can click on the browser to advance. And/or, we will try to have Camille share his screen.

From: Camille Moulin <cmoulin@...>
Date: Thursday, March 3, 2016 at 10:28 AM
To: Phil Odence <podence@...>
Cc: Jilayne Lovejoy <lovejoylids@...>, Kate Stewart <kstewart@...>
Subject: Re: FOSDEM talk - of interest to SPDX general meeting

Hi Phil,

Please find attached a few slides for my short presentation (it's SVG that should open correctly in any modern browser).

Thanks,
Camille


SPDX Reminder about Thursday General Meeting with special guest star!

Philip Odence
 

Special “guest” speaker this month is Camille Moulin, from Inno3, a French open source consultancy.
Camille will go through an abbreviated version of a talk he did at FOSDEM about SPDX and dependency managers:
Handling of licensing information in dependency managers (NPM, Composer et alii): how they can benefit from SPDX licence list and license expressions, and how they can be used as a simple application case to project SPDX licence expression future evolutions. 
Please let me know if you would be willing to give a 10 minute presentation in a future call on your organization’s use of SPDX or some other SPDX-related topic.


GENERAL MEETING

Meeting Time: Thurs, March 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Optional dial in number: 877-297-7470
Alternate number: 512-910-4433
No PIN needed


Administrative Agenda
Attendance


Special Presentation – Camille 


Technical Team Report – Kate 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues - Phil



L. Philip Odence
VP/General Manager, Black Duck On-Demand
Black Duck Software, Inc.
800 District Avenue, Suite 211, Burlington MA 01803
Phone: 781.425.4479, Mobile: 781.258.9502
Skype: philip.odence


Feb SPDX General Meeting Minutes

Philip Odence
 


General Meeting/Minutes/2016-02-04

  • Attendance: 11
  • Led by Kirsten Newcomer
  • Minutes of previous meeting were not reviewed

Special Presentation - Jack Manbeck

  • Jack spoke about Texas Instruments’ (TI) process for generating and content of the manifest (attribution) file. Below are my notes from the presentation. Jack, please send corrections as needed!!
  • Jack shared an example file in HTML format. There is a section for licenses and TI is considering replacing this section with an SPDX document showing file-level data. 
  • TI considered using the yocto integration to generate SPDX files, but the output was too big. They decided to scale back and start with the project and a more narrow scope.
  • The goal is for any engineer to be able to generate an SPDX document. Which means tooling that is easy to use and integrated with multiple build tools and / or CI tools. It also needs to run on multiple platforms. 
  • There are a series of steps in the TI process
    • Grab OSS and evaluate for use. It doesn’t make sense to generate SPDX at this time although you need some of that info to evaluate the open source. But things that SPDX requires change too quickly, such as location of the file, checksum (bug fixes to file).
    • So, it makes more sense to generate the SPDX file when you’re ready to ship
    • Then you have to edit the doc; it’s not usable as is, in part due to incomplete copyright strings, or possibly extracted license text
    • If files need to be edited, or the code needs to be re-built, the SPDX file needs to be re-generated and then re-edited. So, a tool that retains and re-applies previous edits that still apply is very much needed.
    • Would like to share / re-use generated SPDX docs, but the best way to share isn’t clear.
    • TI is looking at SPDX 2.0 and considering whether relationships between generated SPDX docs can help
    • Don’t want to have to use multiple tools for compliance and SPDX
    • Consider SPDX to be a good supplement to their manifest file but doesn’t replace it.
    • They still need to vet the process and polish
    • Jack mentioned a copyright snippet example where the output was not good enough. They’re evaluating different tools to use. They like the SPDX tools from UNO. 
    • They’d like, in some cases, to provide file by file list which could be done through a link to SPDX doc. 
    • They’re looking at Fossology and SPDX plugin. Also mentioned that it would be nice to get an idea of license spread at the beginning. 
  • Matt mentioned additional tools built by UNO, including DoSocks (spelling?) and Gary’s maven plugin which generates SPDX docs based on maven POM content. 
  • Kate mentioned Fossology 3.0 and Deb sources as well as FOSDEM and notion of a shared database of SPDX documents. 
  • Matt said that the UNO tools don’t store SPDX docs but instead store the data so the docs can be generated when required. Jack sees this as the right approach.
  • TI’s plan is to first build a repeatable process and then they can do more to enhance it. The checksum in SPDX documents is a challenge because files change right up to the last minute. 
  • Dave Marr commented that the model he’s interested in is having SPDX perpetuate through a development cycle with minimum impact on the team. Would like to be able to check code in with meta-data so that the meta-data travels with the file. 
  • Gary said that he’s seen this approach both work and not work. Tried an integration with IDEs but there was too much change for it to work. Says the Maven plugin seems to be pretty effective in maintaining the meta-data and the integration recalculates the checksum. Solution does assume that the data in the POM is correct. POMs are stored in the repository and the SPDX is generated at build time. Developers are used to editing POM files. 
  • Jack commented that in a structured environment that works, but TI needs a solution that works across multiple environments. 
  • Dave commented that training for engineering is needed — when you add or subtract content, here’s what you need to do. 
  • Jilayne would like engineering training for lawyers, with graphs, not just text. 
  • Everyone thought this would be a good overall topic for Collab Summit. 


