
Re: Hello

Kate Stewart
 

Hi Dave,
    Welcome.  :-) 

    Information on the general meetings and past minutes can be found on:

Kate

On Sat, Oct 17, 2015 at 9:11 AM, Marr, David <dmarr@...> wrote:
Hi, I just joined the mail list and look forward to working with folks!

Dave Marr
_______________________________________________
Spdx mailing list
Spdx@...
https://lists.spdx.org/mailman/listinfo/spdx


Hello

Dave Marr
 

Hi, I just joined the mail list and look forward to working with folks!

Dave Marr


Re: General Meeting/Minutes/2015-10-01 - SPDX Wiki

J Lovejoy
 

Quick update post-meeting from legal team: 
version 2.2 of the SPDX License List is now available in all the usual places.  
:)

Jilayne
SPDX Legal Team co-lead
opensource@...




General Meeting/Minutes/2015-10-01 - SPDX Wiki

Philip Odence
 




* Attendance: 5
* Led by Phil Odence
* Minutes of August meeting approved

== searchcode presentation - Nuno Brito ==

* Background
** Has been working with SPDX for two years and it’s been a good experience
** Hard to get engineers to use SPDX without good examples for them to examine
** searchcode seemed to be a good solution
* searchcode
** Started by a developer in Australia
** Seemed like a great place to make SPDX available
* Questions / Discussions
** Interest in having link from SPDX
** Files seem to have some extra fields so won’t validate
*** Nuno is very open and suggests filing bugs
** Adoption in Europe
*** Everyone that Nuno is working with is using SPDX
*** He’s found little resistance
*** Some people are more comfortable with tag value, but bigger projects are fine with RDF
*** Still there is some difficulty for adoption.

== Biz Team Report - Jack ==

* Website
** Working with LF, migrating to new website/new templates
** In parallel will be implementing the new ideas for ease of use

== Tech Team Report - Kate/Gary ==

* No official update
* Main foci have been
** External references
*** Balance between specificity and handling broad cases
*** Specific discussion of vulnerabilities
** Snippets

== Legal Team Report - Jilayne ==

* No official update
* Have been processing more licenses with an eye to getting next release out

== Cross Functional Topics - Phil ==

* LinuxCon Europe
* SW Supply Chain Summit

== Attendees ==

* Phil Odence, Black Duck
* Mark Gisi, Wind River
* Scott Sterling, Palamida
* Nuno Brito, TripleCheck
* Jack Manbeck, TI


Thursday SPDX General Meeting & Special Presentation

Philip Odence
 

As you may have noticed, I’m striving to get guest speakers for every General Meeting. We are interested in anyone who can speak informally and briefly about their organization’s use of SPDX.
This month we welcome Nuno Brito from Triplecheck, an SPDX proponent in Europe. He’ll talk about work he’s done with searchcode (a free source code and documentation search engine) to include the search of SPDX docs.
For November, we’ll be joined by another European, Oliver Fendt, who will speak about what Siemens is doing with SPDX.


GENERAL MEETING

Meeting Time: Thurs, Oct 1, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll-free numbers can be found at:
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

Administrative Agenda
Attendance

Special Presentation – Nuno
Technical Team Report – Gary
Legal Team Report – Jilayne
Business Team Report – Jack
Cross Functional Issues – Phil


Announce: Supply Chain Mini-Summit on October 8 in Dublin

Kate Stewart
 


For those interested in improving the automated tracking of copyright, licensing and security information
in the supply chain, we've managed to get a Supply Chain mini-summit added on after LinuxCon on
October 8th.

Agenda
9:00 - Intro to Supply Chain mini-summit (Kate Stewart)
9:05 - Overview of OpenChain, goals and status (Dave Marr)
9:20 - Overview of SPDX project, review of 2.0 and plans for 2.1 (Phil Odence)
9:35 - Debsources as a community-curated DB of copyright and license information (Stefano Zacchiroli)
10:20 - break
10:30 - DoSOCS - integrating security with license compliance (Sai Uday Shankar Korlimarla)
11:15 - OpenChain working session on the checklist (Dave Marr)
13:15 - lunch break
14:30 - Group brainstorming session on ways to improve automation around open source license compliance and tracking of relevant security information (Kate to facilitate)
17:00 - wrap up and next steps


Event Details
Date: Thursday, October 8
Time: 9:00am-5:00pm
Location: Liffey Meeting Room 3
Cost: Free for LinuxCon + Cloud Open + ELC Europe attendees
Register: RSVP Here


Hope to see you there,
Kate






Minutes from Sept SPDX General Meeting

Philip Odence
 




General Meeting/Minutes/2015-09-03

  • Attendance: 12
  • Led by Phil Odence
  • Minutes of August meeting approved

Open Compliance Program - Kate

  • Motivations for relaunch:
    • Information on the web site is stale (the FOSSbazaar community isn't active anymore, etc.)
    • Recognition that we need to make useful information more accessible to developers
    • The OSS world is changing - cybersecurity, for example
    • FOSSology is coming into LF as a project
  • What’s happening
    • New look, new content
    • Highlighting open standards that help with compliance
    • Funneling people to projects and workgroups
    • Highlighting OSS and commercial tools that support SPDX
      • FOSSology will help with upstream adoption
      • Hope is to attract developers
    • Updating educational materials
      • Currently only targeted at large organizations
      • Putting the focus on what the developers need to know and will find useful
  • Will be rolled out and announced in first part of Q4
    • New logos and branding for compliance
    • Target to get SPDX pages lined up to take advantage by start of October
    • Current pillar approach will persist, but details under it will change/consolidate
  • New logo for SPDX
    • Group preference is for Option 2
  • Kate is looking for help in identifying companies and products using SPDX and the License List
    • Please send Kate a pointer to any projects you're aware of that consume or produce SPDX
    • Jack suggested starting with what's on the SPDX page, and building up from there
  • Would like to get 2.0 spec rendered as a web page
    • Jack has a starting point, Kate volunteers to help clean up
    • Discussion as to future representations of spec
  • LF will help with other aspects of branding now that logo decision is made
    • PowerPoint templates, etc.
    • Style guide, fonts, etc.?
  • LC Europe add-on event
    • Supply chain mini summit on October 8
    • Stefano will present on Debsources DB work
    • Also presenting will be Uday from UNO
    • Rough agenda and signup sheet will be going up soon


Tech Team Report - Kate

  • New development over the summer
    • Debsources DB now generating SPDX; work done as a GSoC project by Orestis, advised by Stefano Zacchiroli
    • Some discussion about adding sha256 as an alternative to sha1 for the mandatory field
  • 2.1 Progress
    • External package proposal from Yev reviewed and is slated to be included
    • External ID proposal has some feedback on the Debian Repository aspect which will be discussed on the spdx-tech list
    • Some further work on security inclusion for 2.1
    • Snippet work coming back to the fore of active discussions

Legal Team Report - Jilayne

  • Some bug reports on template markups
    • Maintenance is getting burdensome
    • Triggered discussion about how to set the License List up for multiple contributions
    • Somewhat like an open source project
    • Active work going on to define how it would work
  • Other discussions
    • MarkG working on proposal for handling standard headers
      • Mark up existing
      • Concept of suggested header for licenses that don’t have a standard one


Biz Team Report - Jack

  • Mostly focused on website changes


Cross Functional Topics - Phil


Attendees

  • Phil Odence, Black Duck
  • Mark Gisi, Wind River
  • Scott Sterling, Palamida
  • Kate Stewart, Linux Foundation
  • Jack Manbeck, TI
  • Michael Herzog, nexB
  • Pierre LaPointe, nexB
  • Yev Bronshteyn, Black Duck
  • Jilayne Lovejoy, ARM
  • Hassib Khanafer, Protecode
  • Matt Germonprez, UNO
  • Brian Gartner, SuSE


Re: SPDX General Meeting Thursday

Kate Stewart
 

Hi Phil,

On Wed, Sep 2, 2015 at 4:02 PM, Philip Odence <podence@...> wrote:
> Kate,
> The original logo was designed to fit with the original Open Compliance Program logo, so if the latter is changing, it makes sense for the SPDX logo to evolve with it.

Yes, that is the concern that is motivating this proposal.

> For context, are you able to share the new OCP look and feel?

Not at this time, but the new logo ideas were designed by the same designer that worked on the open compliance logo. Both options have been ok'd by the marketing folk.

Talk more about this tomorrow.

Kate

> Thanks,
> Phil





Re: SPDX General Meeting Thursday

Philip Odence
 

Kate,
The original logo was designed to fit with the original Open Compliance Program logo, so if the latter is changing, it makes sense for the SPDX logo to evolve with it. For context, are you able to share the new OCP look and feel? 
Thanks,
Phil




Re: SPDX General Meeting Thursday

Kate Stewart
 

Hi,
    As part of the discussion tomorrow I'd like to get some input
on the options for new branding for SPDX.

   As SPDX is one of the underpinnings to support open compliance,
it would be good if our logos were updated to harmonize with the
open compliance ones.

   I've attached two of the concepts being considered, and would
invite your input in the meeting tomorrow.

Talk to you then,
Kate




SPDX General Meeting Thursday

Philip Odence
 

Special Guest Star for this meeting will be our own Kate Stewart wearing her Linux Foundation hat. As you may know, Kate has started working for the LF, and one of her current priorities is relaunching the Open Compliance Program, of which SPDX is one of the key pillars. She’ll kick off this month’s meeting with a preview of what the relaunch will bring.


GENERAL MEETING

Meeting Time: Thurs, Sept 3, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:
Conference code:  7812589502
Toll-free dial-in number (U.S. and Canada):  (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll-free numbers can be found at:
https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

Administrative Agenda
Attendance

Special Presentation – Open Compliance Program – Kate
Technical Team Report – Kate
Legal Team Report – Jilayne
Business Team Report – Jack
Cross Functional Issues – Phil


L. Philip Odence
General Manager Audit Services
Vice President of Corporate and Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence


Re: Using SPDX for firmware

Kate Stewart
 



On Wed, Aug 12, 2015 at 2:00 PM, Richard Hughes <hughsient@...> wrote:
> On 12 August 2015 at 17:40, Kate Stewart <kstewart@...> wrote:
>> typo?
>> Is at:  http://spdx.org/licenses/exceptions-index.html
>> It's available from the http://spdx.org/licenses/ page
>
> On http://spdx.org/spdx-license-list the link is marked as
> http://spdx.org/exceptions-index.html ...

Thanks. I've forwarded the info to the folks with web access, and we'll
get it fixed.

>> "LicenseRef-"<insert your favorite identifier for it here>
>
> Right, I wasn't sure if LicenseRef-proprietary was correct as
> proprietary isn't really a licence to use something, more of a
> statement of reservation of rights. I guess we need some more
> information there about when it's legal to use the firmware and under
> what circumstances. I'm thinking about something like
> https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
> for the Raspberry Pi firmware.

Agree.

Possibly something like LicenseRef-Raspberry-Pi-firmware
would be short and descriptive.

Actual syntax in the spec is
LicenseRef-[idstring]
where [idstring] is a unique string containing letters, numbers, “.”, “-” or “+”.

Then define, in another section of the metadata, the actual details
of the license itself, so it can be carried along.

>> So in the example - using something like
>> "LicenseRef-proprietary" is fine as an identifier,
>> (as would be LicenseRef-proprietary-1, or
>> LicenseRef-ACME-proprietary-firmware,  etc.)
>
> Right, I'll add that information to the AppStream parser, thanks.
>
>> as long as there's the definition somewhere
>
> Where and how would I define this? In the AppStream metadata format itself?

The AppStream metadata probably is the logical point.
That way the info can be self referential and consistent.

>> Agree - if you can line up with using "LicenseRef-" prefix in front of any
>> you need to create, it will permit more automatic recognition down the
>> road.
>
> Right. I'll have to handle LicenseRef prefixes in the software center
> explicitly; at the moment we show a clickable link from each
> application showing them the licence text.

If it's in the metadata, you should be able to still do this.
This is one of the use cases that motivated us having an
"Other Licensing Information Detected" section in SPDX ;-)

For maximizing interoperability, I suggest the following or something similar be added to the AppStream metadata specification.

I've filled it in using the Raspberry Pi Firmware example.

<ExtractedLicensingInfo rdf:about="LicenseRef-Raspberry-Pi-Firmware">
   <!-- rdf:about and licenseId carry the same identifier -->
   <licenseId>LicenseRef-Raspberry-Pi-Firmware</licenseId>
   <licenseName>Raspberry Pi Firmware from Broadcom</licenseName>
   <rdfs:comment> This permits redistribution without modification only </rdfs:comment>
   <extractedText>
Copyright (c) 2006, Broadcom Corporation.
All rights reserved.

Redistribution. Redistribution and use in binary form, without
modification, are permitted provided that the following conditions are
met:
 * This software may only be used for the purposes of developing for, running or using a Raspberry Pi device.
 * Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
 * Neither the name of Broadcom Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.

DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   </extractedText>
</ExtractedLicensingInfo>


>>> The alternative could be to also have a catch-all "non-free" or "proprietary"
>>> license ID in SPDX indeed.
>> Probably this is a discussion for the legal list, as to whether they want
>> to permit this?   Concern point is that it won't give enough information
>> when there are multiple non-free licenses present.
>
> Right, this makes my life easier, but doesn't sit 100% with the idea
> of an SPDX licence in itself. I suppose in the RPi example above it
> would have to be something ugly like
> LicenseRef-ForRaspberryPiUseOnlyRedistributionWithoutModificationOnly
> or maybe "LicenseRef-RaspberryPi AND LicenseRef-NoModification" or
> even "LicenseRef-https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom"
> although I know I'm pushing things here. Better ideas welcome.

I have filled in an example of how the above would be coded up and carried with the metadata in SPDX. Of the example, the only mandatory fields for SPDX are:
licenseId, licenseName, & extractedText. Those would be the ones to make sure are carried in your metadata. rdfs:seeAlso and rdfs:comment are optional in SPDX, but are nice to have.

Hope this helps,
Kate


Re: Using SPDX for firmware

Richard Hughes
 

On 12 August 2015 at 17:40, Kate Stewart <kstewart@...> wrote:
> typo?
> Is at: http://spdx.org/licenses/exceptions-index.html
> It's available from the http://spdx.org/licenses/ page

On http://spdx.org/spdx-license-list the link is marked as
http://spdx.org/exceptions-index.html ...

> "LicenseRef-"<insert your favorite identifier for it here>

Right, I wasn't sure if LicenseRef-proprietary was correct as
proprietary isn't really a licence to use something, more of a
statement of reservation of rights. I guess we need some more
information there about when it's legal to use the firmware and under
what circumstances. I'm thinking about something like
https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom
for the Raspberry Pi firmware.

> So in the example - using something like
> "LicenseRef-proprietary" is fine as an identifier,
> (as would be LicenseRef-proprietary-1, or
> LicenseRef-ACME-proprietary-firmware, etc.)

Right, I'll add that information to the AppStream parser, thanks.

> as long as there's the definition somewhere

Where and how would I define this? In the AppStream metadata format itself?

> Agree - if you can line up with using "LicenseRef-" prefix in front of any
> you need to create, it will permit more automatic recognition down the
> road.

Right. I'll have to handle LicenseRef prefixes in the software center
explicitly; at the moment we show a clickable link from each
application showing them the licence text.

>> The alternative could be to also have a catch-all "non-free" or "proprietary"
>> license ID in SPDX indeed.
> Probably this is a discussion for the legal list, as to whether they want
> to permit this? Concern point is that it won't give enough information
> when there are multiple non-free licenses present.

Right, this makes my life easier, but doesn't sit 100% with the idea
of an SPDX licence in itself. I suppose in the RPi example above it
would have to be something ugly like
LicenseRef-ForRaspberryPiUseOnlyRedistributionWithoutModificationOnly
or maybe "LicenseRef-RaspberryPi AND LicenseRef-NoModification" or
even "LicenseRef-https://github.com/raspberrypi/firmware/blob/master/boot/LICENCE.broadcom"
although I know I'm pushing things here. Better ideas welcome.

Richard.


Re: Using SPDX for firmware

Kate Stewart
 

Hi Richard,

On Wed, Aug 12, 2015 at 9:23 AM, Philippe Ombredanne <pombredanne@...> wrote:
> On Wed, Aug 12, 2015 at 4:05 PM, Richard Hughes <hughsient@...> wrote:
>> Hi all,
>>
>> I've been using SPDX for years in the AppStream specification to
>> describe applications that can be installed in software centers. I'm
>> using the AND, OR extensions, and am soon to include the WITH
>> exception support too[1].

Very cool.

> Very nice! About the dead link, I am not sure exceptions have been published
> yet, though it could be a bug too.

typo?
It's available from the http://spdx.org/licenses/ page

>> AppStream can be used to describe free
>> software, but is increasingly being used for other things too, for
>> instance, in the LVFS[2] firmware update service. In this we describe
>> firmware licensing using SPDX tags, but I'm not sure what to do about
>> non-free firmware. OpenHardware firmware is fine, and we can use all
>> the existing IDs to represent that correctly.
>>
>> At the moment I've asked vendors to use:
>> <project_license>proprietary</project_license> to indicate it's
>> nonfree, but this obviously isn't a SPDX ID and probably will make the
>> specification people quite upset. What should I be using?

Syntax in the specification right now [1] for things not included in the
SPDX license list is to refer to them as:

"LicenseRef-"<insert your favorite identifier for it here>

Possibly look at adding to the AppStream format something
like section 5 from the SPDX format [1] to permit the
arbitrary use of licenses not in the SPDX license list
(and translation to other formats ;-) )?

So in the example - using something like
"LicenseRef-proprietary" is fine as an identifier,
(as would be LicenseRef-proprietary-1, or
LicenseRef-ACME-proprietary-firmware, etc.)

as long as there's the definition somewhere of what
LicenseRef-proprietary maps to. In the SPDX spec
see:

5 Other Licensing Information Detected (p. 48)
5.1 License Identifier (p. 48)
5.2 Extracted Text (p. 48)
5.3 License Name (p. 49)
5.4 License Cross Reference (p. 50)
5.5 License Comment (p. 50)

In the RDF, the class for this is ExtractedLicensingInfo.

>> Dropping the
>> <project_license> tags for non-free firmware is fine, but it's then
>> confusing the "explicitly nonfree" firmware with the "unspecified"
>> firmware and makes validation hard. It also means there's no clickable
>> link explaining what proprietary means, unlike all the other SPDX IDs.
>> Is there already an ID I can use for this?
>
> IMHO using your own ID extensions is quite fine, there is nothing
> upsetting about it, especially since it provides valuable indication to
> downstream users about the licensing terms, even if this is not precisely
> pointing to a unique license text.

Agree - if you can line up with using the "LicenseRef-" prefix in front of any
you need to create, it will permit more automatic recognition down the
road.

> The alternative could be to also have a catch-all "non-free" or "proprietary"
> license ID in SPDX indeed.

Probably this is a discussion for the legal list, as to whether they want
to permit this? Concern point is that it won't give enough information
when there are multiple non-free licenses present.

Hope this helps,
Kate
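As an added example that is not part of this thread and not code from the SPDX project, appstream-glib or LVFS: a small Python checker for the two points Kate makes here and in her other reply on this page (the one carrying the ExtractedLicensingInfo example). It enforces the spec's "LicenseRef-[idstring]" syntax (letters, digits, ".", "-" or "+"), requires that every LicenseRef- used in a license expression has a matching ExtractedLicensingInfo definition with the three mandatory fields (licenseId, licenseName, extractedText), and flags the bare "proprietary" token that vendors were asked to use, while keeping "no expression at all" as a distinct finding. The <metadata> root with a <project_license> child is an assumed simplification of AppStream, and the short list of known license IDs is a constructed stand-in for the SPDX License List.

```python
"""Consistency check for LicenseRef- identifiers in license metadata.

Added example; not the SPDX, AppStream or LVFS code. The <metadata> root and
<project_license> wrapper are assumptions; KNOWN_LICENSES is a constructed
stand-in for the real SPDX License List.
"""
import re
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
# Syntax from the spec as quoted in the thread: LicenseRef-[idstring],
# idstring made of letters, digits, ".", "-" or "+".
LICENSE_REF_RE = re.compile(r"^LicenseRef-[A-Za-z0-9.\-+]+$")
# The fields the thread names as mandatory for an ExtractedLicensingInfo.
MANDATORY_FIELDS = ("licenseId", "licenseName", "extractedText")
KNOWN_LICENSES = frozenset({"MIT", "GPL-2.0", "BSD-3-Clause", "Apache-2.0"})

# Constructed sample: an expression plus the definition of the LicenseRef it
# uses (extractedText shortened; the full text is in the mail above).
GOOD_METADATA = """<metadata xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
          xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <project_license>LicenseRef-Raspberry-Pi-Firmware AND MIT</project_license>
  <ExtractedLicensingInfo rdf:about="LicenseRef-Raspberry-Pi-Firmware">
    <licenseId>LicenseRef-Raspberry-Pi-Firmware</licenseId>
    <licenseName>Raspberry Pi Firmware from Broadcom</licenseName>
    <rdfs:comment>Permits redistribution without modification only</rdfs:comment>
    <extractedText>Copyright (c) 2006, Broadcom Corporation. All rights reserved. ...</extractedText>
  </ExtractedLicensingInfo>
</metadata>"""

# Constructed sample with the problems discussed: a bare "proprietary" token,
# a LicenseRef nobody defined, and a definition missing its extractedText.
BAD_METADATA = """<metadata xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <project_license>proprietary AND LicenseRef-ACME-proprietary-firmware</project_license>
  <ExtractedLicensingInfo rdf:about="LicenseRef-Other">
    <licenseId>LicenseRef-Other</licenseId>
    <licenseName>Other</licenseName>
  </ExtractedLicensingInfo>
</metadata>"""


def license_ids(expression):
    """Return the license identifiers of an SPDX expression, in order.
    Parentheses and AND/OR are dropped; the operand after WITH is an
    exception identifier rather than a license, so it is skipped too."""
    tokens = re.findall(r"[()]|[^\s()]+", expression)
    ids, skip_next = [], False
    for tok in tokens:
        if tok in ("(", ")"):
            continue
        if skip_next:  # exception id following WITH
            skip_next = False
            continue
        if tok == "WITH":
            skip_next = True
            continue
        if tok in ("AND", "OR"):
            continue
        ids.append(tok)
    return ids


def extracted_definitions(root):
    """Map licenseId -> child fields for every ExtractedLicensingInfo element."""
    defs = {}
    for el in root.iter("ExtractedLicensingInfo"):
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in el}
        fields["about"] = el.get("{%s}about" % RDF_NS, "")
        if fields.get("licenseId"):
            defs[fields["licenseId"]] = fields
    return defs


def validate(xml_text, known=KNOWN_LICENSES):
    """Return a list of problem strings; an empty list means the metadata is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    defs = extracted_definitions(root)
    for lid, fields in defs.items():
        if not LICENSE_REF_RE.match(lid):
            problems.append(f"bad LicenseRef syntax in definition: {lid}")
        if fields["about"] and fields["about"] != lid:
            problems.append(f"{lid}: rdf:about does not match licenseId")
        for name in MANDATORY_FIELDS:
            if not fields.get(name):
                problems.append(f"{lid}: missing mandatory field {name}")
    expr_el = root.find("project_license")
    expr = (expr_el.text or "").strip() if expr_el is not None else ""
    if not expr:
        # "unspecified" stays distinguishable from "explicitly non-free"
        problems.append("no project_license expression")
        return problems
    for lid in license_ids(expr):
        if lid.startswith("LicenseRef-"):
            if not LICENSE_REF_RE.match(lid):
                problems.append(f"bad LicenseRef syntax in expression: {lid}")
            elif lid not in defs:
                problems.append(f"undefined LicenseRef in expression: {lid}")
        elif lid not in known:
            problems.append(f"unknown license id: {lid}")
    return problems


if __name__ == "__main__":
    print("good:", validate(GOOD_METADATA))
    for problem in validate(BAD_METADATA):
        print("bad: ", problem)
```

The regex also rejects Richard's "LicenseRef-https://github.com/..." idea, since ":" and "/" are outside the permitted idstring characters, while "LicenseRef-RaspberryPi AND LicenseRef-NoModification" passes as long as both identifiers are defined in the metadata.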



Re: Using SPDX for firmware

Philippe Ombredanne
 

On Wed, Aug 12, 2015 at 4:05 PM, Richard Hughes <hughsient@...> wrote:
> Hi all,
>
> I've been using SPDX for years in the AppStream specification to
> describe applications that can be installed in software centers. I'm
> using the AND, OR extensions, and am soon to include the WITH
> exception support too[1].

Very nice! About the dead link, I am not sure exceptions have been published
yet, though it could be a bug too.

> AppStream can be used to describe free
> software, but is increasingly being used for other things too, for
> instance, in the LVFS[2] firmware update service. In this we describe
> firmware licensing using SPDX tags, but I'm not sure what to do about
> non-free firmware. OpenHardware firmware is fine, and we can use all
> the existing IDs to represent that correctly.
>
> At the moment I've asked vendors to use:
> <project_license>proprietary</project_license> to indicate it's
> nonfree, but this obviously isn't a SPDX ID and probably will make the
> specification people quite upset. What should I be using? Dropping the
> <project_license> tags for non-free firmware is fine, but it's then
> confusing the "explicitly nonfree" firmware with the "unspecified"
> firmware and makes validation hard. It also means there's no clickable
> link explaining what proprietary means, unlike all the other SPDX IDs.
> Is there already an ID I can use for this?

IMHO using your own ID extensions is quite fine, there is nothing
upsetting about it, especially since it provides valuable indication to
downstream users about the licensing terms, even if this is not precisely
pointing to a unique license text.

The alternative could be to also have a catch-all "non-free" or "proprietary"
license ID in SPDX indeed.

--
Cordially
Philippe Ombredanne


Using SPDX for firmware

Richard Hughes
 

Hi all,

I've been using SPDX for years in the AppStream specification to
describe applications that can be installed in software centers. I'm
using the AND, OR extensions, and am soon to include the WITH
exception support too[1]. AppStream can be used to describe free
software, but is increasingly being used for other things too, for
instance, in the LVFS[2] firmware update service. In this we describe
firmware licensing using SPDX tags, but I'm not sure what to do about
non-free firmware. OpenHardware firmware is fine, and we can use all
the existing IDs to represent that correctly.

At the moment I've asked vendors to use:
<project_license>proprietary</project_license> to indicate it's
nonfree, but this obviously isn't an SPDX ID and probably will make the
specification people quite upset. What should I be using? Dropping the
<project_license> tags for non-free firmware is fine, but it's then
confusing the "explicitly nonfree" firmware with the "unspecified"
firmware and makes validation hard. It also means there's no clickable
link explaining what proprietary means, unlike all the other SPDX IDs.
Is there already an ID I can use for this?

Comments welcome,

Richard.

[1] Although, http://spdx.org/exceptions-index.html is a 404...
[2] https://beta-lvfs.rhcloud.com/
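One way to check `<project_license>` values for the three cases Richard describes (a valid SPDX expression, a bare non-SPDX word such as "proprietary", and no tag at all), as an added example that is not AppStream's or LVFS's code. The license-list subset and the metainfo snippets are constructed for the demo; the `LicenseRef-` prefix is SPDX's own mechanism for identifiers that are not on the License List, which is the "own ID extension" route Philippe mentions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed subset of the SPDX License List and exceptions list; load the real lists in practice.
KNOWN_LICENSES = {"MIT", "Apache-2.0", "GPL-2.0", "GPL-2.0+", "LGPL-2.1+", "BSD-3-Clause"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0"}
TOKEN = re.compile(r"\(|\)|[^\s()]+")  # parentheses are tokens even without surrounding spaces

def validate_expression(expr):
    """Return (status, problems): 'valid', 'custom' (uses LicenseRef- ids) or 'invalid'."""
    tokens, problems, custom, depth, expect_operand, i = TOKEN.findall(expr), [], False, 0, True, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            if not expect_operand:
                problems.append("operator expected before '('")
            depth += 1
        elif tok == ")":
            depth -= 1
            if expect_operand or depth < 0:
                problems.append("unbalanced or misplaced ')'")
        elif tok in ("AND", "OR"):
            if expect_operand:
                problems.append(f"operand expected, got {tok}")
            expect_operand = True
        elif expect_operand:
            if tok.startswith("LicenseRef-"):
                custom = True  # SPDX's own prefix for licenses that are not on the list
            elif tok not in KNOWN_LICENSES:
                problems.append(f"unknown license id {tok!r}")  # e.g. the bare word 'proprietary'
            if i + 1 < len(tokens) and tokens[i + 1] == "WITH":  # "<id> WITH <exception>"
                exc = tokens[i + 2] if i + 2 < len(tokens) else None
                if exc not in KNOWN_EXCEPTIONS:
                    problems.append(f"unknown exception {exc!r}")
                i += 2
            expect_operand = False
        else:
            problems.append(f"operator expected, got {tok!r}")
        i += 1
    if depth != 0 or expect_operand:
        problems.append("incomplete expression")
    return ("invalid" if problems else "custom" if custom else "valid"), problems

def classify_component(metainfo_xml):
    """'unspecified' if <project_license> is missing or empty, else the validator's verdict."""
    node = ET.fromstring(metainfo_xml).find("project_license")
    if node is None or not (node.text or "").strip():
        return "unspecified", []
    return validate_expression(node.text.strip())
```

Keeping "unspecified", "custom" and "invalid" apart is what lets a validator accept an explicitly non-free `LicenseRef-` tag while still flagging a missing tag and a bare non-SPDX word differently.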


Re: Proposed spec for external packages

Kate Stewart
 

Hi Uday,

On Mon, Aug 10, 2015 at 9:54 AM, Sai Uday Shankar Korlimarla <skorlimarla@...> wrote:
Hi Kate,

Thanks a ton for the clarification. It definitely helps, I am sorry for this delayed response.

I have one more question/doubt though. In 2.2.1 Corpus Tags, what I infer is that either the distributor or software vendor produces the SWID tag. In the future, assuming SWIDs are prevalent, are we considering SPDX tools to accommodate creation of SWID tags if a vendor does not do so?

I don't think so. This is an optional field to permit linkage to security information IF it exists. If it doesn't exist, it's more the responsibility of the package creator or distributor to register it (or the person finding a security issue might force it to be created). SPDX would only reference it if it exists (it's an optional field for that reason). Similar story for CPEs, I think.

If someone can describe a good use case that is counter though, we can certainly discuss further.  :-)

Kate



Re: Proposed spec for external packages

Sai Uday Shankar Korlimarla
 

Hi Kate,

Thanks a ton for the clarification. It definitely helps, I am sorry for this delayed response.

I have one more question/doubt though. In 2.2.1 Corpus Tags, what I infer is that either the distributor or software vendor produces the SWID tag. In the future, assuming SWIDs are prevalent, are we considering SPDX tools to accommodate creation of SWID tags if a vendor does not do so?

Regards
Uday

On Tue, Aug 4, 2015 at 3:10 PM, Kate Stewart <kstewart@...> wrote:
Hi Uday,

On Tue, Aug 4, 2015 at 10:20 AM, Sai Uday Shankar Korlimarla <skorlimarla@...> wrote:
Hi Philippe, HI Yev 

Philippe, You are right about SWID.
Yev, I may be biased over using CPEs and not using SWIDs.

Proposal was to permit use of either. It was not mandating that one or another needs to be used.
 
Here are my points on SWID.

1. SWID looks nice to have for software asset management and identification. CPEs can do just the same job.
 
Agree.  

Also,  see appendix A in NIST-8060 where  CPE can be derived from SWID. 


2. SWID are not available in the open.

NIST-8060 is an emerging NIST standard, so they are not present today, but if the standard is approved, they will be in the future.
 
I know that I currently can identify a minimum of 1902702 products by CPEs.

Instance: cpe:/a:google:chrome:43.0.2357.134 has CVE CVE-2015-5605. It is easy to perform cross-linked correlation from many sources as you pointed out. Here the below URL gives us "openSUSE-2015-513.nasl"

http://www.security-database.com/detail.php?alert=CVE-2015-5605

So we have "openSUSE-2015-513.nasl" "CVE-2015-5605"  and "cpe:/a:google:chrome:43.0.2357.134" all talking about one single product google chrome version 43.

I don't see how SWIDs will be able to help do this.

SWIDs are the proposed standard to eventually replace CPEs in the infrastructure.
Adding the ability to reference them as an external identifier in SPDX is a future-proofing measure.
 

3. If I consume SWID, unless I tie the SWID to a CPE, I will not be able to move forward and gain vulnerability information. I could just stick with CPEs then.

For your purposes, use the CPEs. See earlier comments about future proofing.
 

4. Trusting a standard without paying $400 is going to be a bit difficult. Open standards are way better. I think it is easier to live with duplicates in CPE dictionary and still be able to accurately get CVE information using cross-linked information as Philippe points out.

Completely agree CPE is what should be linked to today.  

From the NIST 8060 (which is open):
"At some point in the future, as SWID tags become widely used and available, SWID tags will be able to supplant CPE names as the primary means of identifying software products and correlating vulnerability reports with those products. Until that occurs, SWID tags need to provide certain data values from which CPE names could be mechanically generated. These generated CPE names can be used to populate the CPE dictionary and to allow for searching repositories like the NVD."


5. While ISO, Microsoft and Symantec may sound fancy, the real question is on how open is this tag information. If SWID is an open-tagging scheme, it would definitely be worth considering.

It's a standard that is in "public review" right now, from NIST.


6. Anyone can read a CPE and know what it is and does not need a digital signature for integrity for that, i.e. CPEs are open and readable. SWIDs will contain information that is not consumable immediately. Either SWIDs are flawed or they are duplication. As Philippe points out, if SWIDs would be a re-hash over CPE, it would definitely be worth consuming/exploring.

See Appendix A for the mapping. 
 

I may be wrong in my opinions but am open for learning more.

Hopefully the above clarifies.

Kate 
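The CPE-to-advisory correlation Uday describes, as an added example that is not part of the thread or of any SPDX tool. The CVE/CPE pair is the one quoted above; the other index entries, the `EXAMPLE-*` ids and the version `44.0.0.0` are constructed placeholders, and both the matching rule and the name normalisation in `cpe_for_package` are simplifications of the CPE 2.2 naming spec.

```python
from collections import namedtuple

# CPE 2.2 URI components: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
Cpe = namedtuple("Cpe", "part vendor product version update edition language")

def parse_cpe22(uri):
    """Parse a CPE 2.2 URI; omitted trailing components are stored as '' (unspecified)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if not 1 <= len(fields) <= 7 or fields[0] not in ("a", "h", "o"):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    return Cpe(*(fields + [""] * (7 - len(fields))))

def cpe_matches(pattern, target):
    """Simplified CPE 2.2 name matching: each pattern component is '' (any) or equals the
    target's, so a shorter name such as cpe:/a:google:chrome covers every chrome version."""
    return all(p in ("", t) for p, t in zip(pattern, target))

# Constructed advisory index of (advisory id, affected CPE name). The first pair is the
# CVE/CPE pair quoted in the thread; the EXAMPLE-* ids are placeholders, not real advisories.
ADVISORIES = [
    ("CVE-2015-5605", "cpe:/a:google:chrome:43.0.2357.134"),
    ("EXAMPLE-ADVISORY-ALL-CHROME", "cpe:/a:google:chrome"),
    ("EXAMPLE-ADVISORY-OTHER-BUILD", "cpe:/a:google:chrome:44.0.0.0"),
]

def advisories_for(package_cpe, index=ADVISORIES):
    """Return the sorted advisory ids whose CPE name matches the package's CPE."""
    target = parse_cpe22(package_cpe)
    return sorted({aid for aid, name in index if cpe_matches(parse_cpe22(name), target)})

def cpe_for_package(vendor, product, version):
    """Build the CPE 2.2 name an SPDX package record could carry as an external reference.
    Simplified normalisation: lowercase, spaces replaced by underscores."""
    def norm(value):
        return value.strip().lower().replace(" ", "_")
    return f"cpe:/a:{norm(vendor)}:{norm(product)}:{norm(version)}"
```

The prefix match is what makes the CPE dictionary's duplicate and partial names workable in practice: a version-less name in an advisory still reaches every package that shares vendor and product.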



August SPDX General Meeting Minutes

Philip Odence
 


Announcements: 
LinuxCon Europe: If you are attending, there will be a supply chain focused session on Thursday after LC, so consider in your travel planning
LinuxCon NA Bakeoff: A reminder for anyone producing SPDX docs, there will be a “Bake Off” at LCNA and there are still openings for participants. See Kate’s July 23 mailing to the General List for details.
General Meeting Special Presentations: We are always looking for volunteers to talk briefly (10 mins or so) about their organization’s use of SPDX and the License List. If you have a story, I promise, others are interested.

Best,
Phil

L. Philip Odence
General Manager Audit Services
Vice President of Corporate and Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence



General Meeting/Minutes/2015-08-06

  • Attendance: 10
  • Lead by Phil Odence
  • Minutes of June meeting approved

Tech Team Report - Kate & Gary

  • Focus has been on how to add external identifiers
    • Packages (for which there is no SPDX file)
    • Security
  • Planning to get back to snippets in the next month
  • Folder is up for the LinuxCon NA bake off 
    • Prep is already generating good feedback and conversation
  • Tooling
    • Tools should be ready to go for bakeoff
      • Try out new ‘verify’ command
      • Bugs can go to the Tools mailing list or get logged in the bug system
    • FOSSology now has a beta release generating SPDX RDF directly
      • They are looking for testers


Legal Team Report - Paul

  • Activity on Fedora mailing list about using SPDX identifiers
    • Kate has been responding to straighten out some misunderstanding
  • Working on standard headers
    • Mark G keeping up draft
    • For license that have no prescribed header, discussing whether we will recommend
  • Jilayne’s talk accepted to LinuxCon Europe


Biz Team Report - Jack

  • Slow progress on revamp of website
    • Moving company logos to Participation menu
    • Adding Adoption section and links

Cross Functional Topics - Phil

  • Linux Foundation is rebranding Open Compliance Program in October timeframe
    • Goal to improve educational materials
    • Logos may change and trying to tie into new initiatives
  • LinuxCon Europe
    • Will likely be more of a focus on Compliance
    • Probably adding a Thursday session on Supply Chain / OpenChain
  • Mailing List
    • Lost admin for mailing lists and wiki
    • Mailing lists will be handled by team chairs
    • Still need someone to manage the Wiki; Kate raised hand
  • Always looking for special presentations for the General Meeting


Attendees

  • Phil Odence, Black Duck
  • Mark Gisi, Wind River 
  • Scott Sterling, Palamida 
  • Gary O’Neill, SourceAuditor 
  • Kate Stewart, Linux Foundation
  • Jack Manbeck, TI
  • Michael Herzog, nexB
  • Pierre LaPointe, nexB 
  • Yev Bronshteyn, Black Duck
  • Jilayne Lovejoy, ARM


Re: Proposed spec for external packages

Jeremiah Foster <jeremiah.foster@...>
 



On Wed, Aug 5, 2015 at 4:56 PM, Kate Stewart <kstewart@...> wrote:


On Tue, Aug 4, 2015 at 3:18 PM, Jeremiah Foster <jeremiah.foster@...> wrote:


On Tue, Aug 4, 2015 at 8:09 PM, Kate Stewart <kstewart@...> wrote:
On Tue, Aug 4, 2015 at 11:40 AM, Mike Milinkovich <mike.milinkovich@...> wrote:
On 04/08/2015 12:15 PM, Kate Stewart wrote:
I agree we should not depend on closed standards.  However,  the question is do we want to be able to reference to external packages that other systems are supporting?

Beats me. But to me the proposed solution looks much worse than whatever problem it is that you're trying to solve. Speaking of which, where is the document that describes the problem you're trying to solve?

The base document that these changes are being proposed for is SPDX 2.0 see: http://spdx.org/SPDX-specifications/spdx-version-2.0 

My impression is that the consumers of open source software are trying to create a system to make it easier to identify and manage the artifacts used within their organization. Is that correct?

The goal of software package data exchange (SPDX) is to create a common way to communicate copyright and licensing information in the entire ecosystem.   There are producers and consumers through out the entire supply chain.   

Open source projects are built on top of other open source projects all the time (libraries, dependencies, etc.)    Providing a clear way that can be machine readable and trusted,

How do you propose it be trusted? It is just a string! You need substantially more infrastructure than just a SPDX tag to generate trust. 

There is no SPDX tag, per se. An SPDX document for a package contains hash codes at the file level (SHA1, SHA256), as well as an algorithm for a verification code to be generated from the component files at the package level.

In Section 3 (Package Section) see 3.8 Package Verification Code & 3.9 Package Checksum.
In Section 4 (File Section) see 4.4 File Checksum.

The proposal is to add cross link to other databases where security information is being tracked already.

All I can do is comment on the SPDX spec from the perspective of a small business and FOSS contributor. The spec is already quite heavyweight and adding this tag might make sense for the larger commercial organizations, but it doesn't fit the need for a lightweight process that SMEs use in my experience.

Today this is primarily through the CPE; however, NIST is reviewing the SWID proposal to be used, and so linking to the software identifier tag (SWID tag) seems to be useful from a security vulnerability tracking perspective, i.e. let's not duplicate work, but rather make others' work easy to find.

I don't see the use case. I already use Debian's security tracking which relies on CVEs and Debian package versions and that works quite well. I personally wouldn't consume this additional tag but I see how it might be used to market commercial tools.

As an aside, after NIST's work with crypto ciphers I wonder how closely FOSS projects will follow their proposals?  
 
There is another proposal already in discussion to include external identifiers which include the Debian, Fedora, Maven, etc. repositories. 

Kate

Regards,

Jeremiah
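The package-level verification code Kate points to (SPDX 2.0 section 3.8) alongside the per-file checksum (4.4), as an added example that is not part of the thread or of the SPDX tools. The file contents are constructed; the algorithm follows the spec (SHA1 of the sorted, concatenated per-file SHA1 values, skipping the SPDX document itself), and the `./` path form in the excludes list follows the spec's own example.

```python
import hashlib

# Constructed package contents (path -> bytes). The SPDX document that describes the package
# is the file the verification code excludes, so it is named in the "excludes" list.
PACKAGE_FILES = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "LICENSE": b"Permission is hereby granted ...\n",
    "package.spdx": b"SPDXVersion: SPDX-2.0\n",
}
SPDX_DOC = {"package.spdx"}

def file_checksum(data):
    """SHA1 of one file, the value the per-file FileChecksum field (spec 4.4) carries."""
    return hashlib.sha1(data).hexdigest()

def verification_code(files, excludes=()):
    """Package Verification Code per SPDX 2.0 section 3.8: take the SHA1 of every file except
    the excluded ones, sort the hex values ascending, concatenate them with no separator and
    return the SHA1 of that string. File names and directory order therefore do not matter."""
    digests = sorted(file_checksum(data) for path, data in files.items() if path not in excludes)
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()

def format_field(files, excludes=()):
    """Render the tag/value line, e.g. 'PackageVerificationCode: <hex> (excludes: ./package.spdx)'."""
    value = verification_code(files, excludes)
    if excludes:
        value += " (excludes: " + ", ".join("./" + p for p in sorted(excludes)) + ")"
    return "PackageVerificationCode: " + value

def verify_package(files, declared_code, excludes=()):
    """Recompute the code over the files actually received and compare it with the value in the
    SPDX document; a mismatch means a file was added, removed or altered since the document
    was produced (or the document belongs to a different build)."""
    return verification_code(files, excludes) == declared_code.strip().lower()

def demo_tamper():
    """Constructed check: the genuine tree verifies, a tree with one altered source file does not."""
    declared = verification_code(PACKAGE_FILES, SPDX_DOC)
    tampered = {**PACKAGE_FILES, "src/main.c": b"int main(void) { return 1; }\n"}
    return verify_package(PACKAGE_FILES, declared, SPDX_DOC), verify_package(tampered, declared, SPDX_DOC)
```

The code binds a file set to the document that describes it; whether the document itself can be trusted (Jeremiah's point) still depends on how it was obtained, for example over a channel whose integrity is separately protected.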
