
SPDX January General Meeting Minutes

Philip Odence
 




General Meeting/Minutes/2016-1-07

  • Attendance: 9
  • Led by Phil Odence
  • Minutes of Dec meeting approved


Tech Team Report - Kate/Gary

  • Good progress on spec
    • Settled on approaches for both
      • Snippets
      • External References
    • Jilayne assured consistency None/Assertion
  • Now working on
    • Making sure that external identifiers support security
  • Joint call upcoming with Legal Team on template language
    • Have pushed a couple of issues to Legal Team
  • Re-examining native form of spec under dev
    • Notion is to make it better accessible in GitHub
    • Plan for full walk through at Collab Summit
  • Tools
    • Did maintenance release over the last week or so
    • Addressed reported bugs
    • Some other bug fixes
    • Gary will go back to the bug reporter to see if they might speak at a future General Meeting.


Outreach Team Report - Phil (Jack supplied notes in absentia)

  • Haven’t had our first meeting of the year, that will be next week.
  • I also haven’t heard from the LF yet on the new website. I’m going to ping them this week to see where they are.
    • Talked to Craig.
      • Working on some technical issues with generated license list 
      • Next week we should be able to review and update
  • We’re still hammering out an outreach plan on the wiki. I’d like to be done with it by the end of January and then we can share plans.


Legal Team Report - Jilayne

  • License List 2.3 is now live
    • 3 new licenses
    • 1 new exception
    • Now starting to see markup on some of the headers; rest are in process
  • Call today
    • Continuing to look at markup
      • Form 
      • Maintenance Process


Cross Functional Topics - Phil


Attendees

  • Phil Odence, Black Duck
  • Gary O’Neill, SourceAuditor 
  • Scott Sterling, Palamida
  • Yev Bronshteyn, Black Duck
  • Kate Stewart, Linux Foundation
  • Pierre LaPointe, nexB 
  • Jilayne Lovejoy, ARM
  • Kirsten Newcomer, Black Duck
  • Mark Gisi, Wind River


SPDX License List v2.3 released

J Lovejoy
 

And available in the usual places:
- “human-friendly” web pages: http://spdx.org/licenses/
- master files available here: http://git.spdx.org/?p=license-list.git;a=summary (use 2.3 tag)
- info on different ways to access the SPDX License List available here: http://wiki.spdx.org/images/SPDX-TR-2014-2.v1.0.pdf

Changes for v2.3:
- 3 new licenses; 1 new exception
- matching markup added to many standard headers (still more work to be done here)
- various minor formatting improvements/fixes

Jilayne Lovejoy
SPDX Legal Team co-lead
opensource@...



SPDX General Meeting

Philip Odence
 

Please accept so this recurring meeting is on your calendar, however no need to respond.

Optional dial in number: 877-297-7470
Alternate number: 512-910-4433
No PIN needed

MEETING MINUTES FOR REVIEW: http://spdx.org/wiki/meeting-minutes-and-decisions


Thursday SPDX General Meeting Reminder - IMPORTANT- NOTE NEW BRIDGE INFO

Philip Odence
 

As per the capital letters, be sure to note the new dial-in numbers below. I will re-issue the calendar invite with this included.

No special presentation this week, so I expect the meeting to be about 30 minutes.

GENERAL MEETING

Meeting Time: Thurs, Jan 7, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Optional dial in number: 877-297-7470
Alternate number: 512-910-4433
No PIN needed

 
Administrative Agenda
Attendance


Technical Team Report – Kate 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues – Phil


SPDX Dec General Meeting Minutes

Philip Odence
 



General Meeting/Minutes/2015-12-03

  • Attendance: 7
  • Led by Phil Odence
  • Minutes of Nov meeting approved

Tech Team Report - Gary

  • Only 2 tech meetings due to Thanksgiving
  • Code Snippets
    • Candidate proposal in GoogleDocs for Review
    • Background
      • A bit controversial due to legit concern that it adds a lot of effort
      • Identification at the line level requires substantial extra work
    • So, snippets are optional
    • Decision driven by important use case - JavaScript files
      • As they tend to bundle together a number of downloadable chunks in one file
    • For many other use cases, it may not be used much
    • Implementation
      • Just added snippet level similar to Package and File
        • Additionally adds byte range
        • Snippets relate to files analogously to how files relate to packages
  • External ID discussion is back on the table with snippet work starting to wind down
  • Tools
    • A lot of good community contribution
      • individuals from a variety of organizations- Linux, other open source (eg NPM community), some users (e.g. Black Duck)
    • Should be releasing a new rev of the SPDX tools in the next few weeks
    • Question: relation to Stefano’s work with Debian tooling described at LinuxCon Europe
      • Enabling Debian copyright files to auto-gen SPDX files
      • Gary will discuss with Kate


Legal Team Report - Jilayne/Paul

    • Went over the list of license and exceptions list
    • Added 2 or 3 licenses and some exceptions
    • Entertaining new proposal for mark up format
      • involved Tech Team as well
      • needs to be resurrected


Outreach Team Report - Jack

  • New Website
    • Work was put on hold by LF for some higher priority work
    • Should have something staged before the end of the year
    • Front page will be a big improvement
    • Early 2016 launch is targeted, but we will need to evaluate with 
  • Working on outreach plan
    • targeting groups and conferences

Cross Functional Topics - Phil

  • Always interested in guest speakers for upcoming meetings
    • Please come to Phil with ideas about organizations who are willing to do short/informal presentations on what they are doing with SPDX

Attendees

  • Phil Odence, Black Duck
  • Gary O’Neill, SourceAuditor 
  • Jack Manbeck, TI
  • Dave Marr, Qualcomm
  • Dave McLaughlin, Rogue Wave
  • Jilayne Lovejoy, ARM
  • Paul Madick, Dimension Data


SPDX General Meeting this Thursday

Philip Odence
 

No special presentation this week, so I expect the meeting to be about 30 minutes.

GENERAL MEETING

Meeting Time: Thurs, Dec 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance


Technical Team Report – Gary 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues – Phil


SPDX November General Meeting Minutes

Philip Odence
 

Thanks again, to Oliver.




General Meeting/Minutes/2015-11-05

  • Attendance: 12
  • Led by Phil Odence
  • Minutes of Oct meeting approved

Siemens - Oliver Fendt

  • Open Source Group 
    • Deals with compliance issues
    • Made up of members from all parts of the company
    • Has been going for 2.5 years
    • Recognized SPDX early in their existence
      • Took a close look
      • First interest was in the license list
        • Requested some license for list; some successful, some not
        • Participated in discussion about how to handle license exceptions
    • SPDX 2.0 was coming on line
      • Voted internally to adopt SPDX
      • And to start requiring SPDX docs from their suppliers
    • Got involved with FOSSology
      • Implemented initial SPDX 2.0 in FOSSology
        • Just RDF, not yet Tag Value
    • Became aware of process of development of standard
        • Concerned about the direction, specifically snippet discussion
        • Concerns that it contradicts vision/mission
        • Minimizing costs across the supply chain
        • Concerned that granularity of snippets and that it’s hard to say, unless you are the developer
        • So, worries about usability
        • And that it adds interpretation, for example, Black Duck Protex requires the human to interpret
        • Also, since there is no open source tool that does snippets, adoption may be limited
      • Would be interested in adding other sorts of information like ECC info
    • They are currently using the latest/greatest FOSSology and encouraging suppliers to do same
    • Starting to see projects using SPDX short IDs in files
    • Suppliers normally don’t deliver source code; Siemens requires that they assert that they comply w/copyrights
      • So they typically don’t scan source.
      • They use FOSSo
      • And they encourage SPDX to supply the info


Tech Team Report - Kate/Gary

  • Busy refining external identifiers proposal
    • Aim was a single field 
    • Thought is to break into multiple fields, source of identifier and the domain
    • Wrestling with the difference between security IDs (NVD/CPE) and repos (e.g. Debian)
  • Also, recently revisited snippets proposal
    • Now is a good time to weigh in.
  • Tools
    • Active; Sebastian Schubert has been a big contributor recently
      • Mostly fixes
      • 2.1 will add some work
      • UNO repos also very active


Legal Team Report - Jilayne

  • Cross functional work with tech team on templates and matching
    • recent joint call, apologies for 10 person limit on call; will address
    • Looking to change maintenance process
    • Lots of good discussion about implementing matching guidelines
    • plan is for another joint call in early December


Biz Team Report - Jack

  • Working with LF on a new look feel for website
    • In parallel, changing some of the navigation.
    • Looks like it’s been delayed, so probably 2-3 weeks before rollout
    • Some progress already; looking good so far
  • In process of changing name of team to Outreach Team
    • Will roll out with new website
  • Eclipse Foundation
    • Might be interesting group to speak with about SPDX

Cross Functional Topics - Phil

  • See Jack’s brief blog on SPDX.org pointing to must-read blog by Eric Raymond on SPDX


Attendees

  • Phil Odence, Black Duck
  • Oliver Fendt, Siemens
  • Tarek Jomaa, ARM
  • Gary O’Neill, SourceAuditor 
  • Jilayne Lovejoy, ARM
  • Jack Manbeck, TI
  • Richard Christie, ARM
  • Pierre LaPointe, nexB 
  • Sami Atabani, ARM
  • Kate Stewart, Linux Foundation
  • Michael Herzog- nexB
  • Scott Sterling, Palamida


Thursday SPDX General Meeting & Special Presentation (& a very cool blog)

Philip Odence
 

First, Jack wrote a short blog about a blog, author of The Cathedral and the Bazaar, Eric Raymond’s nice little piece plugging SPDX. It’s well worth a read and will make you feel good about your involvement with SPDX: http://spdx.org/news/2015-10-26/see-what-eric-raymond-had-to-say-about-spdx 

As mentioned last month, for November we’ll be joined by Oliver Fendt who will speak about what Siemens is doing with SPDX. Big thanks to Oliver for joining us this week. I’m continuing to line up guest speakers for General Meetings. We are interested in anyone who can speak informally and briefly about their organization’s use of SPDX.


GENERAL MEETING

Meeting Time: Thurs, Nov 5, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance

Special Presentation –   Oliver

Technical Team Report – Kate 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues – Phil


Re: Hello

Kate Stewart
 

Hi Dave,
    Welcome.  :-) 

    Information on the general meetings and past minutes can be found on:

Kate

On Sat, Oct 17, 2015 at 9:11 AM, Marr, David <dmarr@...> wrote:
Hi, I just joined the mail list and look forward to working with folks!

Dave Marr


Hello

Dave Marr
 

Hi, I just joined the mail list and look forward to working with folks!

Dave Marr


Re: General Meeting/Minutes/2015-10-01 - SPDX Wiki

J Lovejoy
 

Quick update post-meeting from legal team: 
version 2.2 of the SPDX License List is now available in all the usual places.  
:)

Jilayne
SPDX Legal Team co-lead
opensource@...


On Oct 1, 2015, at 4:31 PM, Philip Odence <podence@...> wrote:




* Attendance: 5
* Led by Phil Odence

* Minutes of August meeting approved

== searchcode presentation - Nuno Brito ==

* Background
** Has been working with SPDX for two years and it’s been a good experience
** Hard to get engineers to use SPDX without good examples for them to examine
** searchcode seemed to be a good solution
* searchcode
** Started by a developer in Australia
** Seemed like a great place to make SPDX available
* Questions / Discussions
** Interest in having link from SPDX
** Files seem to have some extra fields so won’t validate
*** Nuno is very open and suggests filing bugs
** Adoption in Europe
*** Everyone that Nuno is working with is using SPDX
*** He’s found little resistance
*** Some people are more comfortable with tag value, but bigger projects are fine with RDF
*** Still there is some difficulty for adoption.


== Biz Team Report - Jack ==

* Website
** Working with LF, migrating to new website/new templates
** In parallel will be implementing the new ideas for ease of use

== Tech Team Report - Kate/Gary ==

* No official update
* Main foci have been
** External references
*** Balance between specificity and handling broad cases
*** Specific discussion of vulnerabilities
** Snippets

== Legal Team Report - Jilayne ==

* No official update
* Have been processing more licenses with an eye to getting next release out

== Cross Functional Topics - Phil ==

* LinuxCon Europe 
* SW Supply Chain Summit


== Attendees ==

* Phil Odence, Black Duck
* Mark Gisi, Wind River 
* Scott Sterling, Palamida 
* Nuno Brito, TripleCheck
* Jack Manbeck, TI




General Meeting/Minutes/2015-10-01 - SPDX Wiki

Philip Odence
 




* Attendance: 5

* Led by Phil Odence


* Minutes of August meeting approved


== searchcode presentation - Nuno Brito ==


* Background

** Has been working with SPDX for two years and it’s been a good experience

** Hard to get engineers to use SPDX without good examples for them to examine

** searchcode seemed to be a good solution

* searchcode

** Started by a developer in Australia

** Seemed like a great place to make SPDX available

* Questions / Discussions

** Interest in having link from SPDX

** Files seem to have some extra fields so won’t validate

*** Nuno is very open and suggests filing bugs

** Adoption in Europe

*** Everyone that Nuno is working with is using SPDX

*** He’s found little resistance

*** Some people are more comfortable with tag value, but bigger projects are fine with RDF

*** Still there is some difficulty for adoption.



== Biz Team Report - Jack ==


* Website

** Working with LF, migrating to new website/new templates

** In parallel will be implementing the new ideas for ease of use


== Tech Team Report - Kate/Gary ==


* No official update

* Main foci have been

** External references

*** Balance between specificity and handling broad cases

*** Specific discussion of vulnerabilities

** Snippets


== Legal Team Report - Jilayne ==


* No official update

* Have been processing more licenses with an eye to getting next release out


== Cross Functional Topics - Phil ==


* LinuxCon Europe 

* SW Supply Chain Summit



== Attendees ==


* Phil Odence, Black Duck

* Mark Gisi, Wind River 

* Scott Sterling, Palamida 

* Nuno Brito, TripleCheck

* Jack Manbeck, TI





Thursday SPDX General Meeting & Special Presentation

Philip Odence
 

As you may have noticed, I’m striving to get guest speakers for every General Meeting. We are interested in anyone who can speak informally and briefly about their organization’s use of SPDX.
This month we welcome Nuno Brito from Triplecheck, an SPDX proponent in Europe. He’ll talk about work he’s done with searchcode (free source code and documentation search engine) to include the search of SPDX docs. 
For November, we’ll be joined by another European, Oliver Fendt, who will speak about what Siemens is doing with SPDX.


GENERAL MEETING

Meeting Time: Thurs, Oct 1, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance

Special Presentation –   Nuno

Technical Team Report – Gary 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues – Phil


Announce: Supply Chain Mini-Summit on October 8 in Dublin

Kate Stewart
 


For those interested in improving the automated tracking of copyright, licensing and security information
in the supply chain, we've managed to get a Supply Chain mini-summit added on after LinuxCon on 
October 8th.

Agenda
9:00 - Intro to Supply Chain mini-summit (Kate Stewart)
9:05 - Overview of OpenChain, goals and status. (Dave Marr)
9:20 - Overview of SPDX project, review of 2.0 and plans for 2.1 (Phil Odence)
9:35 - Debsources as a community curated DB of copyright and license information (Stefano Zacchiroli)
10:20 - break
10:30 - DoSOCS - integrating security with license compliance (Sai Uday Shankar Korlimarla)
11:15 - OpenChain working session on the checklist (Dave Marr)
13:15 - lunch break
14:30 - Group brainstorming session on ways to improve automation around open source license compliance and tracking of relevant security information. (Kate to facilitate)
17:00 - wrap up and next steps


Event Details
Date: Thursday, October 8 
Time: 9:00am-5:00pm
Location: Liffey Meeting Room 3
Cost: Free for LinuxCon + Cloud Open + ELC Europe attendees
Register: RSVP Here


Hope to see you there,
Kate






Minutes from Sept SPDX General Meeting

Philip Odence
 




General Meeting/Minutes/2015-09-03

  • Attendance: 12
  • Led by Phil Odence
  • Minutes of August meeting approved

Open Compliance Program - Kate

  • Motivations for relaunch:
    • Information on the web site is stale. (FOSSbazaar community isn't active anymore, etc.)
    • Recognition we need to make useful information more accessible to developers
    • The OSS world is changing- cybersecurity for example
    • FOSSology is coming into LF as a project
  • What’s happening
    • New look, new content
    • Highlighting open standards that help with compliance
    • Funneling people to projects and workgroups
    • Highlighting OSS and commercial tools that support SPDX
      • FOSSology will help with upstream adoption
      • Hope is to attract developers
    • Updating educational materials
      • Currently only targeted at large organizations
      • Putting the focus on what the developers need to know and will find useful. 
  • Will be rolled out and announced in first part of Q4 
    • New logos and branding for compliance
    • Target to get SPDX pages lined up to take advantage by start of October. 
    • Current pillar approach will persist, but details under will change/consolidate
  • New Logo for SPDX
    • Group preference is for Option 2
  • Kate is looking for help in identifying companies and products using SPDX and the License List
    • Please send Kate pointer to any projects you're aware of that consume or produce SPDX
    • Jack suggested starting with what's on the SPDX page, and building up from there. 
  • Would like to get 2.0 spec rendered as a web page
    • Jack has starting point, Kate volunteers to help clean up
    • Discussion as to future representations of spec. 
  • LF will help with other aspects of branding now that logo decision made. 
    • Powerpoint templates, etc.
    • Style guide, fonts, etc?
  • LC Europe Add on Event
    • Supply chain mini summit on October 8
    • Stefano will present on Debsource DB work
    • Also presenting will be Uday from UNO
    • Rough agenda and signup sheet will be going up soon


Tech Team Report - Kate

  • New development over the summer
    • Debsources DB now generating SPDX. Work done as GSOC project by Orestis advised by Stefano Zacchiroli
    • Some discussion about adding sha256 as alternative to sha1 for mandatory field. 
  • 2.1 Progress
    • External package proposal from Yev reviewed and is slated to be included.
    • External ID proposal has some feedback on Debian Repository aspect which will be discussed on spdx-tech list
    • Some further work on Security inclusion for 2.1
    • Snippet work coming back to the fore of active discussions.

Legal Team Report - Jilayne

  • Some bug reports on template markups
    • Maintenance is getting burdensome
    • Triggered discussion about how to set License List up for multiple contributions
    • Somewhat like an open source project
    • Active work going on to define how it would work
  • Other discussions
    • MarkG working on proposal for handling standard headers
      • Mark up existing
      • Concept of suggested header for licenses that don’t have standard


Biz Team Report - Jack

  • Mostly focused on website changes


Cross Functional Topics - Phil


Attendees

  • Phil Odence, Black Duck
  • Mark Gisi, Wind River 
  • Scott Sterling, Palamida 
  • Kate Stewart, Linux Foundation
  • Jack Manbeck, TI
  • Michael Herzog- nexB
  • Pierre LaPointe, nexB 
  • Yev Bronshteyn, Black Duck
  • Jilayne Lovejoy, ARM
  • Hassib Khanafer, Protecode
  • Matt Germonprez, UNO
  • Brian Gartner, SuSE


Re: SPDX General Meeting Thursday

Kate Stewart
 

Hi Phil,

On Wed, Sep 2, 2015 at 4:02 PM, Philip Odence <podence@...> wrote:
Kate,
The original logo was designed to fit with the original Open Compliance Program logo, so if the latter is changing, it makes sense for the SPDX logo to evolve with it.
Yes,  that is the concern that is motivating this proposal.
 
For context, are you able to share the new OCP look and feel? 
Not at this time, but the new logo ideas were designed by the same designer that worked on the open compliance logo.  Both options have been ok'd by the marketing folk.

Talk more about this tomorrow.

Kate
 
Thanks,
Phil

From: Kate Stewart
Date: Wednesday, September 2, 2015 at 4:55 PM
To: Phil Odence
Cc: "spdx@..."
Subject: Re: SPDX General Meeting Thursday

Hi,
    As part of the discussion tomorrow I'd like to get some input 
on the options for new branding for SPDX.

   As SPDX is one of the underpinnings to support open compliance,
it would be good if our logos were updated to harmonize with the 
open compliance ones

   I've attached two of the concepts being considered, and would
invite your input in the meeting tomorrow.

Talk to you then,
Kate

On Tue, Sep 1, 2015 at 10:11 AM, Philip Odence <podence@...> wrote:
Special Guest Star for this meeting will be our own Kate Stewart wearing her Linux Foundation hat. As you may know, Kate has started working for the LF, and one of her current priorities is relaunching the Open Compliance Program of which SPDX is one of the key pillars. She’ll kick off this month’s meeting with a preview of what the relaunch will bring.


GENERAL MEETING

Meeting Time: Thurs, Sept 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance

Special Presentation –  Open Compliance Program – Kate

Technical Team Report – Kate 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues – Phil


L. Philip Odence
General Manager Audit Services
Vice President of Corporate and Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence






Re: SPDX General Meeting Thursday

Philip Odence
 

Kate,
The original logo was designed to fit with the original Open Compliance Program logo, so if the latter is changing, it makes sense for the SPDX logo to evolve with it. For context, are you able to share the new OCP look and feel? 
Thanks,
Phil

From: Kate Stewart
Date: Wednesday, September 2, 2015 at 4:55 PM
To: Phil Odence
Cc: "spdx@..."
Subject: Re: SPDX General Meeting Thursday

Hi,
    As part of the discussion tomorrow I'd like to get some input 
on the options for new branding for SPDX.

   As SPDX is one of the underpinnings to support open compliance,
it would be good if our logos were updated to harmonize with the 
open compliance ones

   I've attached two of the concepts being considered, and would
invite your input in the meeting tomorrow.

Talk to you then,
Kate

On Tue, Sep 1, 2015 at 10:11 AM, Philip Odence <podence@...> wrote:

Special Guest Star for this meeting will be our own Kate Stewart wearing her Linux Foundation hat. As you may know, Kate has started working for the LF, and one of her current priorities is relaunching the Open Compliance Program of which SPDX is one of the key pillars. She’ll kick off this month’s meeting with a preview of what the relaunch will bring.


GENERAL MEETING

Meeting Time: Thurs, Sept 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance

Special Presentation –  Open Compliance Program – Kate

Technical Team Report – Kate 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues – Phil


L. Philip Odence
General Manager Audit Services
Vice President of Corporate and Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence





Re: SPDX General Meeting Thursday

Kate Stewart
 

Hi,
    As part of the discussion tomorrow I'd like to get some input 
on the options for new branding for SPDX.

   As SPDX is one of the underpinnings to support open compliance,
it would be good if our logos were updated to harmonize with the 
open compliance ones

   I've attached two of the concepts being considered, and would
invite your input in the meeting tomorrow.

Talk to you then,
Kate

On Tue, Sep 1, 2015 at 10:11 AM, Philip Odence <podence@...> wrote:
Special Guest Star for this meeting will be our own Kate Stewart wearing her Linux Foundation hat. As you may know, Kate has started working for the LF, and one of her current priorities is relaunching the Open Compliance Program of which SPDX is one of the key pillars. She’ll kick off this month’s meeting with a preview of what the relaunch will bring.


GENERAL MEETING

Meeting Time: Thurs, Sept 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance

Special Presentation –  Open Compliance Program – Kate

Technical Team Report – Kate 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues – Phil


L. Philip Odence
General Manager Audit Services
Vice President of Corporate and Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence





SPDX General Meeting Thursday

Philip Odence
 

Special Guest Star for this meeting will be our own Kate Stewart wearing her Linux Foundation hat. As you may know, Kate has started working for the LF, and one of her current priorities is relaunching the Open Compliance Program of which SPDX is one of the key pillars. She’ll kick off this month’s meeting with a preview of what the relaunch will bring.


GENERAL MEETING

Meeting Time: Thurs, Sept 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: 
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

 
Administrative Agenda
Attendance

Special Presentation –  Open Compliance Program – Kate

Technical Team Report – Kate 


Legal Team Report – Jilayne


Business Team Report – Jack


Cross Functional Issues – Phil


L. Philip Odence
General Manager Audit Services
Vice President of Corporate and Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence


Re: Using SPDX for firmware

Kate Stewart
 



On Wed, Aug 12, 2015 at 2:00 PM, Richard Hughes <hughsient@...> wrote:
On 12 August 2015 at 17:40, Kate Stewart <kstewart@...> wrote:
> typo?
> Is at:  http://spdx.org/licenses/exceptions-index.html
> It's available from the http://spdx.org/licenses/ page

On http://spdx.org/spdx-license-list the link is marked as
http://spdx.org/exceptions-index.html ...

Thanks.   I've forwarded the info to the folks with web access, and we'll
get it fixed. 
 

> "LicenseRef-"<insert your favorite identifier for it here>

Right, I wasn't sure if LicenseRef-proprietary was correct as
proprietary isn't really a licence to use something, more of a
statement of reservation of rights. I guess we need some more
information there about when it's legal to use the firmware and under
what circumstances. I'm thinking about something like
https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
for the Raspberry Pi firmware.

Agree.   

Possibly something like LicenseRef-Raspberry-Pi-firmware
would be short and descriptive.

Actual syntax in the spec is 
LicenseRef-[idstring] 
where [idstring] is a unique string containing letters, numbers, “.”, “-” or “+”.

Then define in another section of the metadata to contain the actual details
of the License itself, so it can carry along.


> So in the example - using something like
> "LicenseRef-proprietary" is fine as an identifier,
> (as would be LicenseRef-proprietary-1, or
> LicenseRef-ACME-proprietary-firmware,  etc.)

Right, I'll add that information to the AppStream parser, thanks.

> as long as there's the definition somewhere

Where and how would I define this? In the AppStream metadata format itself?

The AppStream metadata probably is the logical point. 
That way the info can be self referential and consistent.
  

> Agree - if you can line up with using "LicenseRef-" prefix in front of any
> you need to create,  it will permit more automatic recognition down the
> road.

Right. I'll have to handle LicenseRef prefixes in the software center
explicitly; at the moment we show a clickable link from each
application showing them the licence text.

If it's in the metadata, you should be able to still do this.
This is one of the use cases that motivated us having an
"Other Licensing Information Detected" section in SPDX ;-)

For maximizing interoperability, suggest the following or something similar be added to the AppStream metadata specification.

I've filled it in using the Raspberry Pi firmware example.

<ExtractedLicensingInfo rdf:about="LicenseRef-Raspberry-Pi-Firmware">
   <licenseId>LicenseRef-Raspberry-Pi-Firmware</licenseId>
   <licenseName>Raspberry Pi Firmware from Broadcom</licenseName>
   <rdfs:comment> This permits redistribution without modification only </rdfs:comment>
   <extractedText>
Copyright (c) 2006, Broadcom Corporation.
All rights reserved.

Redistribution. Redistribution and use in binary form, without
modification, are permitted provided that the following conditions are
met:
 * This software may only be used for the purposes of developing for, running or using a Raspberry Pi device.
 * Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
 * Neither the name of Broadcom Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.

DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   </extractedText>
</ExtractedLicensingInfo>


>> The alternative could be to also have a catch-all "non-free" or "proprietary"
>> license ID in SPDX indeed.
> Probably this is a discussion for the legal list, as to whether they want
> to permit this?   Concern point is that it won't give enough information
> when there are multiple non-free licenses present.

Right, this makes my life easier, but doesn't sit 100% with the idea
of an SPDX licence in itself. I suppose in the RPi example above it
would have to be something ugly like
LicenseRef-ForRaspberryPiUseOnlyRedistributionWithoutModificationOnly
or maybe "LicenseRef-RaspberryPi AND LicenseRef-NoModification" or
even "LicenseRef-https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom"
although I know I'm pushing things here. Better ideas welcome.

Have filled in an example of how the above would be coded up and carried with the metadata in SPDX. Of the example, for SPDX the only fields that are mandatory are:
licenseId, licenseName, & extractedText. Those would be the ones to make sure are carried in your metadata. rdfs:seeAlso and rdfs:comment are optional in SPDX, but are nice to have.

Hope this helps,
Kate
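
Added example, not part of the original email or of any SPDX or AppStream tool: a Python check that every LicenseRef- identifier in a license expression follows the idstring rule quoted above and has an ExtractedLicensingInfo definition carrying the three mandatory fields. The function names, the wrapper element and the sample metadata are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# idstring rule as quoted in the email: letters, numbers, ".", "-" or "+"
LICENSE_REF = re.compile(r"LicenseRef-[A-Za-z0-9.+-]+")
MANDATORY = ("licenseId", "licenseName", "extractedText")

def custom_refs(expression):
    """Return (valid, malformed) LicenseRef tokens found in a license expression."""
    valid, malformed = [], []
    for token in re.split(r"[\s()]+", expression):
        if token.startswith("LicenseRef-"):
            (valid if LICENSE_REF.fullmatch(token) else malformed).append(token)
    return valid, malformed

def definitions(xml_text):
    """Map each defined licenseId to the mandatory fields it is missing."""
    found = {}
    for info in ET.fromstring(xml_text).iter("ExtractedLicensingInfo"):
        missing = [f for f in MANDATORY if not (info.findtext(f) or "").strip()]
        found[(info.findtext("licenseId") or "").strip()] = missing
    return found

def audit(expression, xml_text):
    """List every problem that would stop a consumer resolving the expression."""
    valid, malformed = custom_refs(expression)
    defs = definitions(xml_text)
    problems = [f"malformed identifier: {t}" for t in malformed]
    for ref in valid:
        if ref not in defs:
            problems.append(f"no definition carried for: {ref}")
        elif defs[ref]:
            problems.append(f"{ref} missing fields: {', '.join(defs[ref])}")
    return problems

# Constructed sample: wrapper element and namespace declaration are assumptions.
SAMPLE = """<metadata xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <ExtractedLicensingInfo rdf:about="LicenseRef-Raspberry-Pi-Firmware">
    <licenseId>LicenseRef-Raspberry-Pi-Firmware</licenseId>
    <licenseName>Raspberry Pi Firmware from Broadcom</licenseName>
    <extractedText>Redistribution and use in binary form ...</extractedText>
  </ExtractedLicensingInfo>
  <ExtractedLicensingInfo rdf:about="LicenseRef-NoModification">
    <licenseId>LicenseRef-NoModification</licenseId>
    <licenseName>No modification</licenseName>
  </ExtractedLicensingInfo>
</metadata>"""

if __name__ == "__main__":
    print(audit("LicenseRef-RaspberryPi AND LicenseRef-NoModification", SAMPLE))
```

The URL-style identifier floated in the thread is reported as malformed because ":" and "/" fall outside the quoted idstring character set.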