Tech Team Report - Kate/Gary

  • Team is continuing discussions on External References. The work is close to being ready for a broader review. 
  • Joint tech / legal call on license markup planned for 2/9.
  • Discussions happening with Richard Fontana at OSI

Outreach Team Report - Jack/Kate

  • Planning for Collab Summit: 1/2 day Tech team and 1/2 day Legal, with SPDX “Office Hours” for folks to bring questions, issues. 
  • Good mentions of SPDX @ FOSDEM
  • LF says new website is close to being staged for review; Jack hopes it will be up for Collab Summit
  • Planning webinars in first quarter. Pierre has volunteered and the first will be on the license list. 

Legal Team Report - Jilayne/Paul

  • Working on proposal for license matching
  • Working on tighter communication with OSI


Cross Functional Topics - Kate


Attendees

  • Kirsten Newcomer, Black Duck
  • Gary O’Neall, SourceAuditor 
  • Scott Sterling, Palamida
  • Kate Stewart, Linux Foundation
  • Pierre LaPointe, nexB 
  • Jilayne Lovejoy, ARM
  • Kirsten Newcomer, Black Duck
  • Jack Manbeck, TI
  • Dave Marr, Qualcomm
  • Eric Weddington
  • Hassib Khanafer, Protecode
  • Matt Germonprez, UNO


Re: Tutorials, sample RDF files

Manbeck, Jack
 

Marvin,

Thanks for the feedback on the tutorials. It's a good idea. We have started a wiki page where we are doing something similar. I'll add this as an example as well.

Wiki link: http://wiki.spdx.org/view/Technical_Team/Best_Practices

Scroll down to the examples. I think it's likely we will pull them out to their own page.

Jack



-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Marvin Humphrey
Sent: Monday, February 08, 2016 6:53 PM
To: Gary O'Neall
Cc: spdx@...
Subject: Re: Tutorials, sample RDF files

Thanks, everyone, for the quick responses! I've successfully built and run the tools from Github, and I found the sample RDF files within the repo.

On Mon, Feb 8, 2016 at 1:53 PM, Gary O'Neall <gary@...> wrote:

> Just following up on Bill's email, I would be happy to provide you any
> information/background on using SPDX/RDF for Apache.

Here's a bit more context: On my own initiative, I'm exploring SPDX as a general solution for documenting dependency licensing for Apache projects.
See this thread I started yesterday on the Apache legal-discuss list:

http://markmail.org/message/6435qziggbjyvy6u

> I've also written a Maven plugin that generates SPDX/RDF files at
> https://github.com/goneall/spdx-maven-plugin that may provide another
> example application.

This plugin would surely be very useful for any Maven-driven Java project, but for my purposes, it cannot be counted on as available -- in fact the pilot project is likely to be a C project. (There are a lot of Java projects at Apache, but the Foundation is actually technology-neutral.) It is not important to deliver anything concrete in the near term -- instead, the goal is to understand how much effort it would take for *any* Apache project to generate SPDX data. The worst case is particularly important -- no Maven plugin, minimal XML expertise, etc.

