Re: Proposed spec for external packages
Jeremiah Foster <jeremiah.foster@...>
On Tue, Aug 4, 2015 at 6:40 PM, Mike Milinkovich <mike.milinkovich@...> wrote:
On 04/08/2015 12:15 PM, Kate Stewart wrote:

It's impossible to answer this question, largely because there's not enough data -- what are these "other systems" (Windows?) and what are the "external packages"?

This is my assumption as well.

If so, what I am missing is how you are going to motivate the producers of open source to use such a system. You're already getting our libre software for free. Why are we going to do more work to make your lives easier?

I think you're on target. Much of this design is coming from the pseudo-standard world where standards are made on paper and forced to be adopted. FOSS works in completely the opposite direction; multiple implementations are tested and then adopted as a standard once proven. If this is not the planned way of working then I suggest looking at W3C's requirements for standards adoption which *requires* two independent implementations of the standard before it can be adopted.

Regards,
Jeremiah
Re: Proposed spec for external packages
Mike Milinkovich
On 04/08/2015 12:15 PM, Kate Stewart wrote:
I agree we should not depend on closed standards. However, the question is do we want to be able to reference to external packages that other systems are supporting?

Beats me. But to me the proposed solution looks much worse than whatever problem it is that you're trying to solve. Speaking of which, where is the document that describes the problem you're trying to solve?

My impression is that the consumers of open source software are trying to create a system to make it easier to identify and manage the artifacts used within their organization. Is that correct? If so, what I am missing is how you are going to motivate the producers of open source to use such a system. You're already getting our libre software for free. Why are we going to do more work to make your lives easier?

My apologies in advance if I'm completely off base here.

--
Mike Milinkovich
mike.milinkovich@...
+1.613.220.3223 (mobile)
Re: Proposed spec for external packages
Kate Stewart
On Tue, Aug 4, 2015 at 10:45 AM, Mike Milinkovich <mike.milinkovich@...> wrote:
On 04/08/2015 9:34 AM, Philippe Ombredanne wrote:

The SPEC being referred to is a NIST one, rather than ANSI. See: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060 Which is open. It's in its second reading right now, and it's in a public comment window, before NIST adopts it.

I agree we should not depend on closed standards. However, the question is do we want to be able to reference to external packages that other systems are supporting?

Kate
Re: Proposed spec for external packages
Kate Stewart
On Tue, Aug 4, 2015 at 10:43 AM, Kate Stewart <kstewart@...> wrote:
here's the link:
Re: Proposed spec for external packages
Mike Milinkovich
On 04/08/2015 9:34 AM, Philippe Ombredanne wrote:
On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn

To add to Philippe's comments, and speaking on behalf of a major producer of open source software, the proposal for an "External Security and Asset Management Identifier" seems to be fundamentally flawed. A quick perusal of the tagvault.org website tells me that the spec is not publicly available (i.e. you must buy it for $265 from ANSI), and that the tools used to tag software assets are available only to members of their private club. IMO, any requirement that open source communities use a closed standard, and proprietary tools to annotate their open source code is dead on arrival.

--
Mike Milinkovich
Executive Director, Eclipse Foundation
mike.milinkovich@...
+1.613.220.3223 (mobile)
Re: Proposed spec for external packages
Kate Stewart
Hi Philippe,

The document you commented on was from last week's discussion. Your input is appreciated and your opinion is lining up with some of the thoughts expressed as part of the external identifier proposal from 2 weeks ago from Bill Schineller.

Kate

On Tue, Aug 4, 2015 at 8:34 AM, Philippe Ombredanne <pombredanne@...> wrote:
On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn
Re: Proposed spec for external packages
Sai Uday Shankar Korlimarla
Hi Philippe, Hi Yev,

Philippe, you are right about SWID. Yev, I may be biased over using CPEs and not using SWIDs. Here are my points on SWID.

1. SWID looks nice to have for software asset management and identification. CPEs can do just the same job.

2. SWIDs are not available in the open. I know that I currently can identify a minimum of 1902702 products by CPEs. Instance: cpe:/a:google:chrome:43.0.2357.134 has CVE CVE-2015-5605. It is easy to perform cross-linked correlation from many sources as you pointed out. Here the below URL gives us "openSUSE-2015-513.nasl": http://www.security-database.com/detail.php?alert=CVE-2015-5605 So we have "openSUSE-2015-513.nasl", "CVE-2015-5605" and "cpe:/a:google:chrome:43.0.2357.134" all talking about one single product, Google Chrome version 43. I don't see how SWIDs will be able to help do this.

3. If I consume SWID, unless I tie the SWID to a CPE, I will not be able to move forward and gain vulnerability information. I could just stick with CPEs then.

4. Trusting a standard without paying $400 is going to be a bit difficult. Open standards are way better. I think it is easier to live with duplicates in the CPE dictionary and still be able to accurately get CVE information using cross-linked information, as Philippe pointed out.

5. While ISO, Microsoft and Symantec may sound fancy, the real question is how open this tag information is. If SWID is an open-tagging scheme, it would definitely be worth considering.

6. Anyone can read a CPE and know what it is and does not need a digital signature for integrity for that, i.e. CPEs are open and readable. SWIDs will contain information that is not consumable immediately. Either SWIDs are flawed or they are duplication. As Philippe points out, if SWIDs would be a re-hash over CPE, it would definitely be worth consuming/exploring.

I may be wrong in my opinions but am open for learning more.

Regards
Uday
On Tue, Aug 4, 2015 at 9:15 AM, Sai Uday Shankar Korlimarla <iamudayshankar@...> wrote:
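As an added example that is not part of the thread (and not code from any of the tools mentioned in it), the correlation Uday describes, worked in Python: parse a CPE 2.2 URI such as cpe:/a:google:chrome:43.0.2357.134 into its components and look it up against a small advisory dictionary. The CVE-2015-5605 / openSUSE-2015-513.nasl cross-reference is the one quoted above; the dictionary itself, the EXAMPLE-ADVISORY-1 record and the example_vendor product are constructed for this block. Matching treats a blank (unspecified) component in a record as a wildcard, which is what lets a version-less CPE in an advisory apply to every version of the product.

```python
"""Parse CPE 2.2 URIs and correlate an installed product with advisory records."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Component order of a CPE 2.2 URI:
# cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
VALID_PARTS = {"a", "h", "o"}  # application, hardware, operating system


@dataclass(frozen=True)
class Cpe22:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    def covers(self, target: "Cpe22") -> bool:
        """True when every component of this name is either unspecified (blank)
        or equal to the corresponding component of target. A record with a blank
        version therefore applies to every version of that product."""
        for field in CPE22_FIELDS:
            mine = getattr(self, field)
            if mine and mine != getattr(target, field):
                return False
        return True


def parse_cpe22(uri: str) -> Cpe22:
    """Split a CPE 2.2 URI into its components; raises ValueError on malformed input."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    raw = uri[len("cpe:/"):].split(":")
    if not 3 <= len(raw) <= len(CPE22_FIELDS):
        raise ValueError(f"expected 3 to 7 components, got {len(raw)}: {uri!r}")
    # Percent-decode after splitting (a literal ':' inside a component is escaped
    # as %3A) and lowercase, because CPE names compare case-insensitively.
    parts = [unquote(c).lower() for c in raw]
    if parts[0] not in VALID_PARTS:
        raise ValueError(f"part must be one of a/h/o, got {parts[0]!r}: {uri!r}")
    parts += [""] * (len(CPE22_FIELDS) - len(parts))
    return Cpe22(*parts)


def is_valid_cpe22(uri: str) -> bool:
    try:
        parse_cpe22(uri)
        return True
    except ValueError:
        return False


# Constructed mini advisory dictionary for this example. The first entry is the
# CVE/CPE/NASL cross-reference quoted in the thread; the second is made up to
# show a record whose blank version component matches every version.
VULN_RECORDS: List[Tuple[str, str, List[str]]] = [
    ("CVE-2015-5605", "cpe:/a:google:chrome:43.0.2357.134", ["openSUSE-2015-513.nasl"]),
    ("EXAMPLE-ADVISORY-1", "cpe:/a:example_vendor:example_product", ["example-fix.nasl"]),
]


def find_advisories(installed_cpe: str,
                    records: List[Tuple[str, str, List[str]]] = VULN_RECORDS) -> Dict[str, List[str]]:
    """Return {advisory_id: cross_references} for every record whose CPE covers installed_cpe."""
    installed = parse_cpe22(installed_cpe)
    hits: Dict[str, List[str]] = {}
    for advisory_id, pattern, refs in records:
        if parse_cpe22(pattern).covers(installed):
            hits[advisory_id] = list(refs)
    return hits


if __name__ == "__main__":
    for cpe in ("cpe:/a:google:chrome:43.0.2357.134", "cpe:/a:google:chrome:99.0.0.0"):
        print(cpe, "->", find_advisories(cpe))
```

The version comparison here is exact-string equality, which is what a CPE dictionary lookup gives you; a range such as "all 43.x before 43.0.2357.134" needs the vulnerable-version range data that sits beside the CPE in a CVE feed, not the CPE alone.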
Re: Proposed spec for external packages
Yev Bronshteyn
D’oh! Arrgh! Other grunting noises!
Here is the correct link. Terribly sorry for the confusion/inconvenience.
Re: Proposed spec for external packages
Philippe Ombredanne
On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn <ybronshteyn@...> wrote:
Here is the spec for the proposed EternalPackage element. While I touch on

Yev: I guess you meant External and not Eternal....

I provided a few comments to your proposed spec in the doc at https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit#

The gist of my feedback:

- SWID tags are a nice concept but look to me at best new and may be emerging, and at worst an unknown quantity fraught with many issues:
  - no open neutral registry (like a IANA);
  - little or no known usage in the FOSS world and no known usage by any Linux distro as far as I know;
  - a de-jure standard backed primarily by commercial entities for commercial licensing compliance, with a closed and pay-walled-garden called tagvault.org;
  - little general adoption that I could find beyond a few commercial vendors of asset management tools and a few (albeit large) commercial software vendors like Microsoft;
  - and yet another new standard on top of another standard: based on the NIST discussion draft you provided, the ambition of SWID tags seems to be a rehash on top of CPEs.
- Why limit the purpose to security? Identification has a rather general purpose.
- Why limit an external id to CPE and SWID tags? There are several other sources of (rather widely used) globally unique IDs:
  - Linux distro package name/version
  - other package manager name/version such as npm, rubygems, pypi, maven, etc.
  - repo or project names on hosting sites such as Github, Google Code (RIP), Apache, Eclipse, Sourceforge and several others.

All these should be supported and are IMHO far better and more widely used than SWID tags. Hence my suggestion for something more inclusive and generic.

An interesting question is how you map these to one another: for instance what is the corresponding Debian package for a Fedora RPM? What would be the common id for the upstream of these two packages? What is the corresponding CPE if any?

--
Cordially
Philippe Ombredanne
Re: Proposed spec for external packages
Kate Stewart
Hi Yev,

The spec you linked to was the one I created for last week's call. Is there a different document we should be referring to?

Thanks,
Kate
On Mon, Aug 3, 2015 at 10:00 PM, Yev Bronshteyn <ybronshteyn@...> wrote:
Proposed spec for external packages
Yev Bronshteyn
Here is the spec for the proposed EternalPackage element. While I touch on usage in the beginning, I'll discuss some specific use cases in the context of SpdxTools on the call.
https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit?usp=sharing
Thanks!
SPDX 2.0 Bakeoff at Linux Con NA - August 17 9am - Virginia Room
kate.stewart@...
Hi,

We're now less than one month away from LinuxCon, and we wanted to get some information out for those who want to participate in the SPDX 2.0 Bakeoff. If you can make it to Seattle that’s fantastic -- we look forward to meeting you or re-connecting! If you can’t make it in person that’s OK -- you may still upload your SPDX files.

A folder has been setup to share SPDX files for the SPDX Bakeoff workgroup session scheduled for Monday morning August 17, 2015. We’ll be meeting in Virginia Room (located on the 4th floor, Union St side of hotel) from 9:00am - 1:00pm.

In order to facilitate the analysis and discussion we are asking everyone who has tools that generate SPDX to at least generate an SPDX file (tag-value format) for Time v1.7 (a small package for the purpose of comparing SPDX output from different tools), cpio 2.10 and spdx-tools v 2.0. Please use the links to the source packages in the table below so that we are comparing “apples to apples.” Then simply create a folder with the name of your organization and just drop the SPDX files in there. If you have any questions or problems email spdx-tech@.... Also please fill out our sign-up form to let us know what additional topics you would like to see covered in this session.

SPDX files to be compared:

Reference Information:

Instructions:
Thanks, Jack, Gary & Kate
SPDX General Meeting Minutes
Philip Odence
Thanks again to Gary and the UNO team for the interesting presentation.
L. Philip Odence
General Manager Audit Services
Vice President of Corporate and Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence
General Meeting/Minutes/2015-07-02
Contents
UNO - Matt Germonprez
Tech Team Report - Kate & Gary
Legal Team Report - Paul
Biz Team Report - Jack
Cross Functional Topics - Phil
Attendees
UNO SPDX Project Repositories
Matt Germonprez <germonprez@...>
Hi everyone,

Thanks for the chance to discuss the UNO SPDX tools at the General Meeting. Here are the links to the GH repositories for projects that are currently active:

DoSOCS:
GitScanner:
Eclipse Plugin:

Feel free to contact us with any questions.

Regards,
Matt

Mutual of Omaha Associate Professor
College of Information Science & Technology
University of Nebraska Omaha
Re: SPDX General Meeting Thursday
Jeremiah Foster <jeremiah.foster@...>
Hi, I would love to hear about SPDX 2 integrated into yocto or Open Embedded if someone has done that. Regards, Jeremiah On Jul 1, 2015 2:09 PM, "Philip Odence" <podence@...> wrote:
SPDX General Meeting Thursday
Philip Odence
I’m trying to spice up every General Meeting with a speaker talking about a special topic, usually their organization’s use of SPDX or work related to it. If you have any ideas for future presentations, PLEASE contact me. I assure you that even the simplest adoption story is of great interest.
This month, Matt Germonprez will provide an update on the Univ of Nebraska/Omaha’s work with SPDX.
GENERAL MEETING
Meeting Time: Thurs, July 2, 8am PDT / 10 am CDT
/ 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Conf call dial-in:
Conference code: 7812589502
Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF

Administrative Agenda
Attendance
Minutes
Approval - http://wiki.spdx.org/view/General_Meeting/Minutes/2015-06-04-
Presentation – Matt
Technical Team Report - Kate
Legal Team Report - Jilayne
Business Team Report – Jack
Cross Functional Issues – Phil
Re: Zero Clause BSD (0BSD)
J Lovejoy
Hi Rob,
Thanks for your email. To request a new license be added to the SPDX License List, you need to provide the info listed on this page (most of which you already have) http://spdx.org/spdx-license-list/request-new-license and send it to the SPDX-Legal mailing list. If you are not a member there, you can join the legal mailing list here: http://spdx.org/participate/legal-team

Thanks!
Jilayne
SPDX Legal Team co-lead
On Jun 12, 2015, at 1:01 PM, Rob Landley <rob@...> wrote:
Zero Clause BSD (0BSD)
Rob Landley <rob@...>
I'm told I should contact you about registering Toybox's "zero clause bsd" license for an official 0BSD acronym/abbreviation.

The license text itself (paragraphs 2 and 3 here): https://github.com/landley/toybox/blob/master/LICENSE

Is 2 clause BSD with the removal of half a sentence: https://github.com/landley/toybox/commit/ee86b1d8e25cb0ca9d418b33eb0dc5e7716ddc1e

This simplification makes the license function as a public domain license (such as unlicense.org or creative commons zero); specifically it means that combining works from multiple sources allows the license text to collapse together, so you don't wind up with nonsense such as Android's dozens of concatenated license copies for toolbox: https://github.com/android/platform_system_core/blob/master/toolbox/NOTICE

(I asked why they had multiple copies of _identical_ license text, and they said the copyright dates had changed so a strict reading of the "copy exactly" part of the license meant... Don't laugh, the "about->license" pulldown in the kindle paperwhite has over _300_pages_ of this nonsense. It's a chronic issue with bsd-alikes.)

So yeah, zero clause BSD. In toybox. Is there a form I should fill out?

Rob
Re: Exclusion of NONE and NOASSERTION from ABNF
Mark Gisi
Hi Terin,
On the surface the following appears to be syntactically convenient:

license-expression = 1*1(simple-expression / compound-expression / "NONE" / "NOASSERTION")

but semantically incorrect. Let me try to explain using a database data field analogy.

NONE and NOASSERTION are defined at the SPDX document field level and even have different semantic values with respect to different fields. SPDX fields can have several different types assigned, which is analogous to a database field. For example, a database field may contain values of *type* Character, Integer, Float, Boolean, Date and so forth. A database field can also contain the special value NULL, which does not belong to a specific data type, but instead represents a special field value (NULL = missing unknown data). NONE and NOASSERTION are analogous to NULL, where a license expression is analogous to a type such as Character, Integer, Float, Boolean, Date and so forth.

A license expression represents the licensing terms of a piece of software (source or binary). In less precise terms, it represents the distribution obligations for a software component. NONE and NOASSERTION do not semantically represent that. To include NONE and NOASSERTION as valid license expressions is analogous to adding NULL to a database type, which would be semantically awkward.

In summary, on the surface the following appears syntactically convenient:

license-expression = 1*1(simple-expression / compound-expression / "NONE" / "NOASSERTION")

But semantically it is not correct, and therefore NONE or NOASSERTION should not be included in the ABNF definition for a license expression. At least that is one perspective.

Best,
- Mark

Mark Gisi | Wind River | Director, IP & Open Source
Tel (510) 749-2016 | Fax (510) 749-4552
-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Terin Stock
Sent: Thursday, June 11, 2015 9:21 AM
To: Kate Stewart
Cc: spdx@...
Subject: Re: Exclusion of NONE and NOASSERTION from ABNF

Kate: I'm unsure of any use case where you would want to mix NONE or NOASSERTION with either simple-expression or compound-expression in the same package. You may however want to use these strings when packaging code that has no license or where you are unsure of the license. In ABNF speak I was thinking more along the lines of

license-expression = 1*1(simple-expression / compound-expression / "NONE" / "NOASSERTION")

--
#Terin Stock

On Thu, Jun 11, 2015 at 9:07 AM, Kate Stewart <kstewart@...> wrote:
Hi Terin,

_______________________________________________
Spdx mailing list
Spdx@...
https://lists.spdx.org/mailman/listinfo/spdx
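Mark's distinction, as an added example that is not part of the thread and not code from the SPDX tools: a recursive-descent parser in Python for the SPDX 2.0 license-expression grammar (a license id with optional "+", LicenseRef-/DocumentRef- references, WITH, AND, OR and parentheses, with WITH binding tighter than AND and AND tighter than OR), where NONE and NOASSERTION are rejected by the expression parser and accepted only by a separate field-level function as the whole value of a field, the way NULL sits beside a column type rather than inside it. KNOWN_LICENSES and KNOWN_EXCEPTIONS are constructed subsets of the SPDX lists, and the tuple AST shape is this example's own choice.

```python
"""Recursive-descent parser for SPDX 2.0 license expressions (added example)."""
import re

# Constructed subsets of the SPDX license and exception lists, enough for this example.
KNOWN_LICENSES = {"MIT", "Apache-2.0", "GPL-2.0", "LGPL-2.1", "BSD-2-Clause", "BSD-3-Clause"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "GCC-exception-3.1"}
FIELD_SENTINELS = {"NONE", "NOASSERTION"}  # legal only as a whole field value

# A token is "(", ")" or an idstring, optionally prefixed "DocumentRef-x:" and suffixed "+".
_TOKEN_RE = re.compile(r"\s*(\(|\)|[A-Za-z0-9.\-]+(?::[A-Za-z0-9.\-]+)?\+?)")
_LICENSE_REF_RE = re.compile(r"(DocumentRef-[A-Za-z0-9.\-]+:)?LicenseRef-[A-Za-z0-9.\-]+")


def _tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _simple(tok):
    # simple-expression = license-id / license-id "+" / license-ref
    if tok in FIELD_SENTINELS:
        raise ValueError(f"{tok} is a field value, not part of a license expression")
    if _LICENSE_REF_RE.fullmatch(tok):
        return ("ref", tok)
    plus = tok.endswith("+")
    lic = tok[:-1] if plus else tok
    if lic not in KNOWN_LICENSES:
        raise ValueError(f"unknown license id {lic!r}")
    return ("lic", lic, plus)


class _Parser:
    # Binding strength, tightest first: WITH, AND, OR; parentheses override.
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.with_expr()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.with_expr())
        return node

    def with_expr(self):
        node = self.primary()
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if node[0] not in ("lic", "ref") or exc not in KNOWN_EXCEPTIONS:
                raise ValueError(f"WITH needs a simple expression and a known exception, got {exc!r}")
            node = ("WITH", node, exc)
        return node

    def primary(self):
        tok = self.take()
        if tok is None or tok in (")", "AND", "OR", "WITH"):
            raise ValueError(f"expected a license, got {tok!r}")
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return _simple(tok)


def parse_license_expression(text):
    """Parse a bare license-expression; NONE/NOASSERTION are rejected here."""
    p = _Parser(_tokenize(text))
    node = p.or_expr()
    if p.peek() is not None:
        raise ValueError(f"trailing token {p.peek()!r}")
    return node


def parse_license_field(value):
    """Parse a document field such as PackageLicenseConcluded: the sentinels are
    accepted only as the whole field value, like SQL NULL, never inside an expression."""
    value = value.strip()
    return value if value in FIELD_SENTINELS else parse_license_expression(value)


def is_valid_license_expression(text):
    try:
        parse_license_expression(text)
        return True
    except ValueError:
        return False
```

Built this way, a validator rejects a field such as "MIT AND NONE" (a sentinel inside an expression) with a specific error while still accepting "NOASSERTION" as a complete field value, which is the split the ABNF discussion above is arguing for.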
Re: Exclusion of NONE and NOASSERTION from ABNF
Kate Stewart
Hi Terin

On Thu, Jun 11, 2015 at 11:20 AM, Terin Stock <terinjokes@...> wrote:
Kate:

Neither could we. :-)

You may however want to use these strings when

Ah yes, that should be considered. Right now when NONE or NOASSERTION are permitted, they are associated with the actual fields in the specification (ie. LicenseConcluded, etc.), but this may be a more elegant way to express it. Will need to take a pass through all the other fields using them and see if there are any snags.

The next tech call on the 16th is a joint call with the legal team where we plan on talking about the NONE/NOASSERTION language. It probably makes sense to consider this as well at that time. Please feel free to join in to the call if you'd like.

Thanks for raising this.

Kate
--