> Let me know what other information I can help with.

What I envision as most helpful would be a tutorial which shows how to craft SPDX data manually for progressively more complex scenarios.

* Start off with a single "hello world" source file.
* Add several more source files under the same license.
* Add a bundled dependency under the same license but with a different
copyright holder.
* Add a bundled dependency under a different license.
* Add a separately-downloaded dependency under a different license.
* Generate a binary distribution.

And so on. There are naturally many corner cases to deal with (which I'm sure comes as no surprise to you all), and I don't expect that such documentation exists because my use case is esoteric -- but I hope that communicates where I'm headed with this.

Marvin Humphrey


Re: Tutorials, sample RDF files

Marvin Humphrey <marvin@...>
 

Thanks, everyone, for the quick responses! I've successfully built and run
the tools from Github, and I found the sample RDF files within the repo.

On Mon, Feb 8, 2016 at 1:53 PM, Gary O'Neall <gary@...> wrote:

> Just following up on Bill's email, I would be happy to provide you any
> information/background on using SPDX/RDF for Apache.

Here's a bit more context: On my own initiative, I'm exploring SPDX as a
general solution for documenting dependency licensing for Apache projects.
See this thread I started yesterday on the Apache legal-discuss list:

http://markmail.org/message/6435qziggbjyvy6u

> I've also written a Maven plugin that generates SPDX/RDF files at
> https://github.com/goneall/spdx-maven-plugin that may provide another
> example application.

This plugin would surely be very useful for any Maven-driven Java project, but
for my purposes, it cannot be counted on as available -- in fact the pilot
project is likely to be a C project. (There are a lot of Java projects at
Apache, but the Foundation is actually technology-neutral.) It is not
important to deliver anything concrete in the near term -- instead, the goal
is to understand how much effort it would take for *any* Apache project to generate
SPDX data. The worst case is particularly important -- no Maven plugin,
minimal XML expertise, etc.

> Let me know what other information I can help with.

What I envision as most helpful would be a tutorial which shows how to craft
SPDX data manually for progressively more complex scenarios.

* Start off with a single "hello world" source file.
* Add several more source files under the same license.
* Add a bundled dependency under the same license but with a different
copyright holder.
* Add a bundled dependency under a different license.
* Add a separately-downloaded dependency under a different license.
* Generate a binary distribution.

And so on. There are naturally many corner cases to deal with (which I'm sure
comes as no surprise to you all), and I don't expect that such documentation
exists because my use case is esoteric -- but I hope that communicates where
I'm headed with this.

Marvin Humphrey


Re: Tutorials, sample RDF files

Gary O'Neall
 

Hi Marvin,

Just following up on Bill's email, I would be happy to provide you any
information/background on using SPDX/RDF for Apache.

I've also written a Maven plugin that generates SPDX/RDF files at
https://github.com/goneall/spdx-maven-plugin that may provide another
example application.

The RDF terms are defined at http://spdx.org/rdf/terms/.

Let me know what other information I can help with.

Best regards,
Gary

-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...]
On Behalf Of Bill Schineller
Sent: Monday, February 8, 2016 12:04 PM
To: Marvin Humphrey; spdx@...
Subject: Re: Tutorials, sample RDF files

Hi Marvin,
Welcome to the list and thanks for your interest!

Is this you?

https://www.openhub.net/people?query=Marvin%20Humphrey



Regarding samples and tools, our spdx-tools repo is mirrored here:
https://github.com/spdx/tools


Primary developer for those tools is Gary O'Neall, with some
contributions from others.

Have a look, and I'm certain that Gary and some hands-on tech team
contributors would be happy to guide you through their use.

- Bill



Bill Schineller
VP Engineering - KnowledgeBase
Black Duck Software
781-425-4405
508-308-5921 (cell)
bschineller@...








On 2/8/16, 2:49 PM, "spdx-bounces@... on behalf of Marvin
Humphrey" <spdx-bounces@... on behalf of
marvin@...> wrote:

Greetings,

I'm an active contributor at the Apache Software Foundation with
regards to release policy and licensing. I'd like to explore the
possibility of having an Apache project supply SPDX data in a release.

I'm imagining that we would supply SPDX data as an RDF file, because
our official releases are 100% source. I also imagine that we would
want to either hand-craft those files or generate them using open
source tools.

Can you point me to some sample RDF files, tutorials, or documentation
explaining how I would go about that? It's been surprisingly difficult
to track down such materials.

Best,

Marvin Humphrey


Re: Tutorials, sample RDF files

Yev Bronshteyn
 

I believe Gary mentioned said generator has a dependency on external packages in order for its output to be legal.

On 2/8/16, 3:33 PM, "spdx-bounces@... on behalf of Manbeck, Jack" <spdx-bounces@... on behalf of j-manbeck2@...> wrote:

I believe Gary has been working on a Maven plug in generator for SPDX as well if that would be useful.

Jack


-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Bill Schineller
Sent: Monday, February 08, 2016 3:04 PM
To: Marvin Humphrey; spdx@...
Subject: Re: Tutorials, sample RDF files

Hi Marvin,
Welcome to the list and thanks for your interest!

Is this you?

https://www.openhub.net/people?query=Marvin%20Humphrey



Regarding samples and tools, our spdx-tools repo is mirrored here:
https://github.com/spdx/tools


Primary developer for those tools is Gary O'Neall, with some contributions from others.

Have a look, and I'm certain that Gary and some hands-on tech team contributors would be happy to guide you through their use.

- Bill



Bill Schineller
VP Engineering - KnowledgeBase
Black Duck Software
781-425-4405
508-308-5921 (cell)
bschineller@...








On 2/8/16, 2:49 PM, "spdx-bounces@... on behalf of Marvin Humphrey" <spdx-bounces@... on behalf of marvin@...> wrote:

Greetings,

I'm an active contributor at the Apache Software Foundation with
regards to release policy and licensing. I'd like to explore the
possibility of having an Apache project supply SPDX data in a release.

I'm imagining that we would supply SPDX data as an RDF file, because
our official releases are 100% source. I also imagine that we would
want to either hand-craft those files or generate them using open source tools.

Can you point me to some sample RDF files, tutorials, or documentation
explaining how I would go about that? It's been surprisingly difficult
to track down such materials.

Best,

Marvin Humphrey


Re: Tutorials, sample RDF files

Manbeck, Jack
 

I believe Gary has been working on a Maven plug in generator for SPDX as well if that would be useful.

Jack

-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Bill Schineller
Sent: Monday, February 08, 2016 3:04 PM
To: Marvin Humphrey; spdx@...
Subject: Re: Tutorials, sample RDF files

Hi Marvin,
Welcome to the list and thanks for your interest!

Is this you?

https://www.openhub.net/people?query=Marvin%20Humphrey



Regarding samples and tools, our spdx-tools repo is mirrored here:
https://github.com/spdx/tools


Primary developer for those tools is Gary O'Neall, with some contributions from others.

Have a look, and I'm certain that Gary and some hands-on tech team contributors would be happy to guide you through their use.

- Bill



Bill Schineller
VP Engineering - KnowledgeBase
Black Duck Software
781-425-4405
508-308-5921 (cell)
bschineller@...








On 2/8/16, 2:49 PM, "spdx-bounces@... on behalf of Marvin Humphrey" <spdx-bounces@... on behalf of marvin@...> wrote:

Greetings,

I'm an active contributor at the Apache Software Foundation with
regards to release policy and licensing. I'd like to explore the
possibility of having an Apache project supply SPDX data in a release.

I'm imagining that we would supply SPDX data as an RDF file, because
our official releases are 100% source. I also imagine that we would
want to either hand-craft those files or generate them using open source tools.

Can you point me to some sample RDF files, tutorials, or documentation
explaining how I would go about that? It's been surprisingly difficult
to track down such materials.

Best,

Marvin Humphrey
